simple Posted February 18, 2013 Posted February 18, 2013 (edited) Hello all, welcome to my first unpackme. It won't make your code smaller though, it's more of a protector. The attached file is a simple window. The goal is to restore the .exe to it's original transparent state, and if it were a real app it could then be reversed. Compiler: mingwName: simpleDifficulty: 1 or 1.5 / 10, no anti reversing/debug Feedback is welcome, do enjoy and thank you for reversing!SimpleUnpackMe.rar Edited February 18, 2013 by simple
kao Posted February 18, 2013 Posted February 18, 2013 (edited) {post removed, as incorrect unpackme was uploaded by author} Edited February 19, 2013 by kao
simple Posted February 18, 2013 Author Posted February 18, 2013 (edited) For some reason the correct unpackme was not being shown kao, No idea who's file that is but the file you just reversed wasn't mine! Just to make sure, the program is a simple, empty window, no buttons, text boxes, etc, and in the caption of the window it says "Restore .exe to original state". If it's a program that does anything else, it isn't mine. Edited February 19, 2013 by simple
kao Posted February 19, 2013 Posted February 19, 2013 For some reason you uploaded the wrong file? http://forum.tuts4you.com/index.php?app=core&module=attach§ion=attach&attach_id=9565 - this was the link in your original post and the file was unpackme.rar (15438 bytes). Inside it there was unpackme.exe (22528 bytes) - that's what I unpacked. As for your "proper" unpackme - there's a small bug at address 401CA5. I'll look more into it tomorrow.
simple Posted February 19, 2013 Author Posted February 19, 2013 (edited) Sorry about that kao, reversed the problem and my generic naming scheme failed me. Any ideas for fixing that bug? It might still run ok on win7. EDIT - Sorry if you were one of the 3 or 4 people who downloaded the incorrect crackme I posted, please confirm with the pic I posted. Edited February 19, 2013 by simple
redblkjck Posted February 19, 2013 Posted February 19, 2013 (edited) Worked on Win7 x64, _SetMode never called. Fixed stolen bytes from OEP. Corrected imports, replaced the JMPs to the corrected CALLs. Didn't zero out any of the excess code. Thx edit add:In ref to 401CA5 for _SetMode00401CA5 . C605 B01A4000 34 MOV BYTE PTR [401AB0], 34should've been00401CA5 . C605 B01A4000 34 MOV BYTE PTR [401AB2], 34 reuploaded and removed the excess code. The EOF data could be wiped out and cut down the file to 7KBUnpackMe_fix_.rar Edited February 19, 2013 by redblkjck
kao Posted February 19, 2013 Posted February 19, 2013 My version attached, imports & API calls fixed, most of junk code removed. Note - you probably messed up import of "signal" API (00401037, 00401094, etc..), I fixed it manually, even though your code never touches it.unpackme_patched.rar
simple Posted February 19, 2013 Author Posted February 19, 2013 I just obfuscated the 4 signal calls for the heck of it. Great work kao and redblkjck, thanks for reversing.
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now