acidflash Posted June 11, 2008 Share Posted June 11, 2008 (edited) Good luck...PECompact_UnPack_Me.rar Edited June 11, 2008 by acidflash Link to comment Share on other sites More sharing options...
quosego Posted June 11, 2008 Share Posted June 11, 2008 (edited) Unpacked; (needed to get away from winlicense.. ) Only look at it when you're stuck : Don't cheat!! http://www.willhostforfood.com/access.php?fileid=24402 PW: SnD123quo quosego PS: Thnx for the unpackme... It's a nice one for everybody new to unpacking.. Edited June 11, 2008 by quosego Link to comment Share on other sites More sharing options...
acidflash Posted June 11, 2008 Author Share Posted June 11, 2008 Unpacked;(needed to get away from winlicense.. ) Only look at it when you're stuck : Don't cheat!! http://www.willhostforfood.com/access.php?fileid=24402 PW: SnD123quo quosego PS: Thnx for the unpackme... It's a nice one for everybody new to unpacking.. Nice work I figured I would put 3 levels of packers up (all latest legit versions)... Link to comment Share on other sites More sharing options...
quosego Posted June 11, 2008 Share Posted June 11, 2008 (edited) Hey didn't notice the other two.. was working on some other winlicense target I'll do yours later on.. Doesn't use VM from the looks of it... So shouldn't be a problem.. Depends a bit if they changed the IAT redirs handling if it takes some extra time.. and actually looked at my method of fixing it.. though doubt it.. BTW new winlicense oep! They did a really big rewrite.. quosego Edited June 11, 2008 by quosego Link to comment Share on other sites More sharing options...
jesy Posted July 24, 2008 Share Posted July 24, 2008 unpacked00401E6E >/$ 55 PUSH EBP00401E6F |. 8BEC MOV EBP,ESP00401E71 |. 6A FF PUSH -100401E73 |. 68 58454100 PUSH dumped_.0041455800401E78 |. 68 904A4000 PUSH dumped_.00404A90 ; SE 处理程序安装00401E7D |. 64:A1 0000000>MOV EAX,DWORD PTR FS:[0]00401E83 |. 50 PUSH EAX00401E84 |. 64:8925 00000>MOV DWORD PTR FS:[0],ESP00401E8B |. 83EC 58 SUB ESP,5800401E8E |. 53 PUSH EBX00401E8F |. 56 PUSH ESI00401E90 |. 57 PUSH EDI00401E91 |. 8965 E8 MOV DWORD PTR SS:[EBP-18],ESP00401E94 |. FF15 AC314100 CALL DWORD PTR DS:[<&kernel32.GetVersion>; kernel32.GetVersion Link to comment Share on other sites More sharing options...
SunBeam Posted July 24, 2008 Share Posted July 24, 2008 (edited) PEC_EP == OEP, just so you know it 00361679 50 PUSH EAX ------------------------------[1]0036167A 8B75 0C MOV ESI,DWORD PTR SS:[EBP+C]0036167D 8DBB C61A0010 LEA EDI,DWORD PTR DS:[EBX+10001AC6]00361683 33C0 XOR EAX,EAX00361685 0206 ADD AL,BYTE PTR DS:[ESI]00361687 74 12 JE SHORT 0036169B00361689 0227 ADD AH,BYTE PTR DS:[EDI]0036168B 74 11 JE SHORT 0036169E0036168D 3C 61 CMP AL,610036168F 73 02 JNB SHORT 0036169300361691 04 20 ADD AL,2000361693 3AC4 CMP AL,AH00361695 75 04 JNZ SHORT 0036169B00361697 46 INC ESI00361698 47 INC EDI00361699 ^ EB E8 JMP SHORT 003616830036169B 58 POP EAX0036169C EB 05 JMP SHORT 003616A3 ----------------------------[2]0036169E E8 83FEFFFF CALL 00361526003616A3 8B75 10 MOV ESI,DWORD PTR SS:[EBP+10]003616A6 8B7D 08 MOV EDI,DWORD PTR SS:[EBP+8]003616A9 8B55 14 MOV EDX,DWORD PTR SS:[EBP+14]003616AC 85D2 TEST EDX,EDX003616AE 75 02 JNZ SHORT 003616B2003616B0 8BD6 MOV EDX,ESI003616B2 85F6 TEST ESI,ESI003616B4 75 02 JNZ SHORT 003616B8003616B6 8BF2 MOV ESI,EDX003616B8 C783 C21A0010 00000000 MOV DWORD