Exetools  

  #1  
Old 04-22-2005, 14:04
KaGra
 
Unpackme

Just an unpackme from me, read the rules in the zip... You may post the solution here, or just tell us the link to find it...

difficulty:2/10
Attached Files
File Type: zip unpackme1_by_KaGra.zip (94.7 KB, 41 views)
  #2  
Old 04-22-2005, 14:09
KaGra
 
and something more...

I packed it on XP SP1 English and have not tested it on any other... But normally it would run fine...
  #3  
Old 04-22-2005, 20:24
stephenteh
 
OK, done... but I never post a solution because it's packed with tElock... You can find a lot of tutorials on this packer and you can even find an unpacker for it...
Attached Files
File Type: rar dumped.rar (75.1 KB, 14 views)

Last edited by stephenteh; 04-23-2005 at 02:50.
  #4  
Old 04-23-2005, 01:50
KaGra
 
Well done

Thanks for the time, man...
But I didn't really get it when you said packed with tElock, so no guide... Anyway, easily made, easily dumped.
  #5  
Old 04-23-2005, 02:09
KaGra
 
...

And because I'm never sure if you solved it right using your mind, would you tell us a small guide to follow and make our dump? If you would, of course...
  #6  
Old 04-23-2005, 02:31
codeX

Quote:
Originally Posted by stephenteh
OK, done... but I never post a solution because it's packed with tElock...
OK, nice work.

But what is wrong with a guide about tElock?

Anyway
Quote:
If you would, of course....
  #7  
Old 04-23-2005, 06:32
_veDc
 
It's not packed with tElock... I guess it's UPolyX...

Looks like UPX, and UPolyX scrambles the stub a bit...

KaGra, correct me if I am wrong...

_veDc
  #8  
Old 04-25-2005, 00:13
MaRKuS-DJM
It is tElock. KaGra, you should have deleted the real OEP bytes; otherwise you just need to set the correct EP and fix one call.
  #9  
Old 04-26-2005, 01:39
_veDc
 
You start here:
Code:
01007D80 >  9C              PUSHFD
01007D81    60              PUSHAD
01007D82    B8 E4190001     MOV EAX,final.010019E4
01007D87    8030 66         XOR BYTE PTR DS:[EAX],66
01007D8A    40              INC EAX
01007D8B    3D 8B6A0001     CMP EAX,final.01006A8B
01007D90  ^ 75 F5           JNZ SHORT final.01007D87                   ; Set BP after this JNZ to exit the loop
01007D92    BB 00800001     MOV EBX,final.01008000
01007D97    8033 77         XOR BYTE PTR DS:[EBX],77
01007D9A    43              INC EBX
01007D9B    81FB F09F0001   CMP EBX,final.01009FF0
01007DA1  ^ 75 F4           JNZ SHORT final.01007D97                   ; Set BP after this JNZ to exit the loop
01007DA3    36:C705 FCFF060>MOV DWORD PTR SS:[6FFFC],final.01002801    ; Keep in mind the address which is MOV to Stack address 0006FFFC...
01007DAE    68 BA7D0001     PUSH final.01007DBA                        ; ASCII "hÆ}"
01007DB3    E8 01000000     CALL final.01007DB9
01007DB8    C3              RETN
01007DB9    C3              RETN
01007DBA    68 C67D0001     PUSH final.01007DC6                        ; ASCII "hÒ}"
01007DBF    E8 01000000     CALL final.01007DC5
01007DC4    C3              RETN
01007DC5    C3              RETN
01007DC6    68 D27D0001     PUSH final.01007DD2                        ; ASCII "hÞ}"
01007DCB    E8 01000000     CALL final.01007DD1
01007DD0    C3              RETN
01007DD1    C3              RETN
01007DD2    68 DE7D0001     PUSH final.01007DDE                        ; ASCII "h¨º}"
01007DD7    E8 01000000     CALL final.01007DDD
01007DDC    C3              RETN
01007DDD    C3              RETN
01007DDE    68 EA7D0001     PUSH final.01007DEA                        ; ASCII "hö}"
01007DE3    E8 01000000     CALL final.01007DE9
01007DE8    C3              RETN
01007DE9    C3              RETN
01007DEA    68 F67D0001     PUSH final.01007DF6                        ; ASCII "a?h¨¤j"
01007DEF    E8 01000000     CALL final.01007DF5
01007DF4    C3              RETN
01007DF5    C3              RETN
01007DF6    61              POPAD
01007DF7    9D              POPFD
01007DF8    68 E06A0001     PUSH final.01006AE0
01007DFD    C3              RETN                                       ; After this RETN you are on OEP
- Just step with F8 in OllyDbg until you arrive at the OEP (exit the loops with F2/Shift+F9)
- Dump with your favorite dumper (LordPE / dump full)
- Use OEP 01006AE0 minus ImageBase (1000000) and fill ImpRec with it
- Fix the dump with it

Fixing the dump that does not start:

Remember the address which was MOVed onto the stack at the beginning? This is the reason why our dump is not working...

Find this in your dump:
Code:
01006C45   > \6A 0A         PUSH 0A
01006C47   .  58            POP EAX
01006C48   >  50            PUSH EAX
01006C49   .  56            PUSH ESI
01006C4A   .  53            PUSH EBX
01006C4B   .  53            PUSH EBX
01006C4C   .  FFD7          CALL EDI
01006C4E   .  50            PUSH EAX
01006C4F   .  E8 9C130000   CALL dumped_.01007FF0
The marked CALL leads to this jump...
Code:
01007FF0   $  36:FF25 FCFF0>JMP DWORD PTR SS:[6FFFC]
You should now understand why it is not working... at 0006FFFC there is only 00000000, so it crashes...

What do we have to do now? We fix the CALL to the real destination and have a working dump...

Change
Code:
01006C4F   .  E8 9C130000   CALL dumped_.01007FF0
to
Code:
01006C4F      E8 ADBBFFFF   CALL dumped_.01002801
and save with right click -> Copy to executable -> All modifications, then save the file and enjoy this great application...

Thanks to KaGra for this... I hope this is the solution you wanted to hear... and it's the same unpackme you sent me...

Have a nice day.
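As an added example (written for this page, not code from the thread or from _veDc), the arithmetic behind the fix in the post above, in Python: decoding the original CALL's rel32 to confirm it lands on the stub's JMP at 01007FF0, re-encoding it so it goes straight to 01002801, and replaying the stub's two XOR loops on a flat image. The flat in-memory image, its size and IMAGE_BASE = 01000000 are assumptions taken from the addresses in the thread.

```python
import struct

IMAGE_BASE = 0x01000000        # from the thread: OEP 01006AE0 minus ImageBase 1000000
CALL_VA = 0x01006C4F           # CALL in the dump that goes through the stub
STUB_JMP_VA = 0x01007FF0       # stub's JMP DWORD PTR SS:[6FFFC]
REAL_DEST_VA = 0x01002801      # value the stub stored at 0006FFFC before reaching OEP
# The two XOR loops at the start of the stub (start, end-exclusive, key).
XOR_LOOPS = [(0x010019E4, 0x01006A8B, 0x66), (0x01008000, 0x01009FF0, 0x77)]

def decode_call_rel32(call_va, insn):
    """Absolute target of a 5-byte E8 rel32 CALL located at call_va."""
    if len(insn) != 5 or insn[0] != 0xE8:
        raise ValueError("not an E8 near CALL")
    (rel,) = struct.unpack("<i", insn[1:])
    return (call_va + 5 + rel) & 0xFFFFFFFF

def encode_call_rel32(call_va, target_va):
    """5-byte E8 CALL at call_va landing on target_va (rel32 counts from the next insn)."""
    rel = target_va - (call_va + 5)
    if not -0x80000000 <= rel <= 0x7FFFFFFF:
        raise ValueError("target out of rel32 range")
    return b"\xE8" + struct.pack("<i", rel)

def decrypt_stub_ranges(image, image_base=IMAGE_BASE):
    """Replay the stub's XOR loops on a flat memory image (static equivalent
    of stepping past both JNZs in OllyDbg)."""
    for start, end, key in XOR_LOOPS:
        for va in range(start, end):          # end is exclusive: INC, CMP, JNZ
            image[va - image_base] ^= key
    return image

def fix_dump_call(image, image_base=IMAGE_BASE):
    """Redirect the CALL at CALL_VA straight to REAL_DEST_VA, as the thread does
    by hand, so the dump no longer depends on the stub's [6FFFC] slot."""
    off = CALL_VA - image_base
    insn = bytes(image[off:off + 5])
    if decode_call_rel32(CALL_VA, insn) != STUB_JMP_VA:
        raise ValueError("CALL at %08X does not point at the stub JMP" % CALL_VA)
    image[off:off + 5] = encode_call_rel32(CALL_VA, REAL_DEST_VA)
    return image

if __name__ == "__main__":
    # Constructed flat image: 0xA000 zero bytes with only the original CALL placed in it.
    img = bytearray(0xA000)
    img[CALL_VA - IMAGE_BASE:CALL_VA - IMAGE_BASE + 5] = bytes.fromhex("E89C130000")
    fix_dump_call(img)
    print(img[CALL_VA - IMAGE_BASE:CALL_VA - IMAGE_BASE + 5].hex().upper())  # E8ADBBFFFF
```

The re-encoded bytes E8 AD BB FF FF are exactly what the post writes into the dump at 01006C4F.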
All times are GMT +8.