[unpackme][crackme] PECompact 3.0.3.x beta - Easy

[redblkjck]

Here is a simple unpackme that checks if still packed. It uses known checks from PECompact after the file is unpacked. - Injected API.

 

This demos the use of IsPacked and WaterMark API, coded in Delphi.  Solution is to unpack it and patch so it runs unpacked. This was coded for beginners learning so the level is very easy.  Text references and the memo box are there to make it easier to understand what needs patched.  Delphi decompilers will have no problem with this file. Only anti debug is the standard included from the packer.  Try just not patching the watermark to the good cracker jmp as the watermark value could be crucial for other functions of a protected app. 

 

1 check is by plain text API call.

2 check is by ordinal address to same check as 1

3a check is a watermark check from the pe header.

3b check if the watermark value is valid via a CRC.  

 

Hope you find this useful.  - jack

 

pec_unpackme.7z

 

[Lostin]

Nice unpack me

 

2 invalid IAT which are GetProcAddress

 

Here is my unpacked/patched file

 

pec_unpackme_Unpacked_Patched.rar

[redblkjck]

Glad you liked it. Your unpacked runs as packed and would pass further checks if a watermark value was used. Good job. 

An alternate method would be to emulate the call routines in some free space of the code (or inject your own API with dll) in place of the call to GetProcAddress.

Test the push value, return a proper CALL address for the CALL (EBX ESI) destinations. Those addresses would return value of 1 for IsPacked or the watermark value in EAX. 

Often you will find strings for the injected API are encrypted/encoded but is pretty easy to identify when you see the TEST Jump followed by CALL to one of the registers.  Anyway will mark as solved. Good job.  - jack  

[ewwink]

I'm still not able to patch it, redblkjck if you don't mind can you explain detail of the steps

[redblkjck]

At what part of patching this do you get stuck at?

[ewwink]

At what part of patching this do you get stuck at?

 

at the first button "isPacked" I don't know how to "emulate the call routines in some free space of the code in place of the call to GetProcAddress" this is new  for me or please suggest me video tutorial about "emulate the call routines" because i can't found it in google.

 

thanks

[Nacho_dj]

To understand the meaning of that sentence, just read this article:

http://www.codeproject.com/Articles/20240/The-Beginners-Guide-to-Codecaves

[redblkjck]

Just an add-on to what Nacho_dj linked about.  You are trying to emulate what is happening in the memory range that has been injected by PECompact.  This can be helpful if there are several checks to patch.   Rather than changing a conditional jump to JMP or using NOP, you create your own code to return the expected values. 

 

You could compare this to finding a routine that performs a check by repeatedly calling to the same address.  Like a trial check to verify if registered and if not, check how many days are left.  Lets say there are 10 direct calls to this trial check. You could patch each and every test after the trial check call (10 patches) or patch the trial call to always return the value for being registered.   In the case of the injected API, these checks are done in a memory range that will not exist unpacked.  So you can create your own little routine in some free space to return the expected values.  You then modify the CALL address that would normally go to the packer memory range to your own routine address.   You then have a patch that could be used for future versions and you don't have to patch every conditional jump.

 

How you go about it is a matter of preference.  Just so the end result is the same.  - jack

[ewwink]

great,, thank you

[SmilingWolf]

Challenges never get old

PECompact 3.0.3.x Beta Unpackme Solved.7z

[ngocquy719]

Can anyone help me solve this please!

i have a same problems with PEcompact 3.03.