Jump to content
Tuts 4 You

[unpackme] simple


woot332

Recommended Posts

Hello,

I see the TLS does sth with VirtualProtect and then self-modify at 00408223 and 004081BD. Back to EP of file i complete lose, can i have some hint please?

Edit:

And what does this upm do with e545_appcompat.txt in temp?

Edited by kakamail
Link to comment

Hello,

I see the TLS does sth with VirtualProtect and then self-modify at 00408223 and 004081BD. Back to EP of file i complete lose, can i have some hint please?

Edit:

And what does this upm do with e545_appcompat.txt in temp?

Clear debug flag in peb else tls xor decrypt fails.

Link to comment

First, when i saw Mov EAX, FS:[18], i think "hmm, antidebug, isn't"? But when i trace, i don't see any jump (if debugged => Jump), so i thought i'm wrong. But when woot332 said that "..PEB", well, i take a deep look at what i did wonder.

I write a small tut here for who can't follow tutorial by Mr. eXoDia. I can't follow it because i use no-plugin version to unpack this file, if you want to follow Mr. eXoDia you will need a plugin that hide your olly from this trick (see below)

The TLS trick is used, google for it: TLS Callback Functions, when you're at 00408230, you can continue.

This is full code from Olly

00408188 PUSH DWORD PTR FS:[18]

00408182 POP EAX ; 7FFDE000

Push then POP to EAX = MOV into EAx.

1. Mov EAX, DWORD PTR FS:[18]

2. MOV EAX,[EAX+30]

3. ADD EAX,24

4. MOV EDX,[EAX-22]

5. ADD EDX,31

...

6. XOR [EAX],DL

6 => DL is used to XOR with [EAX], and if DL is not right value, this will change the whole code => No run! So which is correct value of DL?

MOV EAX,DWORD PTR FS:[18] ; fs:[18] return the TEB address

MOV EAX,DWORD PTR [EAX+30] ;TEB+0x30 return the PEB address

You can find the quote above by googling MOV EAX,DWORD PTR FS:[18].

3, 4 ==> Add EAX, 24 then Sub EAX, 22 => EAX is added to 2 ==> The 2 commands 3, 4 are now become one ADD EAX, 2

From here i google with "PEB FS:[18] debug" and then i got this one

(2) PEB!IsDebugged

Example:

mov eax, fs:[30h]

mov eax, byte [eax+2]

test eax, eax

jne @DebuggerDetected

It's same, isn't it? JNE to Detected => EAX should = 0 to avoid detection. Now back to olly, F8 => look at EDX and you know what you have to do :) Contining with F8 you will see the same but clearer than the first one

MOV EAX,FS:[18]

MOV EAX,[EAX+30]

MOVZX EAX,BYTE PTR [EAX+2]

CMP EAX,1

JE SHORT 004080BA

Look at this CMP EAX,1 and JE. IF this jump is taken then badboy, notgood.

After the RET, you will be into ntdll file, when you see ntdll, try to find SEH Handler, if not, try with breakpoint on first section. I don't see any SEH Handler, so i put a bp on the first section => Contine tracing or if you realize that it's upx you can put a bp on the last JMP.

That's it. You're now on OEP, luckly this one does not have problem with IAT, so you can dump and fix your file and test it :)

@Mr. eXoDia: I guess you dumped your file by option in ImportREC, because your file no run on my pc :D And me too :D If i dump by ImportIREC, the dumped file no run, but if i dump by olly, it'll run perfectly. I don't know why but this is second time i encounter this problem.

Edited by kakamail
Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...