#1
01-29-2003, 07:20 AM
Acid_Cool_178 (Member, Join Date: Dec 2002, Location: Planet Earth, Posts: 35)
Unpacking

Target is: h**p://ngenworld.free.fr/Crackmes/CrackMe2_syn.zip
It is packed and has one NAG (MessageBoxA).

I have tried to unpack it and then rebuilt the dumped .exe file, but with no luck. I have found out that the OEP is 1000, so I guess this is an ASM program.

After some tracing with OllyDbg, I came up here:

00406112 . /EB 09 JMP SHORT Crackme.0040611D
00406114 > |FE0E DEC BYTE PTR [ESI]
00406116 .-|0F84 E4AEFFFF JE Crackme.00401000 <-- OEP
0040611C . |56 PUSH ESI
0040611D > 55 PUSH EBP
0040611E . FF53 04 CALL DWORD PTR [EBX+4]

I jumped over there and used the plugin for OllyDbg, dumping the debugged process, and changed the OEP to 1000.

I'm standing still on this little project right now. Anyone got any clues or good references?

Acid
#2
01-29-2003, 03:23 PM
ZaiRoN (Junior Member, Join Date: Jan 2003, Posts: 2)

Hi Acid_Cool_178,

Why do you need to unpack the file?
I have taken a little glance at the target and a 1-byte patch will solve the problem. Your EIP is right; try to understand how the program fills the first section of code.

Regards,
ZaiRoN
#3
01-29-2003, 03:47 PM
Acid_Cool_178 (Member, Join Date: Dec 2002, Location: Planet Earth, Posts: 35)

Urk, then I'll finish the job in about 1 year... Well well, time to gain all the tutorials that I can find. Thanks for the hint.

You didn't find any special tricks that could be hard for a newbie? Or is it simple? What's your rating on this one?

Acid
#4
01-29-2003, 05:17 PM
ZaiRoN (Junior Member, Join Date: Jan 2003, Posts: 2)

Hi Acid_Cool_178,
Quote:
You didn't find any special tricks that could be hard for a newbie? Or is it simple? What's your rating on this one?
The crackme is very simple (no special tricks) and I think you don't need special tutorials to solve this one. All the code is in front of you, and the core of the crackme is in the first lines.

Good luck,
ZaiRoN
#5
10-10-2003, 02:06 PM
LAS3R (Junior Member, Join Date: Oct 2003, Posts: 1)

Sorry, probably a bit late posting this hehe! :P

Here is some info on how to solve this:

Set a bpx on 00406116, press F9 in Olly or F5/X in SoftICE 3 times; the 3rd time it should jump to the OEP. If you are in Olly, then when you are on the OEP, right click and analyze the code, otherwise it won't show the correct state!

Then dump it. For the imports (you will only get an error message if you try to run it), I used ImpREC, and the OEP ImpREC wants isn't 1000... it's 1009, because of the RET; it fools ImpREC into thinking the code is over. Of course in 3 lines you won't find any imports, so just enter 1009, because that is the line "after" the RET, and it will find them. Then you can run the program without problems!
#6
10-15-2003, 02:03 PM
netstavi (Junior Member, Join Date: May 2003, Posts: 1)
Re: Unpacking

Quote:
After some tracing with OllyDbg, I came up here:

00406112 . /EB 09 JMP SHORT Crackme.0040611D
00406114 > |FE0E DEC BYTE PTR [ESI]
00406116 .-|0F84 E4AEFFFF JE Crackme.00401000 <-- OEP
0040611C . |56 PUSH ESI
0040611D > 55 PUSH EBP
0040611E . FF53 04 CALL DWORD PTR [EBX+4]

I jumped over there and used the plugin for OllyDbg, dumping the debugged process, and changed the OEP to 1000.

I'm standing still on this little project right now. Anyone got any clues or good references?

Acid
Next Step

1. Open ImpREC, enter the OEP without the image base
2. Press IAT AutoSearch
3. Press Get Imports
4. Fix Dump
#7
10-23-2003, 02:23 PM
Acid_Cool_178 (Member, Join Date: Dec 2002, Location: Planet Earth, Posts: 35)
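As an added illustration of why LAS3R had to give ImpREC 1009 rather than 1000 (example code written for this thread; not the crackme's bytes and not ImpREC's code): a deliberately simplified scanner that walks forward from a given OEP looking for CALL/JMP DWORD PTR [addr] references into the IAT and, as the post describes, treats the first RET as the end of the code. The code bytes, the IAT location (RVA 0x3000) and the stop-at-RET rule are constructed assumptions; the image base 0x400000 follows from the thread's 0x401000 being OEP 1000.

```python
"""Constructed model of an OEP-sensitive IAT reference scan (added example)."""
import struct

IMAGE_BASE = 0x00400000   # from the thread: VA 0x401000 == OEP RVA 0x1000
IAT_RVA = 0x3000          # assumed location of the IAT in the dumped file
CODE_RVA = 0x1000

# Constructed code at RVA 0x1000 (NOT the real crackme): a 9-byte stub that ends
# in RET at 0x1008, followed at 0x1009 by code that calls through the IAT.
CODE = bytes([
    0x55,                                # 0x1000 push ebp
    0x8B, 0xEC,                          # 0x1001 mov ebp, esp
    0xE8, 0xF3, 0x0F, 0x00, 0x00,        # 0x1003 call rel32 (near call, no IAT use)
    0xC3,                                # 0x1008 ret   <- naive scanner gives up here
    0x6A, 0x00,                          # 0x1009 push 0
    0xFF, 0x15, 0x04, 0x30, 0x40, 0x00,  # 0x100B call dword ptr [0x00403004]
    0xFF, 0x25, 0x00, 0x30, 0x40, 0x00,  # 0x1011 jmp  dword ptr [0x00403000]
])


def rva_without_imagebase(va: int) -> int:
    """Step 1 of netstavi's list: the OEP ImpREC wants is VA minus image base."""
    return va - IMAGE_BASE


def find_iat_refs(code: bytes, code_rva: int, start_rva: int,
                  iat_rva: int, iat_size: int) -> list[tuple[int, int]]:
    """Scan forward from start_rva for FF 15 / FF 25 (CALL/JMP DWORD PTR [imm32])
    whose target lies inside the IAT.  Stops at the first RET (C3), mirroring the
    post's observation that a RET at the OEP makes the scanner think code is over.
    A byte-wise sweep like this is a simplification: a real tool disassembles, so
    it does not mistake immediate bytes for opcodes.  Returns (ref_rva, iat_va)."""
    refs = []
    iat_lo = IMAGE_BASE + iat_rva
    iat_hi = iat_lo + iat_size
    i = start_rva - code_rva
    while i < len(code):
        if code[i] == 0xC3:            # RET: treat as end of code
            break
        if code[i] == 0xFF and i + 6 <= len(code) and code[i + 1] in (0x15, 0x25):
            target = struct.unpack_from("<I", code, i + 2)[0]
            if iat_lo <= target < iat_hi:
                refs.append((code_rva + i, target))
            i += 6
            continue
        i += 1
    return refs


if __name__ == "__main__":
    print("from 1000:", find_iat_refs(CODE, CODE_RVA, 0x1000, IAT_RVA, 0x10))
    print("from 1009:", find_iat_refs(CODE, CODE_RVA, 0x1009, IAT_RVA, 0x10))
```

Starting at 1000 the scan hits the RET before any IAT reference and finds nothing; starting at 1009 it finds both references, which is the behaviour the two posts above describe.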

Slow response but cool enough... Thanks a freaking lot, people. I will look at this when I'm at home... In the army now and it's freaking cool, back at X-mas time... Have a lot of fun )