#1
Unpackme
just an unpackme from me, read the rules in the zip... U may post the solution here, or just tell us the link to find it...
difficulty: 2/10
#2
and something more...
I packed it in XP SP1 English and did not test it in any other... But normally it would run fine...
#3
ok done... but I never post a solution because it is packed with tElock... u can find a lot of tutorials on this packer and u can even find an unpacker for it...
Last edited by stephenteh; 04-23-2005 at 02:50.
#4
well done
thankz for the time man...
but didn't really get it when saying "packed with tElock", so no guide... anyway, easily made, easily dumped
#5
...
and cause I'm never sure if u solved it right using your mind, would u tell us a small guide to follow and make our dump? if u would, of course...
#6
Quote:
But what is wrong with a guide 'bout tElock. Anyway
Quote:
{RES}
#7
It's not packed with teLock.. I guess it's UPolyX...
Looks like UPX, and UPolyX scrambles the stub a bit... KaGra, correct me if I am wrong... _veDc
#8
It is tElock. KaGra, you should have deleted the real OEP bytes, else you just need to set the correct EP and fix one call.
#9
You start here:

Code:
01007D80 > 9C               PUSHFD
01007D81   60               PUSHAD
01007D82   B8 E4190001      MOV EAX,final.010019E4
01007D87   8030 66          XOR BYTE PTR DS:[EAX],66
01007D8A   40               INC EAX
01007D8B   3D 8B6A0001      CMP EAX,final.01006A8B
01007D90 ^ 75 F5            JNZ SHORT final.01007D87                 ; Set BP after this JNZ to exit the loop
01007D92   BB 00800001      MOV EBX,final.01008000
01007D97   8033 77          XOR BYTE PTR DS:[EBX],77
01007D9A   43               INC EBX
01007D9B   81FB F09F0001    CMP EBX,final.01009FF0
01007DA1 ^ 75 F4            JNZ SHORT final.01007D97                 ; Set BP after this JNZ to exit the loop
01007DA3   36:C705 FCFF060> MOV DWORD PTR SS:[6FFFC],final.01002801  ; Keep in mind the address which is MOV to stack address 0006FFFC...
01007DAE   68 BA7D0001      PUSH final.01007DBA                      ; ASCII "hÆ}"
01007DB3   E8 01000000      CALL final.01007DB9
01007DB8   C3               RETN
01007DB9   C3               RETN
01007DBA   68 C67D0001      PUSH final.01007DC6                      ; ASCII "hÒ}"
01007DBF   E8 01000000      CALL final.01007DC5
01007DC4   C3               RETN
01007DC5   C3               RETN
01007DC6   68 D27D0001      PUSH final.01007DD2                      ; ASCII "hÞ}"
01007DCB   E8 01000000      CALL final.01007DD1
01007DD0   C3               RETN
01007DD1   C3               RETN
01007DD2   68 DE7D0001      PUSH final.01007DDE                      ; ASCII "h¨º}"
01007DD7   E8 01000000      CALL final.01007DDD
01007DDC   C3               RETN
01007DDD   C3               RETN
01007DDE   68 EA7D0001      PUSH final.01007DEA                      ; ASCII "hö}"
01007DE3   E8 01000000      CALL final.01007DE9
01007DE8   C3               RETN
01007DE9   C3               RETN
01007DEA   68 F67D0001      PUSH final.01007DF6                      ; ASCII "a?h¨¤j"
01007DEF   E8 01000000      CALL final.01007DF5
01007DF4   C3               RETN
01007DF5   C3               RETN
01007DF6   61               POPAD
01007DF7   9D               POPFD
01007DF8   68 E06A0001      PUSH final.01006AE0
01007DFD   C3               RETN                                     ; After this RETN you are on OEP

- Dump with your favorite dumper (LordPE / dump full)
- Use OEP 01006AE0 sub ImageBase (1000000) and fill your ImpRec with it
- Fix the dump with it

Fix the not-starting dump:

Remember the address which was MOV'd onto the stack at the beginning? This is the reason why our dump is not working.. find this in your dump:

Code:
01006C45 > \6A 0A           PUSH 0A
01006C47 . 58               POP EAX
01006C48 > 50               PUSH EAX
01006C49 . 56               PUSH ESI
01006C4A . 53               PUSH EBX
01006C4B . 53               PUSH EBX
01006C4C . FFD7             CALL EDI
01006C4E . 50               PUSH EAX
01006C4F . E8 9C130000      CALL dumped_.01007FF0

Code:
01007FF0 $ 36:FF25 FCFF0>   JMP DWORD PTR SS:[6FFFC]

What do we have to do now? We fix the CALL to the real destination and have a working dump... Change

Code:
01006C4F . E8 9C130000      CALL dumped_.01007FF0

to

Code:
01006C4F   E8 ADBBFFFF      CALL dumped_.01002801

thx to KaGra for this.. I hope this is the solution you wanted to hear.. and it's the same unpackme you sent me.. have a nice day
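As an added example (not code from this thread or its posters), the script below replays the two mechanical steps of the walkthrough above in Python: the stub's two XOR loops over [010019E4, 01006A8B) with key 66 and [01008000, 01009FF0) with key 77, and the E8 rel32 fix that turns `CALL 01007FF0` into `CALL 01002801`. The addresses and the two CALL encodings are the ones shown in the listing; the toy image buffer and the plaintext bytes placed in it are constructed here and are assumptions. It also shows why the displacement ADBBFFFF is what it is: a near CALL's rel32 is measured from the end of the 5-byte instruction, so the value is 01002801 - 01006C54.

```python
# Added example, not from the thread: replay the stub's XOR-decrypt loops and
# compute/verify the E8 rel32 CALL patch that makes the dump start.
import struct

IMAGE_BASE = 0x01000000          # image base of the unpackme, per the listing

# Ranges and keys exactly as the stub's two loops use them (end is exclusive,
# because the loop exits when the pointer reaches the CMP operand).
XOR_RANGES = [
    (0x010019E4, 0x01006A8B, 0x66),
    (0x01008000, 0x01009FF0, 0x77),
]


def xor_decrypt_range(image: bytearray, base: int, start_va: int, end_va: int, key: int) -> None:
    """Mirror 'MOV reg,start / XOR BYTE PTR [reg],key / INC reg / CMP reg,end / JNZ'.

    `image` is a flat copy of the mapped module, byte 0 being virtual address `base`.
    """
    for va in range(start_va, end_va):
        image[va - base] ^= key


def call_rel32(insn_va: int, target_va: int) -> bytes:
    """Encode a near CALL (E8 rel32) located at insn_va that lands on target_va."""
    rel = target_va - (insn_va + 5)   # displacement is relative to the NEXT instruction
    return b"\xe8" + struct.pack("<i", rel)


def call_target(insn_va: int, encoded: bytes) -> int:
    """Decode where an E8 rel32 CALL at insn_va actually goes."""
    if len(encoded) != 5 or encoded[0] != 0xE8:
        raise ValueError("not a 5-byte near CALL")
    return insn_va + 5 + struct.unpack("<i", encoded[1:])[0]


def patch_call(image: bytearray, base: int, insn_va: int, new_target_va: int) -> bytes:
    """Rewrite the CALL at insn_va so it reaches new_target_va; return the old 5 bytes."""
    off = insn_va - base
    old = bytes(image[off:off + 5])
    if old[0] != 0xE8:
        raise ValueError("no near CALL at %08X" % insn_va)
    image[off:off + 5] = call_rel32(insn_va, new_target_va)
    return old


def demo() -> dict:
    # Constructed toy image: 0x10000 bytes at the real image base. Only the bytes
    # we touch carry meaning; everything else is zero filler (assumption).
    image = bytearray(0x10000)
    # Two "encrypted" bytes, one inside each loop range, stored as plaintext XOR key
    image[0x010019E4 - IMAGE_BASE] = 0x55 ^ 0x66
    image[0x01008000 - IMAGE_BASE] = 0x90 ^ 0x77
    # The broken CALL from the dump, bytes as shown in the listing: E8 9C 13 00 00
    call_va = 0x01006C4F
    image[call_va - IMAGE_BASE:call_va - IMAGE_BASE + 5] = bytes.fromhex("e89c130000")

    for start, end, key in XOR_RANGES:
        xor_decrypt_range(image, IMAGE_BASE, start, end, key)

    old_target = call_target(call_va, bytes(image[call_va - IMAGE_BASE:call_va - IMAGE_BASE + 5]))
    old_bytes = patch_call(image, IMAGE_BASE, call_va, 0x01002801)
    new_bytes = bytes(image[call_va - IMAGE_BASE:call_va - IMAGE_BASE + 5])

    return {
        "decrypted_first": image[0x010019E4 - IMAGE_BASE],   # 0x55 after the key-66 loop
        "decrypted_second": image[0x01008000 - IMAGE_BASE],  # 0x90 after the key-77 loop
        "boundary": image[0x01006A8B - IMAGE_BASE],          # end address itself is NOT touched
        "old_target": old_target,                            # 0x01007FF0, the JMP [6FFFC] thunk
        "old_bytes": old_bytes,                              # E8 9C 13 00 00
        "new_bytes": new_bytes,                              # E8 AD BB FF FF
        "oep_rva": 0x01006AE0 - IMAGE_BASE,                  # 0x6AE0, the value ImpRec wants
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v.hex() if isinstance(v, bytes) else hex(v))
```

The exclusive upper bound in `xor_decrypt_range` is the detail worth checking when you script this against a real dump: the stub's CMP/JNZ stops the loop the moment the pointer equals the end address, so that byte is left alone, and a script that decrypts one byte too many corrupts whatever follows the region.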