
Thread: Unpacking Tag&Rename..

  1. #1

    Unpacking Tag&Rename..

    Greetings on the board,
    I haven't posted anything for a long time since I've somehow been away from the cracking scene for a long time.
    But the other day I decided to try to manually unpack Tag&Rename (latest version). But after trying for some time, I need some help. I have unsuccessfully been trying to find the OEP by breaking on some of the APIs. But so far I haven't found anything that doesn't require a lot of single-step tracing afterwards.
    Could someone who has been looking at this program please tell me how they found the OEP? And how they managed to dump from there?

    All kinds of hints will be appreciated...

    regards,
    hobgoblin

  2. #2

    ..

    Hiya hob,
    Welcome back. It may be worth your while doing a search; I seem to recall a fair bit of discussion about T&R not so long back.
    Ever hear anything from tiamath these days?
    regards

  3. #3
    nofurs
    Guest

    Re: Unpacking Tag&Rename..

    Hi Hobgoblin,

    There are a couple of ways to find the OEP:
    1) use APIs
    2) icedump /tracex 400000 402000
    3) bpr xxxxxx xxxxxx rw
    4) bpm xxxxxx rw
    5) use the original OEP

    Now I'll explain the last one.

    bpx getmodulehandlea. After a bit of tracing you can see a popad and ret. F8 and you find code similar to this. Step through, and F8 at the last call:
    EAX=00000001 EBX=00DC05C4 ECX=00D90000 EDX=C10CFFD8 ESI=00D90000
    EDI=00DB0000 EBP=0062F379 ESP=0086FE04 EIP=00DC1AD0 o d I s z a p c
    CS=0137 DS=013F SS=013F ES=013F FS=211F GS=0000
    ──────────────────────────────────────────────────byte──────────────PROT──(0)──
    0030:00000000 9E 0F C9 00 65 04 70 00-16 00 D0 0A 65 04 70 00 ....e.p.....e.p.
    0030:00000010 65 04 70 00 54 FF 00 F0-4C E1 00 F0 6F EF 00 F0 e.p.T...L...o...
    0030:00000020 00 00 00 C8 28 00 D0 0A-6F EF 00 F0 6F EF 00 F0 ....(...o...o...
    0030:00000030 6F EF 00 F0 6F EF 00 F0-9A 00 D0 0A 65 04 70 00 o...o.......e.p.
    ────────────────────────────────────────────────────────────────────────PROT32
    0137:00DC1ACD 8D4000 LEA EAX,[EAX+00]
    0137:00DC1AD0 55 PUSH EBP
    0137:00DC1AD1 8BEC MOV EBP,ESP
    0137:00DC1AD3 83C4F4 ADD ESP,-0C
    0137:00DC1AD6 E85516FFFF CALL 00DB3130
    0137:00DC1ADB 0F856B23FFFF JNZ 00DB3E4C
    0137:00DC1AE1 E82228FFFF CALL 00DB4308
    0137:00DC1AE6 E8DD6FFFFF CALL 00DB8AC8
    0137:00DC1AEB E86C79FFFF CALL 00DB945C
    0137:00DC1AF0 E89BA4FFFF CALL 00DBBF90
    0137:00DC1AF5 E85223FFFF CALL 00DB3E4C <------F8
    0137:00DC1AFA 8BE5 MOV ESP,EBP
    ────────────────────────────────────────────────────────────────────────────────

    bpx getmodulehandlea again... until you reach 00DBF549 and dump it with PEditor.

    EAX=BFF70000 EBX=00DD34D0 ECX=C10CF108 EDX=BFFBFA00 ESI=0086FCA3
    EDI=0086FDF8 EBP=0086FC84 ESP=0086FC5C EIP=00DBF543 o d I s Z a P c
    CS=0137 DS=013F SS=013F ES=013F FS=211F GS=0000 SS:0086FC80=00000013
    ──────────────────────────────────────────────────byte──────────────PROT──(0)──
    0030:00000000 9E 0F C9 00 65 04 70 00-16 00 D0 0A 65 04 70 00 ....e.p.....e.p.
    0030:00000010 65 04 70 00 54 FF 00 F0-4C E1 00 F0 6F EF 00 F0 e.p.T...L...o...
    0030:00000020 00 00 00 C8 28 00 D0 0A-6F EF 00 F0 6F EF 00 F0 ....(...o...o...
    0030:00000030 6F EF 00 F0 6F EF 00 F0-9A 00 D0 0A 65 04 70 00 o...o.......e.p.
    ────────────────────────────────────────────────────────────────────────PROT32
    0137:00DBF53E E8094FFFFF CALL KERNEL32!GetModuleHandleA 
    0137:00DBF543 8945FC MOV [EBP-04],EAX 
    0137:00DBF546 8B450C MOV EAX,[EBP+0C]
    0137:00DBF549 50 PUSH EAX <-----------here
    0137:00DBF54A 8B45FC MOV EAX,[EBP-04]
    0137:00DBF54D 50 PUSH EAX
    0137:00DBF54E E8014FFFFF CALL KERNEL32!GetProcAddress
    0137:00DBF553 8945F8 MOV [EBP-08],EAX
    0137:00DBF556 837DF800 CMP DWORD PTR [EBP-08],00
    0137:00DBF55A 0F8500010000 JNZ 00DBF660
    0137:00DBF560 F7450C0000FFFF TEST DWORD PTR [EBP+0C],FFFF0000 
    0137:00DBF567 0F8599000000 JNZ 00DBF606   
    ────────────────────────────────────────────────────────────────────────────────

    Fixing the IAT

    Use ReVirgin to fix the IAT. There are some emulated APIs. You have to use SoftICE and
    find them out. An example:
    iat=170000
    use this command
    bpr 170000 170100 rw and you will see a call xxxx. Put a dd 570000
    because 570000-400000=170000
    step into that particular call

    you will see some code in the data window
    bff...
    next step is to unassemble that bff...
    and see what that API is.
    There are tutes about ASProtect on using ReVirgin and ImpREC
    you can find ImpREC on this site http://mackt.cjb.net
    http://ebliss.cjb.net
    http://tsehp.cjb.net
    http://rotaderp.cjb.net

    It's a very brief explanation,
    hope this helps

    Original from Js
    >Ever hear anything from tiamath these days?

    He's IN-THE-NET, find him.
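
As an added example (not nofurs' code, nor anything shipped with Tag&Rename), the Python below scans a raw memory dump for the prologue shown in the listing above (PUSH EBP / MOV EBP,ESP / ADD ESP,-0C / CALL rel32) and keeps only hits whose CALL lands inside the image; the zero-padded dump and the 0x00D90000 base are constructed for the demonstration, the listing bytes are taken from the thread.

```python
# Added example (not code from the thread or from Tag&Rename): scan a raw
# memory dump for the prologue nofurs shows at 00DC1AD0
# (PUSH EBP / MOV EBP,ESP / ADD ESP,-0C / CALL rel32) and keep only hits whose
# CALL target stays inside the dumped image. Dump padding and the image base
# 0x00D90000 are constructed for this demonstration.
import re
import struct

# 55 8B EC 83 C4 F4 E8 ?? ?? ?? ??   (the CALL's rel32 is a wildcard)
PROLOGUE = re.compile(rb"\x55\x8b\xec\x83\xc4\xf4\xe8(.{4})", re.DOTALL)
NEXT_INSN_OFFSET = 11  # bytes from PUSH EBP to the instruction after the CALL


def find_oep_candidates(dump: bytes, image_base: int) -> list:
    """Return VAs in `dump` (mapped at image_base) where the prologue occurs
    and the CALL resolves to an address inside the dump."""
    hits = []
    for m in PROLOGUE.finditer(dump):
        va = image_base + m.start()
        rel32 = struct.unpack("<i", m.group(1))[0]
        target = va + NEXT_INSN_OFFSET + rel32  # next-instruction VA + rel32
        if image_base <= target < image_base + len(dump):
            hits.append(va)
    return hits


# Bytes copied from the SoftICE listing in the thread, 00DC1ACD..00DC1AFB.
LISTING = bytes.fromhex(
    "8d4000"                # 00DC1ACD LEA EAX,[EAX+00]
    "55" "8bec" "83c4f4"    # 00DC1AD0 PUSH EBP / MOV EBP,ESP / ADD ESP,-0C
    "e85516ffff"            # 00DC1AD6 CALL 00DB3130
    "0f856b23ffff"          # 00DC1ADB JNZ 00DB3E4C
    "e82228ffff" "e8dd6fffff" "e86c79ffff" "e89ba4ffff"
    "e85223ffff"            # 00DC1AF5 CALL 00DB3E4C
    "8be5"                  # 00DC1AFA MOV ESP,EBP
)

IMAGE_BASE = 0x00D90000          # constructed: assumed module base
DUMP = bytearray(0x40000)        # constructed: 256 KiB zero-filled image
off = 0x00DC1ACD - IMAGE_BASE
DUMP[off:off + len(LISTING)] = LISTING
# Decoy: same prologue, but its CALL points far outside the image; rejected.
DUMP[0x100:0x10B] = bytes.fromhex("558bec83c4f4" "e800000070")

if __name__ == "__main__":
    for va in find_oep_candidates(bytes(DUMP), IMAGE_BASE):
        print(f"OEP candidate: {va:08X}")  # 00DC1AD0
```

The in-image check is what separates the real entry prologue from the decoy, which matches the same bytes but calls far outside the mapped range.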

  4. #4

    Thanks, clueless.

    would never have thought of that.

  5. #5

    Thanks..

    Thanks for the info...
    I will definitely look into it. :-)
    regards,
    hobgoblin
