Sunday, September 18 2005 @ 11:12 PM CEST Contributed by: Soul12 Views: 8871
Level: newbie
Brief walkthrough of generic EXE32Pack v1.43 unpacking.
-=Soul12's Unpacking EXE32pack=- v0.1
Target: EXE32Pack v1.43
This packer is slightly different from UPX: it has a limited amount of protection.
It scrambles the imports (poorly), attempts to hide the OEP (again poorly) and tries to detect Olly with IsDebuggerPresent.
(Why write about this packer? Well, knowledge is power..)
1. OllyDbg + OllyDump (ImpREC can't locate the imports)
Okay, let's start. Load the file into Olly and you see this:
0041500C > $ 3BC0 CMP EAX,EAX
0041500E 74 DB 74 ; CHAR 't'
0041500F 02 DB 02
00415010 81 DB 81
00415011 83 DB 83
00415012 . 55 PUSH EBP
00415013 . 3BC0 CMP EAX,EAX
00415015 . 74 02 JE SHORT exe32pac.00415019
00415017 . 8183 533BC974 >ADD DWORD PTR DS:[EBX+74C93B53],3B56BC01
Press F7 until you pass the PUSH EBP and land on CMP EAX,EAX. If you look at the Registers window
you'll notice that ESP has changed. Right-click on it and choose Follow in Dump, select the first 4 bytes and right-click -> Breakpoint -> Hardware, on access -> Dword, then press F9 and you will break here:
Now all you gotta do is press F7 three times and you're at the OEP :) You will have to press Ctrl+A (analyse) in order to see it. Now dump with OllyDump and you'll have a fully working .exe. The imports are still a bit *censored*ed (maybe somebody will bother fixing that), but the program runs and you can disassemble it now :)
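The entry listing and the ESP trick, worked through as an added example (not code from the tutorial). The stub starts with CMP reg,reg, which always sets ZF, followed by a short JE that hops over one or two junk bytes; Olly's linear sweep decodes the junk as the start of a real instruction, hence the DB lines and the bogus 10-byte ADD. Following the always-taken branch instead recovers the three PUSHes that really execute, and the slot written by the first PUSH is exactly where the tutorial puts the hardware breakpoint. The bytes are transcribed from the listing above; the decoder handles only the three opcodes that appear there, and the starting ESP value is a constructed sample.

```python
"""Trace the EXE32Pack entry stub shown in the tutorial's OllyDbg listing.

The stub opens with CMP reg,reg (comparing a register with itself always sets
ZF) followed by a short JE that hops over one or two junk bytes.  A linear
sweep decodes the junk as the start of a real instruction, which is why Olly
prints DB lines and a bogus 10-byte ADD; following the always-taken branch
recovers the instructions that actually execute.  This is an added example,
not the tutorial's own code.  It decodes only the three opcodes the listing
contains, and the starting ESP is a constructed sample value.
"""

REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# Bytes transcribed from the tutorial's listing, starting at 0041500C.
ENTRY_VA = 0x0041500C
ENTRY_BYTES = bytes.fromhex(
    "3BC0 7402 8183"        # cmp eax,eax / je +2 / junk 81 83
    "55 3BC0 7402 8183"     # push ebp / cmp eax,eax / je +2 / junk 81 83
    "53 3BC9 7401 BC"       # push ebx / cmp ecx,ecx / je +1 / junk BC
    "56 3B"                 # push esi / cmp ... (cut off in the listing)
)
SAMPLE_ESP = 0x0012FFC4     # constructed initial ESP, not from the page


def trace_stub(code, base=ENTRY_VA, esp=SAMPLE_ESP):
    """Return (insns, skipped, esp) after following the always-taken JEs.

    insns:   list of (va, text, esp_after) for each executed instruction
    skipped: list of (va, nbytes) junk ranges the JEs jump over
    esp:     simulated stack pointer at the end of the trace
    """
    pc, zf = 0, None          # zf is None when its value cannot be known
    insns, skipped = [], []
    while pc < len(code):
        op, va = code[pc], base + pc
        if op == 0x3B:                        # CMP r32, r/m32
            if pc + 1 >= len(code):
                break                         # listing ends mid-instruction
            modrm = code[pc + 1]
            if modrm >> 6 != 3:
                raise ValueError(f"memory operand CMP at {va:08X} not handled")
            dst, src = REGS[(modrm >> 3) & 7], REGS[modrm & 7]
            zf = True if dst == src else None # reg vs itself: ZF is known
            insns.append((va, f"cmp {dst},{src}", esp))
            pc += 2
        elif op == 0x74:                      # JE rel8
            if pc + 1 >= len(code):
                break
            rel = code[pc + 1]
            rel = rel - 256 if rel >= 128 else rel
            target = pc + 2 + rel
            insns.append((va, f"je 0x{base + target:08X}", esp))
            if zf is None:
                raise ValueError(f"JE at {va:08X} depends on unknown flags")
            if zf:
                if rel > 0:
                    skipped.append((base + pc + 2, rel))
                pc = target
            else:
                pc += 2
        elif 0x50 <= op <= 0x57:              # PUSH r32
            esp -= 4
            insns.append((va, f"push {REGS[op - 0x50]}", esp))
            pc += 1
        else:
            raise ValueError(f"opcode {op:02X} at {va:08X} not handled")
    return insns, skipped, esp


def hwbp_address(code, base=ENTRY_VA, esp=SAMPLE_ESP):
    """Stack slot for the tutorial's hardware on-access DWORD breakpoint.

    It is the slot written by the stub's first PUSH (the saved EBP): the stub
    restores the registers right before jumping to the OEP, so reading that
    slot back fires the breakpoint at the end of the unpacking stub.
    """
    insns, _, _ = trace_stub(code, base, esp)
    for _, text, esp_after in insns:
        if text.startswith("push"):
            return esp_after
    return None


if __name__ == "__main__":
    insns, skipped, final_esp = trace_stub(ENTRY_BYTES)
    for va, text, esp_after in insns:
        print(f"{va:08X}  {text:<16} esp={esp_after:08X}")
    print("junk skipped:", [(f"{va:08X}", n) for va, n in skipped])
    print(f"hardware bp (dword, on access) at {hwbp_address(ENTRY_BYTES):08X}")
```

Running it prints the nine instructions that really execute (cmp/je/push ebp, cmp/je/push ebx, cmp/je/push esi), the three junk ranges at 00415010, 00415017 and 0041501E that Olly turned into DB lines and the fake ADD, and the breakpoint slot four bytes below the sample starting ESP. That slot is what you select in the dump window after stepping over PUSH EBP.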