PoiNtEr->: March 2013

           PoiNtEr->

                             Difference between a dream and an aim. A dream requires soundless sleep, whereas an aim requires sleepless efforts.

Search This Blog

Friday, March 8, 2013

How to Unpack Various EXE Packers using OllyDBG


How to Unpack Various EXE Packers using OllyDBG

------------------------------------------------------------------------
ASPack 2.12:

Load the exe, you will have to Shift+F9 several times. Upwards of 50
times is normal. Use Ctrl+G ESP BP technique. You'll land on a JNZ.
Trace into jump, it is pushing the oep. Trace into the ret. This
is the OEP. Dump then fix IAT. Fix dump. done.

------------------------------------------------------------------------
EZIP 1.0:

You start out on a JMP, trace into it. Ctrl+F9 (exec til ret). Scroll
down and you should find a large loop. Past that, there is a JMP EAX.
Trace into this JMP, this is the OEP. Dump, fix IAT, fix dump.

------------------------------------------------------------------------
Neolite 2.0:

Scroll down until you see JMP EAX. Put BP here. Step into
JMP. You're at the OEP. Dump and rebuild just as you would
with UPX.

------------------------------------------------------------------------
PE-PaCK 1.0:

You start on a JE with JMP right below it. Trace into the JMP. Now
you're on a PUSHAD. Use the Dump window Ctrl+G esp bp. You stop on
a JMP EAX. Trace into the JMP and you're at the OEP. Dump, rebuild
IAT, fix dump. Done.

------------------------------------------------------------------------
Petite 2.2:

Trace until you go over the PUSHAD. Click in dump window. Ctrl+G.
Type ESP. Select first two bytes in dump, set breakpoint on memory
access -> word. Back in CPU window, hit F9. Shift+F9 until you
reach POPAD/POPFW. There should be a JMP soon after the POP. Trace
into the JMP, this is the OEP. Dump process with LordPE. Open process
with imprec. Set correct OEP/IAT autotrace. Hit show invalid. Right
click and do a level 1. Fix the dump.


------------------------------------------------------------------------
UPX:

Scroll down until you reach something that looks like this:

004142C7 > 61 POPAD
004142C8 .-E9 BE6CFFFF JMP wrap.0040AF8B
004142CD 00 DB 00
004142CE 00 DB 00

Set a breakpoint on the JMP and run. Step into the JMP.
You're at the OEP. Dump with LordPE. Open process
with impRec. Set OEP with the one you just found.
Hit IAT AutoSearch. Hit Get Imports. Delete the bad
thunks. Fix the dump. Done.

------------------------------------------------------------------------

OEP Finding Techniques

#1 is just scroll down till u see
0040E23F .-E9 A479FFFF JMP upxs306.00405BE8
0040E244 5CE24000 DD upxs306.0040E25C
0040E248 60E24000 DD upxs306.0040E260
0040E24C C8734000 DD upxs306.004073C8

JMP and some shit with a bunch of 0's.

#2
F7 on the PUSHAD
goto the dump
CTRL + G
goto ESP
Set a hardware Breakpoint on WORD
that will take u straight to the jump

#3
F7 onto the PUSHAD
ctrl + T
COMMAND is one of the following "POPAD"
then CTRL + F11

Posted by Unknown at 3:31 AM 0 comments
Subscribe to: Posts (Atom)