EXE32Pack

Sunday, September 18 2005 @ 11:12 PM CEST

Contributed by: Soul12

Level : newbie

Brief walkthrough of generic EXE32Pack v1.43 unpacking.

-=Soul12's Unpacking EXE32pack=- v0.1

Target: EXE32Pack v1.43
Generic: yes!

This packer is slightly different from UPX: it has a limited amount of protection. It scrambles imports (poorly), attempts to hide the OEP (again poorly) and tries to detect Olly with IsDebuggerPresent, so if the target dies as soon as you press F9, hide the debugger first (a plugin that clears the PEB BeingDebugged flag, or patch IsDebuggerPresent to return 0).
(why write about this packer? well, knowledge is power..)

Tools needed:
1. OllyDbg + OllyDump (ImpREC can't locate the imports)


Okay, let's start. Load the file into Olly and you see this:

0041500C > $ 3BC0 CMP EAX,EAX
0041500E 74 DB 74 ; CHAR 't'
0041500F 02 DB 02
00415010 81 DB 81
00415011 83 DB 83
00415012 . 55 PUSH EBP
00415013 . 3BC0 CMP EAX,EAX
00415015 . 74 02 JE SHORT exe32pac.00415019
00415017 . 8183 533BC974 >ADD DWORD PTR DS:[EBX+74C93B53],3B56BC01

Press F7 until you pass the PUSH EBP and land on the CMP EAX,EAX after it. Note the pattern: a register is compared with itself, so ZF is always set and the JE SHORT that follows is always taken; the bytes in between (81 83 ...) never execute and are only there to throw off the disassembler, which is why Olly shows DB lines and a bogus ADD. If you look at the Registers window you'll notice that ESP has changed (the push lowered it by 4). Right-click it and choose Follow in Dump, select the first 4 bytes, right-click -> Breakpoint -> Hardware, on access -> Dword, and press F9. The packer restores what it pushed just before jumping to the original code, so the first access to that stack slot happens at the very end of the unpacking stub, and you break here:

00420156 3BE4 CMP ESP,ESP
00420158 74 01 JE SHORT exe32pac.0042015B
0042015A BF FFE0B801 MOV EDI,1B8E0FF
0042015F 0000 ADD BYTE PTR DS:[EAX],AL
00420161 003B ADD BYTE PTR DS:[EBX],BH
00420163 C9 LEAVE

Now all you have to do is press F7 three times and you're at the OEP :) The CMP ESP,ESP / JE SHORT pair is the same always-taken jump as before: it lands at 0042015B, one byte into the bogus MOV EDI, where the bytes FF E0 are really JMP EAX, and EAX holds the OEP. Olly's analysis is stale at that point, so press Ctrl+A to re-analyze and see the real code. Now dump with OllyDump and you'll have a working .exe. The imports are still a bit messed up (maybe somebody will bother fixing them), but the program runs and you can disassemble it now :)
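The two listings above are the same trick twice: compare a register with itself, jump if equal, and leave a few junk bytes in the gap so that anything decoding byte after byte reads the wrong instruction. The following is an added example, not code from Soul12's write-up: a small Python decoder that knows only the opcodes those two listings contain, run once as a linear sweep (what Olly shows before Ctrl+A) and once following the always-taken JE (what actually executes). The byte strings are transcribed from the listings on this page and are constructed sample input, not a live dump; the decoder's limited opcode coverage is an assumption that is sufficient for these stubs and nothing more.

```python
from dataclasses import dataclass

REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# Constructed sample input: the bytes shown in the write-up's two OllyDbg
# listings (entry stub at 0041500C, pre-OEP stub at 00420156), not a live dump.
ENTRY_STUB = bytes.fromhex("3BC0 7402 8183 55 3BC0 7402 8183 53 3BC9 7401 BC 56 3B")
ENTRY_BASE = 0x41500C
OEP_STUB = bytes.fromhex("3BE4 7401 BF FFE0 B801000000 3BC9")
OEP_BASE = 0x420156


@dataclass
class Insn:
    addr: int
    size: int
    text: str


def decode_one(buf: bytes, off: int, base: int) -> Insn:
    """Decode the instruction at buf[off]. Only the opcodes these stubs use are
    handled (an assumption); anything else, or a truncated instruction, raises."""
    def need(n):
        if off + n > len(buf):
            raise ValueError("truncated instruction")

    addr, op = base + off, buf[off]
    if op == 0x3B:                              # CMP r32, r/m32 (register form only)
        need(2)
        modrm = buf[off + 1]
        if modrm >> 6 == 3:
            return Insn(addr, 2, f"cmp {REGS[(modrm >> 3) & 7]},{REGS[modrm & 7]}")
    elif op == 0x74:                            # JE rel8 (sign-extended displacement)
        need(2)
        rel = buf[off + 1] - 256 if buf[off + 1] > 127 else buf[off + 1]
        return Insn(addr, 2, f"je {addr + 2 + rel:08X}")
    elif 0x50 <= op <= 0x57:                    # PUSH r32
        return Insn(addr, 1, f"push {REGS[op - 0x50]}")
    elif 0xB8 <= op <= 0xBF:                    # MOV r32, imm32
        need(5)
        imm = int.from_bytes(buf[off + 1:off + 5], "little")
        return Insn(addr, 5, f"mov {REGS[op - 0xB8]},{imm:X}")
    elif op == 0xFF:                            # FF /4, register form: JMP r32
        need(2)
        modrm = buf[off + 1]
        if modrm >> 6 == 3 and ((modrm >> 3) & 7) == 4:
            return Insn(addr, 2, f"jmp {REGS[modrm & 7]}")
    elif op == 0x81:                            # 81 /0 [reg+disp32], imm32: ADD
        need(10)
        modrm = buf[off + 1]
        if modrm >> 6 == 2 and ((modrm >> 3) & 7) == 0 and (modrm & 7) != 4:
            disp = int.from_bytes(buf[off + 2:off + 6], "little")
            imm = int.from_bytes(buf[off + 6:off + 10], "little")
            return Insn(addr, 10, f"add dword [{REGS[modrm & 7]}+{disp:X}],{imm:X}")
    raise ValueError(f"unsupported encoding {op:02X} at {addr:08X}")


def linear_sweep(buf, base, start):
    """Decode byte after byte from 'start', the way a disassembler (and Olly's
    stale analysis) presents the stub; stops at the first undecodable byte."""
    out, off = [], start - base
    while off < len(buf):
        try:
            insn = decode_one(buf, off, base)
        except ValueError:
            break
        out.append(insn)
        off += insn.size
    return out


def follow_flow(buf, base, start):
    """Decode along the path the CPU takes: 'cmp X,X' always sets ZF, so the
    'je' after it is always taken and the bytes it skips never run. Stops at an
    indirect jump (the OEP lives in a register) or a branch of unknown outcome."""
    out, off, zf = [], start - base, None
    while off < len(buf):
        try:
            insn = decode_one(buf, off, base)
        except ValueError:
            break
        out.append(insn)
        mnem, _, ops = insn.text.partition(" ")
        if mnem == "cmp":
            a, b = ops.split(",")
            zf = True if a == b else None      # same register: ZF=1, else unknown
        elif mnem == "je":
            if zf is not True:
                break
            off = int(ops, 16) - base          # take the jump, skip the junk bytes
            continue
        elif mnem == "jmp":
            break                              # jmp eax: target is the OEP in EAX
        off += insn.size
    return out


if __name__ == "__main__":
    for name, buf, base in (("entry", ENTRY_STUB, ENTRY_BASE), ("pre-OEP", OEP_STUB, OEP_BASE)):
        print(f"--- {name} stub, linear sweep")
        print("\n".join(f"{i.addr:08X}  {i.text}" for i in linear_sweep(buf, base, base)))
        print(f"--- {name} stub, following the always-taken je")
        print("\n".join(f"{i.addr:08X}  {i.text}" for i in follow_flow(buf, base, base)))
```

The linear sweep of the pre-OEP stub reproduces Olly's "MOV EDI,1B8E0FF" line, and a sweep started at 00415017 reproduces the bogus ADD from the first listing, while following the JE yields the real stream (push ebp, push ebx, push esi ... and, at the end, cmp esp,esp / je / jmp eax). The flow decoder deliberately refuses to guess: a JE that is not preceded by a same-register compare stops the walk rather than picking a side, which is the honest answer for anything this packer did not write.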

Have fun, play safe

//Soul1




http://www.reversing.be/article.php?story=20050918231238321