
MUP of CrypToCrackPeProtector0.9.3
Again an easy and fast tutorial about CrypToCrackPeProtector0.9.3
manual unpacking, and again with the traditional tools:
- OllyDbg,
- ImpREC.
Target : Here.

1. Reaching OEP :
1.1. Load the target in Olly

If you run the target under an unmodified OllyDbg, it exits as soon as
you start it.
The reason is that the program checks the debug flag directly, and if it
is set, it balances the stack and calls the ExitThread function.
If you want more detail, study this piece of code (Figure 1) and
compare it with the code of the IsDebuggerPresent function (Figure 2):

Figure 1

Figure 2

1.2. Just use a plug-in that hides Olly from this trick.
Now put a BP on memory access on the .text section:

1.3. Run (F9) and you will land here:

1.4. Now put a BP on the "Ret" instruction and press F9 again:

1.5. Clear this BP, put a BP on memory access on the .text section
again, then F9:

This time we are exactly at the OEP address, but something is
wrong: the imports. No problem, we will fix them quickly.
Now just dump your app.

2. The Imports :
This is typically a VC/C++ entry point, and you can guess that the
function called through 4271D6 is the GetVersion API.
2.1. Change the view of the dump window to address view:

And follow that address in the dump:

It calls a second address, which we will follow in the disassembler to study:

If you want to try, put a BP on 46B823 and trace to see what
happens.
2.2. Now we have to reconstruct the IAT, so that the real addresses of
the called functions are written in their place. To do this, put a
hardware BP on write on the first called address (see the pic):

2.3. Restart the unpackme (Ctrl+F2), then run it by pressing F9 five
times (until it writes the address 46B823). You will land here:

2.4. A little tracing will demonstrate this:

So what we have to do is simply write the correct import to its place
instead of the redirected one.
So restart Olly, go to 46B338 and replace EDI with EAX:
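Added example, not part of the tutorial or of the protector's code: a small Python check for a dumped IAT that flags slots still holding the protector's redirect stub (an address inside the unpacked image rather than inside a loaded DLL), and writes the real API address recorded for that stub in its place, which is the EAX-instead-of-EDI fix above applied to the dump. The image range, the kernel32 range and every slot value other than 4271D6 and 46B823 are constructed assumptions.

```python
from typing import Dict, List, Tuple

Range = Tuple[int, int]  # half-open [start, end) address range

# Constructed sample data. 0x4271D6 and 0x46B823 are the addresses the
# tutorial mentions; the image range, the kernel32 range and the other
# values are assumptions chosen for illustration only.
IMAGE = (0x400000, 0x470000)
MODULES = {"kernel32.dll": (0x7C800000, 0x7C900000)}
SAMPLE_IAT = {
    0x4271D6: 0x46B823,    # still holds the protector's redirect stub
    0x4271DA: 0x7C812340,  # already holds a real API address
    0x4271DE: 0x0,         # never written
}
STUB_TO_REAL = {0x46B823: 0x7C810000}  # real address seen in EAX (constructed)

def classify_slot(value: int, image: Range, modules: Dict[str, Range]) -> str:
    """'resolved' if the slot points into a loaded module, 'redirected' if
    it points back into the unpacked image (the protector's stub), else
    'invalid'."""
    if any(lo <= value < hi for lo, hi in modules.values()):
        return "resolved"
    if image[0] <= value < image[1]:
        return "redirected"
    return "invalid"

def audit_iat(iat: Dict[int, int], image: Range,
              modules: Dict[str, Range]) -> Dict[str, List[int]]:
    """Group IAT slot addresses by the label of their current content."""
    report: Dict[str, List[int]] = {}
    for slot, value in sorted(iat.items()):
        report.setdefault(classify_slot(value, image, modules), []).append(slot)
    return report

def repair_iat(iat: Dict[int, int], image: Range, modules: Dict[str, Range],
               stub_to_real: Dict[int, int]) -> Tuple[Dict[int, int], List[int]]:
    """Overwrite each redirected slot with the real API address recorded for
    its stub (the EAX-instead-of-EDI fix from section 2.4); slots whose stub
    has no recorded address are left untouched and returned as unresolved."""
    fixed, unresolved = dict(iat), []
    for slot, value in iat.items():
        if classify_slot(value, image, modules) != "redirected":
            continue
        if value in stub_to_real:
            fixed[slot] = stub_to_real[value]
        else:
            unresolved.append(slot)
    return fixed, unresolved
```

Running `audit_iat` on a dump before fixing it tells you how many slots ImpREC will still report as invalid; `repair_iat` leaves any stub without a recorded real address untouched so you can trace it by hand.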

2.5. Then put a BP on the jump to the OEP address and run:

2.6. Press F8 to follow the jump, then Ctrl+A to analyze. Good, the
imports are clean; now we can fix our dump with ImpREC.
2.7. Test your fixed dump: it works fine!

You will find in the archive a script that automatically unpacks and
dumps the victim, so you only have to fix the IAT.
Thank you for taking time to read this little article.

Greetings to all AoRE team and forum members: ColdFever, Nolimit, sgr2001, azmo and ‫كاتم السر‬.

As always, special thanks to GrandPa.

And also special thanks to Teddy Roger for the great work he’s doing.

Thanks to all our friends all around the world.
