After 2 months…
KLiZMA wrote another unpackme for you.
Rulz:
1. Unpack it maliciously…
2. Change “UNREGISTERED” to “REGISTERED”
3. Write tutorial about…
Download unpackme here: http://www.crackmes.de/users/klizma/unpackme_1
——
Solution by me:
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~+
| Solution: UnpackMe#1_by_KLiZMA |
| Author: kienmanowar |
| Protection: Unknown packer (like Upx) |
| Language: Borland Delphi |
| Date: 05/13/06 |
| Great thanx to iamidiot for giving me your hint |
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~+
Tools: OllyDbg, PEiD v0.94, RDG Packer Detector v0.6.3 Beta, ImpREC v1.6
[ Manual Unpacking ]
Trying to detect this UnpackMe with PEiD and RDG, I get some information:
PEiD :
+ Normal Scan : Nothing found *
+ Hardcore Scan : UPolyX v0.5 *
RDG :
+ Normal Scan : UG2002 Cruncher v0.3b3
+ Advanced Scan : UPX v0.8x (UPX Heuristico Scrambler)
With this information I still don't know exactly which packer this UnpackMe uses. So I use the PEiD plugin Generic OEP Finder to find the OEP of the UnpackMe; it gives me: 00463C80. Okie 🙂 maybe this is the right OEP!!!
Close PEiD and open OllyDbg to load this UnpackMe. A messagebox appears, choose No. I have:
0047E000 > 60 pushad <== Stop here (EP)
0047E001 E8 00000000 call unpackme.0047E006
0047E006 5D pop ebp
0047E007 81ED 48124000 sub ebp, unpackme.00401248
0047E00D 60 pushad
0047E00E E8 2B030000 call unpackme.0047E33E
0047E013 61 popad
0047E014 8A7D 60 mov bh, byte ptr ss:[ebp+60]
0047E017 6262 DB bound esp, qword ptr ds:[edx-25]
0047E01A 6A 62 push 62
0047E01C 6262 EF bound esp, qword ptr ds:[edx-11]
0047E01F D7 xlat byte ptr ds:[ebx+al]
0047E020 EA 7022628A 496>jmp far 6049:8A622270
0047E027 6262 9D bound esp, qword ptr ds:[edx-63]
0047E02A F7 ??? ; Unknown command
0047E02B 8D70 22 lea esi, dword ptr ds:[eax+22]
0047E02E 62E9 bound ebp, ecx ; Illegal use of register
0047E030 BA F2F29DF7 mov edx, F79DF2F2
Oh !! I see the pushad signature, like UPX. Press Alt+M to open the Memory map window.
Memory map
Address Size ( Owner Section Contains Type Access Initial Mapped as
................................................................................................
00370000 00003000 ( 0 Map R R
00400000 00001000 ( unpackme 0 PE header Imag R RWE
00401000 0004B000 ( unpackme 0 .KLiZMA Imag R RWE
0044C000 00031000 ( unpackme 0 .KLiZMA code Imag R RWE
0047D000 00001000 ( unpackme 0 .rsrc data,imports Imag R RWE
0047E000 00001000 ( unpackme 0 .KLiZMA SFX Imag R RWE
00480000 00004000 ( 0 Map R E R E
00540000 00002000 ( 0 Map R E R E
00550000 00103000 ( 0 Map R R
00660000 0006A000 ( 0 Map R E R E
.................................................................................................
In this window, select the section:
00401000 0004B000 ( unpackme 0 .KLiZMA Imag R RWE
Right click and set a memory breakpoint on access (this is the section the stub will write the unpacked code into). Then press F9 to run; Olly breaks here:
0047CCA3 8807 mov byte ptr ds:[edi], al <== Stop here after Press F9 (1st)
0047CCA5 47 inc edi
0047CCA6 01DB add ebx, ebx
0047CCA8 75 07 jnz short unpackme.0047CCB1
0047CCAA 8B1E mov ebx, dword ptr ds:[esi]
0047CCAC 83EE FC sub esi, -4
0047CCAF 11DB adc ebx, ebx
0047CCB1 ^ 72 ED jb short unpackme.0047CCA0
Go back to the Memory map window and remove the memory BP. Then, back in the CPU window, scroll down to find the signature 🙂 :
0047CDEB 83C3 04 add ebx, 4
0047CDEE ^ EB E1 jmp short unpackme.0047CDD1
0047CDF0 FF96 84CE0700 call near dword ptr ds:[esi+7CE84]
0047CDF6 61 popad <=== Aha Popad
0047CDF7 ^ E9 846EFEFF jmp unpackme.00463C80 <=== Jmp to OEP (Like OEP found in Peid)
As you see, this signature is like UPX's: popad restores the registers saved by the pushad at the EP, and the jmp right after it leaves the stub. Now set a BP at: 0047CDF7 ^ E9 846EFEFF jmp unpackme.00463C80
Press F9 to run; Olly breaks at this BP. Remove it and press F8, kaka, we stop at the OEP of the UnpackMe:
00463C80 55 push ebp <=== Right OEP
00463C81 8BEC mov ebp, esp
00463C83 83C4 F0 add esp, -10
00463C86 B8 903A4600 mov eax, unpackme.00463A90
00463C8B E8 A41FFAFF call unpackme.00405C34
00463C90 A1 F8584600 mov eax, dword ptr ds:[4658F8]
00463C95 8B00 mov eax, dword ptr ds:[eax]
00463C97 E8 14B2FEFF call unpackme.0044EEB0
Now dump with the OllyDump plugin, leaving Rebuild Import unchecked. Press Dump and save as: dumped.exe. Fire up ImportREC, select the process, enter the OEP (as an RVA, i.e. 00463C80 minus the 00400000 image base), press IAT AutoSearch, Get Imports and finally Fix Dump. We have dumped_.exe. Test it: kaka, it runs before I double click 🙂 lol, and detecting again with PEiD: Borland Delphi 6.0 – 7.0.
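To show the arithmetic behind that jump, here is an added Python example (mine, not part of the original tutorial) that scans a byte string for the UPX-style "popad; jmp rel32" tail, resolves the rel32 target the way the CPU does, and keeps only targets that land in the code section of the memory map above; the stub bytes and section list come from the listings on this page, while the base address and the decoy pattern are constructed.

```python
import struct

# Constructed sample: the stub tail listed at 0047CDF0 (call; popad; jmp 00463C80)
# plus a constructed decoy popad; jmp. The base address is an assumption matching the listing.
STUB_BASE = 0x0047CDF0
STUB_BYTES = bytes.fromhex(
    "FF96 84CE0700"    # call near dword ptr [esi+7CE84]
    "61"               # popad
    "E9 846EFEFF"      # jmp unpackme.00463C80 (rel32 = -0x1917C)
    "61 E9 00000010"   # constructed decoy: popad; jmp +0x10000000, outside the image
)

# Image sections from the Olly memory map on this page: (start, size, name, contains).
SECTIONS = [
    (0x00400000, 0x01000, "PE header", "header"),
    (0x00401000, 0x4B000, ".KLiZMA", ""),
    (0x0044C000, 0x31000, ".KLiZMA", "code"),
    (0x0047D000, 0x01000, ".rsrc", "data,imports"),
    (0x0047E000, 0x01000, ".KLiZMA", "SFX"),
]

def section_of(addr):
    for start, size, name, contains in SECTIONS:
        if start <= addr < start + size:
            return (name, contains)
    return None

def entry_point_in_last_section(ep):
    """Packer hallmark from the map: EP 0047E000 lies in the last, SFX section."""
    start, size, _, _ = max(SECTIONS, key=lambda s: s[0])
    return start <= ep < start + size

def find_popad_jmp_targets(code, base):
    """Find every 61 E9 xx xx xx xx; return (jmp_va, target); target = jmp_va + 5 + signed rel32."""
    hits, i = [], code.find(b"\x61\xE9")
    while i != -1 and i + 6 <= len(code):
        jmp_va = base + i + 1
        rel32 = struct.unpack_from("<i", code, i + 2)[0]
        hits.append((jmp_va, (jmp_va + 5 + rel32) & 0xFFFFFFFF))
        i = code.find(b"\x61\xE9", i + 1)
    return hits

def oep_candidates(code, base):
    """Keep backward jumps whose target lands in the code section, like the real tail."""
    return [(j, t) for j, t in find_popad_jmp_targets(code, base)
            if t < j and (section_of(t) or ("", ""))[1] == "code"]
```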
[ Cracking ]
After MUP of this UnpackMe, we come to part 2: change "UNREGISTERED" to "REGISTERED". To do this, load dumped_.exe into OllyDbg and press F9 to run it; we see a beautiful girl with the "UNREGISTERED" string below her. Back in OllyDbg, press Alt+M to open the Memory map window, and here we select:
Memory map, item 0
Address=00010000
Size=00001000 (4096.)
Owner= 00010000 (itself)
Section=
Type=Priv 00021004
Access=RW
Initial access=RW
Right click and select Search (or Ctrl+B), then type UNREGISTERED in the ASCII textbox and press OK to search for this string. After that Olly stops at:
Memory map, item 25
Address=0047D000
Size=00001000 (4096.)
Owner=dumped_ 00400000
Section=.rsrc
Contains=data,resources
Type=Imag 01001002
Access=R
Initial access=RWE
and we have in the Dump window:
00479140 55 4E 52 45 47 49 53 54 45 52 45 44 0C 46 6F 6E UNREGISTERED.Fon
00479150 74 2E 43 68 61 72 73 65 74 07 0F 44 45 46 41 55 t.CharsetDEFAU
00479160 4C 54 5F 43 48 41 52 53 45 54 0A 46 6F 6E 74 2E LT_CHARSET.Font.
00479170 43 6F 6C 6F 72 07 08 63 6C 57 69 6E 64 6F 77 0B ColorclWindow
Okies, the string we want to find is in the .rsrc (resource) section. So back in the CPU window, right click in the Dump window and select Go to (Ctrl+G), and type the address of the string: 00479140. Select the UNREGISTERED string and edit it to REGISTERED. Finally, save this edited file as dumped_edited.exe. Ok, run it and see the result :).
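The dump above is a binary Delphi form (DFM) property list, in which every property name and string value is preceded by a one-byte length (the 0C before Font.Charset, the 0F before DEFAULT_CHARSET, the 07 in front of each identifier is the vaIdent type tag). The added Python example below (mine, not from the tutorial) parses that fragment and shows a replacement that keeps the length byte and every following offset intact by padding the shorter string; the property name "Caption", the vaString tag 06 in front of the page's bytes and the terminating 00 after them are constructed assumptions.

```python
# Value-type tags of the binary DFM format (Delphi TValueType); only the two
# that occur in this dump are needed.
VA_STRING = 0x06   # one length byte, then the string bytes
VA_IDENT = 0x07    # one length byte, then an identifier such as clWindow

# Constructed sample: the bytes from the 00479140 dump on this page, with a
# constructed prefix (property name "Caption", tag vaString) and a constructed
# terminating 0x00 so the fragment parses as a complete property list.
DFM_FRAGMENT = (
    b"\x07Caption\x06\x0cUNREGISTERED"
    b"\x0cFont.Charset\x07\x0fDEFAULT_CHARSET"
    b"\x0aFont.Color\x07\x08clWindow"
    b"\x00"
)

def parse_properties(buf):
    """Walk a DFM property list: each entry is a length-prefixed name, a type
    tag and a length-prefixed value. Returns (name, value, value_offset) tuples."""
    props, pos = [], 0
    while pos < len(buf) and buf[pos] != 0:
        n = buf[pos]
        name = buf[pos + 1:pos + 1 + n].decode("latin-1")
        pos += 1 + n
        tag = buf[pos]
        pos += 1
        if tag not in (VA_STRING, VA_IDENT):
            raise ValueError(f"unsupported value type 0x{tag:02x} at offset {pos - 1}")
        n = buf[pos]
        props.append((name, buf[pos + 1:pos + 1 + n].decode("latin-1"), pos + 1))
        pos += 1 + n
    return props

def replace_same_length(buf, old, new):
    """Replace a string value in place without touching the length byte or the
    layout of the rest of the stream: a shorter replacement is padded with
    spaces, a longer one is rejected. Returns the patched buffer."""
    old_b, new_b = old.encode("latin-1"), new.encode("latin-1")
    if len(new_b) > len(old_b):
        raise ValueError("replacement is longer; the length byte and all later offsets would change")
    new_b = new_b.ljust(len(old_b), b" ")
    out = bytearray(buf)
    for _name, value, off in parse_properties(buf):
        if value == old:
            out[off:off + len(old_b)] = new_b
    return bytes(out)
```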
Finish!
Best Regards
_[Kienmanowar]_
[ Thanz ]
–++–==[ Greatz Thanks To ]==–++–
My family, Computer_Angel, Moonbaby , Zombie_Deathman, Littleboy, Benina, QHQCrker, the_Lighthouse, Merc, Hoadongnoi, Nini … all REA’s members, TQN, HacNho, RongChauA, Deux, tlandn, light.phoenix, dqtln, ARTEAM …. all my friend, and YOU.
–++–==[ Thanks To ]==–++–
iamidiot, WhyNotBar, trickyboy, dzungltvn, takada, hurt_heart, haule_nth, hytkl v..v..
–++–==[ Special Thanks ]==–++–
And then thanx to the author, KLiZMA, and all the people who read my tutorial!
If you have any suggestions, comments or corrections email me: kienbigmummy[at]gmail.com
Sorry for my bad English. English is not my mother language, I'm Vietnamese.
Welcome all to : reaonline.net
[ CONTACT INFORMATION ]
URL : http://www.reaonline.net
contact me : kienbigmummy@gmail.com