Tuts 4 You

[UnpackMe] Simple Nag Remove


Gladiator


Hi Magician,

again a new file to test? :)

Ok, here is my unpacked file. Test it.

New anti debug tricks - Low level - Only one check to bypass | quick patch

IAT RD - Low Level

MOV DWORD PTR DS:[EDX],EAX and ECX

Anti Dumping protect - Low Level

------------------------------

Level 1 of 10

greetz

NagRemove_Unpacked.rar


@ rooster1

1. What happens if you run it in Olly? It terminates, right?

- Set BP on TerminateProcess & run :)

or

- Just start tracing with F8 from the last known call address, then you will find this.

Bypass + OEP

003C0000 PUSH 400000
003C0005 PUSH 3B0000
003C000A PUSH 7C800000
003C000F PUSH 7C910000
003C0014 MOV EAX,9B2510
003C0019 CALL EAX
003C001B MOV ESP,12FF80
003C0020 JMP EAX

$+45133 009B5133 PUSH -1
$+45135 009B5135 PUSH -1
$+45137 009B5137 PUSH 28
$+45139 009B5139 CALL 009B0900

$+40900 009B0900 POP EAX
$+40901 009B0901 XCHG DWORD PTR SS:[ESP],EAX
$+40904 009B0904 SHL EAX,2
$+40907 009B0907 LEA EAX,DWORD PTR DS:[EAX+9B0995]
$+4090D 009B090D JMP DWORD PTR DS:[EAX]
$+4090F 009B090F PUSH EAX
$+40910 009B0910 SUB EAX,9B0995
$+40915 009B0915 PUSH EAX
$+40916 009B0916 LEA EAX,DWORD PTR DS:[EAX+9B15EB]
$+4091C 009B091C MOV EAX,DWORD PTR DS:[EAX]
$+4091E 009B091E LEA EAX,DWORD PTR DS:[EAX+9B15EB]
$+40924 009B0924 PUSH EAX
$+40925 009B0925 PUSH 9B0988
$+4092A 009B092A PUSH 9B098C ; ASCII "kernel32"
$+4092F 009B092F CALL 009A8BD0
$+40934 009B0934 XCHG DWORD PTR SS:[ESP],EAX
$+40937 009B0937 POP DWORD PTR DS:[EAX]
$+40939 009B0939 JMP DWORD PTR DS:[EAX] ; kernel32.TerminateProcess

kernel32.TerminateProcess <----
7C801E1A TerminateProcess MOV EDI,EDI

origin to ret 8

7C801E1A TerminateProcess RETN 8
003C001B MOV ESP,12FF80
003C0020 JMP EAX ; NagRemov.0045570C

EAX 0045570C NagRemov.0045570C <------ OEP
ECX 0012FE0C
EDX 7C91E4F4 ntdll.KiFastSystemCallRet
EBX 003C0000
ESP 0012FF80
EBP 0012FED8
ESI 0040B9B0 NagRemov.0040B9B0
EDI 003B0000
EIP 003C0020

0045570C PUSH EBP ; OEP

00404868 JMP EAX | EAX=003C0000 <--- MEM ADDR

IAT:


$ ==> 0045D6C8 770F4880 oleaut32.SysFreeString
$+38 0045D700 003E24DC <-- RD
$+C0 0045D788 003F288C <-- RD
$+C4 0045D78C 00000000
$+C8 0045D790 7E37E4A9 USER32.CreateWindowExA
$+440 >77BD1A40 version.GetFileVersionInfoA
$+444 >00000000
$+448 >003E270C <-- RD
$+514 >003D2AAC <-- RD
$+518 >00000000
$+51C >77DA7AAB ADVAPI32.RegQueryValueExA
$+528 >77DA6C17 ADVAPI32.RegCloseKey
$+52C >00000000
$+530 >003F2C0C <-- RD
$+534 >00000000
$+538 >770FAB10 oleaut32.SafeArrayPtrOfIndex
$+5A8 >773B935B comctl32.ImageList_Create
$+5AC >00000000

0097A046 8902 MOV DWORD PTR DS:[EDX],EAX <--- for RD blocks patch eax to ecx
0097A048 75 06 JNZ SHORT 0097A050

You can also fix the IAT at the OEP, so it's very easy, and you can see all API push values or simple XORings.

@ donny

Your dump crashes. :(

Why?

Look in your Import Table, there you can see...

00073000 <--- RVA

F0 <--- size should be 104

In your import table there is only ONE User32.dll module to find:

0045D6E8 7E3811DB USER32.GetKeyboardType

0045D6EC 7E37B19C USER32.DestroyWindow

0045D6F0 7E37C908 USER32.LoadStringA

0045D6F4 7E3A07EA USER32.MessageBoxA

0045D6F8 7E37C8B0 USER32.CharNextA

But the app uses 2 User32.dll blocks, and you have fixed just the one above and not the other.

$ ==> >75CFA5E6 <--- Your direct address of API

$+4 >75D02DDB

$+8 >75D04378

$+C >75D02D12

till

$+288 >75D09485

$+28C >00000000

So if you fix this again correctly, then your dump runs very well. :)

Info for you: Always search IAT start / end manually and enter the data in your fixing tool.

Load your dump now in Olly, start Scylla and enter...

IAT: 0045D6C8

size: 5AC

and fix your dump a 2nd time.

greetz
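As an added example that is not part of the thread (neither LCF-AT's nor donny's code), the following Python checks a dumped IAT the way the two posts above describe: it computes the size to enter into the fixing tool, lists the redirected (RD) entries that point outside every known module, and reports a module whose thunks sit in two separate blocks, which is what made donny's dump crash. The module ranges and thunk values are constructed for illustration, only loosely modelled on the addresses in the posts.

```python
# Added example (not from the thread): sanity-check a dumped IAT before entering start/size into a fixer such as Scylla.
from collections import Counter

# Constructed module ranges (assumption; take them from Olly's module list).
MODULE_RANGES = {
    "kernel32": (0x7C800000, 0x7C8F6000),
    "USER32":   (0x7E360000, 0x7E3F0000),
    "oleaut32": (0x770E0000, 0x7716B000),
    "ADVAPI32": (0x77DA0000, 0x77E4A000),
}
IAT_START = 0x0045D6C8
# Constructed thunk column: 0 separates module blocks; values that fall in
# no module are the packer's redirected (RD) stubs.
THUNKS = [0x770F4880, 0x003E24DC, 0,
          0x7E37E4A9, 0x7E3811DB, 0,
          0x77DA7AAB, 0x003F2C0C, 0,
          0x7E37B19C, 0]

def classify(thunk):
    """Module a thunk points into, 'RD' if it is outside every known
    module, None for the zero terminator between blocks."""
    if thunk == 0:
        return None
    for name, (lo, hi) in MODULE_RANGES.items():
        if lo <= thunk < hi:
            return name
    return "RD"

def analyze_iat(start, thunks):
    """Size for the fixer (every DWORD up to and including the last
    terminator, as the thread counts 5AC), RD entry addresses, the module
    of each block, and modules split over two blocks (donny's crash)."""
    blocks, current, redirected = [], [], []
    for i, t in enumerate(thunks):
        kind = classify(t)
        if kind is None:
            if current:
                blocks.append(current)
            current = []
            continue
        if kind == "RD":
            redirected.append(start + 4 * i)
        current.append(kind)
    if current:                      # dump ended without a terminator
        blocks.append(current)
    # A block is named by its one real module; RD stubs name nothing.
    names = [next((k for k in b if k != "RD"), "unknown") for b in blocks]
    split = sorted(m for m, n in Counter(names).items() if n > 1)
    return {"size": 4 * len(thunks), "redirected": redirected,
            "blocks": names, "split_modules": split}
```

Running `analyze_iat(IAT_START, THUNKS)` on the constructed column reports `USER32` as split over two blocks, so both blocks must be covered by the start/size given to the fixer.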


Lots of stuff to do in "real life", but now I'm back.

@LCF-AT

OK, I messed up... I knew that there was a problem with the imports, but the file ran OK on my PC that day, but the next day it did not... strange.

Also, however I rebuild the file with ImpRec, it works on my PC but not on the others, and Scylla did not rebuild the OEP, so I had to do this manually.

Please test those files now.

unpacked.rar

iat.rar


@ donny

So your SCY file works. :)

So just use the right settings of your fixing tool, enter the data manually and then fix your dump. This way you are on the safe side. I also just use Scylla for fixing any dumped files.

greetz


@ donny

Funny script. :)

Here are some basic infos for you if you like. Just to save time next time + to know what it really does.

------------------------------------
MOV [temp], 90c033, [3] <--- [3] has no sense. No brackets!
MOV [temp], 90c033, 3 <--- now it has a sense
MOV [temp], DWORD <--- always writes 4 bytes
MOV [temp], DWORD, SIZE <--- Size = 1 or 2 or 3 | no size = 4
If you enter just one, two or three bytes without size = 4 bytes to write
MOV [temp], 90c033 <--- = 90C033|00 <-- = 00 bytes automatically used
MOV [temp], 90 <--- = 90|000000 <-- = 3x00 after used
-----------------------------------
MOV temp, eip, [4] = MOV temp, eip
MOV OEP, eip+20, [4] = MOV OEP, eip+20
MOV temp, [eip+15] , [4] = MOV temp, [eip+15]
MOV [temp], 90c033, [3] = MOV [temp], 90c033, 03
MOV [patch_addr-27C4], #9090#, [2] = MOV [patch_addr-27C4], #9090#
-----------------------------------

greetz
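As an added example (not LCF-AT's or donny's code, and not ODbgScript's implementation), the Python below models the MOV-to-memory rules listed in the post above so you can see which bytes a script line really writes. Reading a bare hex constant as a little-endian DWORD, so that `MOV [temp], 90c033, 3` writes 33 C0 90 (the usual xor eax,eax / nop patch), is my interpretation of the 90C033|00 notation; the plain hex address in place of a script variable and the hex size are assumptions.

```python
# Added example (not from the thread): a model of the MOV-to-memory rules
# LCF-AT lists, to see which bytes a script line really writes.  It imitates
# the described behaviour only and is not ODbgScript's own code.
import re

def operand_bytes(src):
    """Bytes a source operand stands for.  #9090# is a literal byte string;
    a bare hex constant is a DWORD value, so 90c033 lands as 33 C0 90 00
    (xor eax,eax / nop) and 90 as 90 00 00 00 ('3x00 after used')."""
    if src.startswith("#") and src.endswith("#"):
        return bytes.fromhex(src[1:-1])
    return int(src, 16).to_bytes(4, "little")

def mov_write(memory, line):
    """Apply `MOV [dest], src[, size]` to memory (dict addr -> byte) and
    return the bytes written.  dest is a hex address (script variables such
    as temp are assumed resolved by the caller); size is hex, and a
    bracketed size like [3] is rejected, as in the thread."""
    m = re.fullmatch(r"\s*MOV\s+\[([0-9A-Fa-f]+)\]\s*,\s*([^,]+?)\s*(?:,\s*(\S+))?\s*", line)
    if not m:
        raise ValueError(f"not a memory MOV: {line!r}")
    dest, src, size = m.groups()
    if size is not None and size.startswith("["):
        raise ValueError(f"size must be a plain number, no brackets: {size}")
    data = operand_bytes(src)
    # No size: a hex constant writes all 4 DWORD bytes, a #..# string its
    # own length; an explicit size truncates (or zero-pads) to that length.
    n = int(size, 16) if size else len(data)
    data = data[:n].ljust(n, b"\x00")
    addr = int(dest, 16)
    for i, b in enumerate(data):
        memory[addr + i] = b
    return data
```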


@LCF-AT

Thanks for all the help and corrections, the attached file is fixed.

I was using OllySubScript and the description was:

MOV dest, src, // Move

Moves src into dest. The size parameter may be included to specify how many bytes to copy.

To move a long hexadecimal string into dest, enclose the hex values within hash symbols "#".

and I was awake for more than 24 hrs straight, so my concentration was a "little" low.

Scylla wasn't fixing the EP to the OEP, I had to do this manually with LordPE after rebuilding the imports... did you have this issue or is it just me???

and please excuse my ignorance, I'm a newbie :)


@ donny

Ah ok so I hope you have taken your sleep now. :)

So if Scylla does not use your new OEP when you dump, then it can be a TLS callback problem. Just check this. In some cases this happened to me as well, so that I had to correct the new EP.

greetz
