Packer\Protector:

...

Level:

Simple

Link:

http://minus.com/mbckovpIum/

unpackme.rar

Edited July 15, 201213 yr by Teddy Rogers
Please attach all CrackMe's to your topic, thank you...

Very simple indeed

dump.rar

Hello,

I see the TLS does sth with VirtualProtect and then self-modify at 00408223 and 004081BD. Back to EP of file i complete lose, can i have some hint please?

Edit:

And what does this upm do with e545_appcompat.txt in temp?

Edited July 15, 201213 yr by kakamail

nice simple unpackme

Dump.rar

Solved nice work guys

Hello,

I see the TLS does sth with VirtualProtect and then self-modify at 00408223 and 004081BD. Back to EP of file i complete lose, can i have some hint please?

Edit:

And what does this upm do with e545_appcompat.txt in temp?

Clear debug flag in peb else tls xor decrypt fails.

Easy indeed.

Attached unpacked+tutorial

unpackme_tutorial.rar

First, when i saw Mov EAX, FS:[18], i think "hmm, antidebug, isn't"? But when i trace, i don't see any jump (if debugged => Jump), so i thought i'm wrong. But when woot332 said that "..PEB", well, i take a deep look at what i did wonder.

I write a small tut here for who can't follow tutorial by Mr. eXoDia. I can't follow it because i use no-plugin version to unpack this file, if you want to follow Mr. eXoDia you will need a plugin that hide your olly from this trick (see below)

The TLS trick is used, google for it: TLS Callback Functions, when you're at 00408230, you can continue.

This is full code from Olly

00408188 PUSH DWORD PTR FS:[18]

00408182 POP EAX ; 7FFDE000

Push then POP to EAX = MOV into EAx.

1. Mov EAX, DWORD PTR FS:[18]

2. MOV EAX,[EAX+30]

3. ADD EAX,24

4. MOV EDX,[EAX-22]

5. ADD EDX,31

...

6. XOR [EAX],DL

6 => DL is used to XOR with [EAX], and if DL is not right value, this will change the whole code => No run! So which is correct value of DL?

MOV EAX,DWORD PTR FS:[18] ; fs:[18] return the TEB address

MOV EAX,DWORD PTR [EAX+30] ;TEB+0x30 return the PEB address

You can find the quote above by googling MOV EAX,DWORD PTR FS:[18].

3, 4 ==> Add EAX, 24 then Sub EAX, 22 => EAX is added to 2 ==> The 2 commands 3, 4 are now become one ADD EAX, 2

From here i google with "PEB FS:[18] debug" and then i got this one

(2) PEB!IsDebugged

Example:

mov eax, fs:[30h]

mov eax, byte [eax+2]

test eax, eax

jne @DebuggerDetected

It's same, isn't it? JNE to Detected => EAX should = 0 to avoid detection. Now back to olly, F8 => look at EDX and you know what you have to do Contining with F8 you will see the same but clearer than the first one

MOV EAX,FS:[18]

MOV EAX,[EAX+30]

MOVZX EAX,BYTE PTR [EAX+2]

CMP EAX,1

JE SHORT 004080BA

Look at this CMP EAX,1 and JE. IF this jump is taken then badboy, notgood.

After the RET, you will be into ntdll file, when you see ntdll, try to find SEH Handler, if not, try with breakpoint on first section. I don't see any SEH Handler, so i put a bp on the first section => Contine tracing or if you realize that it's upx you can put a bp on the last JMP.

That's it. You're now on OEP, luckly this one does not have problem with IAT, so you can dump and fix your file and test it

@Mr. eXoDia: I guess you dumped your file by option in ImportREC, because your file no run on my pc And me too If i dump by ImportIREC, the dumped file no run, but if i dump by olly, it'll run perfectly. I don't know why but this is second time i encounter this problem.

Edited July 16, 201213 yr by kakamail

Here's a new one with other tricks.

Packer\Protector:

...

Level:

Simple

Link:

http://minus.com/mcu13qU5s/

I see nothing new

unpacked.rar

I see nothing new

unpacked.rar

link fixed lol.

New:
/>http://netload.in/dateicQsWmYoXRc/unpk.rar.htm

Edited July 19, 201213 yr by woot332

Nice,

I liked the trick with the stolen WinMain procedure...

I attached my dumps and also the unpackme itself (waiting for sharing host sucks)

unpk.rar

dumps.rar

Solved again

My try

unpacked.rar

My try

unpacked.rar

Changing the entry point works too

Yes, it's true. But only work for the EP which does nothing