PTR DS:[EBX+10001AC2],0 ----------------------------[3]003616C2 8B02 MOV EAX,DWORD PTR DS:[EDX]003616C4 85C0 TEST EAX,EAX003616C6 74 44 JE SHORT 0036170C003616C8 52 PUSH EDX003616C9 8983 C21A0010 MOV DWORD PTR DS:[EBX+10001AC2],EAX003616CF A9 00000080 TEST EAX,80000000003616D4 74 09 JE SHORT 003616DF003616D6 25 FFFFFF7F AND EAX,7FFFFFFF003616DB 6A 00 PUSH 0003616DD EB 0E JMP SHORT 003616ED003616DF 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8]003616E2 0341 08 ADD EAX,DWORD PTR DS:[ECX+8]003616E5 33C9 XOR ECX,ECX003616E7 66:8B08 MOV CX,WORD PTR DS:[EAX]003616EA 51 PUSH ECX003616EB 40 INC EAX003616EC 40 INC EAX003616ED 50 PUSH EAX003616EE FF75 FC PUSH DWORD PTR SS:[EBP-4]003616F1 FF93 4D1F0010 CALL DWORD PTR DS:[EBX+10001F4D]003616F7 5A POP EDX003616F8 85C0 TEST EAX,EAX003616FA ^ 0F84 6FFFFFFF JE 0036166F 00361700 8906 MOV DWORD PTR DS:[ESI],EAX //write fIAT00361702 8902 MOV DWORD PTR DS:[EDX],EAX00361704 83C2 04 ADD EDX,400361707 83C6 04 ADD ESI,40036170A ^ EB AC JMP SHORT 003616B8 ----------------------------[4]0036170C 33C0 XOR EAX,EAX0036170E 5E POP ESI0036170F 5F POP EDI00361710 5B POP EBX00361711 C9 LEAVE00361712 C2 1000 RET 10 Code in charge with IAT handling From [1] till [2] checks loaded libs, then from [3] till [4] processes the APIs Edited July 24, 2008 by sunbeam Link to comment Share on other sites More sharing options...
pavka Posted July 26, 2008 Share Posted July 26, 2008 Normal PeCompact. script var va var iat_st var oep var counter var ImageBase var lbase var simb mov counter,0 gmi eip,MODULEBASE mov ImageBase,$RESULT mov simb,$RESULT rev simb mov simb,$RESULT eval "#0000{simb}0000{simb}#" mov simb,$RESULT gpa "VirtualAlloc","kernel32.dll" bp $RESULT erun rtu mov lbase,eax erun bc eip rtu find lbase,simb cmp $RESULT,0 je quit mov oep,[$RESULT+8] mov iat_st,[$RESULT+30] add oep,ImageBase find eip,#8906890283C20483C604# cmp $RESULT,0 je quit mov [$RESULT],#8B028906# find eip,#034E085156E8????????85C074# cmp $RESULT,0 je quit bp $RESULT+A erun bc eip mov eip,oep cmt eip,"This is the OEP" sub oep,ImageBase mov counter,ImageBase add counter,3C mov counter,[counter] add counter,ImageBase add counter,28 mov [counter],oep add counter,58 mov [counter],iat_st dpe "dump.exe", eip msg ""The file is completely unpacked!" ret quit: ret Link to comment Share on other sites More sharing options...
acidflash Posted July 26, 2008 Author Share Posted July 26, 2008 Normal PeCompact. script var va var iat_st var oep var counter var ImageBase var lbase var simb mov counter,0 gmi eip,MODULEBASE mov ImageBase,$RESULT mov simb,$RESULT rev simb mov simb,$RESULT eval "#0000{simb}0000{simb}#" mov simb,$RESULT gpa "VirtualAlloc","kernel32.dll" bp $RESULT erun rtu mov lbase,eax erun bc eip rtu find lbase,simb cmp $RESULT,0 je quit mov oep,[$RESULT+8] mov iat_st,[$RESULT+30] add oep,ImageBase find eip,#8906890283C20483C604# cmp $RESULT,0 je quit mov [$RESULT],#8B028906# find eip,#034E085156E8????????85C074# cmp $RESULT,0 je quit bp $RESULT+A erun bc eip mov eip,oep cmt eip,"This is the OEP" sub oep,ImageBase mov counter,ImageBase add counter,3C mov counter,[counter] add counter,ImageBase add counter,28 mov [counter],oep add counter,58 mov [counter],iat_st dpe "dump.exe", eip msg ""The file is completely unpacked!" ret quit: ret Script works well, thanks -acid Link to comment Share on other sites More sharing options...
