woot332 Posted July 14, 2012 (edited)
Packer\Protector: ...
Level: Simple
Link: http://minus.com/mbckovpIum/unpackme.rar
Edited July 15, 2012 by Teddy Rogers: Please attach all CrackMe's to your topic, thank you...
kakamail Posted July 15, 2012 (edited)
Hello, I see the TLS does something with VirtualProtect and then self-modifies at 00408223 and 004081BD. Back at the EP of the file I am completely lost, can I have some hint please?
Edit: And what does this upm do with e545_appcompat.txt in temp?
Edited July 15, 2012 by kakamail
woot332 Posted July 15, 2012 Author
Quoting kakamail: "Hello, I see the TLS does something with VirtualProtect and then self-modifies at 00408223 and 004081BD. Back at the EP of the file I am completely lost, can I have some hint please? Edit: And what does this upm do with e545_appcompat.txt in temp?"
Clear the debug flag in the PEB, else the TLS XOR decrypt fails.
mrexodia Posted July 15, 2012
Easy indeed. Attached unpacked + tutorial: unpackme_tutorial.rar
kakamail Posted July 16, 2012 (edited)
First, when I saw MOV EAX, FS:[18], I thought "hmm, anti-debug, isn't it?" But when I traced, I didn't see any jump (if debugged => jump), so I thought I was wrong. But when woot332 said "..PEB", well, I took a deep look at what I had wondered about. I write a small tut here for whoever can't follow the tutorial by Mr. eXoDia. I can't follow it because I use a no-plugin version to unpack this file; if you want to follow Mr. eXoDia you will need a plugin that hides your Olly from this trick (see below).

The TLS trick is used, google for it: TLS Callback Functions. When you're at 00408230, you can continue. This is the full code from Olly:

00408188 PUSH DWORD PTR FS:[18]
00408182 POP EAX ; 7FFDE000

PUSH then POP to EAX = MOV into EAX.

1. MOV EAX, DWORD PTR FS:[18]
2. MOV EAX, [EAX+30]
3. ADD EAX, 24
4. MOV EDX, [EAX-22]
5. ADD EDX, 31
...
6. XOR [EAX], DL

6 => DL is used to XOR with [EAX], and if DL is not the right value, this will change the whole code => no run! So which is the correct value of DL?

MOV EAX, DWORD PTR FS:[18] ; fs:[18] returns the TEB address
MOV EAX, DWORD PTR [EAX+30] ; TEB+0x30 returns the PEB address

You can find the quote above by googling MOV EAX,DWORD PTR FS:[18].

3, 4 ==> ADD EAX, 24 then SUB EAX, 22 => EAX is added 2 ==> the two commands 3, 4 now become one: ADD EAX, 2.

From here I googled "PEB FS:[18] debug" and then I got this one:

(2) PEB!IsDebugged
Example:
mov eax, fs:[30h]
mov eax, byte [eax+2]
test eax, eax
jne @DebuggerDetected

It's the same, isn't it? JNE to Detected => EAX should = 0 to avoid detection. Now back to Olly, F8 => look at EDX and you know what you have to do.

Continuing with F8 you will see the same but clearer than the first one:

MOV EAX, FS:[18]
MOV EAX, [EAX+30]
MOVZX EAX, BYTE PTR [EAX+2]
CMP EAX, 1
JE SHORT 004080BA

Look at this CMP EAX,1 and JE. If this jump is taken then badboy, not good.

After the RET, you will be in the ntdll file; when you see ntdll, try to find the SEH handler, if not, try with a breakpoint on the first section. I don't see any SEH handler, so I put a BP on the first section => continue tracing, or if you realize that it's UPX you can put a BP on the last JMP. That's it. You're now on the OEP; luckily this one does not have problems with the IAT, so you can dump and fix your file and test it.

@Mr. eXoDia: I guess you dumped your file by the option in ImportREC, because your file does not run on my PC. And me too: if I dump by ImportREC, the dumped file does not run, but if I dump by Olly, it'll run perfectly. I don't know why, but this is the second time I've encountered this problem.
Edited July 16, 2012 by kakamail
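As an added example (not code from this thread or from the unpackme), a small Python byte-pattern scanner for the TEB -> PEB -> BeingDebugged idiom traced in the post above, the kind of check a defender runs over a dumped code section to locate where the flag is read before deciding how to hide the debugger. The 32-bit encodings and both sample byte strings are constructed here; the window size is an assumption.

```python
# Byte patterns for the PEB.BeingDebugged idiom (32-bit x86 encodings).
# Assumption: straight-line code; a real scanner would decode instructions.
TEB_LOADS = {
    b"\x64\xa1\x18\x00\x00\x00": "mov eax, fs:[18h]",            # TEB -> EAX
    b"\x64\xff\x35\x18\x00\x00\x00": "push dword ptr fs:[18h]",  # TEB via push/pop, as in the unpackme
}
PEB_LOAD = b"\x64\xa1\x30\x00\x00\x00"          # mov eax, fs:[30h]: PEB directly
TEB_TO_PEB = b"\x8b\x40\x30"                    # mov eax, [eax+30h]: TEB.ProcessEnvironmentBlock
BEING_DEBUGGED = (b"\x0f\xb6\x40\x02",          # movzx eax, byte ptr [eax+2]
                  b"\x8a\x40\x02",              # mov al, byte ptr [eax+2]
                  b"\x8b\x40\x02")              # mov eax, [eax+2]


def find_peb_debug_checks(code: bytes, window: int = 32) -> list:
    """Return (offset, description) for every TEB/PEB load that is followed,
    within `window` bytes, by a read of PEB+2 (BeingDebugged)."""
    hits = []
    loads = list(TEB_LOADS.items()) + [(PEB_LOAD, "mov eax, fs:[30h]")]
    for pat, name in loads:
        off = code.find(pat)
        while off != -1:
            region = code[off + len(pat): off + len(pat) + window]
            if pat == PEB_LOAD:
                tail = region                    # EAX already holds the PEB
            else:
                hop = region.find(TEB_TO_PEB)    # must first hop TEB -> PEB
                tail = region[hop + len(TEB_TO_PEB):] if hop != -1 else b""
            if any(rd in tail for rd in BEING_DEBUGGED):
                hits.append((off, f"{name}; then read of PEB+2 (BeingDebugged)"))
            off = code.find(pat, off + 1)
    return sorted(hits)


# Constructed sample reproducing the unpackme's second check from the post:
# push fs:[18h] / pop eax / mov eax,[eax+30h] / movzx eax,byte [eax+2] / cmp eax,1 / je
SAMPLE = (b"\x64\xff\x35\x18\x00\x00\x00" b"\x58" b"\x8b\x40\x30"
          b"\x0f\xb6\x40\x02" b"\x83\xf8\x01" b"\x74\x10")
# Constructed benign walk: TEB -> PEB -> PEB.Ldr (offset 0xC), no BeingDebugged read.
BENIGN = b"\x64\xa1\x18\x00\x00\x00" b"\x8b\x40\x30" b"\x8b\x40\x0c"

if __name__ == "__main__":
    for label, blob in (("sample", SAMPLE), ("benign", BENIGN)):
        print(label, find_peb_debug_checks(blob))
```

The first sequence in the post (ADD EAX,24 followed by MOV EDX,[EAX-22]) reaches PEB+2 through an adjusted base and is not matched by this naive byte scan, which is exactly why the XOR key had to be reasoned out by hand in the trace.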
woot332 Posted July 19, 2012 Author
Here's a new one with other tricks.
Packer\Protector: ...
Level: Simple
Link: http://minus.com/mcu13qU5s/
woot332 Posted July 19, 2012 Author (edited)
I see nothing new. unpacked.rar. Link fixed lol. New: http://netload.in/dateicQsWmYoXRc/unpk.rar.htm
Edited July 19, 2012 by woot332
mrexodia Posted July 19, 2012
Nice, I liked the trick with the stolen WinMain procedure... I attached my dumps and also the unpackme itself (waiting for the sharing host sucks). Attachments: unpk.rar, dumps.rar
woot332 Posted July 20, 2012 Author
My try: unpacked.rar. Changing the entry point works too.
kakamail Posted July 20, 2012
Yes, it's true. But it only works for an EP which does nothing.