TARGET = Crackme #1;-)- coded for this tute (download target here)
DIFF = 1/10
TOOLS USED = OllyDbg 1.09b + OllyDump v2.01.108 plugin, LordPE (optional)
Requirement = PE Knowledge
AUTHOR = Zephyrous
Intro
This is my 2nd tutorial for BiW-Reversing, and it will discuss MUP (manual unpacking) with OllyDbg + OllyDump. BTW, my 2nd
should have been about the truth that lies behind a keygen, but I need more time to gather enough ideas to discuss it
deeply. For this tute, I just want to unpack a UPXed file and, as a bonus, an FSG 1.33 packed one. I assume the reader has
a little knowledge about PE, like the Entry Point (EP) and Original Entry Point (OEP) in packed PE executables. BTW, I
want to recommend you read 'Peering Inside the PE: A Tour of the Win32 Portable Executable File Format' by
Matt Pietrek, but other manuals/docs about PE are also recommended to read (and to learn from too :P).
Let's start the game
Don't waste time, open crackme.upx.exe (11,776 bytes) included with this tute. Unfortunately, Olly will ask
about the file because it is packed/compressed. At this time, just click Yes to continue our job. As we want, Olly
stops at the EP of the packed exe. The EP is the offset of the code that is executed first, just after the program is loaded. Is it clear?
To show it more clearly, you can check the EP with any PE editor; I used LordPE by y0da.
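As an added example (not part of the original tute, and not LordPE's or OllyDump's code), here is a small Python reader that does the same check a PE editor does: it pulls AddressOfEntryPoint, ImageBase and the section table out of a PE32 header, tells you which section the EP lands in, and flags the layout a UPX-style packer leaves behind (a first section that has virtual size but no raw data on disk, with the EP in the second section). The sample headers are constructed in memory; the UPX0/UPX1 RVAs, sizes and the packed EP RVA 0x7A40 are made-up values, and only the OEP 004012C0 / ImageBase 00400000 come from the tute.

```python
import struct
SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes
def build_sample_pe(entry_rva, sections, image_base=0x400000):
    """Minimal PE32 header built in memory (constructed sample); sections = (name, VirtualSize, VirtualAddress, SizeOfRawData)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)             # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)                                           # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                          # Magic = PE32
    struct.pack_into("<I", opt, 16, entry_rva)                     # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, image_base)                    # ImageBase
    table = b"".join(struct.pack(SECTION_FMT, n.ljust(8, b"\0"), vs, va, rs, 0x400, 0, 0, 0, 0, 0)
                     for n, vs, va, rs in sections)
    return dos + b"PE\0\0" + coff + bytes(opt) + table

def parse_pe(data):
    """Read AddressOfEntryPoint, ImageBase and the section table (what a PE editor shows)."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]         # NumberOfSections
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]    # SizeOfOptionalHeader
    opt = e_lfanew + 24                                            # optional header start
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    sections = []
    for i in range(nsec):
        f = struct.unpack_from(SECTION_FMT, data, opt + opt_size + 40 * i)
        sections.append({"name": f[0].rstrip(b"\0").decode(), "vsize": f[1], "va": f[2], "raw": f[3]})
    return {"entry_rva": entry_rva, "image_base": image_base, "sections": sections}
def section_of(pe, rva):
    """Section whose virtual range covers rva, or None."""
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw"]):
            return s
    return None
def packing_indicators(pe):
    """Hints to check before tracing: EP outside the first section; a section with virtual size but no raw data."""
    hints = []
    ep = section_of(pe, pe["entry_rva"])
    if ep is not None and ep is not pe["sections"][0]:
        hints.append("EP in %s, not the first section" % ep["name"])
    for s in pe["sections"]:
        if s["raw"] == 0 and s["vsize"] > 0:
            hints.append("%s has no raw data but 0x%X bytes virtual (unpack target)" % (s["name"], s["vsize"]))
    return hints

# Constructed samples: UPX-style layout (UPX0 empty on disk, EP in UPX1, made-up EP RVA) and a plain build whose EP 0x12C0 + ImageBase 0x400000 is the tute's OEP 004012C0.
PACKED = build_sample_pe(0x7A40, [(b"UPX0", 0x4000, 0x1000, 0), (b"UPX1", 0x3000, 0x5000, 0x2800)])
UNPACKED = build_sample_pe(0x12C0, [(b".text", 0x3000, 0x1000, 0x3000), (b".data", 0x1000, 0x4000, 0x400)])
```

Run it on a real file with parse_pe(open(path, "rb").read()); after a correct dump the EP should sit in the first code section again and the indicators list should be empty.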
At this offset, toggle a breakpoint because we don't want to trace its decompress routine. Then press F9 or the 'Play'
button.
As we want, Olly will break here. Just press F8 to continue execution to the OEP.
004012C0   55              PUSH EBP                   ; you will stop here, 12C0 is the OEP
004012C1   8BEC            MOV EBP,ESP
004012C3   6A FF           PUSH -1
004012C5   68 F8404000     PUSH crackme_.004040F8
004012CA   68 F41D4000     PUSH crackme_.00401DF4
Now we are at the OEP, and we just have to dump the program with OllyDump. You will find OllyDump in the 'Plugins' menu if
you installed it correctly :P.
Just choose 'Dump debugged process' because we have traced the routine manually, so the tracer that comes with OllyDump is
useless now.
Just leave all the default settings because OllyDump will dump the program automatically for you, including the Import
Table rebuilding.
But it's OK to learn how to rebuild the IAT manually ;-).
Why? Because you're one of the reversers in the world.
What are you waiting for??? Just press 'Dump'; I want to go to class sooner.
Heh, I forgot something: if you're not satisfied with the size of the unpacked .exe, just rebuild it with any PE tool.
After the tracer has found the OEP, Olly will break and this time you may dump it successfully, using OllyDump.
Outro
OllyDbg has a lot of features to offer to coders/reversers. Just do some experiments, or at least just 'play
around' with this damn good tool.
For example, you should inspect what Olly offers in the View menu, like Executable modules, Windows, Memory,
Handles, etc.
Your right mouse button will help you a lot ;-)
Greetings and respects: (not in specific order)
Oleh Yuschuk (OllyDbg), Gigapede (OllyDump), and y0da (rebIT.dll, LordPE, etc) - Thanx A Lot.
Ancient_One, Kwai_Lo, Bengaly, snaker (for teaching me UPX MUP), fuss, Detten, chainie, evileuA or clues
BiW-Reversing team, Bor0, X-Lock, and all reversers out there.
Real Life words:
"Reversing doesn't feed your stomach" - by a friend.
But reversing helps you a lot in coding ;-)
I can be reached at r_etarded(at)yahoo(dot)com
6:58 p.m / 23 June 2003
biw.rult.at