
Thread: Help me Unpack this Packer!!!

  1. #1
    AntiCrk
    Guest

    Help me Unpack this Packer!!!

    Hi!

    I'm a new member in this forum.

    Please help me to unpack this Unpackme.

    Thanks!

    Best regards.

  2. #2
    artik
    Guest


    hehe, it's just
    UPX 0.89.6 - 1.02 / 1.05 - 1.22 (Delphi) stub -> Markus & Lazlo
    so don't worry, there are many tutorials about unpacking UPX.

    I think you can find what you need at http://new2cracking.cjb.net or http://zor.org/krobar

    good luck!

  3. #3
    r4g3
    Guest
    CALL Unpackme.00463CD6: on entry EDI points to the function name; on return its address is in EAX.

    00463C9D FF95 80744000 CALL DWORD PTR SS:[EBP+407480] ; kernel32.CreateThread

    At this point go to the stack window:

    0012FF94 00462370 Unpackme.00462370

    It's the callback function for the new thread, so bpx on it. Then run the target with F9. Once you land on the new bpx you are at the start of the unpacking code.
    The IAT is constructed at the end:

    00462492 LEA EDI,DWORD PTR DS:[ESI+5F000] ; import table
    00462498 MOV EAX,DWORD PTR DS:[EDI]
    0046249A OR EAX,EAX
    0046249C JE SHORT Unpackme.004624DA
    0046249E MOV EBX,DWORD PTR DS:[EDI+4]
    004624A1 LEA EAX,DWORD PTR DS:[EAX+ESI+62A04]
    004624A8 ADD EBX,ESI
    004624AA PUSH EAX
    004624AB ADD EDI,8
    004624AE CALL DWORD PTR DS:[ESI+62AA4] ; kernel32.LoadLibraryA
    004624B4 XCHG EAX,EBP
    004624B5 MOV AL,BYTE PTR DS:[EDI]
    004624B7 INC EDI
    004624B8 OR AL,AL
    004624BA JE SHORT Unpackme.00462498
    004624BC MOV ECX,EDI
    004624BE PUSH EDI
    004624BF DEC EAX
    004624C0 REPNE SCAS BYTE PTR ES:[EDI]
    004624C2 PUSH EBP
    004624C3 CALL DWORD PTR DS:[ESI+62AA8] ; kernel32.GetProcAddress
    004624C9 OR EAX,EAX
    004624CB JE SHORT Unpackme.004624D4
    004624CD MOV DWORD PTR DS:[EBX],EAX ; write function addr
    004624CF ADD EBX,4
    004624D2 JMP SHORT Unpackme.004624B5
    004624D4 CALL DWORD PTR DS:[ESI+62AAC]
    004624DA POPAD
    004624DB JMP Unpackme.0044DD50 ; jmp to OEP

    Dump it at the OEP, reconstruct imports, that's all.
    Nothing special, but is it really UPX as the PEiD hardcore scan says?
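The loop r4g3 listed resolves UPX's compact import records: each record is a DLL-name offset (relative to ESI+62A04) and an IAT RVA, followed by 0x01-prefixed, NUL-terminated function names and a NUL terminator, and a zero name offset ends the table. The script below is an added example, not code from the thread; it replays that loop in Python over a constructed in-memory image and a constructed stand-in for GetProcAddress, so the layout can be checked against a dump before reconstructing imports.

```python
import struct
# Constructed layout from r4g3's listing: ESI = image base, import table at
# ESI+5F000, DLL-name offsets relative to ESI+62A04. All values are made up.
BASE, IMPORT_TABLE_RVA, DLL_NAMES_RVA = 0x400000, 0x5F000, 0x62A04

FAKE_EXPORTS = {  # constructed stand-in for GetProcAddress
    ("kernel32.dll", "CreateThread"): 0x7C000010,
    ("kernel32.dll", "GetProcAddress"): 0x7C000020,
    ("user32.dll", "MessageBoxA"): 0x77000030,
}

def fake_getprocaddress(dll, func):
    return FAKE_EXPORTS.get((dll.lower(), func))

def build_sample_image():
    """Image with two DLL records. Record: [dword name offset][dword IAT RVA]
    then (0x01, name, NUL)* and a NUL; a name offset of 0 ends the table."""
    img = bytearray(0x63000)
    img[DLL_NAMES_RVA + 1:DLL_NAMES_RVA + 25] = b"kernel32.dll\0user32.dll\0"
    table = struct.pack("<II", 1, 0x61000) + b"\x01CreateThread\0\x01GetProcAddress\0\0"
    table += struct.pack("<II", 14, 0x61010) + b"\x01MessageBoxA\0\0"
    table += struct.pack("<II", 0, 0)
    img[IMPORT_TABLE_RVA:IMPORT_TABLE_RVA + len(table)] = table
    return img

def read_cstr(img, off):
    end = img.index(b"\0", off)
    return img[off:end].decode("ascii"), end + 1

def walk_upx_imports(img, resolve):
    """Replay the loop at 00462498-004624DA: returns (dll, func, IAT VA)
    triples and writes each resolved address into the IAT in place."""
    edi, resolved = IMPORT_TABLE_RVA, []
    while True:
        name_off, ebx = struct.unpack_from("<II", img, edi)
        if name_off == 0:                    # OR EAX,EAX / JE 004624DA
            return resolved
        dll, _ = read_cstr(img, DLL_NAMES_RVA + name_off)  # LEA EAX,[EAX+ESI+62A04]
        edi += 8                             # ADD EDI,8; LoadLibraryA(dll)
        while True:
            marker, edi = img[edi], edi + 1  # 1 = by name; DEC EAX turns it into AL=0
            if marker == 0:                  # JE 00462498: next DLL
                break
            func, edi = read_cstr(img, edi)  # REPNE SCASB steps past the NUL
            addr = resolve(dll, func)        # CALL [ESI+62AA8] GetProcAddress
            if addr is None:                 # JE 004624D4: calls [ESI+62AAC], assumed fatal
                raise LookupError(f"{dll}!{func} not found")
            struct.pack_into("<I", img, ebx, addr)  # MOV [EBX],EAX
            resolved.append((dll, func, BASE + ebx))
            ebx += 4                         # ADD EBX,4
```

Point the constants at a real dump's base and offsets to list every slot the stub fills, which is the set an import reconstructor must see after dumping at the OEP.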

  4. #4
    ZaiRoN
    Hi!

    AntiCrk, you have found a very interesting target, it would represent a nice project on 'manual unpacking for newbies'. :-)

    Rage has conceptually said it all, but I would like to encourage newbies to ask questions about:
    1. tools to be used
    2. how to find oep
    3. how to dump the exe
    4. how to reconstruct imports
    and so on...

    Ciao,
    ZaiRoN

  5. #5
    hobferret
    Hi AntiCrk

    A useful suggestion for this, having read what others have said about it, would be to "bpx GetModuleHandleA". When it breaks, press F12 two or three times to return to the program thread. There should be a call above where you land!

    The OEP is usually 10h to 15h above where you are; if you can't see it by scrolling up, do a u [address-10h] etc. and you should find it.

    The reason for you not being able to see it directly is that the code gets obfuscated, i.e. the address you look at is not necessarily the correct instruction!

    /hobferret

  6. #6
    AntiCrk
    Guest

    Re:

    Hi There!

    That's a good idea!
    I tried it for a very long time; I unpacked it but it does not run.

    I think after unpacking this unpackme we must patch somewhere in the CODE section.
    Can you help me? If you unpacked it, please upload it to the forum.

    Thanks very much!

    I'm Vietnamese, so my English is not good, I'm sorry!!!

    Best regards!


  7. #7
    Hi all

    'I think after unpacking this unpackme we must patch somewhere in the CODE section.'

    Look at:
    0044DB1B A1 44ED4400 MOV EAX, DWORD PTR [44ED44]
    0044DB20 66:8338 03 CMP WORD PTR [EAX], 3
    0044DB24 75 1B JNZ SHORT 0044DB41
    0044DB26 A1 48ED4400 MOV EAX, DWORD PTR [44ED48]
    0044DB2B 8138 043C0600 CMP DWORD PTR [EAX], 63C04
    0044DB31 75 0E JNZ SHORT 0044DB41
    0044DB33 EB 02 JMP SHORT 0044DB37

    Try to find what is checked.
    Regards

    SV
    Last edited by sv; June 3rd, 2003 at 02:21.

  8. #8
    AntiCrk
    Guest

    Re:

    Hi!
    Great!
    It runs very well.

    Thanks!
    Best regards!
