
Snd Unpackme #1



Posted

Here is SnD UnPackMe #1 :)

A quote from the included .nfo file:

Have a go at unpacking the SnD UnPackMe #1. It is not quite as straight forward as it may first look. There has been a couple of tricks applied to fool you. So... The solution is not just to unpack the file but also to discover some of the tricks that have been applied. Please leave your solutions at SnD forum in the appropriate forum area. Good luck!...

Ted.

snd_sndunpackme_1.unpackme.zip

Posted

good one written in delphi

and me is getting exception list error :( (

MaRKuS_TH-DJM
Posted

unpacked in 6 minutes :P

i will post solution only if ted thinks it is ok.

maybe someone tries it at the moment so i don't want to **** his day with solution ;)

Posted

I think the error is caused by the nice image :P

Jada^AoC

MaRKuS_TH-DJM
Posted

yeah, the nice image is a problem :P

hehe, checked da complete file... seems to be created with a cracked version of PicturesToExe :P

Teddy Rogers
Posted

Post your explanations here or write a small tut :)

Ted.

Posted

Cracked version of Picture2EXE? Well i only see unregistered strings :P

Jada^AoC

MaRKuS_TH-DJM
Posted

yeah, not the output file was cracked but the main-program which creates them ;-)

Explanations:

Teddy wrapped off the image off the file, packed it with ASPack and then put it on the end of the file (last Teddy-section). start point to read the file is the end of the file (FILE_END).

the exception olly throws out when opening file is caused by TLS-table on OS-loader. you can simply ignore it (SHIFT+F9) and go on with unpacking. after unpacking and import fixing (read tutorial on ASPack if you don't know), load original file into LordPE and save the last section to disc. but here's another nasty trick, he set the RSize to 0, thus will save exactly 0 bytes. in fact the section is 2910 bytes long, update the size to this value. not more, not less. now you can save it to disc. open unpacked file in LordPE and load the section from disc. after closing all the lordPE things, your unpacked file will run.

API-BPs used to get the nasty trick:

CreateFileA (Access to file and handle to file)

SetFilePointer (File position)

ReadFile (read the bytes @Address set by SetFilePointer API and save them to memory)

i don't think there's an explanation needed for this. i just used these APIs to see if it is a self-check or other thing. through SetFilePointer and ReadMemory i found out that the last section is needed.

not more to say.
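
The raw-size trick described in the post above, as an added example that is not part of the original thread: a static check that reads the PE section table and reports any section whose header declares a raw size of 0 while bytes are still present on disk at its raw pointer. The function names, the `.tail` section name and the sample file are constructed for illustration; the 2910-byte filler mirrors the figure quoted in the post, taken here as a decimal count.

```python
import struct

def parse_sections(data):
    """Return (name, virtual_size, raw_size, raw_ptr) for each PE section header."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe, = struct.unpack_from("<I", data, 0x3C)            # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    nsec, = struct.unpack_from("<H", data, pe + 6)        # NumberOfSections
    opt_size, = struct.unpack_from("<H", data, pe + 20)   # SizeOfOptionalHeader
    table = pe + 24 + opt_size                            # first section header
    secs = []
    for i in range(nsec):
        name, vsize, _va, rsize, rptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        secs.append((name.rstrip(b"\0").decode("latin-1"), vsize, rsize, rptr))
    return secs

def undeclared_data(data):
    """Return (declared_end, trailing_bytes, zero_rsize_sections_with_data)."""
    secs = parse_sections(data)
    declared_end = max((p + s for _, _, s, p in secs if s), default=0)
    findings = []
    for name, _vsize, rsize, rptr in secs:
        if rsize == 0 and 0 < rptr < len(data):
            # Data runs to the next section's raw pointer, or to end of file.
            stop = min([p for _, _, _, p in secs if p > rptr] + [len(data)])
            findings.append((name, rptr, stop - rptr))
    return declared_end, len(data) - declared_end, findings

def build_sample():
    """Constructed two-section PE; the last header declares a raw size of 0."""
    def sec(name, vsize, va, rsize, rptr):
        return struct.pack("<8sIIII12xI", name, vsize, va, rsize, rptr, 0x60000020)
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    hdr = dos + b"PE\0\0" + coff + b"\0" * 0xE0
    hdr += sec(b".text", 0x200, 0x1000, 0x200, 0x200)
    hdr += sec(b".tail", 0x1000, 0x2000, 0, 0x400)       # hypothetical name
    return hdr.ljust(0x200, b"\0") + b"\x90" * 0x200 + b"A" * 2910

if __name__ == "__main__":
    end, trailing, hits = undeclared_data(build_sample())
    print(f"declared raw data ends at {end:#x}, {trailing} bytes follow")
    for name, ptr, size in hits:
        print(f"section {name!r}: RSize=0 but {size} bytes on disk at {ptr:#x}")
```

A dump tool that trusts the header's raw size writes 0 bytes for such a section, which is why the size has to be corrected before the section can be saved and re-attached.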

  • 2 weeks later...
Teddy Rogers
Posted

Markus, I have looked at your explanation again a little closer. Can you write a tutorial for this on how to unpack it and explain a little further on what you did. ReadMemory?

Ted.

MaRKuS_TH-DJM
Posted

let's see if i have time ;) ReadMemory? it's not needed.

  • 11 months later...
Posted

unpacked in 1 minute

en, too easy!

Posted

lengxue write nice tut then :P

bye

Posted
lengxue write nice tut then :P

bye

004B1001 > 60 pushad /// F8
004B1002 E8 03000000 call SnD-UnPa.004B100A /// come here, what can you see? Mmmm………… yes ,it's ESP -----> hr 12ffa4 ---->F9
004B1007 - E9 EB045D45 jmp 45A814F7
004B100C 55 push ebp
004B100D C3 retn
004B100E E8 01000000 call SnD-UnPa.004B1014
004B1013 EB 5D jmp short SnD-UnPa.004B1072
004B1015 BB EDFFFFFF mov ebx,-13
004B101A 03DD add ebx,ebp

004B13B7 /75 01 jnz short SnD-UnPa.004B13BA /// come here ,F8
004B13B9 |40 inc eax
004B13BA \68 80BA4700 push SnD-UnPa.0047BA80
004B13BF C3 retn /// come here,F8 to the OEP :)

0047BA80 55 push ebp /// OEP ,Dump it
0047BA81 8BEC mov ebp,esp
0047BA83 83C4 E8 add esp,-18
0047BA86 53 push ebx
0047BA87 56 push esi
0047BA88 57 push edi
0047BA89 33C0 xor eax,eax
0047BA8B 8945 E8 mov dword ptr ss:[ebp-18],eax
0047BA8E 8945 F0 mov dword ptr ss:[ebp-10],eax
0047BA91 8945 EC mov dword ptr ss:[ebp-14],eax
0047BA94 B8 E0B64700 mov eax,SnD-UnPa.0047B6E0
0047BA99 E8 A69BF8FF call SnD-UnPa.00405644

Use the tool called "Import REConstructor 1.6 Final" to fix the unpacked file, and use the tool called "add to the [Overlay]" to fix.

That's all, thank you.

:hug::hug::hug:

  • 3 weeks later...
Posted
....

and use the tool called "add to the [Overlay]" to fix

....

Hi Friend

where i can get this tools ?

  • 3 weeks later...
Guest Incenlie
Posted

I can't download...

always stop 91kb in download..

:help

other link...

:worthy::worthy::worthy:


SND :thumbsup::thumbsup::thumbsup::thumbsup::thumbsup:

:wub::wub::wub::wub:

:sorc::sorc::sorc::sorc::sorc:

  • 1 year later...
Posted (edited)

Hehe, I know this topic is ancient. But I just got around to some of these unpackme's. It was fun, and yeah quite easy :D

aspack w/overlay

SnD_UnPacked_1.rar

How'd I do Teddy?

:EDIT:

Can't seem to locate a topic for Unpackme #2. Ok, it's similar so I post it in here then :D

SnD_UnPacked_2.rar

they were fun Teddy.

Edited by Fungus
