Target:
https://forum.tuts4you.com/topic/39325-quick-unpacking-safengine-shielden-239
magicjump5: 004D30FB
magicjump5 may be wrong!
magicjump2: 004D28E4
JumpDestination: 004D28C8 | Entry address
magicjump2: 004D3349
JumpDestination: 004D3308 | Entry address
magicjump2: 004D80BB
JumpDestination: 004D80D7 | Entry address
magicjump2: 004D81DC
JumpDestination: 004D81F8 | Entry address
magicjump2: 004DA58A
JumpDestination: 004DA54C | Entry address
magicjump2: 004DB025
JumpDestination: 004DB056 | Entry address
magicjump2: 004DB9C9
JumpDestination: 004DB9AE | Entry address
magicjump2: 0054A8FD
JumpDestination: 0054A903
Unfortunately none of those addresses is the magic jump (sorry)!
Log data, item 1
Message=ImportTableAddress: 00464000
The first time it gets the kernel32.GetModuleHandleA RVA = B741 (41B70000)
Export table address: 7C802C2C 41 B7 00 00
so set a breakpoint on read at address 7C802C2C
You should land here:
004FDA27 . 8B3E MOV EDI, DWORD PTR DS:[ESI]
004FDA29 . 5E POP ESI ; kernel32.7C80262C
004FDA2A . 9C PUSHFD
004FDA2B .^ EB DD JMP SHORT 004FDA0A
// Stepping in is needed:
004FDBF3 > \3BFE CMP EDI, ESI ; kernel32.7C80262C
004FDBF5 . 8D6424 04 LEA ESP, DWORD PTR SS:[ESP+0x4]
004FDBF9 ^ 0F82 00F9FFFF JB 004FD4FF
// No, this is not the magic jump since it is not the ntdll base address!
After stepping in a lot:
004A5D18 > \4A DEC EDX ; kernel32.7C807C3B
004A5D19 . 8B11 MOV EDX, DWORD PTR DS:[ECX]
004A5D1B . 3BD0 CMP EDX, EAX
004A5D1D . 60 PUSHAD
004A5D1E . E9 B5760500 JMP 004FD3D8
At 004A5D19 it gets the ntdll base address in edx
004FD3D8 > \8D6424 20 LEA ESP, DWORD PTR SS:[ESP+0x20]
004FD3DC .^ 0F83 C088FAFF JNB 004A5CA2
This is the magic jump, which should be changed to a jump! And now we have a clean import table!
It is still hard for me to automate things!
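The "change it to a jump" step from the post, worked through as an added example (not code from the post's author or from any unpacking tool): it decodes the 6-byte JNB at 004FD3DC quoted above, recomputes the relative displacement for a 5-byte JMP rel32 plus a NOP, and checks that the branch target 004A5CA2 is preserved. It also handles the 2-byte short Jcc form for completeness; the byte string and the function names are my own constructions.

```python
import struct

# Constructed from the listing in the post:
#   004FD3DC  0F83 C088FAFF   JNB 004A5CA2
MAGIC_JUMP_VA = 0x004FD3DC
MAGIC_JUMP_BYTES = bytes.fromhex("0F83C088FAFF")


def jcc_target(va, code):
    """Branch target of a conditional jump at virtual address `va`.

    Handles the short form (7x rel8, 2 bytes) and the near form
    (0F 8x rel32, 6 bytes); the displacement is relative to the end
    of the instruction."""
    if len(code) >= 2 and 0x70 <= code[0] <= 0x7F:
        rel = struct.unpack_from("<b", code, 1)[0]
        return (va + 2 + rel) & 0xFFFFFFFF
    if len(code) >= 6 and code[0] == 0x0F and 0x80 <= code[1] <= 0x8F:
        rel = struct.unpack_from("<i", code, 2)[0]
        return (va + 6 + rel) & 0xFFFFFFFF
    raise ValueError("not a Jcc rel8/rel32 encoding")


def jcc_to_jmp(va, code):
    """Rewrite a Jcc at `va` as an unconditional jump to the same target.

    Short Jcc becomes JMP SHORT (EB rel8), same length, same rel8.
    Near Jcc becomes JMP rel32 (E9) followed by a NOP so the 6-byte
    slot stays intact; rel32 is recomputed because JMP is one byte
    shorter than the 0F 8x form."""
    target = jcc_target(va, code)
    if 0x70 <= code[0] <= 0x7F:
        return b"\xEB" + code[1:2]
    rel = (target - (va + 5)) & 0xFFFFFFFF
    return b"\xE9" + struct.pack("<I", rel) + b"\x90"


def jmp_target(va, code):
    """Branch target of an unconditional JMP (EB rel8 or E9 rel32) at `va`."""
    if code[0] == 0xEB:
        return (va + 2 + struct.unpack_from("<b", code, 1)[0]) & 0xFFFFFFFF
    if code[0] == 0xE9:
        return (va + 5 + struct.unpack_from("<i", code, 1)[0]) & 0xFFFFFFFF
    raise ValueError("not a JMP rel8/rel32 encoding")


if __name__ == "__main__":
    patched = jcc_to_jmp(MAGIC_JUMP_VA, MAGIC_JUMP_BYTES)
    print(f"JNB -> {patched.hex().upper()}  target {jmp_target(MAGIC_JUMP_VA, patched):08X}")
```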