Jump to content
Tuts 4 You

[UnpackME] RLPack

SHADOW_UA

By SHADOW_UA
in UnPackMe

 Share

Recommended Posts

SHADOW_UA

SHADOW_UA

Posted
Posted

diAKXiG.png


 


My second unpackme. This time it is protected with RLPack with some features ;)


 


 


 


 


UnpackME_2.zip

White

White

Posted
Posted (edited)

Stolen OEP:




push ebp

mov ebp,esp

add esp,-0x10

mov eax,0x4FA620

call 005423EB	;call 00542489 

mov eax,dword ptr ds:[0x4FF684]

mov eax,dword ptr ds:[eax]

call 0045BB44

mov ecx,dword ptr ds:[0x4FF784]

mov eax,dword ptr ds:[0x4FF684]

mov eax,dword ptr ds:[eax]

mov edx,dword ptr ds:[0x4FA358]

call 0045BB5C

mov eax,dword ptr ds:[0x4FF684]

mov eax,dword ptr ds:[eax]

call 0045BBDC

call 00404554



<00542489 >

push ebx

mov ebx,eax

xor eax,eax

mov dword ptr ds:[0x4FB09C],eax

push 0x0

call 004069D0

mov dword ptr ds:[0x500668],eax

mov eax,dword ptr ds:[0x500668]

mov dword ptr ds:[0x4FB0A8],eax

xor eax,eax

mov dword ptr ds:[0x4FB0AC],eax

xor eax,eax

mov dword ptr ds:[0x4FB0B0],eax

call 00406AA0

mov edx,0x4FB0A4

mov eax,ebx

call 0040438C

pop ebx

ret

Check that if it was right or not.


 


 


update: Add unpacked file.


 


UnpackME_2_UnPackEd_Not Perfect.rar


Edited by White、、
SHADOW_UA

SHADOW_UA

Posted
  • Author
Posted (edited)

White、、


yaUkgUl.png


 


OEP routine seems to be correct in your post.


Edited by SHADOW785
GIV

GIV

Posted
Posted

1. For me it crashes.


2. I take a couple of minutes to trace the imports redirection routine...




006E9DA2   > /E8 78270000   CALL UnpackME.006EC51F

006E9DA7   . |56            PUSH ESI

006E9DA8   . |FF95 350B0000 CALL DWORD PTR SS:[EBP+0xB35]            ;  Ia baza de memorie a librariei

006E9DAE   . |85C0          TEST EAX,EAX

006E9DB0   . |0F84 C6270000 JE UnpackME.006EC57C

006E9DB6   . |8985 975C0000 MOV DWORD PTR SS:[EBP+0x5C97],EAX        ;  Pune in variabila baza modului curent

006E9DBC   . |8BC6          MOV EAX,ESI                              ;  Muta in EAX numele modulului curent

006E9DBE   . |EB 43         JMP SHORT UnpackME.006E9E03

006E9DC0   > |8B85 9B5C0000 MOV EAX,DWORD PTR SS:[EBP+0x5C9B]

006E9DC6   . |8B00          MOV EAX,DWORD PTR DS:[EAX]

006E9DC8   . |E8 1D3D0000   CALL <UnpackME.Muta in ESI nume modul>   ;  Muta in ESI nume modul

006E9DCD   . |50            PUSH EAX                                 ;  Pune in stiva EAX

006E9DCE   . |FFB5 975C0000 PUSH DWORD PTR SS:[EBP+0x5C97]           ;  Pune in stiva adresa de memorie a modulului

006E9DD4   . |E8 F3470000   CALL <UnpackME.Ia Nume API>              ;  Ia urmatorul API

006E9DD9   . |85C0          TEST EAX,EAX

006E9DDB   . |0F84 62270000 JE UnpackME.006EC543

006E9DE1   . |E8 063E0000   CALL UnpackME.006EDBEC

006E9DE6   . |E8 8C3C0000   CALL UnpackME.006EDA77                   ;  Scriere API

