Exetools  

#1
01-28-2006, 03:46
hobgoblin
A nice challenge....

Greetings to all you unpackers.
It's been quite a while since I posted something here. But now I have found a nice challenge for people interested in unpacking targets. Go to hxxp:\\www.autodebug.com and download Autodebug pro 3.6 for Windows.
I have tried to unpack it, and seem to succeed, but when I run it, it crashes.
It is packed with both ASPack and PECompact: first with PECompact, then wrapped once more with ASPack. It is no problem solving these two things, but then the fun starts. There are calls to IsDebuggerPresent, and there is some other stuff that makes the program crash via int3 exceptions. But after solving these things, the program still doesn't run properly. It just exits after a few seconds. When you run the program in Olly, it detects bp's (at least in the code section). When you succeed in solving this in Olly, you will see that it crashes in a place where it seems that some code is overwritten when you try to run it in a debugger.
Anyone interested in taking a look?
And for the record: I don't care about breaking the serial protection. I'm just after unpacking it until it runs just fine.

regards,
hobgoblin
#2
01-28-2006, 11:00
deroko
Well, I've made a little workaround and forced CreateFileA at 420155 to read DebugApiSpy.exe instead of the dumped file itself.

Code:
.00400510: E91A000000                   jmp        .00040052F  ---↓ (1)
.00400515: B88D85FCFB                   mov         eax,0FBFC858D
.0040051A: AB                           stosd
.0040051B: 66B8FFFF                     mov         ax,-1
.0040051F: 66AB                         stosw
.00400521: B050                         mov         al,050 ;'P'
.00400523: AA                           stosb
.00400524: 5F                           pop         edi
.00400525: 6800054000                   push        000400500 ;'DebugApiSpy.exe
.0040052A: E926FC0100                   jmp        .000420155  ---↓ (3)
.0040052F: 57                           push        edi
.00400530: BF4E014200                   mov         edi,00042014E  ---↓ (4)
.00400535: E9DBFFFFFF                   jmp        .000400515  ---↑ (5)
.0040053A: 0000                         add         [eax],al
Sorry for too many jmps in the patch, but I forgot to save edi and didn't wanna write everything from the beginning.
You have to restore the opcodes rewritten by the jmp or the progy will fail, or patch the integrity check later on.

This is my fast solution; probably someone will come up with a better solution =)
Anyway, you may use the original exe and inject into the last section code that will dump the file to disk and pass that fname to CreateFileA.

cheers
__________________
http://accessroot.com
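
Added example, not part of deroko's post: a small tracer for reading a stub like the one listed above. It resolves the `E9` rel32 jumps and records what the `stos` instructions write. It models only the opcodes that occur in the listing and assumes the direction flag is clear; `STUB` and `trace` are names chosen for this example.

```python
# Raw bytes copied from the listing in the post above (address: instruction bytes).
STUB = {
    0x400510: "E91A000000", 0x400515: "B88D85FCFB", 0x40051A: "AB",
    0x40051B: "66B8FFFF",   0x40051F: "66AB",       0x400521: "B050",
    0x400523: "AA",         0x400524: "5F",         0x400525: "6800054000",
    0x40052A: "E926FC0100", 0x40052F: "57",         0x400530: "BF4E014200",
    0x400535: "E9DBFFFFFF"}

def trace(stub, entry=0x400510):
    """Follow the stub until control leaves it; return (exit address, bytes stored, stack)."""
    code = {addr: bytes.fromhex(h) for addr, h in stub.items()}
    eax, edi, pc, stack, mem = 0, None, entry, [], {}

    def store(n):                        # stosb/stosw/stosd with DF=0 (assumption)
        nonlocal edi
        for i, b in enumerate(eax.to_bytes(4, "little")[:n]):
            mem[edi + i] = b
        edi += n

    while pc in code:
        raw = code[pc]
        nxt = pc + len(raw)
        wide = 2 if raw[0] == 0x66 else 4            # 0x66 = operand-size prefix
        op = raw[1:] if wide == 2 else raw
        imm = int.from_bytes(op[1:], "little")       # immediate operand, 0 if none
        if op[0] == 0xE9:                # jmp rel32: next instruction + signed rel32
            rel = int.from_bytes(op[1:], "little", signed=True)
            nxt = (nxt + rel) & 0xFFFFFFFF
        elif op[0] == 0xB8:              # mov eax, imm32 / mov ax, imm16
            eax = imm if wide == 4 else (eax & 0xFFFF0000) | imm
        elif op[0] == 0xB0:              # mov al, imm8
            eax = (eax & 0xFFFFFF00) | imm
        elif op[0] == 0xBF:              # mov edi, imm32
            edi = imm
        elif op[0] in (0xAB, 0xAA):      # stosd/stosw (0xAB) or stosb (0xAA)
            store(1 if op[0] == 0xAA else wide)
        elif op[0] == 0x57:              # push edi (caller's value, unknown: None)
            stack.append(edi)
        elif op[0] == 0x5F:              # pop edi
            edi = stack.pop()
        elif op[0] == 0x68:              # push imm32
            stack.append(imm)
        else:
            raise ValueError(f"unmodelled opcode at {pc:#x}")
        pc = nxt
    return pc, mem, stack
```

On the listed bytes the trace leaves the stub at 0x420155 with 0x400500 as the only value left on the stack, after storing 8D 85 FC FB FF FF 50 (`lea eax,[ebp-404h]` / `push eax`) at 0x42014E through 0x420154.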
All times are GMT +8.