Thread: Unpacking ASPack, Neolite, Pe-Pack, Petite, and UPX tutorial

  1. #1
    mmhckb
    Guest

    Unpacking ASPack, Neolite, Pe-Pack, Petite, and UPX tutorial

    I found this old file that I wrote up quite a while ago. It may be of use to someone:


    How to Unpack Various EXE Packers using OllyDBG
    In fucking alphabetic order even!

    ------------------------------------------------------------------------
    ASPack 2.12:

    Load the exe, you will have to Shift+F9 several times. Upwards of 50
    times is normal. Use Ctrl+G ESP BP technique. You'll land on a JNZ.
    Trace into jump, it is pushing the oep. Trace into the ret. This
    is the OEP. Dump then fix IAT. Fix dump. done.

    ------------------------------------------------------------------------
    EZIP 1.0:

    You start out on a JMP, trace into it. Ctrl+F9 (exec til ret). Scroll
    down and you should find a large loop. Past that, there is a JMP EAX.
    Trace into this JMP, this is the OEP. Dump, fix IAT, fix dump.

    ------------------------------------------------------------------------
    Neolite 2.0:

    Scroll down until you see JMP EAX. Put BP here. Step into
    JMP. You're at the OEP. Dump and rebuild just as you would
    with UPX.

    ------------------------------------------------------------------------
    PE-PaCK 1.0:

    You start on a JE with JMP right below it. Trace into the JMP. Now
    you're on a PUSHAD. Use the Dump window Ctrl+G esp bp. You stop on
    a JMP EAX. Trace into the JMP and you're at the OEP. Dump, rebuild
    IAT, fix dump. Done.

    ------------------------------------------------------------------------
    Petite 2.2:

    Trace until you go over the PUSHAD. Click in dump window. Ctrl+G.
    Type ESP. Select first two bytes in dump, set breakpoint on memory
    access -> word. Back in CPU window, hit F9. Shift+F9 until you
    reach POPAD/POPFW. There should be a JMP soon after the POP. Trace
    into the JMP, this is the OEP. Dump process with LordPE. Open process
    with imprec. Set correct OEP/IAT autotrace. Hit show invalid. Right
    click and do a level 1. Fix the dump.


    ------------------------------------------------------------------------
    UPX:

    Scroll down until you reach something that looks like this:

    004142C7 > 61 POPAD
    004142C8 .-E9 BE6CFFFF JMP wrap.0040AF8B
    004142CD 00 DB 00
    004142CE 00 DB 00

    Set a breakpoint on the JMP and run. Step into the JMP.
    You're at the OEP. Dump with LordPE. Open process
    with impRec. Set OEP with the one you just found.
    Hit IAT AutoSearch. Hit Get Imports. Delete the bad
    thunks. Fix the dump. Done.

    ------------------------------------------------------------------------

    OEP Finding Techniques

    #1 is just scroll down till you see
    0040E23F .-E9 A479FFFF JMP upxs306.00405BE8
    0040E244 5CE24000 DD upxs306.0040E25C
    0040E248 60E24000 DD upxs306.0040E260
    0040E24C C8734000 DD upxs306.004073C8

    JMP and some shit with a bunch of 0's.

    #2
    F7 on the PUSHAD
    goto the dump
    CTRL + G
    goto ESP
    Set a hardware Breakpoint on WORD
    that will take you straight to the jump

    #3
    F7 onto the PUSHAD
    ctrl + T
    COMMAND is one of the following "POPAD"
    then CTRL + F11
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2

    Lightbulb

    hi mmhckb:
    [Name and URL of target deleted by JMI because post contains target specific code]
    upx 1.24 packer.

    Set a breakpoint on the JMP and run. Step into the JMP.
    You're at the OEP
    can you explain this point please, thanks.

  3. #3
    mmhckb
    Guest
    That doesn't appear to be a normal OEP... generally they start with

    PUSH EBP
    MOV EBP, ESP

    Nonetheless, you could try dumping from there and rebuilding. I'm not very good with start up routines and that could just be some weird ass one... but, well, shit, i dunno.

    Sorry bud.

  4. #4

    Lightbulb

    you know, cracking itself is so hard,
    they don't need another hard
    method called packing. anyway,
    mmhckb, thanks for the reply.

  5. #5
    Forum_Destroyer
    Guest
    For Petite, do I use a hardware on-access > word breakpoint, or memory access? Also, what if when I keep doing Shift+F9 it never goes to a POPAD or POPFW? Thanks for posting this, I was looking all over..
    Last edited by Forum_Destroyer; July 24th, 2007 at 13:23.

  6. #6

    sage

    What do you think you're doing reviving a thread that is three years and four months old?!?!

    Stop posting and start using your brain.

  7. #7
    Naides is Nobody
    Join Date: Jan 2002
    Location: Planet Earth
    Posts: 1,647

    The Answer:

    [Attached image]

  8. #8
    Now EVERYBODY is stealing my lines! Even the dead!



    Regards,
    JMI