006E9DEB   . |83C7 04       ADD EDI,0x4

006E9DEE   . |8B85 9B5C0000 MOV EAX,DWORD PTR SS:[EBP+0x5C9B]

006E9DF4   . |8938          MOV DWORD PTR DS:[EAX],EDI

006E9DF6   . |8385 9B5C0000>ADD DWORD PTR SS:[EBP+0x5C9B],0x4        ;  Adauga la variabila din EBP+5c9b 4

006E9DFD   . |8B85 9B5C0000 MOV EAX,DWORD PTR SS:[EBP+0x5C9B]        ;  Muta in EAX rezultatul

006E9E03   > |8338 00       CMP DWORD PTR DS:[EAX],0x0               ;  Compara numele modului din EAX cu 0

006E9E06   .^|75 B8         JNZ SHORT UnpackME.006E9DC0
White

White

Posted
Posted

day off.I'll check that later.


 missing. RVA: 00432E0C 


GIV

GIV

Posted
Posted

I found IAT redirection.


To have a clean IAT just NOP this call.



 


006E9DE1    E8 063E0000     CALL UnpackME.006EDBEC                   ; IAT REDirection


 

White

White

Posted
Posted (edited)

Hi,now it's fixed.


Have tested on Win7 x64 and no error.


 


Not rebuild section etc,so it's not perfect.


 


UnpackME_2_UnPackEd_Fixed.rar


Edited by White、、
  • Like 2
GIV

GIV

Posted
Posted

Yep.


Is working....


Good job....


Gegul

Gegul

Posted
Posted (edited)

0040433E  - E9 82C49F00     JMP 00E007C5
 

how to solve that? :(

 

00E007C5    9C              PUSHFD
00E007C6    83EC 04         SUB ESP,0x4
00E007C9    C70424 5405664C MOV DWORD PTR SS:[ESP],0x4C660554
00E007D0    E8 2BF8FFFF     CALL 00E00000
00E007D5    50              PUSH EAX
00E007D6    FF7424 08       PUSH DWORD PTR SS:[ESP+0x8]
00E007DA    8B4424 08       MOV EAX,DWORD PTR SS:[ESP+0x8]
00E007DE    894424 0C       MOV DWORD PTR SS:[ESP+0xC],EAX
00E007E2    8B0424          MOV EAX,DWORD PTR SS:[ESP]               ; UnpackME.005422BD
00E007E5    894424 08       MOV DWORD PTR SS:[ESP+0x8],EAX
00E007E9    83C4 04         ADD ESP,0x4
00E007EC    58              POP EAX                                  ; UnpackME.005422BD
00E007ED    9D              POPFD
 

really many :(

Edited by kismp123
  • 2 weeks later...
EvOlUtIoN

EvOlUtIoN

Posted
Posted

Quite easy iat redirection, just one instructio patch since there is one place where both correct api and it location are present.


The stolen code at OEP is good since involve init::exe also anyway it is possible to not rebuild it and the file works anyway.


Gegul

Gegul

Posted
Posted

hi EvOlUtIoN

 

how to fix dumped file?

 

0040433E  - E9 82C4B601     JMP 01F707C5
 

no memory address(01F707C5) in dumped file :(

EvOlUtIoN

EvOlUtIoN

Posted
Posted

You have to find out by yourself...there are 2 ways one fast and one slower, but both works ;) good luck


  • 1 month later...
SmilingWolf

SmilingWolf

Posted
Posted (edited)

I really liked this one :)In attach: UnpackMe, UnpackMe MUPed, a couple of MultiASM snippets, notes, IAT Trees for both Scylla and ImportREC and a fixed/boosted "RLPack 1.21 VM Code Translater" script (credits to LCF-AT for the original work of course :))

UnpackMe_2 MUPed.7z

Edited by SmilingWolf
  • Like 2

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing
×
×
  • Create New...