redblkjck Posted June 25, 2013
Here is a simple unpackme that checks if it is still packed. It uses known checks from PECompact after the file is unpacked (injected API). This demos the use of the IsPacked and WaterMark API, coded in Delphi. The solution is to unpack it and patch it so it runs unpacked. This was coded for beginners learning, so the level is very easy. Text references and the memo box are there to make it easier to understand what needs patching. Delphi decompilers will have no problem with this file. The only anti-debug is the standard one included with the packer. Try just not patching the watermark to the good cracker jmp, as the watermark value could be crucial for other functions of a protected app.
Check 1 is by plain text API call.
Check 2 is by ordinal address to the same check as 1.
Check 3a is a watermark check from the PE header.
Check 3b checks if the watermark value is valid via a CRC.
Hope you find this useful. - jack
Attachment: pec_unpackme.7z
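To show why check 3b matters (the author's warning that blindly patching the watermark can break a protected app), here is an added Python model of checks 3a/3b: a watermark value stored in the header and a CRC32 over it that the loader validates. This is not code from the unpackme or from PECompact; the offsets, layout and CRC32 choice are assumptions for illustration only.

```python
import struct
import zlib

# Constructed model of checks 3a/3b. The offsets and the use of CRC32 are
# assumptions for this example, not PECompact's real header format.
WATERMARK_OFF = 0x40   # assumed: watermark stored right after a 64-byte DOS header
CRC_OFF = 0x44         # assumed: CRC32 of the 4-byte watermark follows it


def build_header(watermark: int) -> bytes:
    """Construct a DOS-header-like blob followed by the watermark and its CRC32."""
    hdr = bytearray(b"MZ" + b"\x00" * 62)          # constructed 64-byte header stub
    wm = struct.pack("<I", watermark)
    hdr += wm
    hdr += struct.pack("<I", zlib.crc32(wm) & 0xFFFFFFFF)
    return bytes(hdr)


def read_watermark(image: bytes) -> int:
    """Check 3a: read the watermark value from the header."""
    return struct.unpack_from("<I", image, WATERMARK_OFF)[0]


def watermark_is_valid(image: bytes) -> bool:
    """Check 3b: recompute CRC32 over the stored watermark and compare with the stored CRC."""
    stored = struct.unpack_from("<I", image, CRC_OFF)[0]
    wm_bytes = image[WATERMARK_OFF:WATERMARK_OFF + 4]
    return (zlib.crc32(wm_bytes) & 0xFFFFFFFF) == stored


def patch_watermark(image: bytes, new_value: int) -> bytes:
    """Simulate a naive edit: overwrite the watermark without updating the CRC."""
    buf = bytearray(image)
    struct.pack_into("<I", buf, WATERMARK_OFF, new_value)
    return bytes(buf)


if __name__ == "__main__":
    good = build_header(0xDEADBEEF)                 # constructed sample watermark
    print(hex(read_watermark(good)), watermark_is_valid(good))      # 0xdeadbeef True
    tampered = patch_watermark(good, 0x1)
    print(hex(read_watermark(tampered)), watermark_is_valid(tampered))  # 0x1 False
```

Check 3a alone is satisfied by any value that the code compares against, but check 3b fails as soon as the watermark no longer matches its CRC, which is why the author suggests leaving the watermark value intact.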
Solution: Lostin Posted June 25, 2013
Nice unpackme. 2 invalid IAT entries, which are GetProcAddress. Here is my unpacked/patched file.
Attachment: pec_unpackme_Unpacked_Patched.rar
redblkjck (Author) Posted June 25, 2013
Glad you liked it. Your unpacked file runs as packed and would pass further checks if a watermark value was used. Good job. An alternate method would be to emulate the call routines in some free space of the code (or inject your own API with a dll) in place of the call to GetProcAddress. Test the push value, return a proper CALL address for the CALL (EBX, ESI) destinations. Those addresses would return a value of 1 for IsPacked or the watermark value in EAX. Often you will find the strings for the injected API are encrypted/encoded, but they are pretty easy to identify when you see the TEST Jump followed by a CALL to one of the registers. Anyway, I will mark as solved. Good job. - jack
ewwink Posted June 28, 2013
I'm still not able to patch it. redblkjck, if you don't mind, can you explain the steps in detail?
redblkjck (Author) Posted June 29, 2013
At what part of patching this do you get stuck at?
ewwink Posted June 30, 2013
> At what part of patching this do you get stuck at?
At the first button "isPacked". I don't know how to "emulate the call routines in some free space of the code in place of the call to GetProcAddress". This is new for me, or please suggest me a video tutorial about "emulate the call routines", because I can't find it on Google. Thanks.
Nacho_dj Posted June 30, 2013
To understand the meaning of that sentence, just read this article: http://www.codeproject.com/Articles/20240/The-Beginners-Guide-to-Codecaves
redblkjck (Author) Posted July 1, 2013
Just an add-on to what Nacho_dj linked to. You are trying to emulate what is happening in the memory range that has been injected by PECompact. This can be helpful if there are several checks to patch. Rather than changing a conditional jump to JMP or using NOP, you create your own code to return the expected values. You could compare this to finding a routine that performs a check by repeatedly calling the same address, like a trial check to verify if registered and, if not, check how many days are left. Let's say there are 10 direct calls to this trial check. You could patch each and every test after the trial check call (10 patches), or patch the trial call to always return the value for being registered. In the case of the injected API, these checks are done in a memory range that will not exist unpacked. So you can create your own little routine in some free space to return the expected values. You then modify the CALL address that would normally go to the packer memory range to your own routine address. You then have a patch that could be used for future versions, and you don't have to patch every conditional jump. How you go about it is a matter of preference, as long as the end result is the same. - jack
ewwink Posted July 2, 2013
Great, thank you.
SmilingWolf Posted April 15, 2014
Challenges never get old.
Attachment: PECompact 3.0.3.x Beta Unpackme Solved.7z
ngocquy719 Posted June 23, 2019
Can anyone help me solve this please! I have the same problem with PECompact 3.03.