Jump to content
Tuts 4 You

[UnpackME] RLPack


SHADOW_UA

Recommended Posts

Stolen OEP:



push ebp
mov ebp,esp
add esp,-0x10
mov eax,0x4FA620
call 005423EB ;call 00542489
mov eax,dword ptr ds:[0x4FF684]
mov eax,dword ptr ds:[eax]
call 0045BB44
mov ecx,dword ptr ds:[0x4FF784]
mov eax,dword ptr ds:[0x4FF684]
mov eax,dword ptr ds:[eax]
mov edx,dword ptr ds:[0x4FA358]
call 0045BB5C
mov eax,dword ptr ds:[0x4FF684]
mov eax,dword ptr ds:[eax]
call 0045BBDC
call 00404554


<00542489 >
push ebx
mov ebx,eax
xor eax,eax
mov dword ptr ds:[0x4FB09C],eax
push 0x0
call 004069D0
mov dword ptr ds:[0x500668],eax
mov eax,dword ptr ds:[0x500668]
mov dword ptr ds:[0x4FB0A8],eax
xor eax,eax
mov dword ptr ds:[0x4FB0AC],eax
xor eax,eax
mov dword ptr ds:[0x4FB0B0],eax
call 00406AA0
mov edx,0x4FB0A4
mov eax,ebx
call 0040438C
pop ebx
ret

Check that if it was right or not.


 


 


update: Add unpacked file.


 


UnpackME_2_UnPackEd_Not Perfect.rar


Edited by White、、
Link to comment

1. For me it crashes.


2. I take a couple of minutes to trace the imports redirection routine...



006E9DA2 > /E8 78270000 CALL UnpackME.006EC51F
006E9DA7 . |56 PUSH ESI
006E9DA8 . |FF95 350B0000 CALL DWORD PTR SS:[EBP+0xB35] ; Ia baza de memorie a librariei
006E9DAE . |85C0 TEST EAX,EAX
006E9DB0 . |0F84 C6270000 JE UnpackME.006EC57C
006E9DB6 . |8985 975C0000 MOV DWORD PTR SS:[EBP+0x5C97],EAX ; Pune in variabila baza modului curent
006E9DBC . |8BC6 MOV EAX,ESI ; Muta in EAX numele modulului curent
006E9DBE . |EB 43 JMP SHORT UnpackME.006E9E03
006E9DC0 > |8B85 9B5C0000 MOV EAX,DWORD PTR SS:[EBP+0x5C9B]
006E9DC6 . |8B00 MOV EAX,DWORD PTR DS:[EAX]
006E9DC8 . |E8 1D3D0000 CALL <UnpackME.Muta in ESI nume modul> ; Muta in ESI nume modul
006E9DCD . |50 PUSH EAX ; Pune in stiva EAX
006E9DCE . |FFB5 975C0000 PUSH DWORD PTR SS:[EBP+0x5C97] ; Pune in stiva adresa de memorie a modulului
006E9DD4 . |E8 F3470000 CALL <UnpackME.Ia Nume API> ; Ia urmatorul API
006E9DD9 . |85C0 TEST EAX,EAX
006E9DDB . |0F84 62270000 JE UnpackME.006EC543
006E9DE1 . |E8 063E0000 CALL UnpackME.006EDBEC
006E9DE6 . |E8 8C3C0000 CALL UnpackME.006EDA77 ; Scriere API
006E9DEB . |83C7 04 ADD EDI,0x4
006E9DEE . |8B85 9B5C0000 MOV EAX,DWORD PTR SS:[EBP+0x5C9B]
006E9DF4 . |8938 MOV DWORD PTR DS:[EAX],EDI
006E9DF6 . |8385 9B5C0000>ADD DWORD PTR SS:[EBP+0x5C9B],0x4 ; Adauga la variabila din EBP+5c9b 4
006E9DFD . |8B85 9B5C0000 MOV EAX,DWORD PTR SS:[EBP+0x5C9B] ; Muta in EAX rezultatul
006E9E03 > |8338 00 CMP DWORD PTR DS:[EAX],0x0 ; Compara numele modului din EAX cu 0
006E9E06 .^|75 B8 JNZ SHORT UnpackME.006E9DC0
Link to comment

I found IAT redirection.


To have a clean IAT just NOP this call.



 


006E9DE1    E8 063E0000     CALL UnpackME.006EDBEC                   ; IAT REDirection


 

Link to comment

0040433E  - E9 82C49F00     JMP 00E007C5
 

how to solve that? :(

 

00E007C5    9C              PUSHFD
00E007C6    83EC 04         SUB ESP,0x4
00E007C9    C70424 5405664C MOV DWORD PTR SS:[ESP],0x4C660554
00E007D0    E8 2BF8FFFF     CALL 00E00000
00E007D5    50              PUSH EAX
00E007D6    FF7424 08       PUSH DWORD PTR SS:[ESP+0x8]
00E007DA    8B4424 08       MOV EAX,DWORD PTR SS:[ESP+0x8]
00E007DE    894424 0C       MOV DWORD PTR SS:[ESP+0xC],EAX
00E007E2    8B0424          MOV EAX,DWORD PTR SS:[ESP]               ; UnpackME.005422BD
00E007E5    894424 08       MOV DWORD PTR SS:[ESP+0x8],EAX
00E007E9    83C4 04         ADD ESP,0x4
00E007EC    58              POP EAX                                  ; UnpackME.005422BD
00E007ED    9D              POPFD
 

really many :(

Edited by kismp123
Link to comment
  • 2 weeks later...

Quite easy iat redirection, just one instructio patch since there is one place where both correct api and it location are present.


The stolen code at OEP is good since involve init::exe also anyway it is possible to not rebuild it and the file works anyway.


Link to comment
  • 1 month later...

I really liked this one :)In attach: UnpackMe, UnpackMe MUPed, a couple of MultiASM snippets, notes, IAT Trees for both Scylla and ImportREC and a fixed/boosted "RLPack 1.21 VM Code Translater" script (credits to LCF-AT for the original work of course :))

UnpackMe_2 MUPed.7z

Edited by SmilingWolf
  • Like 2
Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...