Rlpack - New Year Challenge

[ap0x]

This is the official RLPack unpackme. Unpacking is considered correct if the unpacked Unpack.exe can unpack crackme.fsg.exe. You can not add ap0x unpacking engine .dll files to unpackme to make it work. You can only use things located inside the challenge archive. Due to the fact that Unpack.exe uses psapi.dll challenge will work only on NT systems.

The first one to unpack the official unpackme will get RLPack Full Edition - Personal license!

Contact email: ap0x.rce@gmail.com

Happy cracking

Challange.zip

[Killboy]

WTF, I'm getting a trojan warning by that stupid Avast :/

Bye bye, license x(

Well that's destiny I suppose lol

[ap0x]

Again problem with your AV I scanned it at virusscann.jotti and it was ok. Try deleting crackme.fsg.exe...

[pavka]

OEP to find easy!

0040F738 61 popad

0040F739 - E9 C218FFFF jmp UnPACK.004010

Import it is possible resrore Original without Imprec!

0040F69E /0F84 85120000 je UnPACK.00410929

0040F6A4 |E8 CE090000 call UnPACK.00410077

0040F6A9 |E8 411E0000 call UnPACK.004114EF<--------

0040F6AE |C785 5E230000 00000000 mov dword ptr ss:[ebp+235E],0

0040F6B8 |8907 mov dword ptr ds:[edi],eax

0040F6BA |83C7 04 add edi,4

[Teddy Rogers]

I detect a little bundling going on, nice feature...

Ted.

[pavka]

Problem only in that what to pull out these 4 dll from memory 003E0000

[ap0x]

Well pavka you need to dump and fix all boundled .dll files Nice work...

[Killboy]

Well, it even stops me from downloading xD

Win32:Banker-BKO [Trj]

lol

I wouldn't be able to unpack it anyway, I guess. So no harm done

[cektop]

Well, dude it doesn't matter. It surely doesn't have anything evil in it

I took a look at this. Got 3 dlls and I think I can get another one, got IAT, got dump but having probs fixing dialog resource...

[pavka]

Thanks ap0x! It was interesting! All is ready

http://rapidshare.com/files/9671267/Challange.rar

[ap0x]

Great work pavka. You forgot one import from shell32.dll but no matter you are successfull Please register over at my forum so I can give you the license

[Guest Haggar]

Hy folks, Happy New Year also.

Tip: You don't need to use ImpREC neither for main executable, neither for DLLs.

For DLLs: No patching, magic jumps, rebuilding , realigning or something else. Just RAW DUMP AT THE RIGHT TIME

[pavka]

ap0x

I do not know where a forum ?

[cond0lence]

@pavka:

http://ap0x.jezgra.net/forum/

[Apakekdah]

Hy folks, Happy New Year also.

Tip: You don't need to use ImpREC neither for main executable, neither for DLLs.

For DLLs: No patching, magic jumps, rebuilding , realigning or something else. Just RAW DUMP AT THE RIGHT TIME

raw dump ? how to do that (RAW DUMP) ?

[ap0x]

deroko wrote a tut, it is attached here http://forums.accessroot.com/index.php?sho...=4750&st=20

[Guest Haggar]

raw dump ? how to do that (RAW DUMP) ?

Packer will reserve some memory for one DLL with VirtualAlloc. Then it will write DLL there. Writing loop is:

0041088C   8A06			 MOV AL,BYTE PTR DS:[ESI]
0041088E   8801			 MOV BYTE PTR DS:[ECX],AL
00410890   46			   INC ESI								 ; UnPACK.0040B2D9
00410891   41			   INC ECX
00410892   4F			   DEC EDI
00410893   83FF 00		  CMP EDI,0
00410896  ^77 F4			JA SHORT UnPACK.0041088C

After that loop ends, you dump that region of memory with LordPE and just save file as NameOF.DLL. After this loop , packer writes imports to DLL so later dumping would get bad dump.

[Apakekdah]

@ap0x

finally my question was answered...

thx, bro from remind me, i'm looking for that tuts...

@Haggar

oh i c, thx for the info, i'm trying now...

[cektop]

That just means plain dump without fixing anything.

Btw, I have a question, pavka, did you have to fix resources or you got a better dump than me?

[pavka]

cektop

I not fix resources ! To do dump it is necessary right after captures of import!

[cektop]

lol That was the problem I didn't use some Olly plugin to dump but one tool I have that replaced memory it couldn't read with 0 bytes

[pavka]

LOL? Forgive, to what it concerns?

If to make dump in the necessary place what problems will not be!

[cektop]

Sorry, I didn't understand your post. Anyway, I said I should have used an Olly plugin for dumping since outside tools can't access all pages of process memory. I'm out of touch. Haven't been cracking for years...

[pavka]

cektop

Here to you an example!

0049C222 68 00400000 push 4000 <------------Dump it

0049C227 68 0D190000 push 190D

0049C22C FFB5 471F0000 push dword ptr ss:[ebp+1F47]

0049C232 FF95 FE030000 call dword ptr ss:[ebp+3FE]

0049C238 E8 06050000 call 1_.0049C743

0049C23D E8 A7000000 call 1_.0049C2E9

0049C242 61 popad

0049C243 - E9 68AFF8FF jmp 1_.004271B0<--------OEP

It is necessary dump it not reaching up to оеп in this place! If you use ImpRec that start it from this point!

And last advice! Do not create new section for import, and rewrite old!

Than to do dump, not important! I did OLLyDump