CaSus (04-17-2009),gandhi (08-02-2008),minorutono (08-02-2008)
Tools Needed
PEiD
OllyDBG
OllyDump Plugin
Imprec
A Brain...
Instructions
Go ahead, scan the application with PEiD, to verify that it is packed by
Code:
UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo
If it is, then go ahead, open the application with OllyDBG
Do analyze.
Then, CTRL+B to search for a binary.
Code:
61 E9 87 92 FD FF 00 00 00 00
Go to the JMP below that, hit F2 (breakpoint), then F9 (Run).
The application should hit the BP.
Hit F8 (Step-over)
You're now at the OEP. So go ahead, right click -> OllyDump -> Make dump.
Take note of the OEP that OllyDump provides. This is needed later.
Edit the OEP to the address you landed on.
Then take down "Start Address" - This is our RVA
Then take down "Size" - This is needed.
Now press Dump, save as dumped.exe
Now, keep OllyDBG open. Go open Imprec, and select the application that's running that we are trying to unpack.
For OEP - Put in the OEP that OllyDump provided.
RVA - The "Start Address" that OllyDump provided.
Size - The "Size" OllyDump provided.
Hit IAT AutoSearch, if done right, "Found address which may be in the Original IAT. try 'Get Import'" should pop up.
The RVA and Size will automatically change.
Then hit 'Get Imports'. All the thunks should be valid:YES.
If so, then hit Auto Trace just for precautions.
Then hit 'Fix Dump', and select the dumped.exe
You unpacked UPX!
-Marneus901/Circadian
why not simply use the ESP method?
Didn't feel like it LOL, I would get it confused with ASPack 2.12 because it's the same way (or ub3r freggin similar)
Well... no edit button pl0x? Wtf.
Anyways, correction to the binary.
Code:
61 E9 ?? ?? ?? ?? 00 00 00 00
Sorry for the mistake. If an edit button can please show up? (Doesn't show up after I leave) This is also why it's a double post >_>
Allow an edit button pl0x?
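An added example, not part of the original posts: a wildcard scan for the corrected signature (POPAD, JMP rel32, zero padding) that also resolves where the JMP lands, which is the address a debugger shows as the candidate OEP. The function names, the sample buffer and the base addresses are constructed for illustration; the only bytes taken from the thread are the two signatures.

```python
import struct

# Wildcard signature from the thread: POPAD, JMP rel32, then zero padding.
SIGNATURE = "61 E9 ?? ?? ?? ?? 00 00 00 00"

def parse_signature(sig):
    """Turn '61 E9 ?? ..' into a list of ints, with None for wildcard bytes."""
    return [None if tok == "??" else int(tok, 16) for tok in sig.split()]

def find_signature(data, pattern):
    """Yield every offset in data where pattern matches (None matches any byte)."""
    n = len(pattern)
    for off in range(len(data) - n + 1):
        if all(p is None or data[off + i] == p for i, p in enumerate(pattern)):
            yield off

def tail_jumps(data, base_va, sig=SIGNATURE):
    """Return (jmp_va, target_va) for each match of the stub-tail signature.

    base_va is the virtual address at which data[0] is mapped (assumption:
    the caller knows it, e.g. image base + section RVA).
    """
    results = []
    for off in find_signature(data, parse_signature(sig)):
        jmp_off = off + 1                      # E9 follows the POPAD byte
        rel32 = struct.unpack_from("<i", data, jmp_off + 1)[0]
        jmp_va = base_va + jmp_off
        # A near JMP is relative to the next instruction, 5 bytes further on.
        target = (jmp_va + 5 + rel32) & 0xFFFFFFFF
        results.append((jmp_va, target))
    return results

def build_sample():
    """Constructed buffer: NOP filler, then the exact bytes from the first post."""
    filler = b"\x90" * 0x73
    tail = bytes.fromhex("61 E9 87 92 FD FF 00 00 00 00")
    return filler + tail + b"\x00" * 8

if __name__ == "__main__":
    # Constructed mapping address, not taken from any real binary.
    for jmp_va, target in tail_jumps(build_sample(), base_va=0x00427D00):
        print(f"JMP at {jmp_va:#010x} -> candidate OEP {target:#010x}")
```

The four displacement bytes depend on where the stub and the original code sit in a given build, so a search for the fully fixed byte string only matches the one binary it was copied from.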
sure but it doesn't find that either...
yes right but as I said before it doesn't find that
Then you should stay away from learning to hack >_>
I made a mistake the first post, but I corrected it.
learning? LOL do u know who i am?
Do YOU know who I am?
If you are anyone that has the right to say "Do you know who I am", in the hacking community, should be able to unpack UPX pretty easily... Or at least use OllyDBG with normal ability, and know what type of instructions that the binary creates... And if I was wrong, could find the addresses themselves..
But then again, the tutorial has been fixed.
If I went on TeamViewer, to help you, I'm sure you were doing something completely noobish...
Look for a
popad (61)
JMP [Address] (E9 ?? ?? ?? ??)
DB 00 (00)
DB 00 (00)
Noob more pl0x.
Derduh.
pwnt.10char
EDIT: btw, forgot to let people know, at least with me, unpacking Combat Arms, then opening the unpacked EXE will still make OllyDBG say that it's packed, the OEP is outside the header, etc... As far as I can tell with the unpacked EXE and UPX.exe both being unpacked; Combat Arms is unpacked.
I just fixed the thing anyways o,o. even with the fails. I hope it works T_T
Last edited by minorutono; 08-02-2008 at 12:53 AM.
I got it to unpack successfully, but when I try to run combat arms it saying that something is corrupt.. What did I do wrong?
@kevko
@minor
then opening the unpacked EXE will still make OllyDBG say that it's packed, the OEP is outside the header, etc... As far as I can tell with the unpacked EXE and UPX.exe both being unpacked; Combat Arms is unpacked.
__________________
just talk in PMs. I'll help you (based on your screenshot, your OEP is incorrect.)
Last edited by *Marneus901*; 08-02-2008 at 10:20 AM.