Exetools  

#1
11-22-2004, 23:43
ivanov
Help: Unpack

Can anyone help me find the correct OEP for the attached target? I have tried the PEiD Generic OEP Finder plugin, which did not work (OEP: 004e14ac). Then I used the Olly Dump plugin (Find OEP by Trace Over: 0059780C and Trace Into: 00591C90), which also failed; the fixed dumped file still cannot run. I can't find any tutorial that is suitable for this target. If there is one, how do I find the OEP using Olly? It is packed by an unknown packer and is a Delphi program. Some said it is easy to find the OEP on Delphi programs, but I can't find the correct one using their methods.
Attached Files
File Type: zip Target.zip (414.7 KB, 11 views)
#2
11-23-2004, 01:42
el-kiwi
Your program is protected with some kind of EXE Stealth and Neolite 2.0. Here is your OEP:

Load the program in Olly; you should be here:

00597800 > 40 INC EAX
00597801 92 XCHG EAX,EDX
00597802 90 NOP
00597803 4A DEC EDX
00597804 92 XCHG EAX,EDX
00597805 B8 901C5900 MOV EAX,CATCount.00591C90
0059780A 50 PUSH EAX
0059780B C3 RETN

Press F8 to execute the RETN and you land here:

00591C90 . BA 0C785900 MOV EDX,CATCount.0059780C
00591C95 . 52 PUSH EDX
00591C96 . C3 RETN

F8 again to execute the RETN and you are here:

0059780C BA 901C5900 MOV EDX,CATCount.00591C90
00597811 B8 60BE00B0 MOV EAX,B000BE60
00597816 8902 MOV DWORD PTR DS:[EDX],EAX
00597818 42 INC EDX
00597819 42 INC EDX
0059781A 42 INC EDX
0059781B B8 B052008D MOV EAX,8D0052B0
00597820 8902 MOV DWORD PTR DS:[EDX],EAX
00597822 4A DEC EDX
00597823 4A DEC EDX
00597824 4A DEC EDX
00597825 FFD2 CALL EDX-----------------------> trace this call
00597827 B0 F2 MOV AL,0F2
00597829 42 INC EDX
0059782A 7A F2 JPE SHORT CATCount.0059781E

Now F8 until 00597825 CALL EDX, then F7 to step into the call; you land here:

00591C90 . 60 PUSHAD
00591C91 ? BE 00B05200 MOV ESI,CATCount.0052B000
00591C96 . 8DBE 0060EDFF LEA EDI,DWORD PTR DS:[ESI+FFED6000]
00591C9C . 57 PUSH EDI
00591C9D . 83CD FF OR EBP,FFFFFFFF
00591CA0 . EB 10 JMP SHORT CATCount.00591CB2
00591CA2 90 NOP
00591CA3 90 NOP
00591CA4 90 NOP
00591CA5 90 NOP
00591CA6 90 NOP
00591CA7 90 NOP


Now look at the registers and note the value of ESP; it is 0012FFC0 in my case.

Click on the dump section, press Ctrl+G, and in the "expression to follow" box enter 12FFC0; you are here:

0012FFC0 27 78 59 00

Now highlight these four bytes, right click, and select Breakpoint -> Hardware, on access ----> Dword.

Now Shift+F9 once and you land here:


00591DDF .-E9 C8F6F4FF JMP CATCount.004E14AC-----> execute this jump and you are at OEP
00591DE4 FC1D5900 DD CATCount.00591DFC
00591DE8 0C1E5900 DD CATCount.00591E0C
00591DEC 10474E00 DD CATCount.004E4710


Execute the jump at 00591DDF with F8 and you land at the OEP:

004E14AC 55 PUSH EBP
004E14AD 8BEC MOV EBP,ESP
004E14AF 83C4 F0 ADD ESP,-10
004E14B2 B8 4C114E00 MOV EAX,CATCount.004E114C
004E14B7 E8 2C5AF2FF CALL CATCount.00406EE8
004E14BC A1 DC3A4E00 MOV EAX,DWORD PTR DS:[4E3ADC]
004E14C1 8B00 MOV EAX,DWORD PTR DS:[EAX]
004E14C3 E8 00CBF8FF CALL CATCount.0046DFC8
004E14C8 B8 38154E00 MOV EAX,CATCount.004E1538 ; ASCII "/ret"
004E14CD E8 AE05F9FF CALL CATCount.00471A80
004E14D2 84C0 TEST AL,AL
004E14D4 75 05 JNZ SHORT CATCount.004E14DB
004E14D6 E8 3567FDFF CALL CATCount.004B7C10
004E14DB A1 DC3A4E00 MOV EAX,DWORD PTR DS:[4E3ADC]
004E14E0 8B00 MOV EAX,DWORD PTR DS:[EAX]
004E14E2 BA 48154E00 MOV EDX,CATCount.004E1548 ; ASCII "CATCount"
004E14E7 E8 E8C6F8FF CALL CATCount.0046DBD4
004E14EC 8B0D 2C384E00 MOV ECX,DWORD PTR DS:[4E382C] ; CATCount.004E5070
004E14F2 A1 DC3A4E00 MOV EAX,DWORD PTR DS:[4E3ADC]
004E14F7 8B00 MOV EAX,DWORD PTR DS:[EAX]
004E14F9 8B15 24A34D00 MOV EDX,DWORD PTR DS:[4DA324] ; CATCount.004DA370
004E14FF E8 DCCAF8FF CALL CATCount.0046DFE0
004E1504 8B0D B83C4E00 MOV ECX,DWORD PTR DS:[4E3CB8] ; CATCount.004E508C
004E150A A1 DC3A4E00 MOV EAX,DWORD PTR DS:[4E3ADC]
004E150F 8B00 MOV EAX,DWORD PTR DS:[EAX]
004E1511 8B15 48F34D00 MOV EDX,DWORD PTR DS:[4DF348] ; CATCount.004DF394
004E1517 E8 C4CAF8FF CALL CATCount.0046DFE0
004E151C A1 DC3A4E00 MOV EAX,DWORD PTR DS:[4E3ADC]
004E1521 8B00 MOV EAX,DWORD PTR DS:[EAX]
004E1523 E8 38CBF8FF CALL CATCount.0046E060
004E1528 E8 CF31F2FF CALL CATCount.004046FC

That's it; now you can fix the IAT with ImpREC.

Last edited by el-kiwi; 11-23-2004 at 02:18.
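As an added example (not part of the thread, and not code from either poster), the script below checks the arithmetic behind el-kiwi's walkthrough using only the addresses and bytes that appear in the listing above: that the CALL EDX at 00597825 leaves 00597827 on the stack (the "27 78 59 00" seen at 0012FFC0, which is what the hardware breakpoint watches); that the two DWORD writes at 00597816 and 00597820 overwrite the seven-byte "MOV EDX / PUSH EDX / RETN" trampoline at 00591C90 with the "PUSHAD / MOV ESI,0052B000 / LEA ..." bytes that appear after F7, which is why a Trace Into stopping at 00591C90 earlier sees different code than the real stub; and that the E9 at 00591DDF really lands on 004E14AC. The "original bytes" at 00591C90 are taken from the listing shown after the first RETN; everything else is the poster's data. The tiny decoder only knows the handful of opcodes in the listing and stops at the first it does not recognise (the 8D of LEA).

```python
import struct

# Data constructed from el-kiwi's Olly listing above (addresses and bytes as posted).
CALL_EDX_ADDR = 0x00597825                          # FFD2   CALL EDX
CALL_EDX_LEN = 2
STACK_BYTES_AT_ESP = bytes.fromhex("27785900")       # dump at 0012FFC0

STUB_BASE = 0x00591C90
STUB_BEFORE = bytes.fromhex("BA0C78590052C3")        # MOV EDX,0059780C / PUSH EDX / RETN
STUB_WRITES = [(0x00591C90, 0xB000BE60),             # MOV DWORD PTR [EDX],EAX at 00597816
               (0x00591C93, 0x8D0052B0)]             # MOV DWORD PTR [EDX],EAX at 00597820

JMP_ADDR = 0x00591DDF
JMP_BYTES = bytes.fromhex("E9C8F6F4FF")              # JMP CATCount.004E14AC

REG32 = ["EAX", "ECX", "EDX", "EBX", "ESP", "EBP", "ESI", "EDI"]


def return_address_after_call(call_addr, call_len):
    """CALL pushes the address of the next instruction; that is what sits at [ESP]."""
    return (call_addr + call_len) & 0xFFFFFFFF


def dword_le(buf):
    """Interpret four little-endian bytes (as shown in the Olly dump) as a DWORD."""
    return struct.unpack("<I", buf)[0]


def apply_dword_writes(base, original, writes):
    """Replay MOV DWORD PTR [addr],value writes over a copy of the original bytes."""
    mem = bytearray(original)
    for addr, value in writes:
        off = addr - base
        mem[off:off + 4] = struct.pack("<I", value)
    return bytes(mem)


def jmp_rel32_target(addr, insn):
    """Target of an E9 rel32 jump: next-instruction address plus the signed displacement."""
    if insn[0] != 0xE9 or len(insn) < 5:
        raise ValueError("not an E9 rel32 jump")
    rel = struct.unpack("<i", insn[1:5])[0]
    return (addr + 5 + rel) & 0xFFFFFFFF


def decode_simple(buf, base):
    """Decode only the opcodes used in the posted stub (PUSHAD, MOV r32,imm32, PUSH r32, RETN).
    Stops at the first unknown opcode and records it, so partial stubs are still shown."""
    out, i = [], 0
    while i < len(buf):
        op = buf[i]
        if op == 0x60:
            out.append((base + i, "PUSHAD")); i += 1
        elif 0xB8 <= op <= 0xBF and i + 5 <= len(buf):
            imm = dword_le(buf[i + 1:i + 5])
            out.append((base + i, f"MOV {REG32[op - 0xB8]},{imm:08X}")); i += 5
        elif 0x50 <= op <= 0x57:
            out.append((base + i, f"PUSH {REG32[op - 0x50]}")); i += 1
        elif op == 0xC3:
            out.append((base + i, "RETN")); i += 1
        else:
            out.append((base + i, f"<unknown opcode {op:02X}>")); break
    return out


def verify_listing():
    """Return the cross-checks a reader can compare against the posted listing."""
    after = apply_dword_writes(STUB_BASE, STUB_BEFORE, STUB_WRITES)
    return {
        "ret_addr_from_call": return_address_after_call(CALL_EDX_ADDR, CALL_EDX_LEN),
        "ret_addr_on_stack": dword_le(STACK_BYTES_AT_ESP),
        "stub_after_patch": after.hex().upper(),
        "stub_before_decoded": decode_simple(STUB_BEFORE, STUB_BASE),
        "stub_after_decoded": decode_simple(after, STUB_BASE),
        "jmp_target": jmp_rel32_target(JMP_ADDR, JMP_BYTES),
    }


if __name__ == "__main__":
    for k, v in verify_listing().items():
        print(k, ":", f"{v:08X}" if isinstance(v, int) else v)
```

Running it shows the pushed return address and the bytes at 0012FFC0 both equal 00597827, the patched stub decodes to PUSHAD / MOV ESI,0052B000 followed by the unknown 8D (the LEA in the listing), and the jump resolves to 004E14AC, matching the OEP the thread arrives at.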
#3
11-24-2004, 20:05
ivanov

Quote:
Originally Posted by el-kiwi
Your program is protected with some kind of EXE Stealth and Neolite 2.0. Here is your OEP:

Click on the dump section, press Ctrl+G, and in the "expression to follow" box enter 12FFC0; you are here:

0012FFC0 27 78 59 00

Now highlight these four bytes, right click, and select Breakpoint -> Hardware, on access ----> Dword.

now shift+F9 once and you land here:


00591DDF .-E9 C8F6F4FF JMP CATCount.004E14AC-----> execute this jump and you are at OEP

004E14AC 55 PUSH EBP
.
Here I have to [F8] 00591C90 first, then ESP: 0012FFA0. After [Ctrl+F9], I am at: 00591DDF.

Result: GREATTT! Thanks el-kiwi. ImpREC found all imports and the file runs normally.

You said it was packed by 2 packers. Is that why Olly breaks twice at the same EP of the SFX before the OEP?

Just one question: why do I have to re-normalize the Exports in W98 to get a good dumped file, but not on XP, where it runs OK?
All times are GMT +8.