Sonny27 Posted September 2, 2006
Here you go, topic caption should say enough.
greetz
Attachment: MupMe_1.rar
lena151 Posted September 2, 2006
Hi Sonny27, I have another one made by you lying around here. People may find this one interesting too. Find it attached here :)
lena151
PS Thanks for sharing!
zako Posted September 2, 2006
Here you go, topic caption should say enough.
greetz
http://rapidshare.de/files/31738854/sonny27.rar.html
pavka Posted September 3, 2006
http://rapidshare.de/files/31757889/UnpackMupMe_1.rar
mia Posted September 3, 2006
How can I reach the OEP? What is used to pack it, PECompact or EXEStealth?
mia
Sonny27 (Author) Posted September 3, 2006
Both are used, and also PseudoSigner. Well done, zako and pavka.
greetz
mia Posted September 3, 2006
Wow, two packers plus an extra layer. I never saw one like this before. Nice unpackme, sonny27, it's eating up my time. Please help me how to find the OEP. I know its OEP is at 465ff4, so it can be easily dumped and repaired since it has only two unresolved pointers. But I can't find a way to reach the OEP. One more: what is the order of the layers, Exestealth-Pecompact-pseudo, right??
mia
Sonny27 (Author) Posted September 3, 2006
Yes, your order is right. Ok, do the following:
2 times F8 until you're over the PUSHAD. ESP --> Follow in Dump --> Mark first Bytes --> HWBP on access. F9 and you should be on a PUSH EAX --> remove HWBP --> Alt+M and MBP on access on code section. Now we're ready with ExeStealth.
Remove MBP and set a BP on VirtualFree --> two times F9 --> remove BP --> Alt+F9 to leave API --> trace over RETN --> Trace until JMP EAX and we're done with PECompact.
You should be at PUSHAD --> 2 times F7 to go into call and land at PUSH 465FF4 --> Trace over RETN and OEP is reached.
Now dump (I suggest the OllyDump plugin for this) and fire up ImpREC. Enter OEP minus ImageBase and get imports. Size and RVA are ok. There should be 2 invalid thunks; don't remove them but edit them to kernel32.GetProcAddress because these are emulated APIs of PECompact. Fix dump and you're fine.
greetz
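The "Enter OEP minus ImageBase" step above is the usual VA-to-RVA conversion that import fixers expect, and the "code section" the memory breakpoint goes on is whatever section the OEP's RVA lands in. The script below walks a PE32 header to do both: it converts a debugger-found OEP into its RVA, names the section it falls in, and compares it with the header's AddressOfEntryPoint, which in a packed file points at the packer stub rather than the OEP. This is an added example and not code posted in the thread; the PE image it parses is constructed in memory (the 0x400000 ImageBase, the 0x69000 stub location and the section layout are assumptions), and only the OEP value 0x465FF4 is taken from the thread.

```python
"""Walk a PE32 header to convert a debugger-found OEP (a virtual address) into
the RVA that import-fixing tools take, and report which section it lands in.
Added example for this thread; the PE blob below is constructed, not the
thread's unpackme. Only the OEP 0x465FF4 is taken from the thread."""
import struct

IMAGE_BASE = 0x400000   # assumed ImageBase (OEP 0x465FF4 -> RVA 0x65FF4)
OEP_VA = 0x465FF4       # OEP as found in the debugger in the thread
STUB_RVA = 0x69000      # constructed: where the header entry point (packer stub) lives


def build_sample_pe():
    """Construct a minimal PE32 header blob whose header entry point sits in a
    fake '.stub' section, as a packed file's would, while the OEP is in .text."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)           # e_lfanew -> PE signature
    # IMAGE_FILE_HEADER: Machine i386, 4 sections, SizeOfOptionalHeader 0xE0
    coff = struct.pack("<HHIIIHH", 0x14C, 4, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)                              # IMAGE_OPTIONAL_HEADER32
    struct.pack_into("<H", opt, 0, 0x10B)              # Magic: PE32
    struct.pack_into("<I", opt, 16, STUB_RVA)          # AddressOfEntryPoint (stub, not OEP)
    struct.pack_into("<I", opt, 28, IMAGE_BASE)        # ImageBase
    struct.pack_into("<I", opt, 32, 0x1000)            # SectionAlignment
    struct.pack_into("<I", opt, 36, 0x200)             # FileAlignment
    struct.pack_into("<I", opt, 56, 0x6A000)           # SizeOfImage
    sections = b""
    # (Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)
    for name, vsize, va, rsize, raw in [
        (b".text", 0x65000, 0x1000, 0x65000, 0x400),
        (b".rdata", 0x2000, 0x66000, 0x2000, 0x65400),
        (b".data", 0x1000, 0x68000, 0x1000, 0x67400),
        (b".stub", 0x1000, STUB_RVA, 0x1000, 0x68400),
    ]:
        sections += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"),
                                vsize, va, rsize, raw, 0, 0, 0, 0, 0)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sections


def parse_pe(blob):
    """Read ImageBase, AddressOfEntryPoint, SizeOfImage and the section table."""
    if blob[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff_off = e_lfanew + 4
    _machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", blob, coff_off)
    opt_off = coff_off + 20
    if struct.unpack_from("<H", blob, opt_off)[0] != 0x10B:
        raise ValueError("only PE32 is handled in this example")
    entry_rva = struct.unpack_from("<I", blob, opt_off + 16)[0]
    image_base = struct.unpack_from("<I", blob, opt_off + 28)[0]
    size_of_image = struct.unpack_from("<I", blob, opt_off + 56)[0]
    sections = []
    sec_off = opt_off + opt_size
    for i in range(nsections):
        name, vsize, va, rsize, raw = struct.unpack_from("<8sIIII", blob, sec_off + i * 40)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va,
                         "vsize": vsize, "rsize": rsize, "raw": raw})
    return {"image_base": image_base, "entry_rva": entry_rva,
            "size_of_image": size_of_image, "sections": sections}


def va_to_rva(pe, va):
    """OEP minus ImageBase, with a bounds check against SizeOfImage."""
    rva = va - pe["image_base"]
    if not 0 <= rva < pe["size_of_image"]:
        raise ValueError(f"VA {va:#x} is outside the image")
    return rva


def section_for_rva(pe, rva):
    """Return the section header whose virtual range contains rva, or None."""
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rsize"]):
            return s
    return None


def describe_oep(blob, oep_va):
    """Collect what an unpacker needs before running an import fixer."""
    pe = parse_pe(blob)
    oep_rva = va_to_rva(pe, oep_va)
    oep_sec = section_for_rva(pe, oep_rva)
    ep_sec = section_for_rva(pe, pe["entry_rva"])
    return {
        "oep_rva": oep_rva,                      # value to type into the import fixer
        "oep_section": oep_sec["name"] if oep_sec else None,
        "header_entry_rva": pe["entry_rva"],
        "header_entry_section": ep_sec["name"] if ep_sec else None,
        # a header EP that differs from the OEP and lives outside .text is the usual stub sign
        "entry_differs_from_oep": pe["entry_rva"] != oep_rva,
    }


if __name__ == "__main__":
    for key, value in describe_oep(build_sample_pe(), OEP_VA).items():
        print(f"{key}: {value:#x}" if type(value) is int else f"{key}: {value}")
```

Running it on the constructed blob gives `oep_rva: 0x65ff4` in `.text`, while the header entry point resolves to the `.stub` section, which is the mismatch you expect to see before dumping at the real OEP.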
mia Posted September 4, 2006
At last I got it, thank you very much Sonny. I tried two more methods to reach the OEP and dump. Here they are:
1) Press F8 until ESP changes to red --> Follow in dump --> Put HWBP on DWORD --> Ok, now press F9 8 times. Now PECompact is unpacked in memory (if the disassembly still looks like data, remove analysis). Press F7 3 times and you are at the OEP. Now dump and fix the API as Sonny said.
2) This is a dumb method. Try it only when you are lazy. In this method try to find the OEP with the PEiD OEP finder; you will be informed the OEP is at 465ff4. Now write ' HE 465FF4 ' on the command line of Olly and press enter. Now run the app and you will break at the OEP. Dump and fix the API.
mia
Sonny27 (Author) Posted September 4, 2006
In most cases there is more than one way to reach the OEP or at least unpack the target, but the PEiD method is really lame, no learning effect or somethin'... but your second method is also fine.
greetz
mia Posted September 4, 2006
Quote (Sonny27): In most cases there is more than one way to reach the OEP or at least unpack the target, but the PEiD method is really lame, no learning effect or somethin'... but your second method is also fine. greetz
Yes Sonny, there are many ways to solve an unpackme. I also tried the exceptions method; it also works. Once again thanks Sonny, it was a different experience for me.
mia