BiW Reversing

Unpack UPX

   

Tutorials | Level: newbie

Unpacking UPX packed Gamemon.des
By: g3nuin3




Sup all, bored so I thought I'd write this one up right quick. In this tutorial I'll go through the process of successfully unpacking the UPX-packed gamemon.des file. It's really simple because UPX is probably the easiest packer on the inet. Well, enough crap, let's get to work.



Tools
PEiD -> (optional)
OllyDbg -> (mandatory)
Gamemon.des -> (mandatory)
ImpREC -> (mandatory)
OllyDump plugin -> (you can use LordPE too if you want)


Let's Go

Ok, the first thing I always do is check what kind of packer we're working with, so fire up PEiD and see what it is.

Yep, so we have our UPX there, and nothing looks out of the ordinary. I wrote this tut because I read Shub-Nigguraths 10 easy steps, and they actually work :p

Well, I'll use this file to show you something. What UPX and most packers/protectors do is compress the IAT, or redirect it, making it hard for us to unpack or clearly analyze the file. To show you what I mean, I'm going to show you what the packed gamemon's imports look like packed and after it's unpacked.



In PEiD I load the packed file and take a look at the first functions imported from kernel32.

Well that's odd, it only has three imported functions from kernel32... but we sure do know there are many more than this from the kernel module, right?
Hmmm, now look at the file after it's unpacked.



Big change, huh?! This is what we want it to look like... Well, be patient, now we'll get to the fun part: actually unpacking it!

Ok, assuming you have your tools prepared, let's go to battle. The first thing we will do is load gamemon.des into OllyDbg. After it analyzes, we are at a screen similar to this:



Ok, the next thing you want to do is set a BREAKPOINT on LoadLibraryA. You can use the command line plugin to do this in OllyDbg.

Ok, once you are familiar with UPX you will understand why this is so; many of them are the same =)

NOW that our breakpoint is set, we would like to continue until we break at this BREAKPOINT. So please everyone, push F9 in OllyDbg; this will continue execution of the program.

BAM, we break on it! "Break" means we hit the breakpoint we set and we are now ready to analyze what's going on!

So look at the bottom right window (the stack window) of OllyDbg! We will see THIS:



We are interested in what called this function. Hmm, well here we have it: a CALL to LoadLibraryA from Gamemon.0049470E

Hah, so let's follow this and see what's going on in this section of code.

In OllyDbg press Ctrl+G; this will bring up a window, and we go to the expression, which is 0049470E. Or we can right click that line in the window and choose Follow in Disassembler.

Ok, now that we have gone to this expression, let's check out the code there. Well, we are not much interested in the place where it was called; rather, a few instructions down we will see a few conditional jumps, then a definite jump (JMP). This will be the magic jump to our OEP. Look here.




Ok so look there: we found a small bit of encryption stuff, a few jump-if-equals and such, but after this we have the real jump to the real original entry point of gamemon.des. How do I know? Well...

Let's go to the expression where it jumps to, JMP Gamemon.0043C327: right click this expression and go to Follow, or press Enter if you are at that address. And well, well, what do we know, it's our real ENTRY POINT.



NOTE: When you reach here make sure you make it the origin point! Right click, "New origin here". Some of you might be wondering... how do you know what the OEP is!!? Well, from my experience any valid PE program always starts with these instructions:


    PUSH EBP
    MOV EBP, ESP
    PUSH -1


..... (PUSH -1 is not always the case, it's language specific, but that's what I know after reading Goppit's explanation of the PE format and other resources I can't remember :S)
Don't know if this is the valid explanation for it, but it's what I've seen unpacking files or reversing them. (If you know why, please tell me :) )

Anyways, now that we have the address of our OEP, we must calculate the offset from it...

From Shub's tutorial:
"EP = OEP - base Remember that the values in the PE header are always file offsets and not addresses."
And he is correct. What we're attempting to do is get the valid ENTRY POINT of the program, so we take the ORIGINAL ENTRY POINT we found and subtract the IMAGE BASE from it, which is USUALLY 00400000 (don't know about the cases where it's not).

So now we know that, let's calculate it:
EP = 0043C327 - 00400000 = 3C327 (If you're confused about how this is done, just use the trusty Windows calculator in hex mode ;) )
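As an added example (not code from the tutorial), here are the three steps above done in Python: resolving the E9 JMP to the OEP, computing EP = OEP - base, and writing that value into the AddressOfEntryPoint field of the PE header, which is what OllyDump does to the dumped file. The JMP address 00494800 and the minimal PE header are constructed for the example, not taken from gamemon.des; only the image base and the OEP 0043C327 come from the tutorial.

```python
import struct

# Values from the tutorial: gamemon's image base and the OEP the UPX stub jumps to.
IMAGE_BASE = 0x00400000
OEP_VA = 0x0043C327

# Constructed sample: a 5-byte "JMP 0043C327" placed at an assumed address 00494800
# (E9 rel32, rel32 = target - (address + 5) = -0x584DE, stored little-endian).
SAMPLE_JMP_VA = 0x00494800
SAMPLE_JMP = b"\xE9\x22\x7B\xFA\xFF"

def jmp_target(jmp_va, insn):
    """Resolve where an E9 rel32 near JMP located at jmp_va lands (the OEP here)."""
    if len(insn) != 5 or insn[0] != 0xE9:
        raise ValueError("not an E9 rel32 JMP")
    rel = struct.unpack("<i", insn[1:])[0]        # signed 32-bit displacement
    return (jmp_va + 5 + rel) & 0xFFFFFFFF       # measured from the next instruction

def va_to_rva(va, image_base):
    """EP = OEP - base: the header stores the entry point relative to the image base."""
    if va < image_base:
        raise ValueError("address lies below the image base")
    return va - image_base

def build_min_pe(image_base, entry_rva=0):
    """Constructed minimal PE32 header: DOS header, PE signature, file and optional header."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)              # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)          # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)     # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, image_base)    # ImageBase
    return dos + b"PE\0\0" + file_hdr + bytes(opt)

def _opt_header_off(pe):
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    return e_lfanew + 4 + 20          # skip "PE\0\0" and the 20-byte file header

def read_image_base(pe):
    return struct.unpack_from("<I", pe, _opt_header_off(pe) + 28)[0]

def read_entry_point(pe):
    return struct.unpack_from("<I", pe, _opt_header_off(pe) + 16)[0]

def set_entry_point(pe, oep_va):
    """What OllyDump does for us: write OEP - base into AddressOfEntryPoint of the dump."""
    rva = va_to_rva(oep_va, read_image_base(pe))
    patched = bytearray(pe)
    struct.pack_into("<I", patched, _opt_header_off(patched) + 16, rva)
    return bytes(patched)
```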

Now that we have our OEP and EP calculated, let's dump this baby =) The OllyDump window should look like this:



As you can see, Olly has already calculated the ENTRY POINT for us =) Make sure that Rebuild Imports is NOT checked. I personally trust ImpREC, but if you feel you can trust OllyDump's rebuild, then if you checked that and dumped the file you are officially done. For the smarter people, let's dump this file, LEAVE OLLY OPEN, and open up ImpREC.

Once you have ImpREC open, target the running gamemon process, now look at the screenshot:




Where it says OEP we enter the offset we calculated in the previous part. Remember, the PE header works with offsets, not actual addresses!

After this we click IAT AutoSearch. We will hopefully get a success message telling us to try Get Imports.
So let's press Get Imports!
We should be greeted with our imports, and they should have YES next to them, meaning they are all valid thunks =D

Now we press Fix Dump, browse to the file you dumped with OllyDbg earlier, and it will fix the dump file and save it...

WE ARE DONE!!!!!
We have successfully dumped and everything went A-OK!

See, unpacking UPX is nothing. Now try your luck with the nppgnt.des file =) it's just as easy :=)

Greetz and shouts:


shub (ARTEAM), DieselMusa, evobyte, luap, kemizca, ILA, [sheep], tokels, ARTEAM in general, everyone in #gamehacking, #Unpacking, #biw, #arteam, lazyKey, Detten and the BiW staff, and Team DEVOTED, and whoever else I missed. ARTeam and BiW are awesome places to learn unpacking and reversing, please take advantage of them at:
Biw : http://www.reversing.be
Arteam: http://cracking.accessroot.com

Over n out. The file Gamemon.des will be attached, along with another file packed with UPX so you can practice :D




Unpack UPX
Authored by: Fredro on Wednesday, January 18 2006 @ 10:16 AM CET
Nice tutor man, now I might be able to take UPX down ;>

Yours,
LazykEY
Unpack UPX
Authored by: nilrem on Saturday, January 28 2006 @ 01:55 AM CET
Very well explained. Good work mate.
-Nilrem of ARTeam.
Unpack UPX
Authored by: unterhunde on Tuesday, January 09 2007 @ 09:46 PM CET
Great Tutorial by the way.
For newer people:
To use the CommandLine Plugin:
1. In the little box type BP LoadLibraryA
2. Press Enter
3. Press F9 to run the program and it'll stop when it hits that point.

To avoid detection:
HideDebugger plugin for OllyDBG. It also has a check box in options to protect from IsDebuggerPresent.

Now my question to the author:

Ok, I didn't follow your tut to a "T" because my gamemon.des is a different version. HOWEVER, I did manage to get a successful Import with all YES's.

My question now mainly would be...what do I do with gamemon.des after I have Unpacked it? I am not sure of the purpose of this as of yet.

I have also successfully Unpacked gamguard.des as well.