Help unpacking an executable!!!

Started by perfect18, 21 October 2012, 22:43 PM


perfect18

Friends, I need you to help me unpack this executable; it is protected by ASProtect 1.23. If anyone could help me I would appreciate it...

rylvzla.sytes.net/cilent.exe

apuromafo CLS

I suppose you opened it in OllyDbg and waited to reach the OEP; up to which address do you get without problems?

Regards, Apuromafo

perfect18

Friend, I am not very expert at this, but I urgently need to unpack this executable, which is why I am turning to you who know more about this topic. Here is a mini-guide I found, but it is in English and I don't understand much of it.

First get the plugin ollydump for ollydbg.

Open ollydbg, go into options and make sure memory access violation is NOT ticked in debug options.

Open the client in Olly and you should see an access violation exception in the lower left corner; hit shift+f9 once and select no to analyze code.
The starting code should look something like push <address> call <address>

now hit shift+f9 (27 times for me) and break on every access violation until you hit a place where the code looks something like this:

xor dword.. ,eax
pop ..
pop ..
cmp dword.. ,0
je ..
push 0C
..

Place a breakpoint on RETN at the end of this function and hit shift+f9 again to break on it, remove the breakpoint, hit f7 once.

hit alt+m and find your client in the list and click the section of your client that says code (starting at address 00401000), right-click on it and select: Set memory breakpoint on access.

hit ctrl+f11 to start the trace (it will take a while); once it breaks hit f7 once and you're now on the OEP (Original Entry Point). However there are some stolen bytes by asprotect that you need to restore; the way you do that is by opening your trace log, view runtrace, and make sure highlight register=esp is selected. Then you find the stolen bytes by analyzing this, however i cba to explain it so just close the runtrace, scroll a bit up and insert these 2 lines where the code is junk:

006BC90D PUSH 60
006BC90F PUSH 0071B668

those are the only 2 stolen code commands. Right-click on the line with push 60 and select new origin here.

now you need to dump the entire thing to file, so select plugins->ollydump->dump debugged process (untick rebuild import at bottom) and click ok, save the file to some new filename.

Now you just need to fix the imports (which asprotect has changed); use imprec to do this. You'll need to use a program like imprec 1.7c and select your ollydbg client.exe process from its open dll dropdown box.

Fill in your (OEP - 00400000) in the OEP editbox (002BC90D) and click iat autosearch.

Click on get imports, click show invalid button at right side, it will highlight all invalid import calls.

Rightclick on them and select plugin tracers->asprotect 1.23rc4

Click again on show invalid, it should not have any left (it might highlight some valid calls just ignore that) click on fix dump and select the filename you dumped from ollydbg, exit imprec.

Now open up program LordPE, click rebuild PE open your filename imprec saved, and exit LordPE.

You will now have an unpacked client.exe.

Note that there might be compatibility issues when running this new file on 32bit vs 64bit systems. There is another program similar to imprec that will fix this issue, however it doesn't have the tracers support so it will take a long time to fix the imports; alternatively you can first use imprec, then open the imprec saved file in the new program (CHimpRec) and save a new file from that (this will make the file work on all 32bit/64bit editions of windows).

--

The End.
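As an added example (not code from the thread or from the guide's author), here is a small Python triage script built around the two numbers the guide relies on: the image base 00400000 and the OEP 006BC90D. It parses a PE32 header, computes the RVA that ImpREC asks for, and flags header-level signs that a dump is still wrapped by a protector stub (entry point outside the first code section, writable+executable sections); the PE headers are constructed in memory, and the section names and sizes are assumptions.

```python
import struct

IMAGE_BASE = 0x00400000                         # image base the guide subtracts from the OEP
SCN_EXECUTE, SCN_WRITE, SCN_READ = 0x20000000, 0x80000000, 0x40000000
SEC_FMT = "<8sIIIIIIHHI"                        # IMAGE_SECTION_HEADER, 40 bytes

def oep_rva(oep_va, image_base=IMAGE_BASE):
    # ImpREC wants the OEP as an RVA: VA minus image base (006BC90D - 00400000 = 002BC90D)
    return oep_va - image_base
def build_pe(entry_rva, sections):
    # Constructed minimal PE32 header (test data only); sections = [(name, vaddr, vsize, chars)]
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)                   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = struct.pack("<HBBIIIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva, 0, 0)  # EntryPoint at +16
    opt = (opt + struct.pack("<I", IMAGE_BASE)).ljust(224, b"\0")           # ImageBase at +28
    table = b"".join(struct.pack(SEC_FMT, n.encode().ljust(8, b"\0"), vs, va, vs, 0, 0, 0, 0, 0, ch)
                     for n, va, vs, ch in sections)
    return dos + b"PE\0\0" + coff + opt + table
def parse_pe(data):
    # Returns (image_base, entry_rva, [(name, vaddr, vsize, chars), ...])
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    entry_rva, image_base = struct.unpack_from("<I", data, opt + 16)[0], struct.unpack_from("<I", data, opt + 28)[0]
    secs = []
    for i in range(nsec):
        f = struct.unpack_from(SEC_FMT, data, opt + opt_size + 40 * i)
        secs.append((f[0].rstrip(b"\0").decode(), f[2], f[1], f[9]))  # name, VirtualAddress, VirtualSize, Characteristics
    return image_base, entry_rva, secs
def section_for_rva(secs, rva):
    return next((n for n, va, vs, _ in secs if va <= rva < va + vs), None)
def triage(data):
    # Header-level hints that the image is still wrapped by a protector stub
    image_base, ep_rva, secs = parse_pe(data)
    findings, ep_sec = [], section_for_rva(secs, ep_rva)
    if ep_sec != secs[0][0]:                    # a clean build starts in its first (code) section
        findings.append("entry point %08X is in %s, not %s" % (image_base + ep_rva, ep_sec, secs[0][0]))
    for n, _, _, ch in secs:
        if ch & SCN_EXECUTE and ch & SCN_WRITE:  # writable+executable: self-modifying stub territory
            findings.append("section %s is writable and executable" % n)
    return findings

# Constructed samples: a still-protected image entering a RWX stub section, and the dumped
# image whose entry point is the guide's OEP (006BC90D) inside CODE, which starts at 00401000
RX = SCN_READ | SCN_EXECUTE
PACKED = build_pe(0x31B000, [("CODE", 0x1000, 0x300000, RX), ("stub", 0x31B000, 0x2000, RX | SCN_WRITE)])
UNPACKED = build_pe(oep_rva(0x006BC90D), [("CODE", 0x1000, 0x300000, RX)])
```

Running `triage()` over a dump before and after the ImpREC/LordPE steps is a quick way to confirm that the entry point now lands inside the code section and that no protector section survived.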

apuromafo CLS

well, there they explain how to unpack via exceptions, there are 2 stolen instructions and an Import REC plugin can help you, meaning they gave you almost everything:

oep, iat, and stolen code, so you should manage to unpack it with the information given there.

Regards, Apuromafo
PS: read tutorials in Spanish... that's what the FAQ was created for

MCKSys Argentina

Quote from: perfect18 on 23 October 2012, 04:11 AM
Friend, I am not very expert at this, but I urgently need to unpack this executable, which is why I am turning to you who know more about this topic. Here is a mini-guide I found, but it is in English and I don't understand much of it.

The problem is that here "we don't sell/give away fish", here we teach "how to fish".

If you need tutorials on unpacking ASProtect, go here: http://ricardonarvaja.info/WEB/buscador.php

Enter "asprotect" (without quotes) and SEVERAL tutorials on how to unpack it will come up.

Now, if you have no idea about the subject, I recommend you start here: https://foro.elhacker.net/ingenieria_inversa/faq_iquesteres_nuevo-t345798.0.html

Regards!
MCKSys Argentina

"If you think something is right just because everyone believes it, you are not thinking."