Jump to content
Tuts 4 You

[unpackme] Pecancer 2007 07 11

Teddy Rogers

By Teddy Rogers
in UnPackMe

 Share

Recommended Posts

What

What

Posted
Posted (edited)

OK I understand the packer, what it does, how to find the oep, but the entire beginning is encrypted. To get to the oep tap f8 once, breakpoint the esp, run till you hit a ret, then tap f8, then your at the real oep. Once your at the oep Tap f8 and it will show the real oep not crypted, push 70, then followed by a jump, this jump will take you to the next command that was crypted, this continues until the call that sets off the run.

Edit in:

If you read this at an earlier time and tried what i said to get the the oep, sorry, but i forgot i placed a hardware bp on the oep so my way to get to the oep was wrong, now fixed, sorry.

Im not really sure what to do from here. I think i missed something that screws up imprec too. Can anyone help? :wacko:

Attached is a text file of what the beginning should look like, well what i got, but i wasnt sure if i should trace into the calls i was getting or trace over, i just traced over for all this.

Edited by What
Fungus

Fungus

Posted
Posted

If it has "stolen code" and it decrypts it at some point you can copy the code to a text file using olly binary cut/paste option and repair the bytes at OEP by pasting the decrypted code there when you reach "false" OEP.

As for finding the IAT, just binary search "FF 25" and you can find the IAT easily most times. When you find this sequence of bytes, it translates to jmp dword ptr:[xxxxxxxx] which is an indirect jump. You can follow the the bytes in the brackets, in the dump window and scroll up and down to find the start and end of IAT. This just takes some practice recognizing what the dll calls look like.

sdy100

sdy100

Posted
Posted (edited)

unpacked

stolen oep save in .idata section

unpacked.rar

Edited by sdy100
What

What

Posted
Posted (edited)

I don't think that your [unpackme] unpacked is right, I mean, your where the Oep should be, but you app doesnt run and is still encrypted. :(

Edited by What
Ufo-Pu55y

Ufo-Pu55y

Posted
Posted
try this one
Good looking !

How did u go with the stolen stuff ? :)

sdy100

sdy100

Posted
Posted
How did u go with the stolen stuff ?

I fix it by manual I spend many time . :sweatdrop::sweatdrop::sweatdrop:

sdy100

sdy100

Posted
Posted
VM

0040112A 68 00000000 PUSH 0

0040112F E8 5CAFFDFF CALL 003DC090

00401134 CC INT3

00401135 CC INT3

00401136 50 PUSH EAX

Fix

0040112A 6A 00 PUSH 0

0040112C 68 94924000 PUSH SDKDEMO1.00409294 ; UNICODE "VM Code Test"

00401131 68 B0924000 PUSH SDKDEMO1.004092B0 ; UNICODE "Just Test VM Code!"

00401136 50 PUSH EAX

unpacked.rar

  • 2 weeks later...
What

What

Posted
Posted (edited)
updated on 23-July 07

notepad1_0723.rar

Not too much of a difference from the first one, topic starter. I havent unpacked the new one yet because I dont have the time, but it looks like the author added fake code to hide the stolen code better, all I noticed so far.

Look at this, I wonder what the real code is, LOL :P

PUSHFD

PUSH EBP

MOV EBP, DWORD PTR DS:[1019A2F]

POP EBP

POPFD

PUSH 70 <--

Edited by What
metr0

metr0

Posted
Posted (edited)

Just took a quick look at it.

Let's hope my stolen bytes are rigth, like I said, just took a quick look. It's possible I missed some jmp... :P Just then wrote the bytes I got at pseudo-OEP:

