Title: HELP = Unpack PC Guard 5.01
Posted by: zilox on 24 August 2014, 09:58 am

Hello everyone,

I need help unpacking a program. I used RDG and Exeinfo, and one of them says the exe is packed with PC Guard 5.0d while the other says 5.01. I already tried to find the OEP with OllyDBG by counting the number of exceptions before the program loads. I also tried several tutorials and did not find the solution with any of them. I would like to ask for help unpacking the following program: http://www.sim-garage.co.uk/files/3DSimED30t.zip

Thanks in advance for your help.

Title: Re: HELP = Unpack PC Guard 5.01
Posted by: MCKSys Argentina on 24 August 2014, 10:25 am

Hi!
I recommend reading this tutorial: http://ricardonarvaja.info/WEB/CURSO%20NUEVO/TEORIAS%20NUMERADAS/601-700/636-%5BRVLCN%5D.PCGuard.v5.00.by.%2BNCR.rar

Regards!

PS: The OEP comes out easily! ;)

Title: Re: HELP = Unpack PC Guard 5.01
Posted by: zilox on 24 August 2014, 11:15 am

Thanks MCKSys,
Sorry for replying in English, I can read Spanish but not speak it; I asked my wife to translate for me. :) I already tried this tutorial and many others. I'll describe what I have done so far.

I open the program in OllyDbg v2 and I get to the PC Guard OEP:

CPU Disasm
Address    Hex dump        Command                     Comments
<ModuleEn  /$ FC           CLD
00BA4E01   |. 55           PUSH EBP
00BA4E02   |. 50           PUSH EAX
00BA4E03   |. E8 00000000  CALL 3DSimED3.00BA4E08

I disable the "ignored exceptions" in OllyDbg so it breaks on all exceptions. I count the number of exceptions until the program executes, in my case 10 times.

- Reload the exe, press Shift+F9 nine times.
- Set the breakpoint on .code (on access).
- Press Shift+F9 one more time.

CPU Disasm
Address    Hex dump          Command                               Comments
004310BE   |. FF50 0C        CALL DWORD PTR DS:[EAX+0C]
004310C1   |. 8BF0           MOV ESI,EAX
004310C3   |. 8D85 98FBFFFF  LEA EAX,[LOCAL.282]
004310C9   |. 50             PUSH EAX
004310CA   |. FF15 54257F00  CALL DWORD PTR DS:[3DSimED3.7F2554]
004310D0   |. 33D2           XOR EDX,EDX                           ; --------> Landed right here. Doesn't look like the OEP.
004310D2   |. 83F8 0F        CMP EAX,0F
004310D5   |. 0F94C2         SETE DL
004310D8   |. B9 5C810000    MOV ECX,815C
004310DD   |. 8D46 0C        LEA EAX,[ESI+0C]

Am I missing something?

PS: Feel free to reply in Spanish, as I can read Spanish perfectly, I just cannot speak it. :(

Cheers,

Title: Re: HELP = Unpack PC Guard 5.01
Posted by: MCKSys Argentina on 24 August 2014, 11:55 am

Well, I need to practice my English, so:
1) I recommend you use Olly 1.10 and the StrongOD plugin. Also, always try to unpack using Windows XP SP3 (a virtual machine is pretty handy for this).

2) In this case, the OEP is at 702742h. To get to the OEP:

- At the EP (C1F400) put a BPM on the .text section and hit F9. When Olly stops, you'll be at C33C95:

Code:
00C33C95   281F   SUB BYTE PTR DS:[EDI],BL

- Now, put a BP on that RETN (00C33CB4) and hit F9.
- When Olly stops, put a BPM on the .text section and hit F9. When Olly stops, you'll be at the OEP:

Code:
00702742   . E8 26410100   CALL 3DSimED3.0071686D

Now you can dump and rebuild the IAT with ImpRec. You'll have 4 bad entries in the IAT. The first is ExitProcess (the same as in the tutorial). The other 3 are used by the program to communicate with the packer. You'll have to watch what happens in each of those 3 (what registers are modified and what is modified in the stack). In fact, only 2 functions are important. Both MUST return 0 in EAX, but they also return data in the stack, so be careful with that.

And that should be enough to remove the packer... :)

Cheers!

EDIT: I forgot to tell you to check all the exceptions, so they are passed to the packer!

Title: Re: HELP = Unpack PC Guard 5.01
Posted by: zilox on 24 August 2014, 14:19 pm

MCKSys,
Thank you very much. I'll give it a try and I'll let you know if it was successful or not. ;)

Cheers,

Title: Re: HELP = Unpack PC Guard 5.01
Posted by: zilox on 30 August 2014, 20:36 pm

> Well, I need to practice my English, so:
>
> 1) I recommend you use Olly 1.10 and the StrongOD plugin. Also, always try to unpack using Windows XP SP3 (a virtual machine is pretty handy for this).
>
> 2) In this case, the OEP is at 702742h. To get to the OEP:
>
> - At the EP (C1F400) put a BPM on the .text section and hit F9. When Olly stops, you'll be at C33C95:
>
> Code:
> 00C33C95   281F   SUB BYTE PTR DS:[EDI],BL
>
> - Now, put a BP on that RETN (00C33CB4) and hit F9.
> - When Olly stops, put a BPM on the .text section and hit F9. When Olly stops, you'll be at the OEP:
>
> Code:
> 00702742   . E8 26410100   CALL 3DSimED3.0071686D
>
> Now you can dump and rebuild the IAT with ImpRec. You'll have 4 bad entries in the IAT. The first is ExitProcess (the same as in the tutorial). The other 3 are used by the program to communicate with the packer. You'll have to watch what happens in each of those 3 (what registers are modified and what is modified in the stack). In fact, only 2 functions are important. Both MUST return 0 in EAX, but they also return data in the stack, so be careful with that.
>
> And that should be enough to remove the packer... :)
>
> Cheers!
>
> EDIT: I forgot to tell you to check all the exceptions, so they are passed to the packer!

Hi MCKSys,

Sorry for bothering you, but I have tried to rebuild the IAT without success. If you don't mind, I have some questions.

I did what you said and dumped the unpacked process. Set the Image Base to 00400000 and the Entry Point to 00302742. I am using ImpREC to rebuild the IAT. I am reading some tutorials on how to unpack Armadillo manually, as this packer removes the IAT and it is a good exercise on how to rebuild it from scratch. I'll describe the steps I am following.
- Select the exe process.
- Set OEP to 00302742.
- Press IAT AutoSearch.
- ImpREC finds the IAT at 003F2000.
- I checked this address (007F2000) in Olly to make sure it is the IAT:

CPU Dump
Address    Value      Comments
007F2000   76EBC55A   ; ADVAPI32.RegDeleteValueA
007F2004   76EA11A8   ; ADVAPI32.RegQueryValueExA
007F2008   76EA1197   ; ADVAPI32.RegOpenKeyExA
007F200C   76EBC527   ; ADVAPI32.RegEnumKeyExA
007F2010   76EBC5D6   ; ADVAPI32.RegEnumValueA
007F2014   76EBD023   ; ADVAPI32.GetFileSecurityA
007F2018   76EE10CE   ; ADVAPI32.SetFileSecurityA
...

Seems to be the IAT. And the size (B20) seems to be correct too.

- Click Get Imports and ImpREC rebuilds the IAT.
- Click Show Invalid and, as you mentioned, I have 4 bad entries in the IAT:

CPU Dump
Address    Value      Comments
007F2280   774EC83C   ; KERNEL32.RtlUnwind
007F2284   00C39B1A   -----> 1
007F2288   774EC318   ; KERNEL32.GetModuleHandleExW
007F254C   76E138D5   ; OLEAUT32.VariantClear
007F2550   00000000
007F2554   00C2D3D6   -----> 2
007F2558   00C2C7F0   -----> 3
007F255C   00C2C4BF   -----> 4
007F2560   00000000
007F2564   75C0F9E7   ; SHELL32.SHAppBarMessage

- I set a breakpoint at 007F2284 trying to trace the jump.
- Run the process (F9). It doesn't hit the breakpoint.
- I exit the process, and then Olly hits the breakpoint.

The code seems to be using some kind of overlapping-instruction obfuscation. Is that right? If that is the case, is there a way to fix that? Am I doing something wrong?

CPU Disasm
Address    Hex dump   Command   Comments
00C39B17   00         DB 00
00C39B18   00         DB 00
00C39B19   00         DB 00
00C39B1A   60         DB 60     ; CHAR '`'   -------> landed here.
00C39B1B   EB         DB EB     ; CHAR 'ë'
00C39B1C   01         DB 01
00C39B1D   E3         DB E3     ; CHAR 'ã'
00C39B1E   EB         DB EB     ; CHAR 'ë'
00C39B1F   01         DB 01
00C39B20   D4         DB D4     ; CHAR 'Ô'
00C39B21   E8         DB E8     ; CHAR 'è'
00C39B22   00         DB 00
00C39B23   00         DB 00
00C39B24   00         DB 00
00C39B25   00         DB 00

I appreciate any help. :)

Cheers,

PS: I forgot to mention that first I tried to cut and delete the invalid thunks just to check if the process would execute, but it crashes...
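The two dumps in the post above can be checked mechanically. The following script is an added example written for this thread; it is not code from the thread, from ImpREC or from PC Guard. It takes the "Show Invalid" IAT lines and the byte dump at 00C39B17 as constructed sample strings copied from the post, and it assumes a constructed upper bound (0x00C40000) for the main image range, which in a real dump should be read from the section table. It does two things: it flags every thunk whose value lands inside the packed module rather than a loaded DLL (these are exactly the four entries ImpREC marks invalid), and it decodes the bytes at the first bad thunk by following the short JMPs instead of reading the byte each one skips.

```python
# Added example (not code from the thread, ImpREC or PC Guard): two checks on
# the OllyDbg dumps posted above.
#   1. Which IAT thunks still point back into the packed module instead of a
#      loaded DLL (the entries ImpREC reports as invalid).
#   2. What the bytes at the first bad thunk (00C39B1A) actually execute once
#      the short JMPs are followed, which is why a linear disassembly of that
#      region looks like nonsense.
import re

# Constructed sample input: the "Show Invalid" region of the IAT, copied from
# the dump in the thread.
IAT_DUMP = """\
007F2280 774EC83C ; KERNEL32.RtlUnwind
007F2284 00C39B1A -----> 1
007F2288 774EC318 ; KERNEL32.GetModuleHandleExW
007F254C 76E138D5 ; OLEAUT32.VariantClear
007F2550 00000000
007F2554 00C2D3D6 -----> 2
007F2558 00C2C7F0 -----> 3
007F255C 00C2C4BF -----> 4
007F2560 00000000
007F2564 75C0F9E7 ; SHELL32.SHAppBarMessage
"""

# Assumption: the main image starts at the stated base 00400000 and extends
# past the packer's code (EP at C1F400). The upper bound is a constructed
# value; take the real one from the section table of the dumped file.
MODULE_RANGE = (0x00400000, 0x00C40000)

IAT_LINE = re.compile(r"^([0-9A-F]{8})\s+([0-9A-F]{8})(?:\s+;\s*(\S+))?")


def classify_iat(dump, module_range=MODULE_RANGE):
    """Return (thunk_addr, value, status) for every parsable line of the dump."""
    lo, hi = module_range
    rows = []
    for line in dump.splitlines():
        m = IAT_LINE.match(line.strip())
        if not m:
            continue
        addr, val, api = int(m.group(1), 16), int(m.group(2), 16), m.group(3)
        if val == 0:
            status = "null"                      # separator between DLL blocks
        elif api:
            status = "resolved:" + api           # Olly already named the export
        elif lo <= val < hi:
            status = "redirected-into-module"    # thunk leads back to the packer
        else:
            status = "unresolved"
        rows.append((addr, val, status))
    return rows


def bad_thunks(dump, module_range=MODULE_RANGE):
    """Thunk addresses whose target lies inside the packed module itself."""
    return [a for a, _, s in classify_iat(dump, module_range)
            if s == "redirected-into-module"]


# Constructed sample input: the 15 bytes Olly showed at 00C39B17..00C39B25.
CODE_BASE = 0x00C39B17
CODE = bytes.fromhex("00 00 00 60 EB 01 E3 EB 01 D4 E8 00 00 00 00")


def trace_flow(code, base, start, max_insns=16):
    """Decode from `start`, taking each short JMP instead of reading the byte
    it skips. Only the opcodes that occur in the dump are understood
    (PUSHAD, JMP rel8, CALL rel32); anything else ends the trace."""
    trace = []
    eip = start
    for _ in range(max_insns):
        off = eip - base
        if not 0 <= off < len(code):
            trace.append((eip, "<outside dump>"))
            break
        op = code[off]
        if op == 0x60:
            trace.append((eip, "PUSHAD"))
            eip += 1
        elif op == 0xEB and off + 2 <= len(code):
            rel = int.from_bytes(code[off + 1:off + 2], "little", signed=True)
            target = eip + 2 + rel                # rel8 is relative to the next EIP
            trace.append((eip, f"JMP SHORT {target:08X}"))
            eip = target
        elif op == 0xE8 and off + 5 <= len(code):
            rel = int.from_bytes(code[off + 1:off + 5], "little", signed=True)
            target = eip + 5 + rel
            trace.append((eip, f"CALL {target:08X}"))
            eip += 5                              # do not descend into the call
        else:
            trace.append((eip, f"DB {op:02X} (not decoded)"))
            break
    return trace


if __name__ == "__main__":
    for addr, val, status in classify_iat(IAT_DUMP):
        print(f"{addr:08X} -> {val:08X}  {status}")
    print("bad thunks:", [f"{a:08X}" for a in bad_thunks(IAT_DUMP)])
    for eip, text in trace_flow(CODE, CODE_BASE, 0x00C39B1A):
        print(f"{eip:08X}  {text}")
```

Following the jumps gives PUSHAD, JMP SHORT 00C39B1E, JMP SHORT 00C39B21, CALL 00C39B26: the E3 at 00C39B1D and the D4 at 00C39B20 are never executed, but a linear sweep from 00C39B1B would read "EB 01" and then try to decode E3 EB as a JECXZ, which is the overlap zilox is seeing. The CALL with a zero displacement just pushes the address of the next instruction, so this is the packer collecting its own EIP before going on; the script only shows that the bytes are code and where they lead, it does not try to follow the packer further.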
Title: Re: HELP = Unpack PC Guard 5.01
Posted by: MCKSys Argentina on 1 September 2014, 03:42 am

Hi zilox!

As I told you, the first of the 4 bad entries in the IAT is ExitProcess. You can fix it in ImpRec by double-clicking the address and selecting the appropriate API.

I also told you that the other 3 must return 0 in EAX. You must patch them manually. BUT 2 of them return data in the stack as well. So, I suggest you search for the references to those functions and put a BP on them. Now, when the function gets called, watch the stack parameters and how they are filled. Also, you should watch what the program does with those values. When you find what to put in the parameters to make the program work, just patch the function manually. And that's all.

You don't need to analyze the function, because it's a packer function and it's heavily obfuscated.

Cheers!

Title: Re: HELP = Unpack PC Guard 5.01
Posted by: zilox on 1 September 2014, 08:40 am

Hi MCKSys,
Yes, I knew that the first one was ExitProcess; I was just trying to figure that out by myself. I was trying to learn something from that. Actually I don't need to patch that program, I am just doing it for "fun" and learning purposes... :)

How do you know the first one was ExitProcess? I was trying to figure it out by analysing the code and finding the jump to ExitProcess, but as you said it is all obfuscated...

Anyway, I'll try to fix the 3rd and 4th calls and maybe bring some more questions. lol

Cheers mate,

Title: Re: HELP = Unpack PC Guard 5.01
Posted by: MCKSys Argentina on 1 September 2014, 18:17 pm

Hi zilox!
One thing you can do is to execute the function itself. This is a generic method for resolving APIs manually. To do this you just put a memory BP on the .text section of the system modules (kernel32, user32, ntdll, etc.), depending on what you think the API could be. Then you use "New origin here" on the first instruction of the API. When the program tries to execute the API, the BPM will trigger.

That's the idea... :)

Cheers!