
Manually unpacking Morphine

"Tell morphine that I'm Still Looking For Her"

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ @
@ ~ WeLcOmE To ~ @
@ ~ Morphine manually unpack tutorial by KaGra ~ @
@ ~ ~ @
@ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@




The usual tools are used: Olly v1.10, PEiD v0.93, LordPE Deluxe, the OllyDump plugin and the HideOlly plugin.


So open the target exe and load it into PEiD. It says:

Morphine 1.4 - 2.7 -> Holy_Father & Ratter/29A

The only anti-debugging trick it uses is IsDebuggerPresent, which does nothing more than return the BeingDebugged byte from the PEB, and that is exactly the byte HideOlly patches, so the plugin hides you from it.

Now load it into Olly (press Yes if a message box appears) and you are at the packer's entry point, here (addresses may differ in your version of Windows):


00401596 > $ 7A 08 JPE SHORT NOTEPAD.004015A0
00401598 . 78 06 JS SHORT NOTEPAD.004015A0
0040159A . 7D 04 JGE SHORT NOTEPAD.004015A0
0040159C . 66:C1C5 60 ROL BP,60 ; Shift constant out of range 1..31
004015A0 > 66:83C8 00 OR AX,0
004015A4 . 50 PUSH EAX
004015A5 . 56 PUSH ESI
004015A6 . 81CE 00000000 OR ESI,0
004015AC . 5E POP ESI
004015AD . 58 POP EAX
004015AE . 81C7 00000000 ADD EDI,0
004015B4 . 55 PUSH EBP
004015B5 . 73 06 JNB SHORT NOTEPAD.004015BD
004015B7 . 55 PUSH EBP
004015B8 . 66:BD 8279 MOV BP,7982
004015BC . 5D POP EBP
004015BD > 5D POP EBP
004015BE . 83EA 00 SUB EDX,0
004015C1 . 60 PUSHAD
004015C2 . 8D05 2C010000 LEA EAX,DWORD PTR DS:[12C]
004015C8 . E9 1E000000 JMP NOTEPAD.004015EB



The three conditional jumps at the top all land on 004015A0 whichever way the flags go, and OR ESI,0 / ADD EDI,0 / SUB EDX,0 change nothing: it is junk, filler that does no work. The first instruction that matters is the PUSHAD at 004015C1, which saves all the registers on the stack before the unpacking code runs; the stub has to read them back before it jumps to the original program, and that is what the classic ESP trick catches. So set a breakpoint at 004015C1 and run (F9). Olly pauses there; disable the breakpoint and execute the PUSHAD with F7. Now go to the ESP register, right-click it and choose Follow in Dump. In the data window under the code you are here (if the addresses do not match, it is because of a different version of Windows):


0012FFA4  F7 03 00 00 D4 BB 12 00 F0 FF 12 00 C4 FF 12 00
0012FFB4  00 F0 FD 7F 04 03 FE 7F B0 FF 12 00 00 00 00 00
0012FFC4  C7 14 E8 77 F7 03 00 00 D4 BB 12 00 00 F0 FD 7F
0012FFD4  F0 0C DF F2 C8 FF 12 00 8F C8 53 80 FF FF FF FF
0012FFE4  09 48 E9 77 10 12 E9 77 00 00 00 00 00 00 00 00
0012FFF4  00 00 00 00 96 15 40 00 00 00 00 00



Highlight the four bytes at 0012FFA4 with the mouse (the saved EDI: the dword PUSHAD pushed last and the first one the stub will read back), right-click and choose Breakpoint -> Hardware, on access -> Dword. Press Ctrl+F9 and then F7 to get back out of the current routine, then continue with F9. The hardware breakpoint fires when the stub reads the saved registers back off the stack and Olly pauses here:


004010E9 5E POP ESI ; 0012BBD4
004010EA 5D POP EBP
004010EB 83C4 04 ADD ESP,4
004010EE 5B POP EBX
004010EF 5A POP EDX
004010F0 83C4 08 ADD ESP,8
004010F3 894C24 04 MOV DWORD PTR SS:[ESP+4],ECX
004010F7 FFE0 JMP EAX


The JMP EAX at 004010F7 is the magic jump to the OEP. First delete the hardware breakpoint (Debug -> Hardware breakpoints -> Delete in Olly's menu), otherwise it keeps firing. Now execute the jump at 004010F7 and you are at the OEP, here:


01006AE0 6A 70 PUSH 70
01006AE2 68 88180001 PUSH NOTEPA_1.01001888
01006AE7 E8 BC010000 CALL NOTEPA_1.01006CA8
01006AEC 33DB XOR EBX,EBX
01006AEE 53 PUSH EBX
01006AEF 8B3D 4C110001 MOV EDI,DWORD PTR DS:[100114C] ; kernel32.GetModuleHandleA
01006AF5 FFD7 CALL EDI
01006AF7 66:8138 4D5A CMP WORD PTR DS:[EAX],5A4D



Now try to dump it with the OllyDump plugin. What? In the plugin you see these values:

Start address: 00400000    Size: 15000
Entry Point:   1596        Modify: C06AE0

Change the Modify value to our OEP as an RVA (01006AE0 - 01000000 = 6AE0) and the Start address to 01000000, uncheck the Rebuild Import option and try to dump. What? It cannot dump it. So try LordPE with Dump Full instead: you get a file, but it does not run, and the IAT is not the reason (this packer does not touch the IAT, same as UPX). Why is all this happening?

The numbers OllyDump offered are the first hint: the only module it knows about is the packed file at 00400000, 15000 bytes long, and the OEP is C06AE0 bytes past that base, far outside the module. In Olly press the "M" button and look at the memory map. You see this:


Memory map
Address   Size      Owner     Section  Contains      Type  Access   Initial  Mapped as
00010000  00001000                                   Priv  RW       RW
00020000  00001000                                   Priv  RW       RW
0011F000  00001000                                   Priv  RW Guar  RW
00120000  00010000                     stack of mai  Priv  RW Guar  RW
00130000  00001000                                   Map   R        R
00140000  00010000                                   Priv  RW       RW
00240000  00006000                                   Priv  RW       RW
00250000  00001000                                   Map   RW       RW
00260000  00016000                                   Map   R        R        \Device\HarddiskVolume1\WINDOWS\system32\unicode.nls
00280000  00034000                                   Map   R        R        \Device\HarddiskVolume1\WINDOWS\system32\locale.nls
002C0000  00041000                                   Map   R        R        \Device\HarddiskVolume1\WINDOWS\system32\sortkey.nls
00310000  00006000                                   Map   R        R        \Device\HarddiskVolume1\WINDOWS\system32\sorttbls.nls
00320000  00004000                                   Priv  RW       RW
00330000  00003000                                   Map   R        R        \Device\HarddiskVolume1\WINDOWS\system32\ctype.nls
00340000  00001000                                   Priv  RW       RW
00350000  00001000                                   Priv  RW       RW
00360000  00002000                                   Map   R        R
00370000  00003000                                   Priv  RW       RW
00380000  00002000                                   Map   R        R
00400000  00015000                                   Imag  R        RWE
00420000  00005000                                   Map   R E      R E
004E0000  00002000                                   Map   R E      R E
004F0000  00103000                                   Map   R        R
00600000  00066000                                   Map   R E      R E
01000000  00013000  NOTEPA_1           PE header     Priv  RWE      RWE
70A70000  00001000  SHLWAPI            PE header     Imag  R        RWE
70A71000  0005B000  SHLWAPI   .text    code,imports  Imag  R        RWE
70ACC000  00001000  SHLWAPI   .data    data          Imag  R        RWE

bla...bla...bla...


What the packer has actually done is allocate a new block of memory at 01000000, the original image base of notepad, and write the unpacked program there, PE header included. Olly shows that block as a single private region (Priv, not backed by a file) of size 13000, labels it NOTEPA_1 because it found a PE header in it, and knows nothing about its sections because it was never loaded as a module. The module Olly loaded, at 00400000, holds only the Morphine stub and the packed data; that is what OllyDump and LordPE's Dump Full were looking at, which is why neither gave you a working file. To see what the original layout looked like, open a second Olly, load the target and look at its memory map (do NOT run it). You see this:


Memory map
Address   Size      Owner     Section  Contains      Type  Access   Initial  Mapped as
00010000  00001000                                   Priv  RW       RW
00020000  00001000                                   Priv  RW       RW
0011F000  00001000                                   Priv  RW Guar  RW
00120000  00010000                     stack of mai  Priv  RW Guar  RW
00130000  00001000                                   Map   R        R
00140000  00010000                                   Priv  RW       RW
00240000  00006000                                   Priv  RW       RW
00250000  00001000                                   Map   RW       RW
00260000  00016000                                   Map   R        R        \Device\HarddiskVolume1\WINDOWS\system32\unicode.nls
00280000  00034000                                   Map   R        R        \Device\HarddiskVolume1\WINDOWS\system32\locale.nls
002C0000  00041000                                   Map   R        R        \Device\HarddiskVolume1\WINDOWS\system32\sortkey.nls
00310000  00006000                                   Map   R        R        \Device\HarddiskVolume1\WINDOWS\system32\sorttbls.nls
00400000  00001000  NOTEPAD            PE header     Imag  R        RWE
00401000  00013000  NOTEPAD   .text    code          Imag  R        RWE
00414000  00001000  NOTEPAD   .idata   imports       Imag  R        RWE
77E60000  00001000  kernel32           PE header     Imag  R        RWE

bla...bla...bla...



Here we see the header at 00400000 with size 1000, a code section of size 13000 and an import section of size 1000 (15000 in total). Seeing this, I assumed that the single region in the first memory map contains all of those (PE header, code and imports), although it is 2000 smaller: of its 13000, 1000 is surely the PE header and 12000 is left for the other two. So I will dump it with LordPE as a partial dump, then correct the section headers LordPE shows for the dumped file. Open LordPE, select the process, right-click it, choose Dump Partial, and enter 01000000 as the address and 13000 as the size.
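The comparison of the two memory maps can be done mechanically. The following Python script is an added example, not part of the original tutorial and not an OllyDbg feature: it parses lines in the format of Olly's memory map and reports private (run-time allocated, not file-backed) regions that hold a PE header or are executable and lie outside the module the loader mapped. The sample lines are a constructed subset copied from the map above; the regex and the heuristic are mine, and a private RWE region with a PE header at the original image base is exactly the Morphine case.

```python
import re

# Constructed sample: a subset of the OllyDbg 1.10 memory-map lines shown above.
OLLY_MEMORY_MAP = """\
00120000 00010000 stack of mai Priv RW Guar RW
00130000 00001000 Map R R
00260000 00016000 Map R R \\Device\\HarddiskVolume1\\WINDOWS\\system32\\unicode.nls
00400000 00015000 Imag R RWE
00420000 00005000 Map R E R E
00600000 00066000 Map R E R E
01000000 00013000 NOTEPA_1 PE header Priv RWE RWE
70A70000 00001000 SHLWAPI PE header Imag R RWE
70A71000 0005B000 SHLWAPI .text code,imports Imag R RWE
"""

# Columns: Address Size [Owner Section Contains] Type Access [Guar] Initial [Mapped as].
# Owner/Section/Contains are free text, so they are captured together as 'desc'.
LINE_RE = re.compile(
    r"^(?P<addr>[0-9A-F]{8}) (?P<size>[0-9A-F]{8}) (?P<desc>.*?)\s*"
    r"(?P<type>Priv|Map|Imag) (?P<access>RWE|RW|R E|R)(?: Guar)? "
    r"(?P<initial>RWE|RW|R E|R)(?: (?P<mapped>\S.*))?$"
)


def parse_memory_map(text):
    """Turn Olly memory-map lines into dicts; lines that do not parse are skipped."""
    regions = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            regions.append({
                "addr": int(m["addr"], 16), "size": int(m["size"], 16),
                "desc": m["desc"].strip(), "type": m["type"],
                "access": m["access"], "initial": m["initial"],
                "mapped": m["mapped"] or "",
            })
    return regions


def find_unpacked_images(text, main_base):
    """Where did the packer put the real program?  Report private memory (Type Priv:
    allocated at run time, neither a mapped file nor the loaded image) that holds a
    PE header or is executable and lies outside the module mapped at main_base."""
    regions = parse_memory_map(text)
    main = next((r for r in regions if r["addr"] == main_base), None)
    main_end = main["addr"] + main["size"] if main else main_base
    hits = []
    for r in regions:
        inside_main = main_base <= r["addr"] < main_end
        looks_like_code = "PE header" in r["desc"] or "E" in r["access"]
        if r["type"] == "Priv" and looks_like_code and not inside_main:
            hits.append(r)
    return hits


if __name__ == "__main__":
    for r in find_unpacked_images(OLLY_MEMORY_MAP, 0x00400000):
        print("candidate unpacked image at %08X, size %X (%s)"
              % (r["addr"], r["size"], r["desc"]))
```

Run on the sample it reports only the region at 01000000, size 13000; the stack (Priv but RW only), the loaded stub at 00400000 (Imag) and SHLWAPI (Imag) are all filtered out. Paste a whole memory map copied out of Olly in place of the sample to use it on another packer.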

Now open the dumped file in LordPE's PE Editor and look at the sections it shows. There are three. Change the first section (.text) to the following values:

Virtual address = Raw address = 1000: remember that the only region you saw in the memory map started at 01000000; the PE header takes the first 1000 bytes of it, so the code starts at 01001000, and 01001000 - 01000000 = 1000. The raw address is the same because the dump is a plain copy of memory, so file offsets equal RVAs.

Virtual size = Raw size = 12000: the whole region was 13000 and, assuming a 1000-byte PE header inside it, 13000 - 1000 = 12000 is left.

Flags = E0000020: because the import section now lives inside the code section, it has to be writable as well (the loader writes the resolved addresses into the IAT), so the flags are code (20) + executable (20000000) + readable (40000000) + writable (80000000) = E0000020.

Now wipe the remaining section headers, so that the header describes only this one section. Run the dumped exe and... yeah! It works just fine.
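What the LordPE steps above do by hand, as an added Python example (not the author's tool and not LordPE): it rewrites the header of a raw memory dump so that one section covers everything after the 1000-byte header with file offset equal to RVA, sets the flags to E0000020, wipes the other section headers, and stores the entry point as the RVA 6AE0 computed from the OEP and the image base. The sample dump is constructed (a minimal PE32 header with three made-up section headers laid out on-disk style, the layout that makes a raw dump fail to run); it is not the real notepad header. The `SizeOfImage` bump at the end is my addition, not a step from the tutorial.

```python
import struct

SECTION_FMT = "<8sIIIIIIHHI"                  # IMAGE_SECTION_HEADER
SECTION_SIZE = struct.calcsize(SECTION_FMT)   # 40 bytes

# E0000020 = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
CODE_RWE = 0x00000020 | 0x20000000 | 0x40000000 | 0x80000000


def build_sample_dump(size=0x13000):
    """Constructed stand-in for the region dumped from 01000000: a PE32 header whose
    three section headers still carry on-disk file offsets (not the real notepad header)."""
    buf = bytearray(size)
    nt = 0x80
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, nt)                                   # e_lfanew
    struct.pack_into("<4sHHIIIHH", buf, nt, b"PE\0\0", 0x014C, 3, 0, 0, 0, 0xE0, 0x010F)
    opt = nt + 24                                                           # optional header
    struct.pack_into("<H", buf, opt, 0x10B)                                 # PE32 magic
    struct.pack_into("<I", buf, opt + 16, 0x6AE0)                           # AddressOfEntryPoint
    struct.pack_into("<I", buf, opt + 28, 0x01000000)                       # ImageBase
    struct.pack_into("<II", buf, opt + 32, 0x1000, 0x200)                   # Section/FileAlignment
    struct.pack_into("<II", buf, opt + 56, size, 0x400)                     # SizeOfImage, SizeOfHeaders
    sections = [  # name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, flags
        (b".text", 0x7748, 0x1000, 0x7800, 0x0400, 0x60000020),
        (b".data", 0x1BA8, 0x9000, 0x0800, 0x7C00, 0xC0000040),
        (b".rsrc", 0x8960, 0xB000, 0x8A00, 0x8400, 0x40000040),
    ]
    for i, (name, vs, va, rs, rp, fl) in enumerate(sections):
        struct.pack_into(SECTION_FMT, buf, opt + 0xE0 + i * SECTION_SIZE,
                         name, vs, va, rs, rp, 0, 0, 0, 0, fl)
    return bytes(buf)


def _nt_offsets(dump):
    """Return (IMAGE_NT_HEADERS offset, optional header offset, section table offset)."""
    if dump[:2] != b"MZ":
        raise ValueError("no MZ header at start of dump")
    nt = struct.unpack_from("<I", dump, 0x3C)[0]
    if dump[nt:nt + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    size_opt = struct.unpack_from("<H", dump, nt + 20)[0]   # SizeOfOptionalHeader
    return nt, nt + 24, nt + 24 + size_opt


def parse_pe(dump):
    """Read back the fields the fix touches, for checking the result."""
    nt, opt, sect = _nt_offsets(dump)
    nsec = struct.unpack_from("<H", dump, nt + 6)[0]
    info = {"entry_point": struct.unpack_from("<I", dump, opt + 16)[0],
            "image_base": struct.unpack_from("<I", dump, opt + 28)[0],
            "size_of_image": struct.unpack_from("<I", dump, opt + 56)[0],
            "sections": []}
    for i in range(nsec):
        f = struct.unpack_from(SECTION_FMT, dump, sect + i * SECTION_SIZE)
        info["sections"].append({"name": f[0].rstrip(b"\0").decode("ascii", "replace"),
                                 "vsize": f[1], "va": f[2], "rawsize": f[3],
                                 "rawptr": f[4], "flags": f[9]})
    return info


def fix_dump(dump, image_base, oep_va, sect_rva, sect_size, flags=CODE_RWE):
    """The LordPE edit from the tutorial: one section, raw offset == RVA, other
    section headers wiped, entry point stored as an RVA relative to image_base."""
    buf = bytearray(dump)
    nt, opt, sect = _nt_offsets(buf)
    nsec = struct.unpack_from("<H", buf, nt + 6)[0]
    struct.pack_into("<I", buf, opt + 16, oep_va - image_base)   # 01006AE0 - 01000000 = 6AE0
    struct.pack_into("<I", buf, opt + 28, image_base)
    struct.pack_into(SECTION_FMT, buf, sect, b".text",
                     sect_size, sect_rva, sect_size, sect_rva, 0, 0, 0, 0, flags)
    for i in range(1, nsec):                                     # wipe the rest
        start = sect + i * SECTION_SIZE
        buf[start:start + SECTION_SIZE] = bytes(SECTION_SIZE)
    struct.pack_into("<H", buf, nt + 6, 1)                       # NumberOfSections = 1
    end = sect_rva + sect_size                                   # assumption: SizeOfImage must reach the section end
    if struct.unpack_from("<I", buf, opt + 56)[0] < end:
        struct.pack_into("<I", buf, opt + 56, end)
    return bytes(buf)


def dump_is_flat(dump):
    """True when every section maps 1:1 from file offset to RVA, which is what a
    memory dump needs so the loader lays the file out exactly as it was in memory."""
    return all(s["va"] == s["rawptr"] and s["vsize"] == s["rawsize"]
               for s in parse_pe(dump)["sections"])


if __name__ == "__main__":
    import sys
    src = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_dump()
    out = fix_dump(src, 0x01000000, 0x01006AE0, 0x1000, 0x12000)
    print("flat layout:", dump_is_flat(out), parse_pe(out)["sections"])
```

Give it the file produced by LordPE's Dump Partial as the first argument and write the returned bytes back out; without an argument it runs on the constructed sample, which is not flat before the fix and flat after it.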


Nothing hard about this packer, only a little imagination when dumping...

That's it... Just waiting to pass the exams right now... Seeing AvP on DVD...




Manually unpacking Morphine
Authored by: highenergy on Sunday, October 30 2005 @ 09:16 AM CET
Very good tut, but where is the target?