010073A5	  6A 70			 push	70
010073A7	  68 B0180001	   push	010018B0
010073AC	  E8 BC5C0000	   call	0100D06D
010073B1	  33DB			  xor	 ebx, ebx
010073B3	  895D FC		   mov	 dword ptr [ebp-4], ebx
010073B6	  8D45 80		   lea	 eax, dword ptr [ebp-80]
010073B9	  50				push	eax
010073BA	  90				nop
010073BB	  FF15 D0100001	 call	dword ptr [10010D0]
010073C1	  83CF FF		   or	  edi, FFFFFFFF
010073C4	  897D FC		   mov	 dword ptr [ebp-4], edi
010073C7	  66:813D 00000001 >cmp	 word ptr [1000000], 5A4D
010073D0	  A1 3C000001	   mov	 eax, dword ptr [100003C]
010073D5	  8D80 00000001	 lea	 eax, dword ptr [eax+1000000]
010073DB	  8138 50450000	 cmp	 dword ptr [eax], 4550
010073E1	  0FB748 18		 movzx   ecx, word ptr [eax+18]
010073E5	  81F9 0B010000	 cmp	 ecx, 10B
010073EB	  8378 74 0E		cmp	 dword ptr [eax+74], 0E
010073EF	  33C9			  xor	 ecx, ecx
010073F1	  3998 E8000000	 cmp	 dword ptr [eax+E8], ebx
010073F7	  0F95C1			setne   cl
010073FA	  894D E4		   mov	 dword ptr [ebp-1C], ecx
010073FD	  C745 FC 01000000  mov	 dword ptr [ebp-4], 1
01007404	  6A 02			 push	2
01007406	  FF15 34130001	 call	dword ptr [1001334]
0100740C	  59				pop	 ecx
0100740D	  893D 9CAE0001	 mov	 dword ptr [100AE9C], edi
01007413	  893D A0AE0001	 mov	 dword ptr [100AEA0], edi
01007419	  FF15 30130001	 call	dword ptr [1001330]
0100741F	  8B0D B89D0001	 mov	 ecx, dword ptr [1009DB8]
01007425	  8908			  mov	 dword ptr [eax], ecx
01007427	  FF15 2C130001	 call	dword ptr [100132C]
0100742D	  8B0D B49D0001	 mov	 ecx, dword ptr [1009DB4]
01007433	  8908			  mov	 dword ptr [eax], ecx
01007435	  A1 28130001	   mov	 eax, dword ptr [1001328]
0100743A	  8B00			  mov	 eax, dword ptr [eax]
0100743C	  A3 A4AE0001	   mov	 dword ptr [100AEA4], eax
01007441	  E8 DA010000	   call	01007620
01007446	  391D F0950001	 cmp	 dword ptr [10095F0], ebx
0100744C	  75 0C			 jnz	 short 0100745A
0100744E	  68 20760001	   push	01007620
01007453	  FF15 24130001	 call	dword ptr [1001324]
01007459	  C3				retn
0100745A	  E8 AA010000	   call	01007609
0100745F	  68 54130001	   push	01001354
01007464	  68 50130001	   push	01001350
01007469	  E8 90010000	   call	010075FE
0100746E	  A1 B09D0001	   mov	 eax, dword ptr [1009DB0]
01007473	  8945 DC		   mov	 dword ptr [ebp-24], eax
01007476	  8D45 DC		   lea	 eax, dword ptr [ebp-24]
01007479	  50				push	eax
0100747A	  FF35 AC9D0001	 push	dword ptr [1009DAC]
01007480	  8D45 D4		   lea	 eax, dword ptr [ebp-2C]
01007483	  50				push	eax
01007484	  8D45 D0		   lea	 eax, dword ptr [ebp-30]
01007487	  50				push	eax
01007488	  90				nop
01007489	  8D45 CC		   lea	 eax, dword ptr [ebp-34]
0100748C	  50				push	eax
0100748D	  90				nop
0100748E	  FF15 1C130001	 call	dword ptr [100131C]
01007494	  8945 C8		   mov	 dword ptr [ebp-38], eax
01007497	  68 4C130001	   push	0100134C
0100749C	  68 44130001	   push	01001344
010074A1	  E8 58010000	   call	010075FE
010074A6	  83C4 24		   add	 esp, 24
010074A9	  A1 18130001	   mov	 eax, dword ptr [1001318]
010074AE	  8B00			  mov	 eax, dword ptr [eax]
010074B0	  8945 E0		   mov	 dword ptr [ebp-20], eax
010074B3	  8038 22		   cmp	 byte ptr [eax], 22
010074B6	  40				inc	 eax
010074B7	  8945 E0		   mov	 dword ptr [ebp-20], eax
010074BA	  8A08			  mov	 cl, byte ptr [eax]
010074BC	  3ACB			  cmp	 cl, bl
010074BE	  74 05			 je	  short 010074C5
010074C0	  80F9 22		   cmp	 cl, 22
010074C3	^ 74 F1			 je	  short 010074B6
010074C5	  8038 22		   cmp	 byte ptr [eax], 22
010074C8	  75 04			 jnz	 short 010074CE
010074CA	  40				inc	 eax
010074CB	  8945 E0		   mov	 dword ptr [ebp-20], eax
010074CE	  8A08			  mov	 cl, byte ptr [eax]
010074D0	  3ACB			  cmp	 cl, bl
010074D2	  74 05			 je	  short 010074D9
010074D4	  80F9 20		   cmp	 cl, 20
010074D7	^ 76 F1			 jbe	 short 010074CA
010074D9	  F645 AC 01		test	byte ptr [ebp-54], 1
010074DD	  74 23			 je	  short 01007502
010074DF	  0FB74D B0		 movzx   ecx, word ptr [ebp-50]
010074E3	  51				push	ecx
010074E4	  50				push	eax
010074E5	  53				push	ebx
010074E6	  68 00000001	   push	01000000
010074EB	  E8 66B4FFFF	   call	01002956
010074F0	  8BF0			  mov	 esi, eax
010074F2	  8975 C4		   mov	 dword ptr [ebp-3C], esi	;  notepad1.01007620
010074F5	  395D E4		   cmp	 dword ptr [ebp-1C], ebx
010074F8	  75 0D			 jnz	 short 01007507
010074FA	  56				push	esi						;  notepad1.01007620
010074FB	  90				nop
010074FC	  FF15 14130001	 call	dword ptr [1001314]
01007502	  6A 0A			 push	0A
01007504	  59				pop	 ecx
01007505	^ EB DC			 jmp	 short 010074E3
01007507	  FF15 FC120001	 call	dword ptr [10012FC]
0100750D	  897D FC		   mov	 dword ptr [ebp-4], edi
01007510	  8BC6			  mov	 eax, esi					  ;  notepad1.01007620
01007512	  E8 B8000000	   call	010075CF
01007517	  C3				retn

So, OEP would be 0x073A5, IAT RVA 0x01000 and size 0x0344. Just didn't fix that pointers, will do that later.

I'm sure here's a mistake in the stolen bytes, so, please correct me. ;D

Greetz

Edited by metr0

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing
×
×
  • Create New...