Gladiator Posted September 7, 2011
Hi, please unpack and write a tut.
Enabled options:
[+] Anti OllyDbg
[+] Anti Dump Protection
[+] IAT Redirection
DizzY_D Posted September 7, 2011
Unpacking this one is quite easy, but the problem is that none of the currently available import fixers can fix the IAT successfully. Neither on Win XP x86 nor on Win 7 x64.
ImpREC: Detects wrong ImageBase.
CHimpRC: Detects wrong ImageBase.
Imports Fixer: Says "The process doesn't exist anymore!", but it does.
Scylla: Detects right ImageBase but crashes while fixing the dump.
That's very frustrating. Anyone got a solution?
LCF-AT Posted September 7, 2011
Hi, ok, here is my unpacked file. Test it. The solution is very simple. There is nothing to fix. Level 1 | 10
greetz
UnpackMe_Unpacked.rar
Gladiator Posted September 7, 2011 Author
Thanks LCF-AT. This is very similar to binders, am I right?
deepzero Posted September 7, 2011
"Scylla: Detects right ImageBase but crashes while fixing the dump"
Go report it, Scylla is still in the initial phase of development.
LCF-AT Posted September 7, 2011
@ Magician No problem, but you should better throw this protection in the trash. The problem is that the full target is already there, which is original and not protected. Some kind of wrapper or so. You only need to catch the real place and then only dump it with the right PE data, and that's all. So you had already used better protections in the past.
greetz
DizzY_D Posted September 7, 2011
Oh damn, I forgot that everything is valid already. So here is my dumped file.
Dumped.rar
Edited September 7, 2011 by DizzY_D
Gladiator Posted September 7, 2011 Author
Could you make a little, short tut? Thanks
DizzY_D Posted September 7, 2011
Sorry, I have to finish the Enigma paper first. Maybe after that.
Gladiator Posted September 7, 2011 Author
Thanks, I'd like to wait for the Enigma paper, it's better.
Aguila Posted September 7, 2011
Nice unpackme. How do you fake the process image path? I know there is some PEB trick, but usually it is still possible to get the image path with NtQueryInformationProcess and ProcessImageFileName.
LCF-AT Posted September 7, 2011
Hi, here is a small script.

pause
bphwc
bc
// VI Protect UnpackMe direct dumper
// Start script at EP
var A
var MZ
mov A, eip
////////////////////
LOOP:                                   // single-step until EIP has moved away from A
sti
cmp eip, A
je LOOP
bphws esp, "r"                          // hardware breakpoint on read of [ESP], run to it
esto
bphwc
bp eip+0BA
esto
bc
bp eip+35
run
bc
cmt eip, "IsDebuggerPresent PEB | JMP if NOT"
add eip, 101
mov A, eip
bp eip+15
run
bc
add eip, 94
mov A, eip
////////////////////
LOOP2:                                  // single-step until EIP has moved away from A, ESI = image base
sti
cmp eip, A
je LOOP2
mov A, eip
mov MZ, esi
pusha
mov eax, [esi+3C]                       // e_lfanew
add eax, MZ                             // address of the PE header
mov eax, [eax+50]                       // OptionalHeader.SizeOfImage
dm esi, eax, "Unpacked_AT.exe"          // dump SizeOfImage bytes starting at the image base
popa
ret

greetz
metr0 Posted September 8, 2011
It's the infamous RunPE method, which is why import tools have trouble finding the real executable's path (the process is started as your default browser and then unmapped).
Edited September 8, 2011 by metr0
CodeExplorer Posted September 8, 2011
CreateProcessW("C:\Program Files\Mozilla Firefox\firefox.exe")
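The RunPE situation metr0 describes (the real image mapped into a process whose path still says firefox.exe) is exactly what LCF-AT's script relies on when it reads e_lfanew at offset 0x3C and SizeOfImage at PE+0x50. The following Python is an added example, not code from the thread or from any poster: it reads those fields from constructed PE headers, computes the same dump extent the script uses, and, from the defender's side, flags a hollowed process by comparing the headers mapped at PEB.ImageBaseAddress with the headers of the file the process claims to be. All header bytes are constructed test data; no real binary is read.

```python
import struct

def build_pe_header(image_base, size_of_image, timestamp, pe32plus=False):
    """Constructed minimal PE header (test data only, not a real binary)."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    opt_size = 0xF0 if pe32plus else 0xE0
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PtrSymTab, NumSyms,
    # SizeOfOptionalHeader, Characteristics
    file_hdr = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 1, timestamp,
                           0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)   # Magic
    if pe32plus:
        struct.pack_into("<Q", opt, 0x18, image_base)               # ImageBase (PE32+)
    else:
        struct.pack_into("<I", opt, 0x1C, image_base)               # ImageBase (PE32)
    struct.pack_into("<I", opt, 0x38, size_of_image)                # SizeOfImage = PE+0x50
    return dos + b"PE\0\0" + file_hdr + bytes(opt)

def parse_headers(buf):
    """Read the fields the dumper script reads: e_lfanew at 0x3C, SizeOfImage at PE+0x50."""
    if buf[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe = struct.unpack_from("<I", buf, 0x3C)[0]
    if buf[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    magic = struct.unpack_from("<H", buf, pe + 0x18)[0]
    if magic == 0x20B:
        image_base = struct.unpack_from("<Q", buf, pe + 0x18 + 0x18)[0]
    else:
        image_base = struct.unpack_from("<I", buf, pe + 0x18 + 0x1C)[0]
    return {
        "timestamp": struct.unpack_from("<I", buf, pe + 8)[0],
        "image_base": image_base,
        "size_of_image": struct.unpack_from("<I", buf, pe + 0x50)[0],
    }

def check_hollowing(peb_image_base, mem_hdr, disk_hdr):
    """Compare the headers mapped at PEB.ImageBaseAddress with the headers of the file the
    process path points to. Any mismatch means the original image was replaced (RunPE).
    Returns (mismatched fields, (dump start, dump length)) - the latter is what the
    script's 'dm esi, eax' writes out."""
    mem, disk = parse_headers(mem_hdr), parse_headers(disk_hdr)
    hits = [k for k in ("timestamp", "image_base", "size_of_image") if mem[k] != disk[k]]
    return hits, (peb_image_base, mem["size_of_image"])
```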