Jump to content
Tuts 4 You

[unpackme] ASmbc


by:70

Recommended Posts

Ok so i thought this was the OEP.

66003575	 FF15 98100066			 CALL DWORD PTR DS:[66001098]					; ntdll.RtlLeaveCriticalSection
6600357B C3 RETN
6600357C 55 PUSH EBP ; unpakme.00405013 - OEP
6600357D 8BEC MOV EBP,ESP
6600357F 6A FF PUSH -1

When i dump the file I get an error when opening it. Am I missing something?

Link to comment

Ok well i've unpacked it. I sort of cheated and had a look at pavka's unpacked .exe. I don't understand why the starting address has to be placed there.

Also how do we remove extra sections that arn't needed to minimise the file size?

http://rapidshare.com/files/171648398/dump.rar
Link to comment
Ok well i've unpacked it. I sort of cheated and had a look at pavka's unpacked .exe. I don't understand why the starting address has to be placed there.

Also how do we remove extra sections that arn't needed to minimise the file size?

http://rapidshare.com/files/171648398/dump.rar

when you reach the moleboxed oep (esp trick and go inside call eax) run the program and search for intermodular calls. You'll see one call:

msvbvm60.ThunRTMain<==== It's always placed before the oep in vb programs

The OEP is this:

00401128 68 4C1B4000 PUSH 00401B4C ; ASCII "VB5!6&vb6chs.dll"

0040112D E8 F0FFFFFF CALL 00401122 ; JMP to msvbvm60.ThunRTMain

Fix the iat is easy.... for remove extra section I have used DIE becuse it scans the sections...

example ( section a:code,section b:imports,section c:resource,section d:none... maybe it is an "extra section"....). Then you can wipe those sections and rebuild the exe with LordPe.

Regards

NoScONf

Edited by nosconf
Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...