[UnpackMe] - iChallengeYou UnpackMe #1

[iChallengeYou]

Hello all, Are you alone too with Christmas like me? And don't know what to do, then i will challenge you all for a new competition. I created a unpackme with selfmade code, so none protector is used, all coded by me. The goal is to find the original entrypoint, or make a running dump.

 

Goodluck and merry xmas   

 

 

1. Gold: SHADOW785

2. Silver: SmilingWolf

3. Bronze: GIV

 

 

Note: The unpackme doesn't run in winXP for a unkown reason.

 

 

iChallengeYou UnpackMe #1.rar

Edited December 26, 2014 by iChallengeYou

[SHADOW_UA]

Isn't this ASPack?

 

Anyway...

iChallengeYou UnpackMe #1_Unpacked.zip

[iChallengeYou]

Nice work shadow, although it wasn't that hard. You won the gold medal

And yes the first layer is aspack to reduce the filesize.

[GIV]

Very easy.

Some stolen imports and some double packing......

I did not remove useless sections because is Christmas day and i will go in  a visit right away (i'm in a quick rush) ....

See ya!

Attached is ImpRec tree.

 

ichallengeyou unpackme #1_dump_.7z

tree.txt

Edited December 25, 2014 by GIV

[iChallengeYou]

Very easy.

Some stolen imports ... (i'm in a quick rush) ....

 

Probably you had a very quick rush because there are no stolen imports. Also the file is not unpacked correctly, you just unpacked the first layer which is Aspack for filesize reducing

[GIV]

Sure. I will review when i get more time. Was a 3 minutes job. Thank you!

[GIV]

Sure.

The OEP is:

 

005F74C0

But strange... under XP SP3 your file does not run ( i have unpacked the first layer under 7 X64 and used the ESP stuff).

Was my mistake that i have not double checked if is the final OEP not the second protector OEP.

Take a look in attach. I have made a video for you.

 

Desktop.7z

[iChallengeYou]

Yes as I told in the first post for a unkown reason the packed file won't run in winxp, the unpacked does.

But thanks for spending time to my challenge

[GIV]

OK.

I think this will be suitable.

 

ichallengeyou unpackme #1_dump_.7z

[iChallengeYou]

This time you got the rigth oep, congrats for that , but you modified (or destroyed) the import-table which is not needed, so your dump still not running here.

[GIV]

Strange thing.

The dump was running fine then.

Now it crash.

I hate WIN 7.

[SmilingWolf]

My try. This is as small as I could get it.

iChallengeYou UnpackMe #1_cleanup.7z

[GIV]

OK.

Changed here:

 

722500A5

to

NOP

 

IAT is clean. No more fake imports.

Dump is running fine now.

Maybe it was better to search for the redirection switch from the beginning.

 

iChallengeYou UnpackMe #1_dump_SCY.7z

[iChallengeYou]

Nice job SmilingWolf!

 

Giv, the dump is finally running, so good job

But i still do not understand why you touch the imports, i didn't modified/protected the import-table at all.

 

I will edit the first post to rank you, and be ready for the next challenge soon

Edited December 26, 2014 by iChallengeYou

[GIV]

Or i'm stupid or Win 7 does something strange to imports.

If i did not patch that address the imports are going crazy to other locations as it should be.

Noticed that to a PEP 5 unpackme also.

XP is way better to unpack than 7.

[GIV]

Nice job SmilingWolf!

Giv, the dump is finally running, so good job

But i still do not understand why you touch the imports, i didn't modified/protected the import-table at all.

I will edit the first post to rank you, and be ready for the next challenge soon

Next time do a unpackme that runs on XP.

[iChallengeYou]

Next time do a unpackme that runs on XP.

 

Don't blame me, i can't help that you can't handle =>win7

 

But for the next challenge i hope the xp issue is solved for then.

[GIV]

Strange thing:

The packed files crash under XP but the unpacked file runs fine.

Conclusion:

Badly implemented protection.