[unpackme] HSN.C3r protector 1.00 UnpackMe


HSN.C3r


Another way, without a script.

patch

005332D3 60 PUSHAD

005332D4 B9 18114500 MOV ECX,unpackme.00451118

005332D9 03CB ADD ECX,EBX

005332DB 8339 00 CMP DWORD PTR DS:[ECX],0

005332DE 74 07 JE SHORT unpackme.005332E7

005332E0 8901 MOV DWORD PTR DS:[ECX],EAX

005332E2 33C9 XOR ECX,ECX

005332E4 EB 17 JMP SHORT unpackme.005332FD

005332E6 90 NOP

005332E7 83C1 04 ADD ECX,4

005332EA 8901 MOV DWORD PTR DS:[ECX],EAX

005332EC 33C9 XOR ECX,ECX

005332EE 61 POPAD

005332EF 83C3 08 ADD EBX,8

005332F2 EB 0D JMP SHORT unpackme.00533301

005332F4 0000 ADD BYTE PTR DS:[EAX],AL

005332F6 8B09 MOV ECX,DWORD PTR DS:[ECX]

005332F8 83C3 05 ADD EBX,5

005332FB 890B MOV DWORD PTR DS:[EBX],ECX

005332FD 61 POPAD

005332FE 83C3 04 ADD EBX,4

00533301 03D1 ADD EDX,ECX

00533303 59 POP ECX

00533304 49 DEC ECX

00533305 0BC9 OR ECX,ECX

00533307 ^ 0F85 7BFFFFFF JNZ unpackme.00533288

0053330D 83C6 04 ADD ESI,4

00533310 59 POP ECX

00533311 49 DEC ECX

00533312 0BC9 OR ECX,ECX

00533314 ^ 0F85 2DFFFFFF JNZ unpackme.00533247

0053331A 68 6F5E5300 PUSH unpackme.00535E6F

0053331F C3 RETN


Nothing important has changed protection-wise. :( http://www.mediafire.com/?kl1gtnkn1td

This is how I resolve imports. After that, use ImpRec with "Trace Level1 (Disasm)".

Pavka's method is a little bit different but should work as well.

0056DADE 60 PUSHAD
0056DADF 90 NOP
0056DAE0 90 NOP
0056DAE1 90 NOP
0056DAE2 90 NOP
0056DAE3 90 NOP
0056DAE4 90 NOP
0056DAE5 90 NOP
0056DAE6 90 NOP
0056DAE7 81C3 3AF05600 ADD EBX,unpackme.0056F03A
0056DAED C603 E9 MOV BYTE PTR DS:[EBX],0E9
0056DAF0 2BC3 SUB EAX,EBX
0056DAF2 83E8 05 SUB EAX,5
0056DAF5 8943 01 MOV DWORD PTR DS:[EBX+1],EAX
0056DAF8 90 NOP
0056DAF9 90 NOP
0056DAFA 90 NOP
0056DAFB 90 NOP
0056DAFC 90 NOP
0056DAFD 90 NOP
0056DAFE 90 NOP
0056DAFF 90 NOP
0056DB00 90 NOP
0056DB01 90 NOP
0056DB02 90 NOP
0056DB03 90 NOP
0056DB04 90 NOP
0056DB05 90 NOP
0056DB06 90 NOP
0056DB07 90 NOP
0056DB08 61 POPAD
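The listing above rewrites a stub into a near relative jump: it stores `E9` at [EBX] and `EAX - EBX - 5` as the 32-bit operand, i.e. the target minus the address of the byte after the 5-byte instruction. The Python below is an added example, not code from any post in this thread; it implements that encoding and its inverse, and uses the decoder for the check a hook detector performs on API entry points (is the first instruction an `E9` that leaves the module?). All addresses and prologue bytes in it are constructed.

```python
import struct

JMP_REL32 = 0xE9   # opcode of the near relative jump (rel32) the listing writes at [EBX]
JMP_LEN = 5        # opcode + 4-byte displacement; the "SUB EAX,5" in the listing


def encode_jmp_rel32(patch_addr: int, target: int) -> bytes:
    """Bytes the listing writes: E9 followed by (target - patch_addr - 5), little-endian.

    The displacement is relative to the end of the instruction, so a backward
    jump becomes a negative 32-bit value; masking keeps the two's-complement form.
    """
    disp = (target - patch_addr - JMP_LEN) & 0xFFFFFFFF
    return bytes([JMP_REL32]) + struct.pack("<I", disp)


def decode_jmp_rel32(patch_addr: int, code: bytes):
    """Destination of an E9 jump located at patch_addr, or None if code is not one."""
    if len(code) < JMP_LEN or code[0] != JMP_REL32:
        return None
    disp = struct.unpack("<i", code[1:JMP_LEN])[0]   # signed, so backward jumps decode correctly
    return (patch_addr + JMP_LEN + disp) & 0xFFFFFFFF


def redirected_entries(entry_bytes: dict) -> dict:
    """Given {api_address: first 5 bytes at that address}, report the entries whose
    prologue has been replaced by an E9 jump and where each one now goes.
    This is the integrity check an API-hook detector performs on export entry points."""
    hooked = {}
    for addr, code in entry_bytes.items():
        dest = decode_jmp_rel32(addr, code)
        if dest is not None:
            hooked[addr] = dest
    return hooked


if __name__ == "__main__":
    # Constructed addresses: a stub inside the image and a fake API far above it.
    stub, api = 0x00401000, 0x7C801D7B
    fwd = encode_jmp_rel32(stub, api)
    back = encode_jmp_rel32(api, stub)
    print(fwd.hex(), "->", hex(decode_jmp_rel32(stub, fwd)))
    print(back.hex(), "->", hex(decode_jmp_rel32(api, back)))
    # One redirected entry and one clean "mov edi,edi; push ebp; mov ebp,esp" prologue (constructed).
    sample = {api: back, 0x7C801E3B: bytes.fromhex("8BFF558BEC")}
    print({hex(a): hex(d) for a, d in redirected_entries(sample).items()})
```

The forward jump from 0x00401000 to 0x7C801D7B encodes as `E9 76 0D 40 7C`; the reverse direction gives the negative displacement `E9 80 F2 BF 83`, which is why the decoder unpacks the operand as a signed integer.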
4 months later...

However the protection is stronger than version 1.00. :P

Thanks. ;)

I will make a tutorial in Spanish for the 2 versions of this unpackme..

See if you want to read it:
http://ricardonarvaja.net/WEB/CURSO%20NUEVO/TEORIAS%20NUMERADAS/1201-1300/1265-hsn%20by%20Apuromafo.7z

I decrypted the sub al,bl and add al,bl and inlined them,

I saw how you divide and move the values of the APIs..

It is 9.x MB of tools and method to unpack these 2 unpackmes, without StrongOD/plugins, only the script.. and reading a little..

greeting Apuromafo

Link to comment

Hi apuromafo,

your link does not work.

The .net is down.. try the .info:
http://ricardonarvaja.info/WEB/CURSO%20NUEVO/TEORIAS%20NUMERADAS/1201-1300/1265-hsn%20by%20Apuromafo.7z

or
http://ricardonarvaja.info/WEB/CURSO%20NUEVO/TEORIAS%20NUMERADAS/1201-1300/

number 1265


It would be better to post English version of it.

Thank you apuromafo.

Exeinfo PE: Poly!Crypt v.2.8(2007.03) by [BUNG]

It's a false detection, or BUNG's PolyCrypter is similar! :no:

The obfuscator engine was created by myself. And I am improving it. :P


That is my native language.

I will try to translate that some day.. but the script can summarize it all..

And maximus.exe will help to decode the packer involved.

Yes, I know it is custom, because I unpacked something similar some time ago, but all of them are packers in themselves..

It is a good challenge :)

1 month later...

Tutorial in English. It is only a small translation. (46 pages..)
http://forum.tuts4you.com/index.php?showtopic=23950

Edited by apuromafo
2 months later...

Hmmm, won't run on XP SP3. Works fine on Windows 7 though.

Will give it a try on Win7.

EDIT:

1.

Lol, you're killing my explorer.exe when I go to the OllyDbg folder. ;)

2.

Hooking GetModuleHandleA and I should be able to attach my Olly. ;) Since I'm too lazy to actually debug your code.

00405B04 $- FF25 E4214500 JMP DWORD PTR DS:[4521E4]

Never underestimate the power of weirdo exotic dumpers, you can't possibly check them all. :)

3.

Yup, done, hooked it and suspended all threads, which'll mean I can attach near OEP. Everything else should be a walk in the park.

Running tracer to find the logic in the IAT redirects.

4.

Voila, tracer produces an API. ;) (takes a minute though. ;) )

(Well, since this process should take f-ing long and I am not in the mood to make something decent, time to do some other stuff.)

Unpack should follow in about 1 hour. (if not longer.. )

00452118 77777B5B [{ww ntdll.RtlDeleteCriticalSection
0045211C 77766B40 @kvw ntdll.RtlLeaveCriticalSection
00452120 77766B7E ~kvw ntdll.RtlEnterCriticalSection
00452124 7777F8BE ¾øww ntdll.RtlInitializeCriticalSection
00452128 76AE0D35 5.®v kernel32.VirtualFree
0045212C 76AE05F4 ô®v kernel32.VirtualAlloc
00452130 76AE057C |®v kernel32.LocalFree

etc.

Okay, takes way too long; improved and should be fixed in a few secs.

5.

Done, import table retrieved. :) Only the OEP is left.

6.

Here ya go; final unpack:
http://ifile.it/ynfismr/dumped_.rar

Lame IAT script below.


bphws 01601230, "x"
mov temp, 452118
jmp LABEL_04
LABEL_03:
add temp, 4
LABEL_04:
mov temp_1, temp
cmp [temp], 0
je LABEL_03
cmp temp, 4526d4
je LABEL_05
mov eip, [temp]
esto
sti
sti
LABEL_02:
mov [temp_1], eip
jmp LABEL_03
LABEL_05:
ret
Edited by quosego
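quosego's dump lines above use the layout of OllyDbg's dump window: the IAT slot address, the 32-bit value stored there, that value rendered as four characters, and the resolved `module.function`. His script walks the same slots from 452118 towards 4526d4 four bytes at a time, skipping zero entries. The Python below is an added example and not code from any post here: it parses that layout into an import list, checks that the slots are contiguous (a gap means the dump was not taken from one table), groups the imports per DLL the way an IAT rebuilder needs them, and reports the range the script's loop would cover. The first seven sample lines are the ones posted above; the zero slot and the user32 entry after them are constructed.

```python
import re
from collections import OrderedDict

# Sample dump: the first seven lines are the ones posted above; the zero slot
# (the separator the script's "cmp [temp], 0" skips) and the user32 entry are constructed.
DUMP = """\
00452118  77777B5B  [{ww  ntdll.RtlDeleteCriticalSection
0045211C  77766B40  @kvw  ntdll.RtlLeaveCriticalSection
00452120  77766B7E  ~kvw  ntdll.RtlEnterCriticalSection
00452124  7777F8BE  ¾øww  ntdll.RtlInitializeCriticalSection
00452128  76AE0D35  5.®v  kernel32.VirtualFree
0045212C  76AE05F4  ô®v   kernel32.VirtualAlloc
00452130  76AE057C  |®v   kernel32.LocalFree
00452134  00000000
00452138  77D5058A  ....  user32.MessageBoxA
"""

SLOT_SIZE = 4  # 32-bit thunks; the "add temp, 4" in the script

# slot address, value, optional remainder (character column + resolved name)
LINE_RE = re.compile(r"^([0-9A-Fa-f]{8})\s+([0-9A-Fa-f]{8})(?:\s+(.*))?$")


def parse_iat_dump(text: str) -> list:
    """Parse dump lines into (slot, value, module, function) tuples.

    Zero slots come back with module/function None.  The character column is
    ignored: it is only the value shown as bytes and may contain anything, so
    the resolved name is taken from the last whitespace-separated token.
    Raises ValueError on an unparsable line or on a slot that is not 4 bytes
    after the previous one.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised dump line: {line!r}")
        slot, value = int(m.group(1), 16), int(m.group(2), 16)
        if value == 0:
            entries.append((slot, 0, None, None))
            continue
        tokens = (m.group(3) or "").split()
        if not tokens or "." not in tokens[-1]:
            raise ValueError(f"slot {slot:08X} has a value but no module.function name")
        module, func = tokens[-1].rsplit(".", 1)
        entries.append((slot, value, module.lower(), func))
    for (prev, *_), (cur, *_) in zip(entries, entries[1:]):
        if cur - prev != SLOT_SIZE:
            raise ValueError(f"gap between slots {prev:08X} and {cur:08X}")
    return entries


def group_by_module(entries: list) -> OrderedDict:
    """Imports per DLL in slot order: {module: [(slot, function), ...]}."""
    groups = OrderedDict()
    for slot, value, module, func in entries:
        if module is not None:
            groups.setdefault(module, []).append((slot, func))
    return groups


def walk_bounds(entries: list) -> tuple:
    """(first slot, end slot exclusive, number of non-zero slots) the script's loop would visit."""
    start = entries[0][0]
    end = entries[-1][0] + SLOT_SIZE
    fixed = sum(1 for e in entries if e[1] != 0)
    return start, end, fixed


if __name__ == "__main__":
    entries = parse_iat_dump(DUMP)
    for module, imports in group_by_module(entries).items():
        print(f"{module}: " + ", ".join(f"{f}@{s:08X}" for s, f in imports))
    start, end, fixed = walk_bounds(entries)
    print(f"walk {start:08X}..{end:08X}, {fixed} slots to resolve")
```

Grouping by the module name rather than by zero separators matters here: in the posted dump the ntdll entries run straight into the kernel32 ones at 00452128 with no zero slot between them, so a rebuilder that only splits on zeros would put them in one block.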

Hmm, weird, well it just access violates here. Ah well, perfectly unpackable in Win7 though. :)

In regard to difficulty I'd give it a low medium. Didn't require too much time, definitely fun though.

(unpack is located in my previous post.)

Edited by quosego

@quosego: Thanks for the explanation of the unpacking and finally the unpacked file. Perfect!

@EvOlUtIoN: Because of the anti-debug which I've used, it must be extracted.

Edited by HSN.C3r

I also finished this... didn't write a tracer. Took another way.

I just dumped 2 other sections and attached to the dump. Then I wrote a little handler that fixed all pointers for me.

This unpackme is quite interesting imho, the IAT redirect is just like the old Obsidium version, but the anti-debug is really nice. Congratz!

The OEP is only a few bytes to rebuild; it does not take more than one minute.

Will post my clean unpacked (a few more than 400KB) as soon as I arrive at home.


Anti-debug can be bypassed using unmodified Olly with Phantom and StrongOD.

StrongOD Configurations: kernel mode , Hidepeb and skip some exceptions

Phantom Configurations: Change olly caption.

You have to edit ollydbg.ini first:

CAPTEXT=Anyname
PRETEXT=Anyname

For iat fixing use the script below.

BPHWCALL
GPA "VirtualAlloc", "kernel32.dll"
BP $RESULT
RUN
BC $RESULT
FINDMEM #8937E94966FEFFE89E84FFFF#
MOV [$RESULT+1],#07#
BPHWS 405bc8, "x"
Run
ret

UnPacked.rar

Edited by Ronar22

Well done! ;)

It seems this anti-debug is not compatible with some operating systems, so you can easily bypass it.

Setting the configurations that you mentioned above does not bypass the anti-debug on my OS.

(And I think on the OS of some users who downloaded the unpackme!)

Edit:

The special anti-debug that I used in this version is not compatible with Win7 & maybe Vista, so you can easily unpack it.

But on Win XP it fully works, and it will be harder to unpack.

Edited by HSN.C3r