ap0x Posted August 23, 2007

RLPack 1.19 [NT only] unpacking challenge: Your objective is to unpack the file deASPack.exe. To achieve this you can do anything you can think of. There is only one rule: your unpacked file must unpack the crackme.aspacked.exe file in such a manner that verify.exe says that the file unpacked.exe is valid. You can only modify/unpack the file deASPack.exe, and any of your patches to it must not use information obtained from the original unpacked.exe produced by the packed deASPack.exe. This means that your unpacked deASPack.exe must create a valid unpacked.exe without being patched to write the original data to unpacked.exe by force.

To verify that everything works fine, run deASPack.exe and unpack the file crackme.aspacked.exe with it. Then run verify.exe, which should tell you that the file unpacked.exe is valid.

If you solve this challenge, please tell me your observations about the protection itself. Also note that this is not the original 1.19 version. This version has been modified so that the security of Full Edition users is not threatened by potential plugins/scripts/unpackers. The best will be rewarded!

http://ap0x.jezgra.net/RLPack_1.19_officialUnpackme.rar

Good luck, ap0x
What Posted August 23, 2007

Going to give it a shot when I get home tonight.

Edited August 24, 2007 by What
rendari Posted August 23, 2007

I'll try, even tho in previous versions I didn't have much success.
Killboy Posted August 23, 2007

I can tell you the OEP but the rest is just uber :/ Import redirection sucks really hard and stolen code is harder than in previous versions :/ Besides, ImpRec plugins don't work for me with phant0m, I need HWBPs though :x Nice job, ap0x. I'll see if I continue this tomorrow, OEP is enough for me. Gotta care about TLS as well, argh.
rendari Posted August 23, 2007

Yeah, he also packed DLLs like last time.
Killboy Posted August 23, 2007

**** :X There are even stolen APIs, WTF. I managed to repair the jumps with a script, works pretty well, just gotta fix the APIs. My old ImpRec plug doesn't work anymore... time to recode, but MASM moans and I dunno why... hm. Since when are there stolen APIs? Man, you really developed RLPack very well. Gotta stop now, my eyes really start burning. Hope I can come up w/ something tomorrow, let's see how hard TLS and DLLs are going to be...

Edited August 23, 2007 by Killboy
rendari Posted August 23, 2007

Yeah, I'm finishing up some code right now for imports. I attached to the process for now, since there was some weird crash going on for me after RLP loaded all the DLLs. I lost patience with it and just attached and started observing the import redirection. Nothing too hard really: it redirects 'em all to a central routine, which then decides where they will go in a temporary mem zone. In this temporary mem zone it then executes all the commands of an API up to the first call/jmp, then it jumps back to the real API. Have yet to observe anything else. I'll go and look at that anti-debug again now.
SunBeam Posted August 24, 2007

@ap0x: Check this out: http://www.tuts4you.com/forum/index.php?showtopic=13195 Is that RLP 1.19?
Killboy Posted August 24, 2007

Imports aren't that hard, as you said. My ImpRec plug resolves about 90%, leaving a few fully stolen APIs and the redirected virtual file stuff unfixed. I dumped the virtual files, but the headers look weird, seems they need to be fixed. Still gotta find out the files' names, prolly the ugliest part :/
SunBeam Posted August 24, 2007

Are we allowed to post partial findings, or should we treat it as an individual's work?
ap0x (Author) Posted August 24, 2007

No, it is not RLP 1.19 since there is no such thing. It is RLP 0.7.4. Shoooo already solved it, but if you unpack it you will still be rewarded.
Sonny27 Posted August 24, 2007

Whaaahh, shoooo already unpacked it. China beats.
ap0x (Author) Posted August 24, 2007

Yeah, he is a great guy. Thanks to him I found some weak spots. So expect an even more challenging unpackme next time.

Edited August 24, 2007 by ap0x
Killboy Posted August 24, 2007

Why did I even start unpacking, like I could stand a chance. I temporarily give up on this one (I couldn't be rewarded anyway, seeing 2 solutions posted, whatever that reward is), got some other personal stuff to do. No, that's not an excuse for being unable to unpack it. Maybe I can take a closer look at it next week, let's see. Nice work.
pavka Posted August 24, 2007

@Killboy The imports are very simple, roughly like this:

var pntf
var pnt1t
var pnt2t
var fnc
var oep
var iat_st
var jmpf
var pax
var chk_eax

// addresses for this unpackme
mov pax,004B4984
mov iat_st,00461000
mov pntf,004B499A
mov pnt1t,004b4971
mov pnt2t,004b4964
mov oep,004b17e4

BPHWS 4b02c1,"x"
erun
BPHWC 4b02c1
sti
// turn two conditional jumps at eip into unconditional ones
repl eip, #750F#, #EB0F#,BC
repl eip, #7410#, #EB10#,BC

BPHWS pntf,"x"
BPHWS pnt1t,"x"
BPHWS pnt2t,"x"
BPHWS oep,"x"
erun

loop:
cmp eip,oep
je quit
erun
cmp eip,pntf
jne loop
// skip values whose high byte is zero (not an API address)
mov chk_eax,eax
and chk_eax,FF000000
cmp chk_eax,0
je loop
// store the resolved API in the next IAT slot
mov [iat_st],eax
mov fnc,iat_st
add iat_st,4
erun
// rewrite the redirected site as jmp dword ptr [slot]
mov jmpf,ebx-2
bp pax
erun
bc pax
mov [jmpf],#FF25#
add jmpf,2
mov [jmpf],fnc
jmp loop

quit:
ret
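The IAT rebuild that pavka's script performs at runtime against the redirection rendari describes (take the API address observed in eax at pntf, write it to a fresh IAT slot, then rewrite the redirected site as call/jmp dword ptr [slot]), as an added offline example in Python; this is not code from the thread or from RLPack. The code bytes, RVAs, API addresses and the site-to-API map (standing in for what the debugger observes) are all constructed.

```python
import struct

# Constructed layout (assumptions, not values from the unpackme): image base, code
# section RVA, a fresh IAT area, and the RVA of the packer's central redirect routine.
IMAGE_BASE, CODE_RVA, IAT_RVA, REDIRECT_RVA = 0x00400000, 0x1000, 0x61000, 0xB0000

def rel32(src_rva, dst_rva):
    # displacement of a 5-byte E8/E9 at src_rva that targets dst_rva
    return struct.pack("<i", dst_rva - (src_rva + 5))

def find_redirect_sites(code, code_rva, redirect_rva):
    """(offset, opcode) of every E8/E9 rel32 that lands on the central redirect routine."""
    sites, i = [], 0
    while i + 5 <= len(code):
        op = code[i]
        if op in (0xE8, 0xE9):
            disp = struct.unpack_from("<i", code, i + 1)[0]
            if code_rva + i + 5 + disp == redirect_rva:
                sites.append((i, op))
                i += 5
                continue
        i += 1
    return sites

def rebuild_iat(code, code_rva, redirect_rva, observed_api, iat_rva, image_base):
    """observed_api maps site RVA -> API VA (what the script reads from eax at pntf).
    Returns (patched code, new IAT bytes, {api_va: slot_va})."""
    code, iat, slots = bytearray(code), bytearray(), {}
    for off, op in find_redirect_sites(code, code_rva, redirect_rva):
        api = observed_api[code_rva + off]
        if api not in slots:  # first sighting of this API: allocate a 4-byte IAT slot
            slots[api] = image_base + iat_rva + len(iat)
            iat += struct.pack("<I", api)
        # FF 15 = call [imm32], FF 25 = jmp [imm32]; both are 6 bytes, so the 5-byte
        # rel32 and the pad byte the packer left after it are overwritten together.
        code[off:off + 6] = bytes([0xFF, 0x15 if op == 0xE8 else 0x25]) + struct.pack("<I", slots[api])
    return bytes(code), bytes(iat), slots

def demo():
    # Constructed code section: push ebp / mov ebp,esp, then jmp, call, jmp to the
    # redirect routine (each padded with a nop to 6 bytes), then ret.
    code, site_rvas = bytearray(b"\x55\x8B\xEC"), []
    for op in (0xE9, 0xE8, 0xE9):
        site_rvas.append(CODE_RVA + len(code))
        code += bytes([op]) + rel32(site_rvas[-1], REDIRECT_RVA) + b"\x90"
    code += b"\xC3"
    # Constructed "runtime observations": first and third site resolve to the same API.
    observed = dict(zip(site_rvas, (0x7C801D7B, 0x7C809AE4, 0x7C801D7B)))
    return rebuild_iat(code, CODE_RVA, REDIRECT_RVA, observed, IAT_RVA, IMAGE_BASE)
```

After `demo()` the two distinct APIs occupy slots 0x461000 and 0x461004 and no E8/E9 to the redirect routine remains in the patched code.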
Ox87k Posted August 24, 2007

deroko//ARTeam did it too, I think before shoooo! Great job ap0x!
SunBeam Posted August 24, 2007

I bet deroko was first. Call it a hunch.
ap0x (Author) Posted August 25, 2007

Well, deroko has more RLPack licenses than I do... And I have the keygen.
SunBeam Posted August 25, 2007

Haha. I tried getting a valid license once for 1.17 Full, based on someone else's. Yea, you guessed it - major phail...
thaton Posted August 26, 2007

Unpacked by Magic_h2001 from ExeTools: RLPack.1.19.UnPackme.Magiced.rar

Edited August 26, 2007 by thaton
Guest wynney Posted September 24, 2007

How to unpack it? Tut?
Guest eIcn Posted September 30, 2007

> How to unpack it? Tut?

No tuts so far.