By ro0ted | March 27, 2015 - 09:59 | Posted in /b/ | 8 Comments
#ro0ted #OpNewblood What the blackhats don’t want you to know: Manually Unpacking 101

This is part three of Manually Unpacking with Ollydbg.


Our target is the same as before: a MASM crackme.


Load it up in exeinfoPE:


We see it’s not packed, so let’s compress it with UPX…

Same as before, open cmd and navigate to the folder that holds UPX.
If you didn’t read the last two tutorials on it, type:

cd C:\Users\Username\Downloads

cd = Change Directory


Then we type:

upx -9 urfile.exe


Load it in exeinfoPE:

Now load it up in Ollydbg:


Hit yes

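Olly breaks at the entry point. PUSHAD is shown.
PUSHAD = push all doubleword registers: it saves the eight 32-bit general-purpose registers (EAX, ECX, EDX, EBX, ESP, EBP, ESI, EDI) on the stack.
Press F7 once to execute the PUSHAD instruction: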


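ESP is now red, showing that it has changed.
Right-click ESP > Follow in Dump:


Right-click the byte at 0012FFA4, select Breakpoint > Hardware, on access, then press F9. The breakpoint fires when the UPX stub reads the saved registers back from the stack (the POPAD that matches the PUSHAD), which happens right before it jumps to the unpacked code.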


This JMP takes us to the beginning of the decompressed code, which is the original entry point (OEP) of the unpacked .exe.
Press F7 twice to get to the OEP.
Now go to Plugins > OllyDump > Dump Debugged…:


Uncheck Rebuild Import this time. Change Base of Code to 1000, because our unpacked code starts at RVA 1000. Click EIP as OEP. Click Save:


Now we will open an import reconstruction tool, impREC:


Pick the target in the active process list up at the top:


In the OEP field, change 6637c to 11EC, as that’s our OEP. 6637c was the old packed one.
The order of the steps above is:
IAT AutoSearch
OEP Change
Get Imports
Fix Dump

Now fire it up in Ollydbg:


It loads up perfectly.
Now load it in exeinfoPE…it looks unpacked but let’s double check:

That’s about it.
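
The double check can also be scripted. This is an added example, not part of the original tutorial: it reads the PE header, reports the entry-point RVA and which section holds it, and flags the UPX layout (first section empty on disk, entry point in a later section). The function names and the section names and sizes in the sample headers are constructed; only the 6637c and 11EC values come from the steps above.

```python
import struct

def pe_entry_info(data: bytes) -> dict:
    """Parse a 32-bit PE header: entry-point RVA plus the section holding it."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe, = struct.unpack_from("<I", data, 0x3C)               # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec, = struct.unpack_from("<H", data, pe + 6)           # NumberOfSections
    opt_size, = struct.unpack_from("<H", data, pe + 20)      # SizeOfOptionalHeader
    entry, = struct.unpack_from("<I", data, pe + 24 + 16)    # AddressOfEntryPoint
    table = pe + 24 + opt_size                               # first section header
    sections = []
    for i in range(nsec):
        off = table + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, rva, rsize = struct.unpack_from("<III", data, off + 8)
        sections.append({"name": name, "rva": rva, "vsize": vsize, "rsize": rsize})
    idx = next((i for i, s in enumerate(sections)
                if s["rva"] <= entry < s["rva"] + s["vsize"]), None)
    return {"entry": entry, "entry_section": idx, "sections": sections}

def still_looks_packed(info: dict) -> bool:
    """Heuristic: first section has no bytes on disk, or the entry point is not in it."""
    return info["sections"][0]["rsize"] == 0 or info["entry_section"] != 0

def build_sample(entry: int, sections: list) -> bytes:
    """Constructed minimal PE32 headers (no code), for demonstration only."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry).ljust(0xE0, b"\0")
    table = b"".join(n.ljust(8, b"\0") + struct.pack("<III", vs, rva, rs) + b"\0" * 20
                     for n, rva, vs, rs in sections)
    return dos + coff + opt + table

# Constructed layouts: (name, RVA, virtual size, raw size). Sizes are made up.
PACKED = build_sample(0x6637C, [(b"UPX0", 0x1000, 0x60000, 0), (b"UPX1", 0x61000, 0x6000, 0x5600)])
DUMPED = build_sample(0x11EC, [(b"UPX0", 0x1000, 0x60000, 0x60000), (b"UPX1", 0x61000, 0x6000, 0x6000)])

if __name__ == "__main__":
    for label, image in (("packed", PACKED), ("dumped", DUMPED)):
        info = pe_entry_info(image)
        print(label, hex(info["entry"]), info["entry_section"], still_looks_packed(info))
```

To check a real file, pass the bytes of the fixed dump to pe_entry_info and confirm the entry point reads 11EC. The check does not use section names, so it looks only at where the entry point sits.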





Check out my tutorials in my series…. “What the Blackhats don’t want you to know”


(In order)

Why am I teaching Reverse Engineering to inexperienced new Anons in OpNewblood?

Whitehat Lab

ASM Programming

Introduction Part 1 Ollydbg 

Introduction Part 2 Using Ollydbg and Tracing Botnets

Analyzing Botnets

 Introduction Part 3 Ollydbg: Cheating a Crackme

Introduction Part 4 Ollydbg: Your first Patch

Encryption 101

Cuckoo Sandbox: Automated Malware Analysis also known as

Introduction to Honeydrive: A Brief Walk Through

Installing Kippo the SSH Honeypot on a VPS Part 1: How to set it up

Resource Hacker

Dll Injection the Easy Way

Visual Basic Binaries Walk Through Part 1

Ollydbg on Steroids

Creating Patchers Part 1

Have you supported the gas mask campaign over the years?

Crack to win a gas mask gift pack

How to edit a register me crack me Pre Part 1

Unwinding Delphi Binaries Walk Through if not Preview

Cracking Delphi Part 2

Reversing Timed Trials: Ollydbg Tricks Part 3

Analyzing Adware

Preview Against Debugging

Bypassing Registering 101

Bypassing Part 2

Android/iOS Reversing

Introducing IDA Pro: Static Analyzing

Hacker’s Disassembler

Ripping Apart Adware

Never trust Warez or Cracked Programs: Reversing a Crypted IRC bot infected file


Unpacking & Crypting there is a difference

Covert Debugging whitepaper from

Manually Unpacking with Ollydbg

Manually Unpacking Part 2

Manually Unpacking 101 +


