#ro0ted #OpNewblood What the blackhats don’t want you to know: Manually Unpacking 101
This is part three of the Manually Unpacking with OllyDbg series. – https://twitter.com/ro0ted/
Our target is the same as before: a MASM crackme.
Load it up in exeinfoPE:
We see it’s not packed, so let’s compress it with UPX.
Same as before, open cmd and navigate to the UPX directory. If you didn’t read the last two tutorials, the command for that is cd (change directory). Then we type:
upx -9 urfile.exe
Now load it up in Ollydbg:
Olly breaks at the entry point, where a PUSHAD instruction is shown.
PUSHAD pushes all eight 32-bit general-purpose registers onto the stack.
Press F7 once to execute the PUSHAD instruction:
Right-click the dword at 0012FFA4 (the top of the stack after PUSHAD), select Breakpoint > Hardware, on access, then press F9.
This JMP takes us to the beginning of the decompressed code, i.e. the original entry point (OEP) of the unpacked .exe.
Press F7 twice to land on the OEP.
Now go to Plugins > OllyDump > Dump debugged process:
Uncheck Rebuild Import this time. Change Base of Code to 1000, because our unpacked code starts at RVA 1000. Click Get EIP as OEP, then click Save:
Now we open an import reconstruction tool, ImpREC:
Pick the target in the active process list at the top:
Change the OEP field from 6637c to 11EC, since 11EC is our OEP; 6637c was the packed entry point.
Now fire up the dumped file in OllyDbg:
It loads up perfectly.
Now load it in exeinfoPE. It looks unpacked, but let’s double-check:
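To double-check the dump from the command line, here is an added Python example of my own (not part of the original tutorial, and not exeinfoPE’s logic): it parses the PE headers with only the standard library and flags a file as still UPX-packed if it has UPX-named sections or its entry point lies outside the section at BaseOfCode. The two samples are constructed header-only images, one laid out like a UPX file and one like the dumped crackme with its OEP at 11EC and code at RVA 1000; the heuristic is my assumption about the usual UPX layout, not something the tutorial states.

```python
import struct
OPT_ENTRY_POINT = 16   # AddressOfEntryPoint offset inside IMAGE_OPTIONAL_HEADER32
OPT_BASE_OF_CODE = 20  # BaseOfCode offset inside IMAGE_OPTIONAL_HEADER32

def build_pe_header(entry_rva, base_of_code, sections):
    """Constructed header-only PE32 image for testing (no real code inside).
    sections: list of (name, virtual_address, virtual_size)."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                 # e_lfanew: PE header at offset 64
    opt_size = 224                                        # size of a PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<I", opt, OPT_ENTRY_POINT, entry_rva)
    struct.pack_into("<I", opt, OPT_BASE_OF_CODE, base_of_code)
    hdrs = b"".join(                                      # one 40-byte IMAGE_SECTION_HEADER each
        struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                    vsize, va, vsize, 0, 0, 0, 0, 0, 0x60000020)
        for name, va, vsize in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs

def inspect_pe(data):
    """Return (entry_rva, base_of_code, [(name, va, vsize)], name of section holding the EP)."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]       # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]  # SizeOfOptionalHeader
    opt = pe + 24                                          # optional header follows the COFF header
    ep = struct.unpack_from("<I", data, opt + OPT_ENTRY_POINT)[0]
    boc = struct.unpack_from("<I", data, opt + OPT_BASE_OF_CODE)[0]
    sections = []
    for i in range(nsec):
        name, vsize, va = struct.unpack_from("<8sII", data, opt + opt_size + i * 40)
        sections.append((name.rstrip(b"\0").decode(), va, vsize))
    ep_sec = next((n for n, va, vs in sections if va <= ep < va + vs), None)
    return ep, boc, sections, ep_sec

def looks_upx_packed(data):
    """Heuristic (assumption): UPX-named sections, or EP outside the section at BaseOfCode."""
    _, boc, sections, ep_sec = inspect_pe(data)
    if any(n.startswith("UPX") for n, _, _ in sections):
        return True
    code_sec = next((n for n, va, _ in sections if va == boc), None)
    return ep_sec is None or ep_sec != code_sec

# Constructed samples: a UPX layout with the EP in UPX1, and the dumped crackme with OEP 11EC in .text.
PACKED_SAMPLE = build_pe_header(0x6370, 0x6000, [("UPX0", 0x1000, 0x5000), ("UPX1", 0x6000, 0x1000), (".rsrc", 0x7000, 0x1000)])
DUMPED_SAMPLE = build_pe_header(0x11EC, 0x1000, [(".text", 0x1000, 0x1000), (".rdata", 0x2000, 0x1000), (".data", 0x3000, 0x1000)])
```

Point `inspect_pe` at `open("yourdump.exe", "rb").read()` to run it on the real dump; a file that still reports UPX sections or an entry point outside `.text` was not dumped at the OEP.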
Check out the other tutorials in my series, “What the Blackhats don’t want you to know”: Manually Unpacking 101.