deroko's unpackme
unpackme.zip (33 kb, password: crackmes.de). Please read readme.txt.
Difficulty: 2 - Needs a little brain (or luck)
Solutions
Solution by haggar, published 20 Sep 2006.
haggar has rated this crackme as quite nice.
Solution by kao, published 19 Sep 2006.
kao has not rated this crackme yet.
Discussion and comments
red477 07. Sep 2006 | deroko presents, must be nice. I am looking into it and feeling it really great for newbie unpackers like me. |
kao 07. Sep 2006 | Excellent unpackme. :) Solved in 1 1/2 hours, but I took the hard way. A skilled unpacker can probably do it in less than 1 hour. Deroko, how much detail do you want in the tutorial? Is an analysis of the loader necessary? A description of the junk code? |
deroko Author 07. Sep 2006 | @kao, write what you did to unpack it =) No need for a detailed analysis of the loader part; actually my intention was to show some tricks that are used by some commercial protectors with small code and without too much obfuscation. Regards |
red477 09. Sep 2006 | ha, at last I got a working unpackme too, but it is too ugly, coz I patched so much - I patched a little imagined oep into it and luckily it works, since I don't know how to deal with the destroyed oep and imports properly. Waiting for a good tutorial. |
EvOlUtIoN 09. Sep 2006 | yes, I'm waiting too... this is too difficult for me |
warrantyVoider 09. Sep 2006 | Nice one, deroko, this one is full of surprises! |
jB_ 09. Sep 2006 | Yup it is a really good one. Thanks deroko. |
deroko Author 10. Sep 2006 | tnx guys, warranty I'm waiting for your next unpackme :) |
bpx_ 10. Sep 2006 | Nice one deroko, Hope to see more like it soon =) |
Maverick 10. Sep 2006 | I set a bp on 00401000 (oep) and dumped the file and the memory address (00140000 + 0C000 (size)). Now I have added a section to the end of the file and added the dumped section (00140000). I redirected the code to make the program take access to my 00140000, not the original 00140000! It runs!!! But how can I rebuild the imports correctly, without using my patched 00140000 (imports) section? |
deroko Author 11. Sep 2006 | 401000 isn't oep... |
Maverick 14. Sep 2006 | Really? My app runs perfectly and shows your dialog! It makes a redirected call to DialogBoxParamA. I have emulated the redirection (maybe imperfectly), but it runs, because I have redirected the addresses 00140000 and 00170000 to my own piece of dumped code and now your app is able to find the required opcodes that are sometimes in 00140000. I find that section every time with a size of C000 bytes! |
deroko Author 14. Sep 2006 | yep, that's because I'm a nice guy :) otherwise imagine that this was a Delphi app; w/o the stolen oep it wouldn't run at all. Actually most bcc apps won't run without startup code, but since this is an unpackme I avoided the usage of Borland libraries, only win32 APIs. |
Maverick 18. Sep 2006 | I got it running, by patching the decryptor and pasting the decrypted section over the encrypted one (00401000)... I don't want to release this file as a solution, because I just patched the file and its import section is not decrypted... |
The french beginner 18. Sep 2006 | I got it! Here is my fixed dump, with IAT reconstruction: http://www.mytempdir.com/936275 but I still have a problem. I patched a 'ret' at 4066B4 to avoid a stack problem, and protexted goes through that call perfectly... Where is my mistake? Thx! |
Maverick 18. Sep 2006 | You can download my unpacked sample for the next 7 days there: http://download/unpackme.zip.yousendit.com/CA6B59792D66538D |
deroko Author 19. Sep 2006 | Oki, let me make this clear to avoid "smart" solutions at main() w/o a reconstructed oep. This is a Borland compiled app so you have to reconstruct the oep, because in real life a dump at main() won't work. It is easy to reconstruct the oep; it is a small loader, so it can be analyzed w/o a problem! So to sum up, neither of the two dumps is a reconstructed application. Maybe this will help: download bcc32 (it is free), compile one simple hello world and look how the oep looks, then you will know what you are looking for. |
haggar 19. Sep 2006 | It seems that I'm too late :) My first idea was to reconstruct it with some Borland app, but I see that it has more stolen code. It reminds me a lot of ASPR SKE stolen code. I'll take a closer look. |
haggar 19. Sep 2006 | I solved it but I don't have time for a solution now. It is not hard. Stolen code is in this format: junk - stolen opcode - junk - call to import or to main code. Junk can be removed by patching junk_generator, calls can be solved by a little changing and then we can just attach the whole block to the main dump. I have written a script for Olly that can unprotect (stolen + imports) this file. I will try to write the solution next week. This is a nice unpackme. |
deroko Author 19. Sep 2006 | nice solution kao yep haggar that is the easiest way to fix it :) |
Zaphod 20. Sep 2006 | kao writes in his solution that we should run the exe and then dump it. Thereafter we can check the dump with PeId. But PeId just says "Not a valid PE file". Well, I guess I'm more of a complete newbie than I thought, but if someone, perhaps you, deroko?, could clarify things a bit, I would be grateful. Or tell me where I can find some good tutorials on stolen bytes and such things. I have searched with Google but found nothing really useful. |
kao 21. Sep 2006 | Zaphod, I must apologise for my mistake. RDG packer detector detects "Borland C++ 1999" in a freely dumped exe. PeId detects "Borland C++ 1999" when: a) load protexted.exe in PeId b) use the generic OEP finder plugin to find the OEP c) run and dump the EXE d) set the proper EP in the EXE header. I mis-described the necessary steps. Sorry again. |
Zaphod 22. Sep 2006 | kao, thank you for your answer - well, I haven't been able to find a "Generic OEP Finder" plugin for PeId, but I have a "Generic Unpacker" plugin. This plugin says that the OEP is 4080B2. On the other hand, you say in your tutorial that the OEP is 401084, so I first tried (after running and dumping protexted.exe) to set the entrypoint in the exe header to 1084. PeId said "Not a valid PE file". Then I set the entrypoint to 80B2. Now PeId said "Nothing found*". Then I tried again with 1084 - and this time PeId said "Borland C++ DLL Method 2". You can probably understand that I'm rather confused after this, but again - thanks for trying to explain things to me. |
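Step d) of kao's recipe (set the proper EP in the header of a memory dump) is where Zaphod's attempts went sideways, so here is a small PE32 header walker as an added example; it is not code from the thread, the unpackme or any of the tools named. It converts the OEP virtual address seen in the debugger into the RVA the header expects, refuses a value that maps to no section (a header PE tools will reject), and builds a constructed sample image to run against; ImageBase 0x400000 and the section layout are assumptions of the sample, not facts about the unpackme.

```python
import struct

def _nt_offset(data):
    # e_lfanew (offset 0x3C) points at the "PE\0\0" signature
    off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[off:off + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    return off

def _opt_u32(data, field_off):
    # read a DWORD field of the PE32 optional header (starts 24 bytes after the signature)
    return struct.unpack_from("<I", data, _nt_offset(data) + 24 + field_off)[0]

def entry_point(data): return _opt_u32(data, 16)   # AddressOfEntryPoint (an RVA)
def image_base(data):  return _opt_u32(data, 28)   # ImageBase

def sections(data):
    # yield (name, VirtualAddress, size) for each 40-byte section header
    nt = _nt_offset(data)
    nsec, opt_size = struct.unpack_from("<H", data, nt + 6)[0], struct.unpack_from("<H", data, nt + 20)[0]
    for i in range(nsec):
        hdr = nt + 24 + opt_size + 40 * i
        vsize, va, rsize = struct.unpack_from("<III", data, hdr + 8)
        yield data[hdr:hdr + 8].rstrip(b"\0").decode(errors="replace"), va, max(vsize, rsize)

def section_for_rva(data, rva):
    # name of the section that maps rva, or None when no section covers it
    return next((n for n, va, size in sections(data) if va <= rva < va + size), None)

def set_entry_point(data, oep_va):
    # rewrite AddressOfEntryPoint from the virtual address seen in the debugger, e.g. 0x401084
    rva = oep_va - image_base(data)
    if section_for_rva(data, rva) is None:
        raise ValueError(f"RVA {rva:#x} is outside every section; the dump does not cover it")
    buf = bytearray(data)
    struct.pack_into("<I", buf, _nt_offset(data) + 24 + 16, rva)
    return bytes(buf)

def build_sample_pe():
    # constructed minimal PE32 for the demo (not the unpackme): ImageBase 0x400000,
    # .text at RVA 0x1000-0x8000, .data at 0x8000-0x9000, EP left at the finder's 0x80B2
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)       # PE32 magic
    struct.pack_into("<I", opt, 16, 0x80B2)     # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)   # ImageBase
    secs = b"".join(struct.pack("<8sIIIIIIHHI", n, sz, va, sz, va, 0, 0, 0, 0, 0x60000020)
                    for n, va, sz in ((b".text", 0x1000, 0x7000), (b".data", 0x8000, 0x1000)))
    return dos + b"PE\0\0" + file_hdr + bytes(opt) + secs
```

Feeding it 0x401084 yields header EP 0x1084 inside .text, while an address such as 0x140000 (the loader region Maverick mentions) is rejected because it lies outside the image.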
EvOlUtIoN 22. Sep 2006 | Zaphod, you can also use RDG packer detector instead of PeID; using this tool you avoid any problem and see immediately that the compiler is Borland C++ 1999 |
Zaphod 22. Sep 2006 | EvOlUtIoN, I can't find "RDG packer detector" either. Lots of references to this program, but nowhere to download it. There is a link in ExeTools Forum, but you have to be a member to download from this - then I tried to register as a member, but it was not possible to register anymore. Unless this is just temporary. Well, I'll keep looking, but if you or anyone else know where to find "RDG packer detector" or the "Generic OEP Finder"-plugin for PeId, please let me know :) |
l0calh0st 22. Sep 2006 | Zaphod look here http://www.rdgsoft.8k.com/ |
Zaphod 22. Sep 2006 | Thank you very much, l0calh0st, that helped, I have RDG Packer Detector now. And it shows the correct results, Borland C++ 1999 and OEP = 401084. Now I just need to understand these "stolen bytes". This might take some time...:) |
ricnar456 23. Sep 2006 | It is possible to determine the stolen bytes and the OEP without using RDG or any detector, and without knowing which language was used, only by tracing and looking. It is obvious the OEP is 401084, and the stolen bytes can be reconstructed only by tracing and looking at when they are written, removing the junk and copying them to the correct location. It is tedious work, but for me it is more practical than looking for the startup code of particular languages; that can change in other victims, but the method of looking, slow tracing with calm, writing down the results and removing the junk never fails, in any programming language. That is my opinion; maybe the language method is quicker. Ricardo Narvaja |