Jump to content
Tuts 4 You

[UnpackMe] simple unpackme v0.1


Recommended Posts

Hello all, welcome to my first unpackme. It won't make your code smaller though, it's more of a protector. The attached file is a simple window. The goal is to restore the .exe to it's original transparent state, and if it were a real app it could then be reversed.


Compiler: mingw

Name: simple

Difficulty: 1 or 1.5 / 10, no anti reversing/debug


Feedback is welcome, do enjoy and thank you for reversing!


Edited by simple
Link to comment

For some reason the correct unpackme was not being shown kao, No idea who's file that is but the file you just reversed wasn't mine!


Just to make sure, the program is a simple, empty window, no buttons, text boxes, etc, and in the caption of the window it says "Restore .exe to original state". If it's a program that does anything else, it isn't mine.



Edited by simple
Link to comment

For some reason you uploaded the wrong file? :Dhttp://forum.tuts4you.com/index.php?app=core&module=attach&section=attach&attach_id=9565 - this was the link in your original post and the file was unpackme.rar (15438 bytes). Inside it there was unpackme.exe (22528 bytes) - that's what I unpacked.

As for your "proper" unpackme - there's a small bug at address 401CA5. I'll look more into it tomorrow.

Link to comment

Sorry about that kao, reversed the problem and my generic naming scheme failed me.


Any ideas for fixing that bug? It might still run ok on win7. 


EDIT - Sorry if you were one of the 3 or 4 people who downloaded the incorrect crackme I posted, please confirm with the pic I posted.

Edited by simple
Link to comment

Worked on Win7 x64, _SetMode never called.  Fixed stolen bytes from OEP.   Corrected imports, replaced the JMPs to the corrected CALLs.   Didn't zero out any of the excess code.  Thx

edit add:

In ref to 401CA5 for _SetMode

00401CA5                             .  C605 B01A4000 34    MOV     BYTE PTR [401AB0], 34
should've been
00401CA5                             .  C605 B01A4000 34    MOV     BYTE PTR [401AB2], 34


reuploaded and removed the excess code.  The EOF data could be wiped out and cut down the file to 7KB


Edited by redblkjck
Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...