Jump to content
Tuts 4 You

[unpackme] PEP 5.0.0


SHADOW_UA
Go to solution Solved by Raham,

Recommended Posts

Hi,Nice unpackme.


 


Found IAT Redirection VA :



0F0172EF 75 07 jnz short 0F0172F8

Mod 'jnz' to 'jmp' then you will get all real API Addr.


 


And the next  is rebuilding its resource structure.

  • Like 1
Link to comment
Share on other sites

nicely done raham...

though, is the rediculous image size (on the crackme) actually correct? or (as im guessing) is it some silly anti dump thing?

Link to comment
Share on other sites

nicely done raham...

though, is the rediculous image size (on the crackme) actually correct? or (as im guessing) is it some silly anti dump thing?

 

 

=> As you guessed, the anti dump is not effective, and its useless also in PE Structure

Edited by Raham
Link to comment
Share on other sites

I think the purpose with the gigantic imagesize on the pe is so that the memory needed to allocate the image is much bigger and hence to slow down your  debugger - proves effective here as it is so annoying that every single operation on the debugger is so slow.


 


(http://puu.sh/c4ls1/9d80220c9d.png)


Edited by xSRTsect
Link to comment
Share on other sites

I think the purpose with the gigantic imagesize on the pe is so that the memory needed to allocate the image is much bigger and hence to slow down your  debugger - proves effective here as it is so annoying that every single operation on the debugger is so slow.

 

(http://puu.sh/c4ls1/9d80220c9d.png)

I do the following.

Find OEP witch is not obfuscated.

Restore all imports.

Next i see that resources are messed up.

I have almost no idea if resource rebuilding but i will search.

I saw also that the process have a TLS callback.

Link to comment
Share on other sites

But can you actually debugg that thing ? I have even thought about reducing the size of section #2 but then I thought that the use of memory could be fragmented - thats what I would do.

Link to comment
Share on other sites

Anyway - if you are running into trouble dumping the actual file theres a trick you can do, it worked with me, that is you can patch (on the fly patch - otherwise you will be caught by PEP crc check for anti corrupted file) all sections to read/write so that when ollydump tries to dump the file it won't tell you it can't access the memory. But there seem to be some imports coming from the dll, at first I thought these were emulations from standard system api calls but they seem to be chunks of actual code in the dll, so I have no clue.


Edited by xSRTsect
Link to comment
Share on other sites

About CRC.

It depends on what method of unpack is used, what imports fixing tool is used etc. Even if a byte is changed regarding another file the CRC is different.

Edited by GIV
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...