Hello all, Are you alone too with Christmas like me? And don't know what to do, then i will challenge you all for a new competition. I created a unpackme with selfmade code, so none protector is used, all coded by me. The goal is to find the original entrypoint, or make a running dump.

 

Goodluck and merry xmas   

 

 

1. Gold: SHADOW785

2. Silver: SmilingWolf

3. Bronze: GIV

 

 

Note: The unpackme doesn't run in winXP for a unkown reason.

 

 

iChallengeYou UnpackMe #1.rar

Edited December 26, 201410 yr by iChallengeYou

Isn't this ASPack?

 

Anyway...

iChallengeYou UnpackMe #1_Unpacked.zip

Nice work shadow, although it wasn't that hard. You won the gold medal

And yes the first layer is aspack to reduce the filesize.

Very easy.

Some stolen imports and some double packing......

I did not remove useless sections because is Christmas day and i will go in  a visit right away (i'm in a quick rush) ....

See ya!

Attached is ImpRec tree.

 

ichallengeyou unpackme #1_dump_.7z

tree.txt

Edited December 25, 201410 yr by GIV

Very easy.

Some stolen imports ... (i'm in a quick rush) ....

 

Probably you had a very quick rush because there are no stolen imports. Also the file is not unpacked correctly, you just unpacked the first layer which is Aspack for filesize reducing

Sure. I will review when i get more time. Was a 3 minutes job. Thank you!

Sure.

The OEP is:

 

005F74C0

But strange... under XP SP3 your file does not run ( i have unpacked the first layer under 7 X64 and used the ESP stuff).

Was my mistake that i have not double checked if is the final OEP not the second protector OEP.

Take a look in attach. I have made a video for you.

 

Desktop.7z

Yes as I told in the first post for a unkown reason the packed file won't run in winxp, the unpacked does.

But thanks for spending time to my challenge

OK.

I think this will be suitable.

 

ichallengeyou unpackme #1_dump_.7z

This time you got the rigth oep, congrats for that , but you modified (or destroyed) the import-table which is not needed, so your dump still not running here.

Strange thing.

The dump was running fine then.

Now it crash.

I hate WIN 7.

My try. This is as small as I could get it.

iChallengeYou UnpackMe #1_cleanup.7z

OK.

Changed here:

 

722500A5

to

NOP

 

IAT is clean. No more fake imports.

Dump is running fine now.

Maybe it was better to search for the redirection switch from the beginning.

 

iChallengeYou UnpackMe #1_dump_SCY.7z

Nice job SmilingWolf!

 

Giv, the dump is finally running, so good job

But i still do not understand why you touch the imports, i didn't modified/protected the import-table at all.

 

I will edit the first post to rank you, and be ready for the next challenge soon

Edited December 26, 201410 yr by iChallengeYou

Or i'm stupid or Win 7 does something strange to imports.

If i did not patch that address the imports are going crazy to other locations as it should be.

Noticed that to a PEP 5 unpackme also.

XP is way better to unpack than 7.

Nice job SmilingWolf!

Giv, the dump is finally running, so good job

But i still do not understand why you touch the imports, i didn't modified/protected the import-table at all.

I will edit the first post to rank you, and be ready for the next challenge soon

Next time do a unpackme that runs on XP.

Next time do a unpackme that runs on XP.

 

Don't blame me, i can't help that you can't handle =>win7

 

But for the next challenge i hope the xp issue is solved for then.

Strange thing:

The packed files crash under XP but the unpacked file runs fine.

Conclusion:

Badly implemented protection.