Tuts 4 You

Snd Unpackme #1


Teddy Rogers


Here is SnD UnPackMe #1 :)

A quote from the included .nfo file:

Have a go at unpacking the SnD UnPackMe #1. It is not quite as straight forward as it may first look. There has been a couple of tricks applied to fool you. So... The solution is not just to unpack the file but also to discover some of the tricks that have been applied. Please leave your solutions at SnD forum in the appropriate forum area. Good luck!...

Ted.

snd_sndunpackme_1.unpackme.zip

MaRKuS_TH-DJM

unpacked in 6 minutes :P

I will post the solution only if Ted thinks it is ok.

Maybe someone is trying it at the moment, so I don't want to **** his day with the solution ;)

MaRKuS_TH-DJM

yeah, the nice image is a problem :P

hehe, checked da complete file... seems to be created with a cracked version of PicturesToExe :P

MaRKuS_TH-DJM

yeah, not the output file was cracked but the main program which creates them ;-)

Explanations:

Teddy wrapped off the image from the file, packed it with ASPack and then put it on the end of the file (last Teddy section). The start point to read the file is the end of the file (FILE_END).

The exception Olly throws when opening the file is caused by the TLS table on the OS loader. You can simply ignore it (SHIFT+F9) and go on with unpacking. After unpacking and import fixing (read a tutorial on ASPack if you don't know), load the original file into LordPE and save the last section to disc. But here's another nasty trick: he set the RSize to 0, thus it will save exactly 0 bytes. In fact the section is 2910 bytes long; update the size to this value, not more, not less. Now you can save it to disc. Open the unpacked file in LordPE and load the section from disc. After closing all the LordPE things, your unpacked file will run.

API-BPs used to get the nasty trick:

CreateFileA (Access to file and handle to file)

SetFilePointer (File position)

ReadFile (read the bytes @Address set by SetFilePointer API and save them to memory)

I don't think there's an explanation needed for this. I just used these APIs to see if it is a self-check or some other thing. Through SetFilePointer and ReadMemory I found out that the last section is needed.

not more to say.

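A static check for the RSize-0 trick Markus describes, as an added example (my code, not the thread's): it walks the section table of a PE32 image, reports whether the TLS directory entry is set (the source of the loader exception) and, when the last section claims zero raw bytes while data still sits past its raw pointer, reports how many bytes run from that pointer to FILE_END. The PE32 skeleton it builds, its section names and the TLS values are constructed for the demo and are not the unpackme's own.

```python
import struct

PE32_OPT_HDR_SIZE = 0xE0  # PE32 optional header incl. 16 data directories
TLS_DIR_INDEX = 9         # IMAGE_DIRECTORY_ENTRY_TLS

def parse_pe(data):
    """Return (tls_present, sections) for a PE32 image held in memory."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    coff = e_lfanew + 4
    _, n_sections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    # Data directories start at offset 96 of a PE32 optional header; entry 9 is TLS
    tls_rva, tls_size = struct.unpack_from("<II", data, opt + 96 + TLS_DIR_INDEX * 8)
    sections, off = [], opt + opt_size
    for _ in range(n_sections):
        name, vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", data, off)
        sections.append({"name": name.rstrip(b"\0").decode(), "vsize": vsize,
                         "vaddr": vaddr, "rsize": rsize, "rptr": rptr})
        off += 40  # a full IMAGE_SECTION_HEADER is 40 bytes
    return (tls_rva != 0 or tls_size != 0), sections

def find_hidden_tail(data):
    """Flag a last section whose SizeOfRawData is 0 although file bytes exist
    past its PointerToRawData; return (name, bytes_to_file_end) or None."""
    _, sections = parse_pe(data)
    last = sections[-1]
    if last["rsize"] == 0 and 0 < last["rptr"] < len(data):
        return last["name"], len(data) - last["rptr"]
    return None  # raw size 0 with nothing behind it is a genuinely empty section

def build_sample(tail_len=2910):
    """Constructed PE32 skeleton (not a runnable executable): a .text section
    plus a last section with raw size 0 and tail_len bytes appended behind it."""
    hdr = bytearray(512)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 64)                         # e_lfanew
    hdr[64:68] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, 68, 0x14C, 2, 0, 0, 0, PE32_OPT_HDR_SIZE, 0x102)
    opt = 88
    struct.pack_into("<H", hdr, opt, 0x10B)                       # PE32 magic
    struct.pack_into("<II", hdr, opt + 96 + TLS_DIR_INDEX * 8, 0x5000, 24)  # TLS dir set
    sec = opt + PE32_OPT_HDR_SIZE
    struct.pack_into("<8sIIII", hdr, sec, b".text", 0x1000, 0x1000, 512, 512)
    struct.pack_into("<8sIIII", hdr, sec + 40, b".teddy", tail_len, 0x2000, 0, 1024)
    return bytes(hdr) + b"\x90" * 512 + b"T" * tail_len
```

`find_hidden_tail(build_sample())` returns `('.teddy', 2910)`, the value LordPE has to be told before it will save the section; on a real file the same length check tells you how many bytes to enter.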
Teddy Rogers

Markus, I have looked at your explanation again a little closer. Can you write a tutorial for this on how to unpack it and explain a little further on what you did. ReadMemory?

Ted.

lengxue

write nice tut then :P

bye

004B1001 >  60             pushad                           /// F8
004B1002    E8 03000000    call SnD-UnPa.004B100A           /// come here, what can you see? Mmmm... yes, it's ESP -----> hr 12ffa4 ----> F9
004B1007  - E9 EB045D45    jmp 45A814F7
004B100C    55             push ebp
004B100D    C3             retn
004B100E    E8 01000000    call SnD-UnPa.004B1014
004B1013    EB 5D          jmp short SnD-UnPa.004B1072
004B1015    BB EDFFFFFF    mov ebx,-13
004B101A    03DD           add ebx,ebp
004B13B7   /75 01          jnz short SnD-UnPa.004B13BA      /// come here, F8
004B13B9   |40             inc eax
004B13BA   \68 80BA4700    push SnD-UnPa.0047BA80
004B13BF    C3             retn                             /// come here, F8 to the OEP :)
0047BA80    55             push ebp                         /// OEP, dump it
0047BA81    8BEC           mov ebp,esp
0047BA83    83C4 E8        add esp,-18
0047BA86    53             push ebx
0047BA87    56             push esi
0047BA88    57             push edi
0047BA89    33C0           xor eax,eax
0047BA8B    8945 E8        mov dword ptr ss:[ebp-18],eax
0047BA8E    8945 F0        mov dword ptr ss:[ebp-10],eax
0047BA91    8945 EC        mov dword ptr ss:[ebp-14],eax
0047BA94    B8 E0B64700    mov eax,SnD-UnPa.0047B6E0
0047BA99    E8 A69BF8FF    call SnD-UnPa.00405644

Use the tool called "Import REConstructor 1.6 Final" to fix the unpacked file, and use the tool called "add to the [Overlay]" to fix it. That's all, thank you.

:hug::hug::hug:

Guest Incenlie

I can't download...

always stop 91kb in download..

:help

other link...

:worthy::worthy::worthy:


SND :thumbsup::thumbsup::thumbsup::thumbsup::thumbsup:

:wub::wub::wub::wub:

:sorc::sorc::sorc::sorc::sorc:


Hehe, I know this topic is ancient. But I just got around to some of these unpackmes. It was fun, and yeah quite easy :D

aspack w/overlay

SnD_UnPacked_1.rar

How'd I do Teddy?

:EDIT:

Can't seem to locate a topic for Unpackme #2. Ok, it's similar so I post it in here then :D

SnD_UnPacked_2.rar

they were fun Teddy.

Edited by Fungus
