Jump to content
Tuts 4 You

[unpackme] Pecancer 2007 07 11


Teddy Rogers

Recommended Posts

OK I understand the packer, what it does, how to find the oep, but the entire beginning is encrypted. To get to the oep tap f8 once, breakpoint the esp, run till you hit a ret, then tap f8, then your at the real oep. Once your at the oep Tap f8 and it will show the real oep not crypted, push 70, then followed by a jump, this jump will take you to the next command that was crypted, this continues until the call that sets off the run.

Edit in:

If you read this at an earlier time and tried what i said to get the the oep, sorry, but i forgot i placed a hardware bp on the oep so my way to get to the oep was wrong, now fixed, sorry.

Im not really sure what to do from here. I think i missed something that screws up imprec too. Can anyone help? :wacko:

Attached is a text file of what the beginning should look like, well what i got, but i wasnt sure if i should trace into the calls i was getting or trace over, i just traced over for all this.

Edited by What
Link to comment

If it has "stolen code" and it decrypts it at some point you can copy the code to a text file using olly binary cut/paste option and repair the bytes at OEP by pasting the decrypted code there when you reach "false" OEP.

As for finding the IAT, just binary search "FF 25" and you can find the IAT easily most times. When you find this sequence of bytes, it translates to jmp dword ptr:[xxxxxxxx] which is an indirect jump. You can follow the the bytes in the brackets, in the dump window and scroll up and down to find the start and end of IAT. This just takes some practice recognizing what the dll calls look like.

Link to comment

I don't think that your [unpackme] unpacked is right, I mean, your where the Oep should be, but you app doesnt run and is still encrypted. :(

Edited by What
Link to comment
VM

0040112A 68 00000000 PUSH 0

0040112F E8 5CAFFDFF CALL 003DC090

00401134 CC INT3

00401135 CC INT3

00401136 50 PUSH EAX

Fix

0040112A 6A 00 PUSH 0

0040112C 68 94924000 PUSH SDKDEMO1.00409294 ; UNICODE "VM Code Test"

00401131 68 B0924000 PUSH SDKDEMO1.004092B0 ; UNICODE "Just Test VM Code!"

00401136 50 PUSH EAX

unpacked.rar

Link to comment
  • 2 weeks later...
updated on 23-July 07

notepad1_0723.rar

Not too much of a difference from the first one, topic starter. I havent unpacked the new one yet because I dont have the time, but it looks like the author added fake code to hide the stolen code better, all I noticed so far.

Look at this, I wonder what the real code is, LOL :P

PUSHFD

PUSH EBP

MOV EBP, DWORD PTR DS:[1019A2F]

POP EBP

POPFD

PUSH 70 <--

Edited by What
Link to comment

Just took a quick look at it.

Let's hope my stolen bytes are rigth, like I said, just took a quick look. It's possible I missed some jmp... :P Just then wrote the bytes I got at pseudo-OEP:

