By ro0ted | March 27, 2015 - 09:59 | Posted in /b/ | 8 Comments
#ro0ted #OpNewblood What the blackhats don’t want you to know: Manually Unpacking 101

This is part three of Manually Unpacking with Ollydbg. – https://twitter.com/ro0ted/

Our target is the same as before: a MASM crackme.

Load it up in exeinfoPE:

[screenshot]

We see it's not packed. So let's compress it with UPX…

Same as before, open cmd and navigate to the folder where UPX lives.
If you didn't read the last two tutorials, type:

cd C:\Users\Username\Downloads

cd = Change Directory

[screenshot]

Then we type:

upx -9 urfile.exe

[screenshot]

Load it in exeinfoPE:
[screenshot]

Now load it up in Ollydbg:

[screenshot]

Hit Yes.
[screenshot]

Olly breaks at the entry point. PUSHAD is shown.
PUSHAD = push all the 32-bit general-purpose registers onto the stack
Press F7 once to execute the PUSHAD instruction:

[screenshot]

ESP is now red, showing that it has changed.
Right-click ESP > Follow in Dump:
[screenshot]

[screenshot]

Right-click the byte at 0012FFA4, select Breakpoint > Hardware, on access, then press F9.

[screenshot]

When the breakpoint fires, this JMP takes us to the beginning of the decompressed code, i.e. the original entry point (EP) of the unpacked .exe.
This is the OEP.
Press F7 twice to get to the OEP.
Now go to Plugins > OllyDump > Dump Debugged…:
[screenshot]

[screenshot]

Uncheck Rebuild Import this time. Change Base of Code to 1000, because our unpacked code starts at RVA 1000. Click EIP as OEP. Click Save:

[screenshot]

Now we open an import reconstruction tool, ImpREC:

[screenshot]

Pick the target in the active process list up at the top:

[screenshot]

In the OEP field, change 6637c to 11EC, as that's our OEP; 6637c was the old packed entry point.
[screenshot]
The order of the steps above is:
IAT AutoSearch
OEP Change
Get Imports
Fix Dump.

Now fire up the fixed dump in Ollydbg:

[screenshot]

It loads up perfectly.
Now load it in exeinfoPE… it looks unpacked, but let's double-check:

[screenshot]
That’s about it.
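The two exeinfoPE checks in this walkthrough (before packing, and after the fixed dump) and the RVA arithmetic behind Base of Code = 1000 and OEP = 11EC both come down to reading the PE header and section table. The script below is an added example written for this post; it is not ro0ted's code and not what exeinfoPE or OllyDump do internally. It builds a constructed, headers-only PE32 image that imitates the UPX layout (a UPX0 section with no file data, the entry point in UPX1), parses the section table, converts a virtual address to an RVA, and reports the packer indicators a defender looks for. The section sizes, the packed entry RVA 0x6370 and the VA 0x4011EC are assumed sample values, not read from the crackme; only 11EC and the RVA 1000 come from the post.

```python
import struct

SECTION_HDR = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes


def build_sample_pe(packed: bool, image_base: int = 0x400000) -> bytes:
    """Constructed, headers-only PE32 image (no section bodies).

    Not the crackme from the post: the layout just imitates what UPX
    produces so the parser below has something realistic to look at.
    """
    if packed:
        # name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        sections = [(b"UPX0", 0x5000, 0x1000, 0x0, 0x0),      # unpack buffer, no file data
                    (b"UPX1", 0x1000, 0x6000, 0x400, 0x400),  # compressed data + stub
                    (b".rsrc", 0x1000, 0x7000, 0x200, 0x800)]
        entry_rva = 0x6370   # assumed: stub entry inside UPX1 (not the post's value)
    else:
        sections = [(b".text", 0x1000, 0x1000, 0x400, 0x400),
                    (b".rdata", 0x1000, 0x2000, 0x200, 0x800),
                    (b".data", 0x1000, 0x3000, 0x200, 0xA00)]
        entry_rva = 0x11EC   # the OEP the post arrives at, RVA 11EC in .text

    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)           # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    # Magic, linker ver, SizeOfCode, SizeOfInitData, SizeOfUninitData,
    # AddressOfEntryPoint, BaseOfCode, BaseOfData, ImageBase, SectionAlign, FileAlign
    opt = struct.pack("<HBB" + "I" * 9, 0x10B, 0, 0, 0, 0, 0,
                      entry_rva, sections[0][2], 0, image_base, 0x1000, 0x200)
    opt += b"\0" * (0xE0 - len(opt))                              # rest of the optional header
    table = b"".join(struct.pack(SECTION_HDR, n, vs, va, rs, rp, 0, 0, 0, 0, 0x60000020)
                     for n, vs, va, rs, rp in sections)
    return dos + b"PE\0\0" + coff + opt + table


def parse_pe(data: bytes) -> dict:
    """Read ImageBase, AddressOfEntryPoint, BaseOfCode and the section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24                                          # optional header offset
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled in this example")
    entry_rva, base_of_code = struct.unpack_from("<II", data, opt + 16)
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    sections = []
    for i in range(num_sections):
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "va": va, "raw_size": raw_size, "raw_ptr": raw_ptr})
    return {"image_base": image_base, "entry_rva": entry_rva,
            "base_of_code": base_of_code, "sections": sections}


def va_to_rva(va: int, image_base: int) -> int:
    """Olly shows virtual addresses; OllyDump and ImpREC want RVAs (VA - ImageBase)."""
    if va < image_base:
        raise ValueError("VA below image base")
    return va - image_base


def section_for_rva(sections, rva):
    """Name of the section whose virtual range contains rva, else None."""
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw_size"]):
            return s["name"]
    return None


def packer_indicators(info) -> list:
    """Header heuristics of the kind a packer identifier reports; [] means 'looks unpacked'."""
    secs = info["sections"]
    reasons = []
    if any(s["name"].startswith("UPX") for s in secs):
        reasons.append("UPX section names")
    if secs and secs[0]["raw_size"] == 0 and secs[0]["vsize"] > 0:
        reasons.append("first section has no file data but a large virtual size")
    code = [s["name"] for s in secs if s["name"] not in (".rsrc", ".reloc")]
    ep_sec = section_for_rva(secs, info["entry_rva"])
    if len(code) > 1 and ep_sec == code[-1]:
        reasons.append("entry point %#x sits in the last code section (%s)" % (info["entry_rva"], ep_sec))
    return reasons


if __name__ == "__main__":
    for label, blob in (("packed", build_sample_pe(True)), ("dumped", build_sample_pe(False))):
        info = parse_pe(blob)
        print(label, [s["name"] for s in info["sections"]],
              packer_indicators(info) or "looks unpacked")
    # The OEP Olly stops at is a VA (0x4011EC assumed here); ImpREC wants the RVA.
    info = parse_pe(build_sample_pe(False))
    oep_rva = va_to_rva(0x4011EC, info["image_base"])
    print("OEP RVA %#x in %s, Base of Code %#x"
          % (oep_rva, section_for_rva(info["sections"], oep_rva), info["base_of_code"]))
```

Run it as-is and the packed sample reports all three indicators while the dumped layout reports none, which is the same before/after difference the exeinfoPE screenshots show. Pointing `parse_pe` at a real file (`open(path, "rb").read()`) works the same way, since only the headers are read; for a 64-bit image the optional header magic differs and the example refuses it rather than mis-reading fields.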

ro0ted

Check out my tutorials in my series… “What the Blackhats don’t want you to know”

(In order)

Why am I teaching Reverse Engineering to inexperienced new Anons in OpNewblood?

Whitehat Lab

ASM Programming

Introduction Part 1 Ollydbg 

Introduction Part 2 Using Ollydbg and Tracing Botnets

Analyzing Botnets

Introduction Part 3 Ollydbg: Cheating a Crackme

Introduction Part 4 Ollydbg: Your first Patch

Encryption 101

Cuckoo Sandbox: Automated Malware Analysis also known as Malwr.com

Introduction to Honeydrive: A Brief Walk Through

Installing Kippo the SSH Honeypot on a VPS Part 1: How to set it up

Resource Hacker

Dll Injection the Easy Way

Visual Basic Binaries Walk Through Part 1

Ollydbg on Steroids

Creating Patchers Part 1

Have you supported the gas mask campaign over the years?

Crack to win a gas mask gift pack

How to edit a register me crack me Pre Part 1

Unwinding Delphi Binaries Walk Through if not Preview

Cracking Delphi Part 2

Reversing Timed Trials: Ollydbg Tricks Part 3

Analyzing Adware

Preview Against Debugging

Bypassing Registering 101

Bypassing Part 2

Android/iOS Reversing

Introducing IDA Pro: Static Analyzing

Hacker’s Disassembler

Ripping Apart Adware

Never trust Warez or Cracked Programs: Reversing a Crypted IRC bot infected file

IDA PRO Book

Unpacking & Crypting there is a difference

Covert Debugging whitepaper from blackhat.com

Manually Unpacking with Ollydbg

Manually Unpacking Part 2

Manually Unpacking 101 +