Jump to content
Tuts 4 You

[unpackme][crackme] PECompact 3.0.3.x beta - Easy


redblkjck
Go to solution Solved by Lostin,

Recommended Posts

Here is a simple unpackme that checks if still packed. It uses known checks from PECompact after the file is unpacked. - Injected API.


 


This demos the use of IsPacked and WaterMark API, coded in Delphi.  Solution is to unpack it and patch so it runs unpacked. This was coded for beginners learning so the level is very easy.  Text references and the memo box are there to make it easier to understand what needs patched.  Delphi decompilers will have no problem with this file. Only anti debug is the standard included from the packer.  Try just not patching the watermark to the good cracker jmp as the watermark value could be crucial for other functions of a protected app. 


 


1 check is by plain text API call.


2 check is by ordinal address to same check as 1


3a check is a watermark check from the pe header.


3b check if the watermark value is valid via a CRC.  


 


Hope you find this useful.  - jack


 



 


Link to comment
Share on other sites

Glad you liked it. Your unpacked runs as packed and would pass further checks if a watermark value was used. Good job. 


An alternate method would be to emulate the call routines in some free space of the code (or inject your own API with dll) in place of the call to GetProcAddress.


Test the push value, return a proper CALL address for the CALL (EBX ESI) destinations. Those addresses would return value of 1 for IsPacked or the watermark value in EAX. 


Often you will find strings for the injected API are encrypted/encoded but is pretty easy to identify when you see the TEST Jump followed by CALL to one of the registers.  Anyway will mark as solved. Good job.  - jack  


  • Like 1
Link to comment
Share on other sites

At what part of patching this do you get stuck at?

 

at the first button "isPacked" I don't know how to "emulate the call routines in some free space of the code in place of the call to GetProcAddress" this is new  for me or please suggest me video tutorial about "emulate the call routines" because i can't found it in google.

 

thanks

Link to comment
Share on other sites

Just an add-on to what Nacho_dj linked about.  You are trying to emulate what is happening in the memory range that has been injected by PECompact.  This can be helpful if there are several checks to patch.   Rather than changing a conditional jump to JMP or using NOP, you create your own code to return the expected values. 


 


You could compare this to finding a routine that performs a check by repeatedly calling to the same address.  Like a trial check to verify if registered and if not, check how many days are left.  Lets say there are 10 direct calls to this trial check. You could patch each and every test after the trial check call (10 patches) or patch the trial call to always return the value for being registered.   In the case of the injected API, these checks are done in a memory range that will not exist unpacked.  So you can create your own little routine in some free space to return the expected values.  You then modify the CALL address that would normally go to the packer memory range to your own routine address.   You then have a patch that could be used for future versions and you don't have to patch every conditional jump.


 


How you go about it is a matter of preference.  Just so the end result is the same.  - jack

  • Like 1
Link to comment
Share on other sites

  • 9 months later...
  • 5 years later...

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...