010073A5	  6A 70			 push	70
010073A7 68 B0180001 push 010018B0
010073AC E8 BC5C0000 call 0100D06D
010073B1 33DB xor ebx, ebx
010073B3 895D FC mov dword ptr [ebp-4], ebx
010073B6 8D45 80 lea eax, dword ptr [ebp-80]
010073B9 50 push eax
010073BA 90 nop
010073BB FF15 D0100001 call dword ptr [10010D0]
010073C1 83CF FF or edi, FFFFFFFF
010073C4 897D FC mov dword ptr [ebp-4], edi
010073C7 66:813D 00000001 >cmp word ptr [1000000], 5A4D
010073D0 A1 3C000001 mov eax, dword ptr [100003C]
010073D5 8D80 00000001 lea eax, dword ptr [eax+1000000]
010073DB 8138 50450000 cmp dword ptr [eax], 4550
010073E1 0FB748 18 movzx ecx, word ptr [eax+18]
010073E5 81F9 0B010000 cmp ecx, 10B
010073EB 8378 74 0E cmp dword ptr [eax+74], 0E
010073EF 33C9 xor ecx, ecx
010073F1 3998 E8000000 cmp dword ptr [eax+E8], ebx
010073F7 0F95C1 setne cl
010073FA 894D E4 mov dword ptr [ebp-1C], ecx
010073FD C745 FC 01000000 mov dword ptr [ebp-4], 1
01007404 6A 02 push 2
01007406 FF15 34130001 call dword ptr [1001334]
0100740C 59 pop ecx
0100740D 893D 9CAE0001 mov dword ptr [100AE9C], edi
01007413 893D A0AE0001 mov dword ptr [100AEA0], edi
01007419 FF15 30130001 call dword ptr [1001330]
0100741F 8B0D B89D0001 mov ecx, dword ptr [1009DB8]
01007425 8908 mov dword ptr [eax], ecx
01007427 FF15 2C130001 call dword ptr [100132C]
0100742D 8B0D B49D0001 mov ecx, dword ptr [1009DB4]
01007433 8908 mov dword ptr [eax], ecx
01007435 A1 28130001 mov eax, dword ptr [1001328]
0100743A 8B00 mov eax, dword ptr [eax]
0100743C A3 A4AE0001 mov dword ptr [100AEA4], eax
01007441 E8 DA010000 call 01007620
01007446 391D F0950001 cmp dword ptr [10095F0], ebx
0100744C 75 0C jnz short 0100745A
0100744E 68 20760001 push 01007620
01007453 FF15 24130001 call dword ptr [1001324]
01007459 C3 retn
0100745A E8 AA010000 call 01007609
0100745F 68 54130001 push 01001354
01007464 68 50130001 push 01001350
01007469 E8 90010000 call 010075FE
0100746E A1 B09D0001 mov eax, dword ptr [1009DB0]
01007473 8945 DC mov dword ptr [ebp-24], eax
01007476 8D45 DC lea eax, dword ptr [ebp-24]
01007479 50 push eax
0100747A FF35 AC9D0001 push dword ptr [1009DAC]
01007480 8D45 D4 lea eax, dword ptr [ebp-2C]
01007483 50 push eax
01007484 8D45 D0 lea eax, dword ptr [ebp-30]
01007487 50 push eax
01007488 90 nop
01007489 8D45 CC lea eax, dword ptr [ebp-34]
0100748C 50 push eax
0100748D 90 nop
0100748E FF15 1C130001 call dword ptr [100131C]
01007494 8945 C8 mov dword ptr [ebp-38], eax
01007497 68 4C130001 push 0100134C
0100749C 68 44130001 push 01001344
010074A1 E8 58010000 call 010075FE
010074A6 83C4 24 add esp, 24
010074A9 A1 18130001 mov eax, dword ptr [1001318]
010074AE 8B00 mov eax, dword ptr [eax]
010074B0 8945 E0 mov dword ptr [ebp-20], eax
010074B3 8038 22 cmp byte ptr [eax], 22
010074B6 40 inc eax
010074B7 8945 E0 mov dword ptr [ebp-20], eax
010074BA 8A08 mov cl, byte ptr [eax]
010074BC 3ACB cmp cl, bl
010074BE 74 05 je short 010074C5
010074C0 80F9 22 cmp cl, 22
010074C3 ^ 74 F1 je short 010074B6
010074C5 8038 22 cmp byte ptr [eax], 22
010074C8 75 04 jnz short 010074CE
010074CA 40 inc eax
010074CB 8945 E0 mov dword ptr [ebp-20], eax
010074CE 8A08 mov cl, byte ptr [eax]
010074D0 3ACB cmp cl, bl
010074D2 74 05 je short 010074D9
010074D4 80F9 20 cmp cl, 20
010074D7 ^ 76 F1 jbe short 010074CA
010074D9 F645 AC 01 test byte ptr [ebp-54], 1
010074DD 74 23 je short 01007502
010074DF 0FB74D B0 movzx ecx, word ptr [ebp-50]
010074E3 51 push ecx
010074E4 50 push eax
010074E5 53 push ebx
010074E6 68 00000001 push 01000000
010074EB E8 66B4FFFF call 01002956
010074F0 8BF0 mov esi, eax
010074F2 8975 C4 mov dword ptr [ebp-3C], esi ; notepad1.01007620
010074F5 395D E4 cmp dword ptr [ebp-1C], ebx
010074F8 75 0D jnz short 01007507
010074FA 56 push esi ; notepad1.01007620
010074FB 90 nop
010074FC FF15 14130001 call dword ptr [1001314]
01007502 6A 0A push 0A
01007504 59 pop ecx
01007505 ^ EB DC jmp short 010074E3
01007507 FF15 FC120001 call dword ptr [10012FC]
0100750D 897D FC mov dword ptr [ebp-4], edi
01007510 8BC6 mov eax, esi ; notepad1.01007620
01007512 E8 B8000000 call 010075CF
01007517 C3 retn

So, OEP would be 0x073A5, IAT RVA 0x01000 and size 0x0344. Just didn't fix that pointers, will do that later.

I'm sure here's a mistake in the stolen bytes, so, please correct me. ;D

Greetz

Edited by metr0
Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...