Credits: richie86
Software Introduction:
1. OD -- "you have to google it i cant upload it to the site
the rest of the files are included"
Also known as OllyDbg. It is a 32-bit assembler-level analysis debugger and a powerful tool for analyzing 32-bit assembly.
2. Phantom
It is a plugin for OllyDbg, used to prevent OllyDbg from being detected by the anti-debugger engine of Themida/WinLicense.
3. okdodo script
This is the unpack script we will use in this tutorial.
4. PEiD
PEiD detects most common packers, cryptors and compilers for PE files. It can currently detect more than 600 different signatures in PE files.
5. ImportREC
Import Reconstructor is a tool used to fix the IAT of a dumped image and rebuild it.
———————————————————————————————————-
Okay let’s get started.
First we have to determine what the packer is. Drag Cpp1.exe into PEiD. You will need the latest signature database. Here we find it is packed with Themida/WinLicense 1.8.2.0 or above.
PeID
Start OllyDbg and make sure your Phantom settings look like the ones below. Configure them via Plugin>Phantom>Option. You will need to restart OllyDbg for the settings to take effect.
Phantom Setting
Install the plugin by moving phantom.dll into the OllyDbg folder.
[IMG]https://richie86.files.*********.com/2008/01/phantom-opt.jpg[/IMG]
After that, drag Cpp1.exe into OllyDbg. Look at the yellow line in the main thread: B8 00 00 00 60, a common entry point used by Themida/WinLicense.
[IMG]https://richie86.files.*********.com/2008/01/load.jpg[/IMG]
Press ALT+M to switch to the Memory Map tab. Scroll down the list a little and you will find msvcrt in a PE Header entry, which shows that this EXE uses the C++ runtime.
C++
Let's continue. Run the okdodo script via Plugin>ODbgScript>RunScript, then select okdodo.osc.
The script runs automatically. Once you are prompted that the script has completed, the debugger will be stopped at the OEP (Original Entry Point) of your EXE.
[IMG]https://richie86.files.*********.com/2008/01/oep.jpg[/IMG]
Take note of the OEP address above, 00401151. We will be using it later on.
Next we will try to dump the image out. Do NOT close OllyDbg yet.
Open ImportREC and attach to the Cpp1.exe process in the list.
In the status box you will see Image Base: 00400000, so calculate the OEP as 00401151-00400000 = 1151.
Enter it into the OEP box and press IAT Auto Search. It will inform you that the OEP was found.
Press Get Import to list all imported functions. The Imports status shows valid:YES, which means all import function pointers match.
Now dump the image via Right-click>Advanced Commands>Select Code Section(s).
[IMG]https://richie86.files.*********.com/2008/01/imprec.jpg[/IMG]
Press Full Dump, then save it somewhere as cpp1_dump.exe.
[IMG]https://richie86.files.*********.com/2008/01/dumped.jpg[/IMG]
Then continue by reconstructing the dump based on the new OEP. In the main menu, press Fix Dump, then select the dump image cpp1_dump.exe we just created.
[IMG]https://richie86.files.*********.com/2008/01/fixdump.jpg[/IMG]
After reconstruction, a new image cpp1_dump_.exe is created. Now try to run cpp1_dump_.exe and you will see that you have successfully unpacked it.
[IMG]https://richie86.files.*********.com/2008/01/done.jpg[/IMG]
Credit: okdodo for the script. unpack.cn for the resources.
okdodo script:
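/*
Script written by okdodo 2007/03
Tested for themida IAT restore and OEP find~
Ollyice: Ignore all exceptions (add 0EEDFADE,C0000005,C000001E)
HideOD : Check HideNtDebugBit and ZwQueryInformationProcess(method2)
Test Environment : Ollyice 1.1 + HideOD
ODBGScript 1.52 under WINXP
Thanks :
kanxue - author of HideOD
hnhuqiong - author of ODbgScript 1.52
*/
/*
Reviewed copy. Differences from the original listing:
  - curly quotes from the web paste replaced with straight " quotes;
  - the #...# hex byte strings re-joined where the paste had wrapped them
    (they must contain no whitespace);
  - every scratch variable is declared with var, like the originals;
  - every find/alloc result is checked for 0 before it is used as an
    address; on failure the script jumps to stop instead of patching at 0;
  - the OEP loop also rejects an eip below the code section, and treats
    cbase+csize as end-exclusive.
Variables:
  cbase/csize  = base and size of the code section containing eip at start
  dllimg       = base of the memory block containing eip at start
  pmbase       = declared but never used
  apibase      = eax after returning from the VirtualAlloc breakpoint
  mem          = 1000h-byte block allocated here for the helper stub
  tmpbp        = current breakpoint / patch address
  tmp, memtmp  = scratch pointers (mostly into mem)
  addr1..3     = return addresses inside the patched protector code
*/
data:
var cbase
var csize
var dllimg
var pmbase
var apibase
var mem
var tmpbp
var tmp
var memtmp
var addr1
var addr2
var addr3

// Record the starting code section and the memory block that holds eip.
gmi eip,CODEBASE
mov cbase,$RESULT
gmi eip,CODESIZE
mov csize,$RESULT
gmemi eip,MEMORYBASE
mov dllimg,$RESULT
log dllimg

findapibase:
// Hardware breakpoint on execute at GetLocalTime, run, then return to user code.
gpa "GetLocalTime", "kernel32.dll"
mov tmpbp,$RESULT
cmp tmpbp,0
je stop
bphws tmpbp,"x"
esto
bphwc tmpbp
rtu
// Same for VirtualAlloc; after rtu, eax holds the value it returned.
gpa "VirtualAlloc", "kernel32.dll"
mov tmpbp,$RESULT
cmp tmpbp,0
je stop
bphws tmpbp,"x"
esto
bphwc tmpbp
rtu
mov apibase,eax
log apibase
// And once more for LoadLibraryA.
gpa "LoadLibraryA", "kernel32.dll"
mov tmpbp,$RESULT
cmp tmpbp,0
je stop
bphws tmpbp,"x"
esto
bphwc tmpbp
rtu

findVirtualAlloc:
// Locate the small wrapper (push ebp / mov ebp,esp / four pushes / push -1 /
// call / pop ebp / ret 10) inside the block VirtualAlloc returned, and break on it.
find apibase,#558BECFF7514FF7510FF750CFF75086AFFE8090000005DC21000#
mov tmpbp,$RESULT
cmp tmpbp,0
je stop
bphws tmpbp,"x"

iatloop:
// On each hit remember the return address on the stack, then keep running
// until the 50 51 60 33 C0 sequence appears in the image block.
esto
mov tmp,[esp]
find dllimg,#50516033C0#
cmp $RESULT,0
jne iatpatch
jmp iatloop

iatpatch:
bphwc tmpbp
// Run to the wrapper's ret 10, single-step it, then work from the saved return address.
find eip,#C21000#
cmp $RESULT,0
je stop
bphws $RESULT,"x"
esto
bphwc $RESULT
sti
mov tmpbp,tmp
// Two 0F 8x rel32 jumps are turned into short jumps. Assuming the usual 4-byte
// write for a numeric constant, 0A0EEB lays down EB 0E 0A 00 over 0F 85 0A 00
// and 3928EB lays down EB 28 39 00 over 0F 84 39 00.
find tmpbp,#0F850A000000C785#
mov tmpbp,$RESULT
cmp tmpbp,0
je stop
mov [tmpbp],0A0EEB
find tmpbp,#0F84390000003B8D#
mov tmpbp,$RESULT
cmp tmpbp,0
je stop
mov [tmpbp],3928EB

// Helper stub: allocate 1000h bytes and copy in the code below. Its entry
// points are at +0, +14h, +36h and +5Fh; its exits (E9 / 0F85 at +0Fh, +31h,
// +54h, +5Ah, +62h) are filled in further down with jumps back into the
// patched code. The three A3/A1 absolute operands (+1, +16h, +38h) are
// pointed at a scratch dword at mem+100h.
alloc 1000
mov mem,$RESULT
cmp mem,0
je stop
log mem
mov tmp,mem
mov [tmp],#A3000000008908ADC746FC00000000E90000000050A1000000008907807FFFE8750866C747FEFF15EB0666C747FEFF2558E90000000050A100000000894701807FFFE8750866C747FFFF15EB0666C747FFFF25580F8500000000E90000000083C704E900000000#
mov memtmp,tmp
add memtmp,100
add tmp,1
mov [tmp],memtmp
add tmp,15
mov [tmp],memtmp
add tmp,22
mov [tmp],memtmp

// Redirect the located code sequences into the stub, recording where to return.
mov tmp,mem
find tmpbp,#8908AD#
mov tmpbp,$RESULT
cmp tmpbp,0
je stop
mov addr1,tmpbp
add addr1,0A
eval "jmp {tmp}"
asm tmpbp, $RESULT
find tmpbp,#E92400000058#
mov tmpbp,$RESULT
cmp tmpbp,0
je stop
add tmp,14
eval "jmp {tmp}"
asm tmpbp, $RESULT
find tmpbp,#0F851800000083BD#
mov tmpbp,$RESULT
cmp tmpbp,0
je stop
mov addr3,tmpbp
add addr3,06
add tmp,22
eval "jmp {tmp}"
asm tmpbp, $RESULT
find tmpbp,#884704#
mov tmpbp,$RESULT
cmp tmpbp,0
je stop
mov addr2,tmpbp
add addr2,03
mov [tmpbp],#909090#
find tmpbp,#ABAD#
mov tmpbp,$RESULT
cmp tmpbp,0
je stop
mov [tmpbp],#90#
add tmpbp,9
add tmp,29
eval "jmp {tmp}"
asm tmpbp, $RESULT

// Fill in the stub's exits with jumps back to the recorded addresses.
mov memtmp,mem
add memtmp,0F
eval "jmp {addr1}"
asm memtmp, $RESULT
add memtmp,22
eval "jmp {addr2}"
asm memtmp, $RESULT
add memtmp,23
eval "jne {addr2}"
asm memtmp, $RESULT
add memtmp,06
eval "jmp {addr3}"
asm memtmp, $RESULT
add memtmp,08
eval "jmp {addr1}"
asm memtmp, $RESULT

// Let the loop run out: break 14h bytes past the C7 01 00000000 / 83 C1 04 sequence.
find eip,#C7010000000083C104#
mov tmpbp,$RESULT
cmp tmpbp,0
je stop
add tmpbp,14
bphws tmpbp,"x"
esto
bphwc tmpbp

// OEP search: memory breakpoint on the code section, resume until eip is in [cbase, cbase+csize).
mov tmp,cbase
add tmp,csize
findoep:
bprm cbase,csize
esto
bpmc
cmp eip,cbase
jb findoep
cmp eip,tmp
jae findoep
msg "script finished,check the oep place by yourself~"
ret

stop:
// Reached when an API lookup, a pattern search or the allocation failed.
pause
apierror:
// Not referenced by any jump; kept from the original listing.
pause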