Unpacking CrypToCrackPeProtector v0 9 3 (TallfaZ)
Again an easy and fast tutorial, this time about manually unpacking CrypToCrackPeProtector 0.9.3, and again with the traditional tools:
- OllyDbg,
- ImpRec.
Target : Here.
1. Reaching the OEP:
1.1. Load the target in Olly.
Users running an original, unmodified OllyDbg will see the target exit as soon as they fire it up.
The reason is that the program checks the debugger flag directly (the same flag IsDebuggerPresent reads), and if it is set, the app balances the stack and calls ExitThread.
If you want more detail, study this piece of code (Figure 1) and compare it with the code of the IsDebuggerPresent function (Figure 2):
Figure 1
Figure 2
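What the two figures compare is a single byte read: the protector's inline check and IsDebuggerPresent both look at PEB.BeingDebugged, which is why a plug-in that clears that byte defeats both at once. The following C is an added example, not code from the tutorial or from the protector; it models the PEB with a constructed byte buffer so it runs on any platform, and the fs:[0x30] accessor under the MSVC guard is an assumption that only compiles on a 32-bit Windows build.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Offset of BeingDebugged inside the Process Environment Block. It is 0x02 on
 * both 32-bit and 64-bit Windows, and IsDebuggerPresent does nothing more
 * than return this byte. */
#define PEB_BEING_DEBUGGED 0x02
#define PEB_IMAGE_SIZE     16    /* only the first bytes matter here */

/* The check the protector inlines and the one IsDebuggerPresent performs
 * are the same read: non-zero means a debugger created or attached to us. */
int being_debugged(const uint8_t *peb)
{
    return peb[PEB_BEING_DEBUGGED] != 0;
}

/* What an OllyDbg "hide" plug-in does to defeat both forms of the check:
 * it zeroes the byte in the debuggee's PEB, so every later read, whether
 * through the API or through fs:[0x30] directly, reports "no debugger". */
void hide_debugger(uint8_t *peb)
{
    peb[PEB_BEING_DEBUGGED] = 0;
}

/* Constructed PEB image standing in for the real one so the logic runs
 * anywhere; 'attached' mimics what the loader sets under a debugger. */
void make_peb(uint8_t *peb, int attached)
{
    memset(peb, 0, PEB_IMAGE_SIZE);
    peb[PEB_BEING_DEBUGGED] = attached ? 1 : 0;
}

#if defined(_MSC_VER) && defined(_M_IX86)
#include <intrin.h>
/* On a real 32-bit Windows build the PEB is reached through fs:[0x30]
 * (assumed MSVC intrinsic; compiled out on every other toolchain). */
const uint8_t *live_peb(void)
{
    return (const uint8_t *)__readfsdword(0x30);
}
#endif

int main(void)
{
    uint8_t peb[PEB_IMAGE_SIZE];
    make_peb(peb, 1);
    printf("under debugger: %d\n", being_debugged(peb));    /* 1 */
    hide_debugger(peb);
    printf("after hide plug-in: %d\n", being_debugged(peb)); /* 0 */
    return 0;
}
```

The point for a defender is that a check which only reads this byte gives no protection against an analyst who patches it; any anti-debugging decision worth making should not rest on a single flag the debuggee itself can rewrite.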
1.2. Just use a plug-in that hides Olly from this trick.
Now put a breakpoint on memory access on the .text section:
1.5. Clear this breakpoint, put a breakpoint on memory access on the .text section again, then press F9:
This time we land exactly at the OEP address, but something is wrong: the imports. No problem, we will fix them quickly.
Now just dump your app.
2. The Imports:
This is a typical VC/C++ entry point, and you can guess that the function called at 4271D6 is the GetVersion API.
2.1. Change the view of the dump window to address view:
And follow that address in the dump window:
If you want to try it, put a breakpoint on 46B823 and trace to see what happens.
2.2. Now we have to reconstruct the IAT, so that the real addresses of the called functions are written back to their slots. To do this, put a hardware breakpoint on write on the first called address (see the picture):
2.4. A little tracing demonstrates this:
So what we have to do is simply write the good import into its slot instead of the redirected one.
So restart Olly, go to 46B338 and replace EDI with EAX:
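The repair in section 2 comes down to two steps that ImpRec performs in bulk: decide which IAT slots point outside any loaded DLL (these are the protector's redirections) and overwrite each one with the real export the stub eventually reaches, which is the value the manual trace at 46B338 puts in EAX. The C below is an added example, not the tutorial's script or ImpRec's code; the module range, the second stub and all the "real" addresses are constructed, and only 46B823 comes from the page.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed picture of a 32-bit process: one real DLL whose exports live
 * in a known range, and a protector stub area that lies outside every DLL. */
typedef struct {
    const char *name;
    uint32_t base, end;            /* [base, end) of the module image */
} module_t;

static const module_t modules[] = {
    { "KERNEL32.dll", 0x7C800000u, 0x7C900000u },   /* constructed range */
};

/* What tracing a stub teaches you (ImpRec's tracer automates this): each
 * redirection stub finally transfers control to exactly one real export. */
typedef struct { uint32_t stub; uint32_t real; } redirect_t;

static const redirect_t trace_results[] = {
    { 0x0046B823u, 0x7C8012A5u },   /* 46B823 is from the page; target constructed */
    { 0x0046B900u, 0x7C801D7Bu },   /* fully constructed second stub */
};

/* Returns the module a pointer lands in, or NULL when it points nowhere any
 * loaded DLL lives; ImpRec lists exactly those thunks as invalid. */
const module_t *owning_module(uint32_t addr)
{
    for (size_t i = 0; i < sizeof modules / sizeof modules[0]; i++)
        if (addr >= modules[i].base && addr < modules[i].end)
            return &modules[i];
    return NULL;
}

/* Resolve a redirection stub through the trace table; 0 when unknown. */
uint32_t resolve_stub(uint32_t stub)
{
    for (size_t i = 0; i < sizeof trace_results / sizeof trace_results[0]; i++)
        if (trace_results[i].stub == stub)
            return trace_results[i].real;
    return 0;
}

/* Walk the dumped IAT: keep slots that already hold a real export, rewrite
 * redirected slots with the address the trace found, leave unknown ones
 * untouched and count them, and return how many slots were fixed. */
size_t fix_iat(uint32_t *iat, size_t n, size_t *unresolved)
{
    size_t fixed = 0;
    *unresolved = 0;
    for (size_t i = 0; i < n; i++) {
        if (iat[i] == 0)
            continue;                       /* null terminator of a thunk run */
        if (owning_module(iat[i]))
            continue;                       /* genuine import, nothing to do */
        uint32_t real = resolve_stub(iat[i]);
        if (real) {
            iat[i] = real;                  /* the EDI -> EAX replacement */
            fixed++;
        } else {
            (*unresolved)++;                /* needs a manual trace */
        }
    }
    return fixed;
}

int main(void)
{
    /* Constructed dump of a small IAT: stub, real import, stub, unknown, end. */
    uint32_t iat[] = { 0x0046B823u, 0x7C8011FFu, 0x0046B900u, 0x0046B999u, 0 };
    size_t unresolved;
    size_t fixed = fix_iat(iat, sizeof iat / sizeof iat[0], &unresolved);
    printf("fixed %zu slot(s), %zu left for manual tracing\n", fixed, unresolved);
    for (size_t i = 0; i < sizeof iat / sizeof iat[0]; i++)
        printf("  slot %zu: %08X\n", i, iat[i]);
    return 0;
}
```

The unresolved counter matters in practice: a dump whose IAT still contains one stub address will crash on the first call through that slot, so the check that every non-null thunk lands inside a loaded module is the test to run before trusting the rebuilt file.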
You will find in the archive a script that automatically unpacks and dumps the victim, so you only have to fix the IAT.
Thank you for taking time to read this little article.
Greeting to all AoRE team and forum members : ColdFever, Nolimit, sgr2001, azmo and كاتم السر.
And also special thanks to Teddy Rogers for the great work he's doing.