SunBeam Posted July 26, 2008 Share Posted July 26, 2008 Good work, pavka You've become a "script kiddie" Messin' with you Link to comment Share on other sites More sharing options...
Godkiller Posted March 30, 2009 Share Posted March 30, 2009 Normal PeCompact. script var va var iat_st var oep var counter var ImageBase var lbase var simb mov counter,0 gmi eip,MODULEBASE mov ImageBase,$RESULT mov simb,$RESULT rev simb mov simb,$RESULT eval "#0000{simb}0000{simb}#" mov simb,$RESULT gpa "VirtualAlloc","kernel32.dll" bp $RESULT erun rtu mov lbase,eax erun bc eip rtu find lbase,simb cmp $RESULT,0 je quit mov oep,[$RESULT+8] mov iat_st,[$RESULT+30] add oep,ImageBase find eip,#8906890283C20483C604# cmp $RESULT,0 je quit mov [$RESULT],#8B028906# find eip,#034E085156E8????????85C074# cmp $RESULT,0 je quit bp $RESULT+A erun bc eip mov eip,oep cmt eip,"This is the OEP" sub oep,ImageBase mov counter,ImageBase add counter,3C mov counter,[counter] add counter,ImageBase add counter,28 mov [counter],oep add counter,58 mov [counter],iat_st dpe "dump.exe", eip msg ""The file is completely unpacked!" ret quit: ret Strong !!!! Link to comment Share on other sites More sharing options...
Eviler Posted April 12, 2009 Share Posted April 12, 2009 (edited) Upload My work UnPacked.rar Edited April 12, 2009 by Eviler Link to comment Share on other sites More sharing options...
ala_borbe Posted April 12, 2009 Share Posted April 12, 2009 (edited) here is my work too.. easy i also coded a small plugin for imprec juct for fun (four lines of code, although i am sure that this can be done in less lines) so here it is, together with sorce pecompact_unpack_me_dump_.rar PECompact_2.86.1_imprec.rar Edited April 12, 2009 by donny Link to comment Share on other sites More sharing options...
joekames Posted May 4, 2009 Share Posted May 4, 2009 (edited) here is my unpack...did the esp trick to find oep, dumped...used imprec to rebuild the IAT..i used the PECompact 2.7.x.dll plug in and it worked fine, also used donny's plug, which also worked fine (nice job), either way u will end up with one invalid which u can just delete because is a junk one (un-needed, u can go to the address and c for urself) ...and used lordpe to rebuild and bam unpacked...uploaded what i did...anyquestions feel free to ask and there is no stupid questions, unless someone tells u it is stupid ^^dumped.rar Edited May 4, 2009 by joekames Link to comment Share on other sites More sharing options...
ghandi Posted May 4, 2009 Share Posted May 4, 2009 Unpacked manually, 2 different methods... First was to disable redirection (simple Jxx to patch) and remove single invalid ptr. Dumped and fixed imports with ImpREC Second method was to make it save original import thunks back to thunk table, as IAT isnt destroyed. Instead of allowing it to save redirected crap, patch in a little jmp and PUSH DWORD PTR [EDX], POP DWORD PTR [ESI], with a jump back to where it loads next slot. (ADD EDX,4 - ADD ESI,4) Dumped when imports were finished, code is already unpacked. Edit PE header to point to original import table and its done. I can make a small tut if anyone is interested. HR, Ghandi Unpacked.2.methods.rar Link to comment Share on other sites More sharing options...
Goaul Posted May 17, 2009 Share Posted May 17, 2009 Unpacked manually, 2 different methods... ... I can make a small tut if anyone is interested. HR, Ghandi That would be great from u G Link to comment Share on other sites More sharing options...
phiphi Posted May 21, 2009 Share Posted May 21, 2009 This is my tut...Download : 1.98 Mb RAR(including target and tut)http://www.4shared.com/file/106544894/52dd0fa5/UnPackMe_PeCompactV_2984.html Link to comment Share on other sites More sharing options...
Goaul Posted May 23, 2009 Share Posted May 23, 2009 This is my tut...Download : 1.98 Mb RAR(including target and tut) http://www.4shared.com/file/106544894/52dd0fa5/UnPackMe_PeCompactV_2984.html hmm, only for me the tut lng is little bit strange and looks like this? Link to comment Share on other sites More sharing options...
Goldocrack Posted July 5, 2009 Share Posted July 5, 2009 here is my work too.. easy i also coded a small plugin for imprec juct for fun (four lines of code, although i am sure that this can be done in less lines) so here it is, together with sorce Your plugin does not work on vista neither on win7 Why? Thanks for your answer Link to comment Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now