Tuts 4 You

Packer\Protector:

...

Level:

Simple

Link:

http://minus.com/mbckovpIum/

unpackme.rar

Edited by Teddy Rogers
Please attach all CrackMe's to your topic, thank you...

Very simple indeed

dump.rar

Hello,

I see the TLS does something with VirtualProtect and then self-modifies at 00408223 and 004081BD. Back at the EP of the file I am completely lost, can I have a hint please?

Edit:

And what does this unpackme do with e545_appcompat.txt in temp?

Edited by kakamail

nice simple unpackme

Dump.rar

  • Author

Solved nice work guys

  • Author

Hello,

I see the TLS does something with VirtualProtect and then self-modifies at 00408223 and 004081BD. Back at the EP of the file I am completely lost, can I have a hint please?

Edit:

And what does this unpackme do with e545_appcompat.txt in temp?

Clear the debug flag in the PEB, otherwise the TLS XOR decrypt fails.

Easy indeed.

Attached unpacked+tutorial

unpackme_tutorial.rar

First, when I saw MOV EAX, FS:[18], I thought "hmm, anti-debug, isn't it?" But when I traced, I didn't see any jump (if debugged => jump), so I thought I was wrong. But when woot332 said "...PEB", well, I took a deep look at what I had been wondering about.

I am writing a small tutorial here for those who can't follow the tutorial by Mr. eXoDia. I couldn't follow it because I used a no-plugin version of Olly to unpack this file; if you want to follow Mr. eXoDia you will need a plugin that hides your Olly from this trick (see below).

The TLS trick is used, google for it: TLS Callback Functions. When you're at 00408230, you can continue.

This is the full code from Olly:

00408188 PUSH DWORD PTR FS:[18]

00408182 POP EAX ; 7FFDE000

PUSH then POP into EAX = MOV into EAX.

1. Mov EAX, DWORD PTR FS:[18]

2. MOV EAX,[EAX+30]

3. ADD EAX,24

4. MOV EDX,[EAX-22]

5. ADD EDX,31

...

6. XOR [EAX],DL

6 => DL is used to XOR with [EAX], and if DL is not the right value, this will change the whole code => no run! So which is the correct value of DL?

MOV EAX,DWORD PTR FS:[18] ; fs:[18] returns the TEB address

MOV EAX,DWORD PTR [EAX+30] ; TEB+0x30 returns the PEB address

You can find the quote above by googling MOV EAX,DWORD PTR FS:[18].

3, 4 ==> ADD EAX, 24 then SUB EAX, 22 => 2 is added to EAX ==> the two commands 3 and 4 now become a single ADD EAX, 2

From here I googled "PEB FS:[18] debug" and then I got this one:

(2) PEB!IsDebugged

Example:

mov eax, fs:[30h]

mov eax, byte [eax+2]

test eax, eax

jne @DebuggerDetected

It's the same, isn't it? JNE to Detected => EAX should = 0 to avoid detection. Now back to Olly, F8 => look at EDX and you know what you have to do :) Continuing with F8 you will see the same thing, but clearer than the first one:

MOV EAX,FS:[18]

MOV EAX,[EAX+30]

MOVZX EAX,BYTE PTR [EAX+2]

CMP EAX,1

JE SHORT 004080BA

Look at this CMP EAX,1 and JE. If this jump is taken then bad boy, not good.

After the RET, you will be in the ntdll file. When you see ntdll, try to find the SEH handler; if there is none, try a breakpoint on the first section. I didn't see any SEH handler, so I put a BP on the first section => continue tracing, or if you realize that it's UPX you can put a BP on the last JMP.

That's it. You're now on the OEP. Luckily this one doesn't have problems with the IAT, so you can dump and fix your file and test it :)

@Mr. eXoDia: I guess you dumped your file with the option in ImportREC, because your file doesn't run on my PC :D And mine too :D If I dump with ImportREC, the dumped file doesn't run, but if I dump with Olly, it runs perfectly. I don't know why, but this is the second time I've encountered this problem.

Edited by kakamail
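The decryptor discussed in the two posts above (woot332's "clear the debug flag in the PEB" and the FS:[18] -> TEB+0x30 -> PEB+2 walk traced in the tutorial), modeled as an added C example. This is not code from the unpackme or from anything the posters attached: FS, TEB and PEB are emulated inside one flat 32-bit "memory" array so the pointer walk runs on any host. The TEB/PEB addresses, the plaintext stub bytes and the elided instructions that point EAX at the packed code are assumptions; the DL derivation follows the traced instructions (ADD EAX,24 / MOV EDX,[EAX-22] / ADD EDX,31) exactly.

```c
/*
 * Added model of the unpackme's TLS decryptor as traced in the thread.
 *
 *   MOV EAX, FS:[18]      ; TEB.Self
 *   MOV EAX, [EAX+30]     ; TEB.ProcessEnvironmentBlock
 *   ADD EAX, 24
 *   MOV EDX, [EAX-22]     ; DWORD at PEB+2, so DL = PEB.BeingDebugged
 *   ADD EDX, 31
 *   XOR [EAX], DL         ; applied over the packed code
 *
 * Not the unpackme's code; layout addresses and stub bytes are assumptions.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MEM_SIZE  0x1000
#define TEB_ADDR  0x100   /* assumed: where the fake TEB lives */
#define PEB_ADDR  0x400   /* assumed: where the fake PEB lives */
#define CODE_ADDR 0x800   /* assumed: start of the XOR-encrypted code */

/* Constructed plaintext stub: PUSH EBP; MOV EBP,ESP; XOR EAX,EAX; POP EBP; RET */
static const uint8_t kPlainStub[] = { 0x55, 0x8B, 0xEC, 0x33, 0xC0, 0x5D, 0xC3 };
#define STUB_LEN (sizeof kPlainStub)

/* Key the packer used when encrypting: DL for a process that is NOT debugged. */
#define PACK_KEY 0x31

static uint32_t rd32(const uint8_t *mem, uint32_t a) {
    uint32_t v; memcpy(&v, mem + a, 4); return v;
}
static void wr32(uint8_t *mem, uint32_t a, uint32_t v) { memcpy(mem + a, &v, 4); }

/* Lay out TEB, PEB and the packed code the way the TLS callback expects. */
static void setup_process(uint8_t *mem, uint8_t being_debugged) {
    memset(mem, 0, MEM_SIZE);
    wr32(mem, TEB_ADDR + 0x18, TEB_ADDR);   /* TEB+0x18 = Self, what FS:[18] yields  */
    wr32(mem, TEB_ADDR + 0x30, PEB_ADDR);   /* TEB+0x30 = ProcessEnvironmentBlock     */
    mem[PEB_ADDR + 2] = being_debugged;     /* PEB+0x02 = BeingDebugged               */
    for (size_t i = 0; i < STUB_LEN; i++)
        mem[CODE_ADDR + i] = kPlainStub[i] ^ PACK_KEY;
}

/* Derive DL exactly as the traced TLS callback does. */
static uint8_t tls_derive_dl(const uint8_t *mem) {
    uint32_t eax = rd32(mem, TEB_ADDR + 0x18);  /* MOV EAX, FS:[18]  */
    eax = rd32(mem, eax + 0x30);                /* MOV EAX, [EAX+30] */
    eax += 0x24;                                /* ADD EAX, 24       */
    uint32_t edx = rd32(mem, eax - 0x22);       /* MOV EDX, [EAX-22] -> reads PEB+2 */
    edx += 0x31;                                /* ADD EDX, 31       */
    return (uint8_t)edx;                        /* DL                */
}

/* The XOR loop; the elided instructions that point EAX at the code are assumed. */
static void tls_xor_code(uint8_t *mem, uint8_t dl) {
    for (size_t i = 0; i < STUB_LEN; i++) mem[CODE_ADDR + i] ^= dl;
}

/* DL the callback ends up with for a given PEB.BeingDebugged value. */
uint8_t tls_key_for_flag(uint8_t being_debugged) {
    uint8_t mem[MEM_SIZE];
    setup_process(mem, being_debugged);
    return tls_derive_dl(mem);
}

/* Run the decryptor; optionally clear PEB.BeingDebugged first, which is the fix
 * from the thread (by hand in Olly, or by a plugin that hides the debugger).
 * Returns 1 if the code decrypted back to the original bytes, i.e. it would run. */
int tls_decrypt_ok(uint8_t being_debugged, int clear_flag_first) {
    uint8_t mem[MEM_SIZE];
    setup_process(mem, being_debugged);
    if (clear_flag_first) mem[PEB_ADDR + 2] = 0;
    tls_xor_code(mem, tls_derive_dl(mem));
    return memcmp(mem + CODE_ADDR, kPlainStub, STUB_LEN) == 0;
}

int main(void) {
    printf("no debugger:            DL=%02X ok=%d\n", tls_key_for_flag(0), tls_decrypt_ok(0, 0));
    printf("debugger attached:      DL=%02X ok=%d\n", tls_key_for_flag(1), tls_decrypt_ok(1, 0));
    printf("debugger, flag cleared: DL=%02X ok=%d\n", tls_key_for_flag(0), tls_decrypt_ok(1, 1));
    return 0;
}
```

With BeingDebugged = 0 the callback computes DL = 0x31 and the code comes back intact; under a debugger DL becomes 0x32 and every byte is off by 0x03, which is why the process dies before reaching the EP without any visible "JNE to bad boy". The only check is the XOR itself, so the fix is to zero PEB+2 before the TLS callback runs, exactly as woot332 said.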

  • Author

Here's a new one with other tricks.

Packer\Protector:

...

Level:

Simple

Link:

http://minus.com/mcu13qU5s/

I see nothing new :cc_confused:

unpacked.rar

  • Author

I see nothing new :cc_confused:

unpacked.rar

link fixed lol.

New:
http://netload.in/dateicQsWmYoXRc/unpk.rar.htm

Edited by woot332

Nice,

I liked the trick with the stolen WinMain procedure...

I attached my dumps and also the unpackme itself (waiting for the file-sharing host sucks).

unpk.rar

dumps.rar

  • Author

Solved again :thumbs:

My try

unpacked.rar

  • Author

My try

unpacked.rar

Changing the entry point works too :)

Yes, it's true. But it only works for an EP which does nothing :)
