Solution for KLiZMA’s UnpackMe #1

May 2024
M	T	W	T	F	S	S
	1	2	3	4	5
6	7	8	9	10	11	12
13	14	15	16	17	18	19
20	21	22	23	24	25	26
27	28	29	30	31

Archive for the ‘Solution for KLiZMA’s UnpackMe #1’ Category

Solution for KLiZMA’s UnpackMe #1

Posted: September 19, 2008 in My Tutorials, Solution for KLiZMA's UnpackMe #1

After 2 months…
KLiZMA wrote another unpackme for you.

Rulz:

1. Unpack it maliciously…
2. Change “UNREGISTERED” to “REGISTERED”
3. Write tutorial about…

Download unpackme here: http://www.crackmes.de/users/klizma/unpackme_1

——

Solution by me:

Tools: Ollydbg, PEid v0.94, RDG Packer Detector v0.6.3 Beta, ImpRec v1.6

ÛÛÛ [ Manual Unpacking ] ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ

Try to detect this Unpackme with PEid and RDG, i get some information :

PEiD :
+ Normal Scan : Nothing found *
+ Hardcore Scan : UPolyX v0.5 *

RDG :
+ Normal Scan : UG2002 Cruncher v0.3b3
+ Advanced Scan : UPX v0.8x (UPX Heuristico Scrambler)

With these information, i don’t know what exactly packer in which this UnpackMe used. So I use PEid plugin (Generic OEP Finder)to find OEP of UnpackMe, It gives me : 00463C80. Okie 🙂 may be this is the right OEP!!!

Close PeID and open Ollydbg to load this UnpackMe in. A messagebox apears, choose No. I have :

0047E000 > 60 pushad <== Stop here (EP) 0047E001 E8 00000000 call unpackme.0047E006 0047E006 5D pop ebp 0047E007 81ED 48124000 sub ebp, unpackme.00401248 0047E00D 60 pushad 0047E00E E8 2B030000 call unpackme.0047E33E 0047E013 61 popad 0047E014 8A7D 60 mov bh, byte ptr ss:[ebp+60] 0047E017 6262 DB bound esp, qword ptr ds:[edx-25] 0047E01A 6A 62 push 62 0047E01C 6262 EF bound esp, qword ptr ds:[edx-11] 0047E01F D7 xlat byte ptr ds:[ebx+al] 0047E020 EA 7022628A 496>jmp far 6049:8A622270 0047E027 6262 9D bound esp, qword ptr ds:[edx-63] 0047E02A F7 ??? ; Unknown command 0047E02B 8D70 22 lea esi, dword ptr ds:[eax+22] 0047E02E 62E9 bound ebp, ecx ; Illegal use of register 0047E030 BA F2F29DF7 mov edx, F79DF2F2

Oh !! I see Pushad signature, like UPX. Press Alt + M to open Memory map Window.

Memory map Address Size ( Owner Section Contains Type Access Initial Mapped as ................................................................................................ 00370000 00003000 ( 0 Map R R 00400000 00001000 ( unpackme 0 PE header Imag R RWE 00401000 0004B000 ( unpackme 0 .KLiZMA Imag R RWE 0044C000 00031000 ( unpackme 0 .KLiZMA code Imag R RWE 0047D000 00001000 ( unpackme 0 .rsrc data,imports Imag R RWE 0047E000 00001000 ( unpackme 0 .KLiZMA SFX Imag R RWE 00480000 00004000 ( 0 Map R E R E 00540000 00002000 ( 0 Map R E R E 00550000 00103000 ( 0 Map R R 00660000 0006A000 ( 0 Map R E R E .................................................................................................

In this Window, select section :

00401000 0004B000 ( unpackme 0 .KLiZMA Imag R RWE

And Right click and set a Memory Breakpoint on Access.And then Press F9 to Run, Olly breaks here :

0047CCA3 8807 mov byte ptr ds:[edi], al <== Stop here after Press F9 (1st) 0047CCA5 47 inc edi 0047CCA6 01DB add ebx, ebx 0047CCA8 75 07 jnz short unpackme.0047CCB1 0047CCAA 8B1E mov ebx, dword ptr ds:[esi] 0047CCAC 83EE FC sub esi, -4 0047CCAF 11DB adc ebx, ebx 0047CCB1 ^ 72 ED jb short unpackme.0047CCA0

Come back Memory Map Window and clear Memory BP.And then back to CPU Window, scroll down to find the signature 🙂 :

0047CDEB 83C3 04 add ebx, 4 0047CDEE ^ EB E1 jmp short unpackme.0047CDD1 0047CDF0 FF96 84CE0700 call near dword ptr ds:[esi+7CE84] 0047CDF6 61 popad <=== Aha Popad 0047CDF7 ^ E9 846EFEFF jmp unpackme.00463C80 <=== Jmp to OEP (Like OEP found in Peid)

