Unpacking

[Acid_Cool_178]

Target is: h**p://ngenworld.free.fr/Crackmes/CrackMe2_syn.zip
It is packed and have one NAG (MessageBoxA)

I have tried to unpack it and then rebuilted the dumped.exe file but with no luck. I have founded out that the OEP is 1000 so I guess that this is one ASM program.

After some tracing with OllyDbg then I came up here

00406112 . /EB 09 JMP SHORT Crackme.0040611D
00406114 > |FE0E DEC BYTE PTR [ESI]
00406116 .-|0F84 E4AEFFFF JE Crackme.00401000 <-- OEP
0040611C . |56 PUSH ESI
0040611D > 55 PUSH EBP
0040611E . FF53 04 CALL DWORD PTR [EBX+4]

I jumped over there and used the plugin for OllyDbg, dumping debugged process, and changed the OEP to 1000

I'm standing still on this little project right now. anyone that got any clues or good references ?

Acid

[ZaiRoN]

Hi Acid_Cool_178,

why you have need to unpack the file?
I have take a little glance to the target and a 1-byte patch will solve the problem. Your eip is right, try to understand how the program fills the first section of code

Regards,
ZaiRoN

[Acid_Cool_178]

urk, then i'll finsih the job in about 1 year... wellwell, time to gain all tutorials that i can find. tnx for hint.

U didn't find any special tricks that could be hard for an newbie ? or is it simple ? your rating on thisoe is ?

Acid

[ZaiRoN]

Hi Acid_Cool_178,

Quote:

U didn't find any special tricks that could be hard for an newbie ? or is it simple ? your rating on thisoe is ?

the crackme is very simple (no special tricks) and I think you don't need special tutorials to solve this one. All the code is in front of you and the core of the crackme is in the first lines.

Good luck,
ZaiRoN

[LAS3R]

Sorry problay bit late posting this hehe! :P

here is some info how to solve this:

bpx on 00406116 , press F9 for olly or F5/X for softice 3 times, 3rd time it should jump to OEP, if u in olly then when u on OEP, right click and analyze the code, otherwise it won't show correct state!

and dump it, then for import (will only get error msg if u try run it), i used imprec and OEP imprec want isn't 1000....it's 1009 , beacuse of RET , it fools imprec think code is over, of course in 3 lines u won't find any imports, so just enter 1009 beacuse that is line "after" RET and it will find them, then u can run program without problems!

[netstavi]

Quote:

After some tracing with OllyDbg then I came up here

00406112 * . /EB 09 * * * * JMP * * SHORT Crackme.0040611D
00406114 * > |FE0E * * * * *DEC * * BYTE PTR [ESI]
00406116 * .-|0F84 E4AEFFFF JE * * *Crackme.00401000 *<-- OEP
0040611C * . |56 * * * * * *PUSH * *ESI
0040611D * > 55 * * * * * *PUSH * *EBP
0040611E * . *FF53 04 * * * CALL * *DWORD PTR [EBX+4]

I jumped over there and used the plugin for OllyDbg, dumping debugged process, and changed the OEP to 1000

I'm standing still on this little project right now. anyone that got any clues or good references ?

Acid

Next Step

1. open imprec , enter the oep without imagebase
2. press iat autosearch
3. press get imports
4. fix dump

[Acid_Cool_178]

Slow response but cool enough... Thanx a freaking lot ppl, I will look at this when Im at home... In army now and it`s freaking cool, back in the x-mas time... Have allot of fun )