Posted July 14, 201213 yr Packer\Protector:...Level:SimpleLink:http://minus.com/mbckovpIum/unpackme.rar Edited July 15, 201213 yr by Teddy Rogers Please attach all CrackMe's to your topic, thank you...
July 15, 201213 yr Hello,I see the TLS does sth with VirtualProtect and then self-modify at 00408223 and 004081BD. Back to EP of file i complete lose, can i have some hint please?Edit:And what does this upm do with e545_appcompat.txt in temp? Edited July 15, 201213 yr by kakamail
July 15, 201213 yr Author Hello,I see the TLS does sth with VirtualProtect and then self-modify at 00408223 and 004081BD. Back to EP of file i complete lose, can i have some hint please?Edit:And what does this upm do with e545_appcompat.txt in temp?Clear debug flag in peb else tls xor decrypt fails.
July 16, 201213 yr First, when i saw Mov EAX, FS:[18], i think "hmm, antidebug, isn't"? But when i trace, i don't see any jump (if debugged => Jump), so i thought i'm wrong. But when woot332 said that "..PEB", well, i take a deep look at what i did wonder. I write a small tut here for who can't follow tutorial by Mr. eXoDia. I can't follow it because i use no-plugin version to unpack this file, if you want to follow Mr. eXoDia you will need a plugin that hide your olly from this trick (see below) The TLS trick is used, google for it: TLS Callback Functions, when you're at 00408230, you can continue. This is full code from Olly 00408188 PUSH DWORD PTR FS:[18] 00408182 POP EAX ; 7FFDE000 Push then POP to EAX = MOV into EAx. 1. Mov EAX, DWORD PTR FS:[18] 2. MOV EAX,[EAX+30] 3. ADD EAX,24 4. MOV EDX,[EAX-22] 5. ADD EDX,31 ... 6. XOR [EAX],DL 6 => DL is used to XOR with [EAX], and if DL is not right value, this will change the whole code => No run! So which is correct value of DL? MOV EAX,DWORD PTR FS:[18] ; fs:[18] return the TEB addressMOV EAX,DWORD PTR [EAX+30] ;TEB+0x30 return the PEB address You can find the quote above by googling MOV EAX,DWORD PTR FS:[18]. 3, 4 ==> Add EAX, 24 then Sub EAX, 22 => EAX is added to 2 ==> The 2 commands 3, 4 are now become one ADD EAX, 2 From here i google with "PEB FS:[18] debug" and then i got this one (2) PEB!IsDebugged Example: mov eax, fs:[30h] mov eax, byte [eax+2] test eax, eax jne @DebuggerDetected It's same, isn't it? JNE to Detected => EAX should = 0 to avoid detection. Now back to olly, F8 => look at EDX and you know what you have to do Contining with F8 you will see the same but clearer than the first one MOV EAX,FS:[18] MOV EAX,[EAX+30] MOVZX EAX,BYTE PTR [EAX+2] CMP EAX,1 JE SHORT 004080BA Look at this CMP EAX,1 and JE. IF this jump is taken then badboy, notgood. After the RET, you will be into ntdll file, when you see ntdll, try to find SEH Handler, if not, try with breakpoint on first section. I don't see any SEH Handler, so i put a bp on the first section => Contine tracing or if you realize that it's upx you can put a bp on the last JMP. That's it. You're now on OEP, luckly this one does not have problem with IAT, so you can dump and fix your file and test it @Mr. eXoDia: I guess you dumped your file by option in ImportREC, because your file no run on my pc And me too If i dump by ImportIREC, the dumped file no run, but if i dump by olly, it'll run perfectly. I don't know why but this is second time i encounter this problem. Edited July 16, 201213 yr by kakamail
July 19, 201213 yr Author Here's a new one with other tricks.Packer\Protector:...Level:SimpleLink:http://minus.com/mcu13qU5s/
July 19, 201213 yr Author I see nothing new unpacked.rar link fixed lol. New:/>http://netload.in/dateicQsWmYoXRc/unpk.rar.htm Edited July 19, 201213 yr by woot332
July 19, 201213 yr Nice,I liked the trick with the stolen WinMain procedure...I attached my dumps and also the unpackme itself (waiting for sharing host sucks)unpk.rardumps.rar
Create an account or sign in to comment