As you see, this signature like UPX. And now, set BP at : 0047CDF7 ^ E9 846EFEFF jmp unpackme.00463C80
Press F9 to Run, Break at this BP, remove this and Press F8 , kaka we stop at OEP of UnpackMe :

00463C80 55 push ebp <=== Right OEP 00463C81 8BEC mov ebp, esp 00463C83 83C4 F0 add esp, -10 00463C86 B8 903A4600 mov eax, unpackme.00463A90 00463C8B E8 A41FFAFF call unpackme.00405C34 00463C90 A1 F8584600 mov eax, dword ptr ds:[4658F8] 00463C95 8B00 mov eax, dword ptr ds:[eax] 00463C97 E8 14B2FEFF call unpackme.0044EEB0

Now, dump with Ollydump Plugin, not check Rebuilt Import. Press Dump and Save as : dumped.exe. Fire up ImportRec, select Process, write OEP , Press IAT Auto Search, Get Imports and finally Fix Dump.We have dumped_.exe. Test it: kaka it runs before i double click 🙂 lol and detect again by PEid : Borland Delphi 6.0 – 7.0.

ÛÛÛ [ Cracking ] ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ

After MUP this UnpackMe, come to part 2 to change “UNREGISTERED” to “REGISTERED”. To do this task, Load dumped_.exe into Ollydbg. Press F9 to Run it, we’ll see a beautiful girl with “UNREGISTERED” string below. Back to Ollydbg, Press Alt+M to open Memory map Window, here we select :

Memory map, item 0 Address=00010000 Size=00001000 (4096.) Owner= 00010000 (itself) Section= Type=Priv 00021004 Access=RW Initial access=RW

Right click and select Search (or Ctrl+B),then type : UNREGISTERED in Ascii textbox and Press OK to Search this string.After that Olly break at :

Memory map, item 25 Address=0047D000 Size=00001000 (4096.) Owner=dumped_ 00400000 Section=.rsrc Contains=data,resources Type=Imag 01001002 Access=R Initial access=RWE

and we have in Dump window :
00479140 55 4E 52 45 47 49 53 54 45 52 45 44 0C 46 6F 6E UNREGISTERED.Fon 00479150 74 2E 43 68 61 72 73 65 74 07 0F 44 45 46 41 55 t.CharsetDEFAU 00479160 4C 54 5F 43 48 41 52 53 45 54 0A 46 6F 6E 74 2E LT_CHARSET.Font. 00479170 43 6F 6C 6F 72 07 08 63 6C 57 69 6E 64 6F 77 0B ColorclWindow

Okies, the string which we want to find is in Section : .rsrc (resource). So back to CPU Window, right click in Dump Window and Select Go to (Ctrl+G), we type the address of string : 00479140. Select UNREGISTERED string and edit this to REGISTERED. Finally, Save this edited file : dumped_edited.exe. Ok, Run this and see the result :).

Finish!
Best Regards
_[Kienmanowar]_

ÛÛÛ [ Thanz ] ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ

–++–==[ Greatz Thanks To ]==–++–
My family, Computer_Angel, Moonbaby , Zombie_Deathman, Littleboy, Benina, QHQCrker, the_Lighthouse, Merc, Hoadongnoi, Nini … all REA’s members, TQN, HacNho, RongChauA, Deux, tlandn, light.phoenix, dqtln, ARTEAM …. all my friend, and YOU.

–++–==[ Thanks To ]==–++–
iamidiot, WhyNotBar, trickyboy, dzungltvn, takada, hurt_heart, haule_nth, hytkl v..v..

–++–==[ Special Thanks ]==–++–
And then thanx to the Author : KLiZMA and all the people read my tutor!

If you have any suggestions, comments or corrections email me: kienbigmummy[at]gmail.com

Sorry in my bad English. Because English is not my mother language, I’m VietNamese.

Welcome all to : reaonline.net

ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
³ °±²Û CONTACT INFORMATION ³
ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ

URL : http://www.reaonline.net
contact me : kienbigmummy@gmail.com

	Week 19 – 2024… on [QuickNote] Qakbot 5.0 –…
	[QuickNote] Phishing… on [QuickNote] Decrypting the C2…
	Week 17 – 2024… on [QuickNote] Qakbot 5.0 –…
	[QuickNote] Qakbot 5… on Unveiling Qakbot: Exploring on…
	Week 15 – 2024… on [QuickNote] Phishing email dis…

0day in {REA_TEAM}

Lịch

Tìm kiếm

Recent Posts – Bài mới

Bình luận gần nhất

Pages

Chuyên mục

peonimusha Bl0g

Top Posts

Các bài đã đăng

Blogroll

Statistics - Lượt truy cập

Archive for the ‘Solution for KLiZMA’s UnpackMe #1’ Category

Solution for KLiZMA’s UnpackMe #1