Manual Unpacking Re-Crypt v0.741

Monday, May 09 2005 @ 11:54 PM CEST

Contributed by: LaFarge

Level : newbie

Dumping a process and rebuilding the IAT with ImpRec.

Hello all!

I know this isn't the latest version of this packer, but... I think v0.75 is out.

Anyway, here we go:

Tools needed:

- OllyDbg v1.10 + OllyDump
- ImpRec 1.6 FiNAL


After we load the packed app in Olly we're here:


00408000 >  60              PUSHAD
00408001    E8 00000000     CALL    packed.00408006
00408006    5D              POP     EBP
00408007    81ED F31D4000   SUB     EBP, packed.00401DF3
0040800D    B9 7B090000     MOV     ECX, 97B
00408012    8DBD 3B1E4000   LEA     EDI, DWORD PTR SS:[EBP+401E3B]
00408018    8BF7            MOV     ESI, EDI

Now we set a BP on the .code section of our process and press Shift+F9. We are here:

004086CD    8B17            MOV     EDX, DWORD PTR DS:[EDI]
004086CF    81F2 13151415   XOR     EDX, 15141513
004086D5    8917            MOV     DWORD PTR DS:[EDI], EDX
004086D7    83C7 04         ADD     EDI, 4
004086DA    83C0 FC         ADD     EAX, -4
004086DD  ^ EB E9           JMP     SHORT packed.004086C8
004086DF    C9              LEAVE
004086E0    C2 0400         RETN    4

Now we set a BP on the RETN and press F9. Execute the RETN and we are here:

00408312    E8 01000000     CALL    packed.00408318
00408317    6A 8B           PUSH    -75
00408319    75 68           JNZ     SHORT packed.00408383
0040831B    8B5D 3C         MOV     EBX, DWORD PTR SS:[EBP+3C]
0040831E    03F3            ADD     ESI, EBX
00408320    33C0            XOR     EAX, EAX
00408322    50              PUSH    EAX

Now we again set a BP on the .code section and press Shift+F9. We should be here:

00401416      55            DB      55                               ;  CHAR 'U'
00401417      8B            DB      8B
00401418      EC            DB      EC
00401419      6A            DB      6A                               ;  CHAR 'j'
0040141A      FF            DB      FF
0040141B      68            DB      68                               ;  CHAR 'h'
0040141C      E0            DB      E0
0040141D      50            DB      50                               ;  CHAR 'P'
0040141E      40            DB      40                               ;  CHAR '@'

After we press Ctrl+A (analyse code) we get this:

00401416   .  55            PUSH    EBP
00401417   .  8BEC          MOV     EBP, ESP
00401419   .  6A FF         PUSH    -1
0040141B   .  68 E0504000   PUSH    packed.004050E0
00401420   .  68 0C204000   PUSH    packed.0040200C                  ;  SE handler installation
00401425   .  64:A1 0000000>MOV     EAX, DWORD PTR FS:[0]
0040142B   .  50            PUSH    EAX
0040142C   .  64:8925 00000>MOV     DWORD PTR FS:[0], ESP

Yup, looks like a standard VC++ progie.

Anyway, we dump the process WITHOUT the import rebuilding option checked.
We have to fix the IAT manually.

Now, I think you all know how to work with ImpRec. :)

After we click the Show Invalid button, ImpRec gives us this info:

Current imports:
0 (decimal:0) valid module(s)
35 (decimal:53) imported function(s). (added: +35 (decimal:+53))
(1A (decimal:26) unresolved pointer(s)) (added: +1A (decimal:+26))

So, we have 26 invalid pointers.

Easy way to fix:

Right-click on the first invalid pointer, select Disassemble / HEX View:

00173517    68 F294E677     PUSH    kernel32.GetEnvironmentStringsA
0017351C  ^ E9 CFFFFFFF     JMP     001734F0

Heh, so the first import is GetEnvironmentStringsA.

Repeat the above procedure until you have fixed all bad pointers.
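The manual step above can also be scripted. What follows is an added example, not part of the original tutorial and not ImpRec's own code: it decodes the PUSH imm32 / JMP rel32 stub this packer leaves behind at an invalid pointer and recovers the real API address. The memory image is constructed from the listing above, and the export-name table is an assumption standing in for ImpRec's module lookup.

```python
import struct

# Constructed memory image for the demo: the ten bytes ImpRec showed at the
# first invalid pointer (00173517: PUSH 77E694F2 ; JMP 001734F0), plus a
# second, made-up slot holding plain code that is not a redirection stub.
MEMORY = {
    0x00173517: bytes.fromhex("68F294E677E9CFFFFFFF"),
    0x00173600: bytes.fromhex("8B4C2404C39090909090"),   # constructed, not a stub
}

# Assumed name table (hypothetical; stands in for ImpRec's module/export lookup).
EXPORTS = {0x77E694F2: "kernel32.GetEnvironmentStringsA"}


def read_mem(va, size):
    """Read `size` bytes at virtual address `va` from the constructed image."""
    for base, data in MEMORY.items():
        if base <= va and va + size <= base + len(data):
            return data[va - base:va - base + size]
    raise ValueError("unmapped read at %#010x" % va)


def resolve_redirect(va):
    """Decode a 'PUSH imm32 ; JMP rel32' import stub at `va`.

    Returns (api_va, jmp_target), or None when the bytes do not match the
    pattern, so the caller can fall back to fixing that slot by hand."""
    code = read_mem(va, 10)
    if code[0] != 0x68 or code[5] != 0xE9:          # PUSH imm32 / JMP rel32 opcodes
        return None
    api_va = struct.unpack_from("<I", code, 1)[0]    # the pushed API address
    rel32 = struct.unpack_from("<i", code, 6)[0]     # signed displacement of the JMP
    jmp_target = (va + 10 + rel32) & 0xFFFFFFFF      # relative to the next instruction
    return api_va, jmp_target


def fix_pointer(va):
    """Return the name ImpRec would show for an invalid IAT slot, or None."""
    res = resolve_redirect(va)
    if res is None:
        return None
    return EXPORTS.get(res[0], "unknown_%08X" % res[0])


def fix_all(pointers):
    """Resolve every invalid pointer; unmatched slots stay None for manual work."""
    return {va: fix_pointer(va) for va in pointers}
```

Slots left as None are the ones ImpRec's tracer could not match either, so they still need a look in the disassembler.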

Save the new IAT into the dumped file and run it!


Have phun!