Posted 11-07-2006, 04:48 PM by mMhCkB

How to Unpack Various EXE Packers using OllyDBG
In fucking alphabetic order even!
By mMh

(The techniques referenced are at the bottom, dammit!)

------------------------------------------------------------------------
ASPack 2.12:

Load the exe, you will have to Shift+F9 several times. Upwards of 50
times is normal. Use Ctrl+G ESP BP technique. You'll land on a JNZ.
Trace into jump, it is pushing the oep. Trace into the ret. This
is the OEP. Dump then fix IAT. Fix dump. done.

------------------------------------------------------------------------
EZIP 1.0:

You start out on a JMP, trace into it. Ctrl+F9 (exec til ret). Scroll
down and you should find a large loop. Past that, there is a JMP EAX.
Trace into this JMP, this is the OEP. Dump, fix IAT, fix dump.

------------------------------------------------------------------------
Neolite 2.0:

Scroll down until you see JMP EAX. Put BP here. Step into
JMP. You're at the OEP. Dump and rebuild just as you would
with UPX.

------------------------------------------------------------------------
PE-PaCK 1.0:

You start on a JE with JMP right below it. Trace into the JMP. Now
you're on a PUSHAD. Use the Dump window Ctrl+G esp bp. You stop on
a JMP EAX. Trace into the JMP and you're at the OEP. Dump, rebuild
IAT, fix dump. Done.

------------------------------------------------------------------------
Petite 2.2:

Trace until you go over the PUSHAD. Click in dump window. Ctrl+G.
Type ESP. Select first two bytes in dump, set breakpoint on memory
access -> word. Back in CPU window, hit F9. Shift+F9 until you
reach POPAD/POPFW. There should be a JMP soon after the POP. Trace
into the JMP, this is the OEP. Dump process with LordPE. Open process
with imprec. Set correct OEP/IAT autotrace. Hit show invalid. Right
click and do a level 1. Fix the dump.


------------------------------------------------------------------------
UPX:

Scroll down until you reach something that looks like this:

004142C7 > 61 POPAD
004142C8 .-E9 BE6CFFFF JMP wrap.0040AF8B
004142CD 00 DB 00
004142CE 00 DB 00

Set a breakpoint on the JMP and run. Step into the JMP.
You're at the OEP. Dump with LordPE. Open process
with impRec. Set OEP with the one you just found.
Hit IAT AutoSearch. Hit Get Imports. Delete the bad
thunks. Fix the dump. Done.

------------------------------------------------------------------------

OEP Finding Techniques

#1 is just scroll down till u see
0040E23F .-E9 A479FFFF JMP upxs306.00405BE8
0040E244 5CE24000 DD upxs306.0040E25C
0040E248 60E24000 DD upxs306.0040E260
0040E24C C8734000 DD upxs306.004073C8

JMP and some shit with a bunch of 0's.

#2
F7 on the PUSHAD
goto the dump
CTRL + G
goto ESP
Set a hardware Breakpoint on WORD
that will take u straight to the jump

#3
F7 onto the PUSHAD
ctrl + T
COMMAND is one of the following "POPAD"
then CTRL + F11
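
Added example, not part of the original post: a static scan for the POPAD / JMP rel32 "tail jump" that the UPX section and technique #1 locate by scrolling, with the jump target (the OEP candidate) computed from the rel32 operand. The function names, the `min_distance` heuristic and the sample buffer (the bytes from the UPX listing plus a constructed decoy) are assumptions made for illustration.

```python
import struct

POPAD = 0x61      # restores the registers saved by the stub's PUSHAD
JMP_REL32 = 0xE9  # near jump with a 32-bit signed displacement


def jmp_target(jmp_va: int, rel_bytes: bytes) -> int:
    """Target of an E9 jump: address of the next instruction plus rel32."""
    (rel,) = struct.unpack("<i", rel_bytes)
    return (jmp_va + 5 + rel) & 0xFFFFFFFF


def find_tail_jumps(code: bytes, base_va: int, min_distance: int = 0x1000):
    """Return [(jmp_va, target_va)] for every POPAD; JMP rel32 pair.

    code         raw bytes of the packer stub
    base_va      virtual address of code[0]
    min_distance assumed heuristic: the tail jump leaves the stub, so
                 short jumps inside it are ignored
    """
    hits = []
    for i in range(len(code) - 5):
        if code[i] != POPAD or code[i + 1] != JMP_REL32:
            continue
        (rel,) = struct.unpack_from("<i", code, i + 2)
        if abs(rel) < min_distance:
            continue  # too close to be a jump back into the unpacked code
        jmp_va = base_va + i + 1
        hits.append((jmp_va, jmp_target(jmp_va, code[i + 2:i + 6])))
    return hits


# Constructed sample: a short-range decoy, then the bytes shown in the
# UPX listing starting at 004142C7 (61 / E9 BE6CFFFF / 00 / 00).
SAMPLE_BASE = 0x004142C0
SAMPLE = bytes.fromhex("61E901000000" "90" "61" "E9BE6CFFFF" "0000")

if __name__ == "__main__":
    for jmp_va, oep in find_tail_jumps(SAMPLE, SAMPLE_BASE):
        print(f"tail JMP at {jmp_va:08X} -> OEP candidate {oep:08X}")
```

A hit is only a candidate: confirm it in the debugger before dumping, since other packers reach the OEP through JMP EAX or PUSH/RET instead.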