Jump to content
Tuts 4 You

[unpackme] PEP 5.0.0

SHADOW_UA

By SHADOW_UA
in UnPackMe

 Share
Go to solution Solved by Raham,

Recommended Posts

White

White

Posted
Posted

Hi,Nice unpackme.


 


Found IAT Redirection VA :




0F0172EF      75 07          jnz short 0F0172F8

Mod 'jnz' to 'jmp' then you will get all real API Addr.


 


And the next  is rebuilding its resource structure.

  • Like 1
evlncrn8

evlncrn8

Posted
Posted

nicely done raham...

though, is the rediculous image size (on the crackme) actually correct? or (as im guessing) is it some silly anti dump thing?

Raham

Raham

Posted
Posted (edited)

nicely done raham...

though, is the rediculous image size (on the crackme) actually correct? or (as im guessing) is it some silly anti dump thing?

 

 

=> As you guessed, the anti dump is not effective, and its useless also in PE Structure

Edited by Raham
xSRTsect

xSRTsect

Posted
Posted (edited)

I think the purpose with the gigantic imagesize on the pe is so that the memory needed to allocate the image is much bigger and hence to slow down your  debugger - proves effective here as it is so annoying that every single operation on the debugger is so slow.


 


(http://puu.sh/c4ls1/9d80220c9d.png)


Edited by xSRTsect
kuazi GA

kuazi GA

Posted
Posted

Licensing system have change??


GIV

GIV

Posted
Posted

I think the purpose with the gigantic imagesize on the pe is so that the memory needed to allocate the image is much bigger and hence to slow down your  debugger - proves effective here as it is so annoying that every single operation on the debugger is so slow.

 

(http://puu.sh/c4ls1/9d80220c9d.png)

I do the following.

Find OEP witch is not obfuscated.

Restore all imports.

Next i see that resources are messed up.

I have almost no idea if resource rebuilding but i will search.

I saw also that the process have a TLS callback.

xSRTsect

xSRTsect

Posted
Posted

But can you actually debugg that thing ? I have even thought about reducing the size of section #2 but then I thought that the use of memory could be fragmented - thats what I would do.

GIV

GIV

Posted
Posted

After some minutes my Olly responds and run the thing.


You can see the near OEP call in the stack.


xSRTsect

xSRTsect

Posted
Posted (edited)

Anyway - if you are running into trouble dumping the actual file theres a trick you can do, it worked with me, that is you can patch (on the fly patch - otherwise you will be caught by PEP crc check for anti corrupted file) all sections to read/write so that when ollydump tries to dump the file it won't tell you it can't access the memory. But there seem to be some imports coming from the dll, at first I thought these were emulations from standard system api calls but they seem to be chunks of actual code in the dll, so I have no clue.


Edited by xSRTsect
SmilingWolf

SmilingWolf

Posted
Posted

MUPed and sections' VirtualSize reduced to the bare minimum for great (debugging) justice!


Tested on Win7 x64 (real) and Win XP SP3 (VBox).


UnpackME_MUPed.7z

  • Like 1
xSRTsect

xSRTsect

Posted
Posted

but how do you guys deal with the imports that are called from the dll?


xSRTsect

xSRTsect

Posted
Posted (edited)

hooo sorry kalach, I thought you were submitting a new solution :/


Edited by xSRTsect
GIV

GIV

Posted
Posted (edited)

About CRC.

It depends on what method of unpack is used, what imports fixing tool is used etc. Even if a byte is changed regarding another file the CRC is different.

Edited by GIV

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing
×
×
  • Create New...