Level: newbie
Unpacking UPX packed Gamemon.des
PEiD -> (optional)
OllyDbg -> (mandatory)
Gamemon.des -> (mandatory)
OllyDump plugin -> (you can use LordPE too if you want)
Ok, the first thing I always do is check what kind of packer we're working with, so fire up PEiD and see what it is.
Yep, so we have our UPX there; doesn't seem to be much of anything wrong. I wrote this tut because I read Shub-Niggurath's 10 easy steps, and they actually work :p
Well, I'll use this file to show you something. What UPX and most packers/protectors do is compress the IAT, or redirect it, making it hard for us to unpack or clearly analyze the file. To show you what I mean, here is what the packed gamemon's imports look like, first packed and then after it's unpacked.
Well that's odd, it only has three imported functions from kernel... but we sure do know there are many more than this from the kernel module, right?
Hmmm, now look at the file after it's unpacked.
Ok, assuming you have your tools prepared, let's go to battle. First thing we will do is load gamemon.des into OllyDbg. After it analyzes, we are at a screen similar to this one here.
Ok, the next thing you want to do is set a BREAKPOINT on LoadLibraryA. You can use the command line plugin to do this in OllyDbg.
Ok, once you are familiar with UPX you will understand why this is so, many of them are the same =)
NOW that our breakpoint is set, we would like to continue until we break at this BREAKPOINT. So please everyone, push F9 in OllyDbg; this will continue execution of the program.
BAM, we break on it! "Break" means we hit the breakpoint we set and we are now ready to analyze what's going on!
So Look at the bottom right window of olly debugger! We will see THIS!
We are interested in what called this function, hmm, well here we have it:
CALL to LoadLibraryA from Gamemon.0049470E
Hah, so let's follow this and see what's going on in this section of code.
In OllyDbg press Ctrl + G; this will bring up a window, and we go to the expression, which is 0049470E. Or we can right click that line in the window and choose "Follow in disassembler".
Ok, now that we have gone to this expression, let's check out the code there. We are not much interested in the place where it was called, but rather a few instructions down: we will see a few conditional jumps, then a definite jump (JMP). This will be the magic jump to our OEP. Look here.
Ok, so look there: we found a small bit of encryption stuff, a few "jump if equal"s and such, but after this we have the real jump to the real original entry point of gamemon.des. How do I know? Well...
Let's go to the expression where it jumps to, JMP Gamemon.0043C327. Right click this expression and choose Follow, or press Enter if you are at that address. And well, well, what do we know, it's our real ENTRY POINT.
NOTE: When you reach here make sure you make it the origin point! Right click “New origin”
Some of you might be wondering… how do you know what the OEP is!!?
Well, from my experience any valid PE program always starts with these instructions:
PUSH EBP
MOV EBP, ESP
PUSH -1
“EP = OEP - base Remember that the values in the PE header are always file offsets and not addresses.”
EP = 0043C327 - 00400000, so EP = 3C327. (If you're confused about how this is done, just use the trusty Windows calculator and input this under the hex format ; ) )
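The two checks above (the prologue bytes at the OEP, and EP = OEP - base) as an added Python example, not code from the original tutorial. It parses ImageBase and AddressOfEntryPoint out of a PE header with only the standard library, computes the EP value to write after dumping, and scans a dumped code blob for the PUSH EBP / MOV EBP,ESP / PUSH -1 pattern; the build_sample_pe32_header helper and its values are constructed for the demonstration, not taken from gamemon.des.

```python
import struct

# Byte pattern of the prologue the tutorial uses as an OEP tell:
#   55       PUSH EBP
#   8B EC    MOV EBP, ESP
#   6A FF    PUSH -1
MSVC_PROLOGUE = bytes.fromhex("558BEC6AFF")

def image_base_and_ep(pe: bytes):
    """Return (ImageBase, AddressOfEntryPoint) read from a PE32/PE32+ header blob."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    opt = e_lfanew + 4 + 20              # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    entry = struct.unpack_from("<I", pe, opt + 16)[0]
    if magic == 0x10B:                    # PE32: 32-bit ImageBase at offset 28
        base = struct.unpack_from("<I", pe, opt + 28)[0]
    elif magic == 0x20B:                  # PE32+: 64-bit ImageBase at offset 24
        base = struct.unpack_from("<Q", pe, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    return base, entry

def oep_to_rva(oep_va: int, image_base: int) -> int:
    """EP = OEP - base: the value that belongs in AddressOfEntryPoint after the dump."""
    if oep_va < image_base:
        raise ValueError("OEP lies below the image base")
    return oep_va - image_base

def find_prologue_candidates(code: bytes, code_va: int):
    """Scan a dumped code blob for the push ebp / mov ebp,esp / push -1 prologue.
    Returns the virtual addresses of every hit (code_va is the VA of code[0])."""
    hits, pos = [], code.find(MSVC_PROLOGUE)
    while pos != -1:
        hits.append(code_va + pos)
        pos = code.find(MSVC_PROLOGUE, pos + 1)
    return hits

def build_sample_pe32_header(image_base: int, entry_rva: int) -> bytes:
    """Constructed minimal PE32 header (DOS stub, PE signature, COFF, optional header).
    Not a real executable; only the fields read above are meaningful."""
    dos = bytearray(64); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 64)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224); struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 16, entry_rva); struct.pack_into("<I", opt, 28, image_base)
    return bytes(dos) + coff + bytes(opt)
```

A prologue hit alone is only a hint: the pattern occurs in many functions, so confirm the candidate against the jump you followed in the debugger before fixing up the header.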
As you can see, Olly has already calculated the ENTRY POINT for us =) Make sure that "Rebuild Import" is NOT checked. I personally trust ImpREC, but if you feel you can trust OllyDump, then if you checked that and dumped the file, you are officially done. For the smarter people, let's dump this file, LEAVE OLLY RUNNING, and open up ImpREC.
Once you have ImpREC open, target the gamemon process, and now look at the screenshot:
Greetz and shouts: