Posted December 30, 2006
This is the official RLPack unpackme. Unpacking is considered correct if the unpacked Unpack.exe can unpack crackme.fsg.exe. You cannot add ap0x unpacking engine .dll files to the unpackme to make it work. You can only use things located inside the challenge archive. Because Unpack.exe uses psapi.dll, the challenge will work only on NT systems. The first one to unpack the official unpackme will get an RLPack Full Edition - Personal license! Contact email: ap0x.rce@gmail.com Happy cracking! Challange.zip
December 30, 2006
WTF, I'm getting a trojan warning from that stupid Avast :/ Bye bye, license x( Well, that's destiny I suppose lol
December 30, 2006 (Author)
Again a problem with your AV. I scanned it at virusscann.jotti and it was OK. Try deleting crackme.fsg.exe...
December 31, 2006
The OEP is easy to find!
0040F738    61                       popad
0040F739  - E9 C218FFFF              jmp UnPACK.004010
It is possible to restore the original imports without ImpREC!
0040F69E   /0F84 85120000            je UnPACK.00410929
0040F6A4   |E8 CE090000              call UnPACK.00410077
0040F6A9   |E8 411E0000              call UnPACK.004114EF   <--------
0040F6AE   |C785 5E230000 00000000   mov dword ptr ss:[ebp+235E],0
0040F6B8   |8907                     mov dword ptr ds:[edi],eax
0040F6BA   |83C7 04                  add edi,4
December 31, 2006 (Author)
Well pavka, you need to dump and fix all bundled .dll files. Nice work...
December 31, 2006
Well, it even stops me from downloading xD Win32:Banker-BKO [Trj] lol. I wouldn't be able to unpack it anyway, I guess. So no harm done.
December 31, 2006
Well, dude, it doesn't matter. It surely doesn't have anything evil in it. I took a look at this. Got 3 dlls and I think I can get another one, got IAT, got dump but having probs fixing dialog resource...
December 31, 2006
Thanks ap0x! It was interesting! All is ready: http://rapidshare.com/files/9671267/Challange.rar
January 1, 2007 (Author)
Great work pavka. You forgot one import from shell32.dll, but no matter, you are successful. Please register over at my forum so I can give you the license.
January 1, 2007
Hi folks, Happy New Year also. Tip: You don't need to use ImpREC either for the main executable or for the DLLs. For DLLs: no patching, magic jumps, rebuilding, realigning or anything else. Just RAW DUMP AT THE RIGHT TIME.
January 1, 2007
> Hi folks, Happy New Year also. Tip: You don't need to use ImpREC either for the main executable or for the DLLs. For DLLs: no patching, magic jumps, rebuilding, realigning or anything else. Just RAW DUMP AT THE RIGHT TIME.
Raw dump? How to do that (RAW DUMP)?
January 2, 2007 (Author)
deroko wrote a tut, it is attached here: http://forums.accessroot.com/index.php?sho...=4750&st=20
January 2, 2007
> Raw dump? How to do that (RAW DUMP)?
The packer will reserve some memory for one DLL with VirtualAlloc. Then it will write the DLL there. The writing loop is:
0041088C    8A06       MOV AL,BYTE PTR DS:[ESI]
0041088E    8801       MOV BYTE PTR DS:[ECX],AL
00410890    46         INC ESI                    ; UnPACK.0040B2D9
00410891    41         INC ECX
00410892    4F         DEC EDI
00410893    83FF 00    CMP EDI,0
00410896   ^77 F4      JA SHORT UnPACK.0041088C
After that loop ends, you dump that region of memory with LordPE and just save the file as NameOF.DLL. After this loop, the packer writes imports to the DLL, so later dumping would get a bad dump.
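A sanity check for the raw dump described in the post above, added here as an example and not part of the thread or of any tool named in it: it verifies that a saved region starts with a PE image in on-disk layout and trims the allocation padding behind it. The function names and the sample region are constructed for illustration, and it assumes the copied DLL is still in file layout when the region is saved.

```python
import struct

def raw_pe_size(buf: bytes) -> int:
    """Size in bytes of the file-layout PE image at the start of buf."""
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        raise ValueError("no MZ header at start of dump")
    (e_lfanew,) = struct.unpack_from("<I", buf, 0x3C)
    if e_lfanew + 24 > len(buf) or buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    (n_sections,) = struct.unpack_from("<H", buf, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", buf, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size          # first section header
    end = table + 40 * n_sections             # end of the headers alone
    if end > len(buf):
        raise ValueError("section table runs past end of dump")
    for i in range(n_sections):
        # SizeOfRawData and PointerToRawData sit at +16 and +20 of each header
        raw_size, raw_ptr = struct.unpack_from("<II", buf, table + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    if end > len(buf):
        raise ValueError("dump is shorter than the section table claims")
    return end

def trim_raw_dump(region: bytes) -> bytes:
    """Drop the allocation padding that follows the image in the region."""
    return region[:raw_pe_size(region)]

def make_sample_region() -> bytes:
    """Constructed sample: one-section PE header in a 0x1000-byte region."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x2102)
    section = struct.pack("<8sIIIIIIHHI", b".text", 0x180, 0x1000,
                          0x200, 0x400, 0, 0, 0, 0, 0x60000020)
    image = (dos + coff + b"\0" * 0xE0 + section).ljust(0x400, b"\0")
    image += b"\xCC" * 0x200                   # raw data of .text
    return image.ljust(0x1000, b"\0")          # page padding after the image

if __name__ == "__main__":
    region = make_sample_region()
    print(hex(raw_pe_size(region)), len(trim_raw_dump(region)))
```

A `ValueError` here usually means the region was saved from the wrong base address or is incomplete; data appended after the last section is not counted.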
January 2, 2007
@ap0x finally my question was answered... thx, bro from remind me, i'm looking for that tuts...
@Haggar oh i c, thx for the info, i'm trying now...
January 2, 2007
That just means a plain dump without fixing anything. Btw, I have a question, pavka: did you have to fix resources, or did you get a better dump than me?
January 2, 2007
cektop
I did not fix resources! It is necessary to do the dump right after the capture of imports!
January 2, 2007
lol. That was the problem. I didn't use some Olly plugin to dump, but one tool I have that replaced memory it couldn't read with 0 bytes.
January 3, 2007
LOL? Sorry, what does that refer to? If you make the dump in the right place, there will be no problems!
January 3, 2007
Sorry, I didn't understand your post. Anyway, I said I should have used an Olly plugin for dumping since outside tools can't access all pages of process memory. I'm out of touch. Haven't been cracking for years...
January 4, 2007
cektop
Here is an example for you!
0049C222    68 00400000      push 4000                    <------------Dump it
0049C227    68 0D190000      push 190D
0049C22C    FFB5 471F0000    push dword ptr ss:[ebp+1F47]
0049C232    FF95 FE030000    call dword ptr ss:[ebp+3FE]
0049C238    E8 06050000      call 1_.0049C743
0049C23D    E8 A7000000      call 1_.0049C2E9
0049C242    61               popad
0049C243  - E9 68AFF8FF      jmp 1_.004271B0              <--------OEP
It is necessary to dump it at this place, before reaching the OEP! If you use ImpREC, then start it from this point! And a last piece of advice: do not create a new section for imports, rewrite the old one! What you do the dump with is not important! I used OllyDump.