Solution for KLiZMA’s UnpackMe #1

Posted: September 19, 2008 in My Tutorials, Solution for KLiZMA's UnpackMe #1

After 2 months…
KLiZMA wrote another unpackme for you.


1. Unpack it maliciously…
3. Write tutorial about…

Download unpackme here:


Solution by me:

| Solution:     UnpackMe#1_by_KLiZMA           |
| Author:     kienmanowar                    |
| Protection:    Unknown packer (like Upx)      |
| Language:      Borland Delphi                 |
| Date:        05/13/06               |
| Great thanx to iamidiot for give me your hint |

Tools: Ollydbg, PEid v0.94, RDG Packer Detector v0.6.3 Beta, ImpRec v1.6


Try to detect this Unpackme with PEid and RDG, i get some information :

PEiD :
+ Normal Scan : Nothing found *
+ Hardcore Scan : UPolyX v0.5 *

+ Normal Scan : UG2002 Cruncher v0.3b3
+ Advanced Scan : UPX v0.8x (UPX Heuristico Scrambler)

With these information, i don’t know what exactly packer in which this UnpackMe used. So I use PEid plugin (Generic OEP Finder)to find OEP of UnpackMe, It gives me : 00463C80. Okie 🙂 may be this is the right OEP!!!

Close PeID and open Ollydbg to load this UnpackMe in. A messagebox apears, choose No. I have :

0047E000 >  60              pushad            <== Stop here (EP)
0047E001    E8 00000000     call    unpackme.0047E006
0047E006    5D              pop     ebp
0047E007    81ED 48124000   sub     ebp, unpackme.00401248
0047E00D    60              pushad
0047E00E    E8 2B030000     call    unpackme.0047E33E
0047E013    61              popad
0047E014    8A7D 60         mov     bh, byte ptr ss:[ebp+60]
0047E017    6262 DB         bound   esp, qword ptr ds:[edx-25]
0047E01A    6A 62           push    62
0047E01C    6262 EF         bound   esp, qword ptr ds:[edx-11]
0047E01F    D7              xlat    byte ptr ds:[ebx+al]
0047E020    EA 7022628A 496>jmp     far 6049:8A622270
0047E027    6262 9D         bound   esp, qword ptr ds:[edx-63]
0047E02A    F7              ???                                      ; Unknown command
0047E02B    8D70 22         lea     esi, dword ptr ds:[eax+22]
0047E02E    62E9            bound   ebp, ecx                         ; Illegal use of register
0047E030    BA F2F29DF7     mov     edx, F79DF2F2

Oh !! I see Pushad signature, like UPX. Press Alt + M to open Memory map Window.

Memory map
Address    Size     (  Owner       Section    Contains      Type   Access    Initial   Mapped as
00370000   00003000 (           0                           Map    R         R
00400000   00001000 (  unpackme 0             PE header     Imag   R         RWE
00401000   0004B000 (  unpackme 0  .KLiZMA                  Imag   R         RWE
0044C000   00031000 (  unpackme 0  .KLiZMA    code          Imag   R         RWE
0047D000   00001000 (  unpackme 0  .rsrc      data,imports  Imag   R         RWE
0047E000   00001000 (  unpackme 0  .KLiZMA    SFX           Imag   R         RWE
00480000   00004000 (           0                           Map    R E       R E
00540000   00002000 (           0                           Map    R E       R E
00550000   00103000 (           0                           Map    R         R
00660000   0006A000 (           0                           Map    R E       R E

In this Window, select section :

00401000   0004B000 (  unpackme 0  .KLiZMA                  Imag   R         RWE

And Right click and set a Memory Breakpoint on Access.And then Press F9 to Run, Olly breaks here :

0047CCA3    8807            mov     byte ptr ds:[edi], al    <== Stop here after Press F9 (1st)
0047CCA5    47              inc     edi
0047CCA6    01DB            add     ebx, ebx
0047CCA8    75 07           jnz     short unpackme.0047CCB1
0047CCAA    8B1E            mov     ebx, dword ptr ds:[esi]
0047CCAC    83EE FC         sub     esi, -4
0047CCAF    11DB            adc     ebx, ebx
0047CCB1  ^ 72 ED           jb      short unpackme.0047CCA0

