Exetools  

Exetools > General > General Discussion
#1, 11-19-2006, 23:42
TmC (VIP)
CrypKey + PEBundle = Mess

Hi all, I searched through the whole forum but cannot find an answer to my questions.

PREMISES:

The target I am unpacking is SwishJukeBox. I am trying to unpack it because the Markus generic crack works only in part.
The program is packed 3 times with PEBUNDLE and once with CRYPKEY.

OPERATIONS PERFORMED:

Unpacking PEBundle is easy: F8, F8, follow ESP in dump, HWBP on execution, F8, F8 and we land on the next shell's OEP.

Doing this 3 times leads to the CrypKey OEP.

Finding the REAL OEP is a piece of cake: I just need to trace with F8 till I reach a weird unpacking sequence. Bypassing it by studying the code just a bit leads to some final code and to a JMP EAX; F7 on that and we are at the OEP.

The IAT seems good, so I run LordPE and dump. Run ImpREC, type in the OEP, and all thunks are OK except the Kernel32 one, which has 4 invalid pointers.

QUESTIONS AND CONCERNS:

Tracing 1, 2 and 3 does not lead to the solution. I tried to go to one invalid thunk in Olly; it leads to code stored in the PEBundle section, where there is some weird code but no sign of real API functions (maybe they are custom-coded ones).

Now the questions are two:

1) Is it CrypKey or PEBundle that is responsible for this IAT mangling? On this question I'm fairly sure that it is PEBundle, since I read in other tutorials that CrypKey does not corrupt the IAT.

2) How can I find which API functions have been stolen by PEBundle and restore them?

NOTE: If I fix the IAT with the invalid pointers and leave everything else untouched, the executable runs like a charm, but I want to CUT out all PEBundle sections, and if I do that, whether I cut out the invalid thunks or not, the executable crashes reading those thunks.

Has anyone encountered this problem before and come up with a solution?
--------------------------------------------------------------------------
Second question: (banal)

The resource section is a bit mangled, and when I open it with ResHacker it is not able to display dialogs.

What do you advise as a resource viewer, OR how can I rebuild the resource section?

EDIT: Used Res Tuner but discovered that the disabling function is performed at runtime, so there is no need for a resource editor.

Thanks to all

TmC

Last edited by TmC; 11-20-2006 at 01:45.
#2, 11-20-2006, 00:05
DCA (VIP)
@TmC

Try ResScope at restools.com
Maybe this resource viewer/editor can help.