Unpackme #1

[Sonny27]

here you go, topic caption should say enough.

greetz

MupMe_1.rar

[lena151]

Hi Sonny27, I have another one made by you lying around here.

People may find this one interesting too. Find it attached here :

lena151

PS Thanks for sharing !

[zako]

here you go, topic caption should say enough.

greetz

http://rapidshare.de/files/31738854/sonny27.rar.html

[pavka]

http://rapidshare.de/files/31757889/UnpackMupMe_1.rar

[mia]

How can i reach OEP. What is used to packed it PECompact or EXEStealth.

mia.....

[Sonny27]

Both is used and also PseudoSigner

well done, zako and pavka

greetz

[mia]

wow two packers plus an extra layer. I never saw anyone like this before. Nice unpackme sonny27 its oosing out my time please help me how to find oep. I know its oep is at 465ff4 so it can be easily dumped and repaied since it has only two unresolved pointers. But i can't find a way to reach oep. One more what is the order of the leyers; Exestealth-Pecompact-pseudo right ??...

mia...............

[Sonny27]

Yes, your order is right.

Ok, do the following:

2 times F8 until you?re over the PUSHAD. ESP --> Follow in Dump --> Mark first Bytes --> HWBP on access. F9 and you should be on a PUSH EAX --> remove HWBP --> Alt+M and MBP on access on code section.

Now we?re ready with ExeStealth.

Remove MBP and set a bp on VirtualFree --> two times F9 --> remove BP --> Alt+F9 to leave API --> trace over RETN --> Trace until JMP EAX and we?re done with PECompact.

You should be at PUHAD --> 2 times F7 to go into call and land at PUSH 465FF4 --> Trace over RETN and OEP is reached.

Now dump (i suggest you ollydump plugin for this) and fire up ImpRec. Enter OEP minus ImageBase and get imports. Size and RVA are ok. there should be 2 invalid thunks, don?t remove them but edit them to kernel32.GetProcAddress because these are emulated APIs of PECompact. Fix dump and you?re fine

greetz

[mia]

At last i got it, thankyou very much sunny.

I tried two more methods to reach oep and dump. Here it is

1) Press F8 untill ESP changes in to red-->Follow in dump-->Put HWBP on DWORD--> Ok now press F9 8 times. Now the pecompact is unpacked in memory (If disassembly still looks as data, remove analysis). Press F7 3 times and you are at the oep. Now dump and fix api as sunny said...

2) This is a dump method. Try only when you are lazy. On in this method try to find oep with peid oep finder, you will be informed with oep at 465ff4. Now write ' HE 465FF4 ' on the command line of olly and press enter. Now run the app and you will break at the oep. Dump and fix api...

mia............

[Sonny27]

In most cases there are more than one way to reach oep or al least unpack the target. but PEiD method is really lame, no learning effect or somethin?...

but your second method is also well.

greetz

[mia]

In most cases there are more than one way to reach oep or al least unpack the target. but PEiD method is really lame, no learning effect or somethin?...

but your second method is also well.

greetz

Yes sunny there are many ways to solve an unpackme. I also tried exceptions method; it also works. Once again thanks sunny it was a different experience for me.

mia.......