Come back Memory Map Window and clear Memory BP.And then back to CPU Window, scroll down to find the signature 🙂 :

0047CDEB    83C3 04         add     ebx, 4
0047CDEE  ^ EB E1           jmp     short unpackme.0047CDD1
0047CDF0    FF96 84CE0700   call    near dword ptr ds:[esi+7CE84]
0047CDF6    61              popad                <=== Aha Popad
0047CDF7  ^ E9 846EFEFF     jmp     unpackme.00463C80        <=== Jmp to OEP (Like OEP found in Peid)

As you see, this signature like UPX. And now, set BP at : 0047CDF7  ^ E9 846EFEFF     jmp     unpackme.00463C80
Press F9 to Run, Break at this BP, remove this and Press F8 , kaka we stop at OEP of UnpackMe :

00463C80    55              push    ebp                <=== Right OEP
00463C81    8BEC            mov     ebp, esp
00463C83    83C4 F0         add     esp, -10
00463C86    B8 903A4600     mov     eax, unpackme.00463A90
00463C8B    E8 A41FFAFF     call    unpackme.00405C34
00463C90    A1 F8584600     mov     eax, dword ptr ds:[4658F8]
00463C95    8B00            mov     eax, dword ptr ds:[eax]
00463C97    E8 14B2FEFF     call    unpackme.0044EEB0

Now, dump with Ollydump Plugin, not check Rebuilt Import. Press Dump and Save as : dumped.exe. Fire up ImportRec, select Process, write OEP , Press IAT Auto Search, Get Imports and finally Fix Dump.We have dumped_.exe. Test it: kaka it runs before i double click 🙂 lol and detect again by PEid : Borland Delphi 6.0 – 7.0.


After MUP this UnpackMe, come to part 2 to change “UNREGISTERED” to “REGISTERED”. To do this task, Load dumped_.exe into Ollydbg. Press F9 to Run it, we’ll see a beautiful girl with “UNREGISTERED” string below. Back to Ollydbg, Press Alt+M to open Memory map Window, here we select :

Memory map, item 0
Size=00001000 (4096.)
Owner=         00010000 (itself)
Type=Priv 00021004
Initial access=RW

Right click and select Search (or Ctrl+B),then type : UNREGISTERED in Ascii textbox and Press OK to Search this string.After that Olly break at :

Memory map, item 25
Size=00001000 (4096.)
Owner=dumped_  00400000
Type=Imag 01001002
Initial access=RWE

and we have in Dump window :
00479140  55 4E 52 45 47 49 53 54 45 52 45 44 0C 46 6F 6E  UNREGISTERED.Fon
00479150  74 2E 43 68 61 72 73 65 74 07 0F 44 45 46 41 55  t.CharsetDEFAU
00479160  4C 54 5F 43 48 41 52 53 45 54 0A 46 6F 6E 74 2E  LT_CHARSET.Font.
00479170  43 6F 6C 6F 72 07 08 63 6C 57 69 6E 64 6F 77 0B  ColorclWindow

Okies, the string which we want to find is in Section : .rsrc (resource). So back to CPU Window, right click in Dump Window and Select Go to (Ctrl+G), we type the address of string : 00479140. Select UNREGISTERED string and edit this to REGISTERED. Finally, Save this edited file : dumped_edited.exe. Ok, Run this and see the result :).

Best Regards


–++–==[ Greatz Thanks To ]==–++–
My family, Computer_Angel, Moonbaby , Zombie_Deathman, Littleboy, Benina, QHQCrker, the_Lighthouse, Merc, Hoadongnoi, Nini … all REA’s members, TQN, HacNho, RongChauA, Deux, tlandn, light.phoenix, dqtln, ARTEAM …. all my friend, and YOU.

–++–==[ Thanks To ]==–++–
iamidiot, WhyNotBar, trickyboy, dzungltvn, takada, hurt_heart, haule_nth, hytkl v..v..

–++–==[ Special Thanks  ]==–++–
And then thanx to the Author : KLiZMA and all the people read my tutor!

If you have any suggestions, comments or corrections email me: kienbigmummy[at]

Sorry in my bad English. Because English is not my mother language, I’m VietNamese.

Welcome all to :

³    °±²Û CONTACT INFORMATION                                                ³

contact me :

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.