Thread: Crypkey 7.1 DLL Unpack

  1. #1

    Question Crypkey 7.1 DLL Unpack

    I'm unpacking a DLL protected by Crypkey packer and what I did is the following:

    1) Dumped the entire DLL, with a .text section full of int 3 (CC).
    2) Found the nano table in the ck*.tmp process and created an OK .text section.
    3) Merged this OK section into the dumped file.
    4) Imported this .text section into the current running process to restore the IAT.
    5) Used IMPREC to restore the import table.

    But here comes my problem. The import table is not redirecting to the real function address entry, for example

    Code:
    10017E37  |. 8B1D 2CF20210  MOV EBX,DWORD PTR DS:[<&kernel32.GetProcessHeap>]
    10017E3D  |. BF 94000000    MOV EDI,94
    10017E42  |. 57             PUSH EDI
    10017E43  |. 6A 00          PUSH 0
    10017E45  |. FFD3           CALL EBX                         ; [GetProcessHeap
    The EBX value is: 00058A68
    The real GetProcessHeap Address is: 7C80AC61 in kernel32.dll

    Actually, in the import table, it's written 00058A68 for this function. When I try to manually write the real address in the DLL, I get an invalid DLL file.

    Does anybody know how I can solve this?

    Thanks in advance
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    That looks normal. 00058A68 is the GetProcessHeap entry address in the IAT. 7C80AC61 is the address pointed to by the DWORD at 00058A68.

  3. #3
    But it calls:
    CALL EBX=CALL 00058A68
    I get an error on this.

    Something is missing to link the 00058A68 to 7C80AC61.

  4. #4
    Here is the ImpREC result. The thunk RVA and thunk offset must not be the same.

    http://i49.tinypic.com/2rh0175.png

    See the attached files:
    LMS.DLL - original file
    teste.dll - dumped file with reconstructed .text section
    teste.dll_ - dumped file w/ import table reconstructed.

    I attached to this post the following detailed steps that I performed.

    Help me to solve this issue.

    Thx
    Last edited by tazBRC; March 5th, 2010 at 09:24.

  5. #5
    With a plethora of tools to generate valid CrypKey licenses why bother with unpacking anything - unless you are educating yourself - just running the protected proggie and usually the keys are plainly displayed out in the open, it does take a little cognition on your part but you'll "get it".

    SiGiNT
    Unemployed old fart Geek - Self Employed Annoyance
    Team: Noobisco Crackers
    If someone can't do it for you, you'll never learn!

  6. #6
    Yes, but this is not the point.
    I already generated valid site code for the app, but as you said, I want to unpack this app.

    The DLL performs GetProcAddress on all functions and restores the IAT; maybe I must implement this code at the DLL entry point.
