Tuts 4 You

Unpackme #1


Sonny27


Hi Sonny27, I have another one made by you lying around here.

People may find this one interesting too. Find it attached here:

lena151

PS: Thanks for sharing!


Wow, two packers plus an extra layer. I never saw anyone like this before. Nice unpackme Sonny27, it's oozing out my time, please help me how to find the OEP. I know its OEP is at 465ff4 so it can be easily dumped and repaired since it has only two unresolved pointers. But I can't find a way to reach the OEP. One more: what is the order of the layers; ExeStealth-PECompact-pseudo, right??...

mia...............


Yes, your order is right.

Ok, do the following:

2 times F8 until you're over the PUSHAD. ESP --> Follow in Dump --> Mark first Bytes --> HWBP on access. F9 and you should be on a PUSH EAX --> remove HWBP --> Alt+M and MBP on access on code section.

Now we're ready with ExeStealth.

Remove MBP and set a BP on VirtualFree --> two times F9 --> remove BP --> Alt+F9 to leave API --> trace over RETN --> Trace until JMP EAX and we're done with PECompact.

You should be at PUSHAD --> 2 times F7 to go into call and land at PUSH 465FF4 --> Trace over RETN and OEP is reached.

Now dump (I suggest the OllyDump plugin for this) and fire up ImpRec. Enter OEP minus ImageBase and get imports. Size and RVA are ok. There should be 2 invalid thunks, don't remove them but edit them to kernel32.GetProcAddress because these are emulated APIs of PECompact. Fix dump and you're fine.

greetz
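The "OEP minus ImageBase" step above is just a PE header calculation, so here is a small added example (not code from the thread or any of the posters) that reads ImageBase and the section table from a PE32 image, converts the OEP VA to the RVA ImpRec expects, checks that it actually lands inside a section, and patches AddressOfEntryPoint the way a dump-fixer does. The header bytes are constructed inline and are not the real unpackme; the 0x465FF4 OEP and 0x400000 ImageBase are the values assumed from the thread.

```python
import struct

# Constructed minimal PE32 header (not a real dump): ImageBase 0x400000,
# .text at RVA 0x1000 covering 0x65000 bytes, .data right after it.
def build_sample_header() -> bytearray:
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                 # e_lfanew -> "PE\0\0" at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                  # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)                # AddressOfEntryPoint = packer stub
    struct.pack_into("<I", opt, 28, 0x400000)              # ImageBase

    def section(name, va, vsize):
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ... , Characteristics
        return struct.pack("<8sIIIIIIHHI", name, vsize, va, vsize, va, 0, 0, 0, 0, 0x60000020)

    return (dos + b"PE\0\0" + coff + opt
            + section(b".text", 0x1000, 0x65000) + section(b".data", 0x66000, 0x2000))

def oep_to_rva(image: bytes, oep_va: int):
    """Return (rva, section name) for an OEP VA: the 'OEP minus ImageBase' ImpRec asks for."""
    pe = struct.unpack_from("<I", image, 0x3C)[0]
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", image, pe + 6)[0]       # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", image, pe + 20)[0]  # COFF SizeOfOptionalHeader
    opt = pe + 24
    image_base = struct.unpack_from("<I", image, opt + 28)[0]
    rva = oep_va - image_base
    sec = opt + opt_size                                    # section table follows optional header
    for i in range(nsec):
        name, vsize, va = struct.unpack_from("<8sII", image, sec + 40 * i)
        if va <= rva < va + vsize:
            return rva, name.rstrip(b"\0").decode()
    # An OEP outside every section means the VA or the dump is wrong; refuse rather than guess.
    raise ValueError(f"RVA {rva:#x} is outside every section")

def set_entry_point(image: bytes, oep_va: int) -> bytearray:
    """Patch AddressOfEntryPoint to the OEP RVA, as a dump-fixer does after dumping at OEP."""
    rva, _ = oep_to_rva(image, oep_va)
    fixed = bytearray(image)
    pe = struct.unpack_from("<I", image, 0x3C)[0]
    struct.pack_into("<I", fixed, pe + 24 + 16, rva)
    return fixed
```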


At last I got it, thank you very much Sonny.

I tried two more methods to reach the OEP and dump. Here it is:

1) Press F8 until ESP changes to red --> Follow in dump --> Put HWBP on DWORD --> Ok, now press F9 8 times. Now PECompact is unpacked in memory (if the disassembly still looks like data, remove analysis). Press F7 3 times and you are at the OEP. Now dump and fix the API as Sonny said...

2) This is a dump method. Try it only when you are lazy. In this method try to find the OEP with the PEiD OEP finder; you will be informed of the OEP at 465ff4. Now write ' HE 465FF4 ' on the command line of Olly and press enter. Now run the app and you will break at the OEP. Dump and fix the API...

mia............


In most cases there is more than one way to reach the OEP or at least unpack the target. But the PEiD method is really lame, no learning effect or somethin'...

But your second method is also good.

greetz


Yes Sonny, there are many ways to solve an unpackme. I also tried the exceptions method; it also works. Once again thanks Sonny, it was a different experience for me.

mia.......
