Posted December 24, 2014
Hello all, Are you alone too with Christmas like me? And don't know what to do? Then I will challenge you all to a new competition. I created an unpackme with self-made code, so no protector is used, all coded by me. The goal is to find the original entry point, or make a running dump. Good luck and merry Xmas.
1. Gold: SHADOW785
2. Silver: SmilingWolf
3. Bronze: GIV
Note: The unpackme doesn't run in WinXP for an unknown reason.
iChallengeYou UnpackMe #1.rar
Edited December 26, 2014 by iChallengeYou
December 24, 2014 Author
Nice work shadow, although it wasn't that hard. You won the gold medal. And yes, the first layer is ASPack to reduce the file size.
December 25, 2014
Very easy. Some stolen imports and some double packing...... I did not remove useless sections because it is Christmas day and I will go on a visit right away (I'm in a quick rush) .... See ya! Attached is ImpRec tree.
ichallengeyou unpackme #1_dump_.7z tree.txt
Edited December 25, 2014 by GIV
December 25, 2014 Author
"Very easy. Some stolen imports ... (I'm in a quick rush) ...."
Probably you had a very quick rush, because there are no stolen imports. Also the file is not unpacked correctly; you just unpacked the first layer, which is ASPack for file size reduction.
December 25, 2014
Sure. The OEP is: 005F74C0. But strange... under XP SP3 your file does not run (I have unpacked the first layer under 7 X64 and used the ESP stuff). It was my mistake that I did not double check whether it is the final OEP and not the second protector's OEP. Take a look at the attachment. I have made a video for you.
Desktop.7z
December 25, 2014 Author
Yes, as I told in the first post, for an unknown reason the packed file won't run in WinXP; the unpacked does. But thanks for spending time on my challenge.
December 26, 2014 Author
This time you got the right OEP, congrats for that, but you modified (or destroyed) the import table, which is not needed, so your dump is still not running here.
December 26, 2014
My try. This is as small as I could get it.
iChallengeYou UnpackMe #1_cleanup.7z
December 26, 2014
OK. Changed here: 722500A5 to NOP. IAT is clean. No more fake imports. Dump is running fine now. Maybe it was better to search for the redirection switch from the beginning.
iChallengeYou UnpackMe #1_dump_SCY.7z
December 26, 2014 Author
Nice job SmilingWolf! Giv, the dump is finally running, so good job. But I still do not understand why you touched the imports; I didn't modify/protect the import table at all. I will edit the first post to rank you, and be ready for the next challenge soon.
Edited December 26, 2014 by iChallengeYou
December 26, 2014
Either I'm stupid or Win 7 does something strange to imports. If I did not patch that address, the imports go crazy to other locations than they should. Noticed that with a PEP 5 unpackme also. XP is way better to unpack on than 7.
December 26, 2014
"Nice job SmilingWolf! Giv, the dump is finally running, so good job. But I still do not understand why you touched the imports; I didn't modify/protect the import table at all. I will edit the first post to rank you, and be ready for the next challenge soon."
Next time do an unpackme that runs on XP.
December 26, 2014 Author
"Next time do an unpackme that runs on XP."
Don't blame me, I can't help that you can't handle =>win7. But for the next challenge I hope the XP issue is solved by then.
December 28, 2014
Strange thing: The packed files crash under XP but the unpacked file runs fine. Conclusion: Badly implemented protection.