Thursday, January 12 2006 @ 08:34 PM CET Contributed by: g3nuin3 Views: 32760
Level : newbie
Unpacking UPX packed Gamemon.des
Sup all, bored so I thought I'd write this one up right quick. In this tutorial I'll go through the process of successfully unpacking the UPX-packed gamemon.des file. It's really simple because UPX is probably the easiest packer on the net. Well, enough crap, let's get to work.
PEiD -> (optional)
OllyDbg -> (mandatory)
Gamemon.des -> (mandatory)
OllyDump plugin -> (you can use LordPE too if you want)
Ok, the first thing I always do is check to see what kind of packer we're working with.
So fire up PEiD and see what it is.
Yep, so we have our UPX there, doesn’t seem to be much of anything wrong.
I wrote this tut because I read Shub-Nigurrath's 10 easy steps, they actually work :p
Well, I'll use this file to show you something. What UPX and most packers/protectors do is more than likely compress the IAT or redirect it, making it hard for us to unpack or clearly analyze the file. To show you what I mean, I'm going to show you what gamemon's imports look like packed and after it's unpacked.
In PEiD I load the packed file and take a look at the kernel's imported functions first.
Well, that's odd, it only has three imported functions from kernel… but we sure do know there are many more than this from the kernel module, right? Hmmm, now look at the file after it's unpacked.
Big change, huh?! This is what we want it to look like... Well, be patient, now we'll get to the fun part, actually unpacking it!
Ok, assuming you have your tools prepared, let's go to battle.
First thing we will do is load gamemon.des into OllyDbg… After it analyzes, we are at a screen similar to this here.
Ok, the next thing you want to do is Set a BREAKPOINT on LoadLibraryA. You can use the commandline plugin to do this in Olly debugger.
Ok, once you are familiar with UPX you will understand why this is so, many of them are the same =)
Now that our breakpoint is set, we would like to continue until we break at this BREAKPOINT.
So please, everyone, push F9 in OllyDbg; this will continue execution of the program.
BAM, we break on it! Break means we hit the breakpoint we set and we are now ready to analyze what's going on!
So Look at the bottom right window of olly debugger! We will see THIS!
We are interested in what called this function. Hmm, well, here we have it:
CALL to LoadLibraryA from Gamemon.0049470E
Hah, so let's follow this and see what's going on in this section of code.
In OllyDbg press Ctrl + G; this will bring up a window where we go to the expression, which is 0049470E. Or we can right click that line in the window and go to Follow in disassembler.
Ok, now that we have gone to this expression, let's check out the code there.
Well, we are not much interested in the place where it was called, but rather a few instructions down. We will see a few conditional jumps, then a definite jump (JMP); this will be the magic jump to our OEP. Look here.
Ok, so look there: we found some small encryption stuff, a few jump-if-equals and stuff, but after this we have the real jump to the real original entry point of gamemon.des. How do I know? Well,
let's go to the expression where it jumps to, JMP Gamemon.0043C327. Right click this expression and go to Follow, or press Enter if you are at that address. And well, well, what do we know, it's our real ENTRY POINT.
NOTE: When you reach here make sure you make it the origin point! Right click “New origin”
Some of you might be wondering… how do you know what the OEP is!!?
Well from my experience Any valid PE program always starts with this instruction
MOV EBP, ESP
(Push -1 is not always the case (language specific), but after reading Goppit's explanation on the PE I know, and other resources I can't remember :S). Don't know if this is the valid explanation for it, but it's what I've seen unpacking files or reversing them. (If you know why, please tell me :) )
Anyways, now that we have the address of where our OEP is, we must calculate this and get the offset…
From Shub's tutorial:
“EP = OEP - base. Remember that the values in the PE header are always file offsets and not addresses.”
And he is correct. What we're attempting to do is get the valid ENTRY POINT of the program, so we take the ORIGINAL ENTRY POINT we found and subtract the IMAGE BASE from it, which is USUALLY 00400000 (don’t know about the cases where it's not).
So now that we know that, let's calculate it:
EP = 0043C327 - 00400000.
EP = 3C327
(If you're confused about how this is done, just use the trusty Windows calculator and enter this in hex mode ;) )
Now that we have our OEP and EP calculated, let's dump this baby =)
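The EP calculation above with the image base read from the file's own headers instead of assumed to be 00400000, as an added example (not part of the original tutorial). The helper names, the sample image size and the packed file's entry point are constructed for illustration; the header stores the entry point relative to ImageBase, which is why the subtraction yields the value to enter.

```python
import struct

def pe_header_info(data: bytes) -> dict:
    """Read ImageBase, SizeOfImage and AddressOfEntryPoint from a PE file."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20  # optional header follows the 20-byte COFF header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:       # PE32: 4-byte ImageBase at +28
        (image_base,) = struct.unpack_from("<I", data, opt + 28)
    elif magic == 0x20B:     # PE32+: 8-byte ImageBase at +24
        (image_base,) = struct.unpack_from("<Q", data, opt + 24)
    else:
        raise ValueError("unknown optional header magic")
    (entry_rva,) = struct.unpack_from("<I", data, opt + 16)
    (size_of_image,) = struct.unpack_from("<I", data, opt + 56)
    return {"image_base": image_base, "entry_rva": entry_rva,
            "size_of_image": size_of_image}

def oep_to_ep(oep_va: int, info: dict) -> int:
    """EP = OEP - base, rejecting an OEP that lies outside the loaded image."""
    ep = oep_va - info["image_base"]
    if not 0 <= ep < info["size_of_image"]:
        raise ValueError("OEP is not inside this image")
    return ep

def build_sample_header(image_base: int, size_of_image: int, entry_rva: int) -> bytes:
    """Constructed minimal PE32 headers, just enough for the parser above."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x010F)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)              # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)
    struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<I", opt, 56, size_of_image)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)

# Constructed sample: base and OEP are the tutorial's values; the image size
# and the packed file's entry point are made-up stand-ins.
SAMPLE = build_sample_header(0x00400000, 0x000A0000, 0x00094500)

if __name__ == "__main__":
    info = pe_header_info(SAMPLE)
    print(f"EP = {oep_to_ep(0x0043C327, info):X}")
```

To use it on a real file, pass `open(path, "rb").read()` to `pe_header_info` and the OEP address seen in the debugger to `oep_to_ep`.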
Dumping window of olly should look like this:
As you can see, Olly has already calculated the ENTRY POINT for us =) Make sure that Rebuild Imports is NOT checked. I personally trust ImpREC, but if you feel you can trust Olly's rebuild, then once you have checked that box and dumped the file you are officially done. For the smarter people, let's dump this file, LEAVE OLLY ON, and open up ImpREC.
Once you have ImpREC open, target the gamemon file. Now look at the screenshot:
Where it says OEP we enter the offset we calculated from the previous part.
Remember, the PE works with offsets not actual addresses!
After this we click IAT AutoSearch. We will hopefully get a success message telling us to try Get Imports.
So let's Get Imports!
We should be greeted with our imports, and they should have YES next to them, meaning they are all valid thunks =D
Now we press Fix Dump and search for the file we dumped with OllyDbg earlier; it will then successfully fix the dump file and save it…
WE ARE DONE!!!!!
We have successfully dumped and everything went A-OK!
See, unpacking UPX is nothing. Now try your luck with the nppgnt.des file =) It's just as easy :=)
Greetz and shouts:
shub(ARTEAM), DieselMusa, evobyte, luap, kemizca, ILA, [sheep], tokels, ARTEAM in general, everyone in #gamehacking , #Unpacking , #biw, #arteam, lazyKey, Detten and the Biw staff,and to
And whoever else I missed
Arteam and biw are awesome places to learn Unpacking and reversing, please take advantage of them at :
Biw : http://www.reversing.be
Over n out.
The file Gamemon.des will be attached, along with another file packed with UPX, so you can practice :D