
MUP With OllyDbg for Real Beginners

TARGET = Crackme #1;-)- coded for this tute (download target here)
DIFF = 1/10
TOOLS USED = OllyDbg 1.09b + OllyDump v2.01.108 plugin, LordPE (optional)
Requirement = PE Knowledge
AUTHOR = Zephyrous
Intro
This is my 2nd tutorial for BiW-Reversing, and it discusses MUP (manual unpacking) with OllyDbg + OllyDump. BTW, my 2nd should have been about the truth that lies behind a keygen, but I need more time to collect enough ideas to discuss it deeply. For this tute, I just want to unpack a UPXed file and, as a bonus, an FSG 1.33 packed one. I assume the reader has a little knowledge about PE, like the Entry Point (EP) and the Original Entry Point (OEP) of packed PE executables. BTW, I want to recommend that you read 'Peering Inside the PE: A Tour of the Win32 Portable Executable File Format' by Matt Pietrek, but other manuals/docs about PE are also recommended reading (and learning too :P).
Let's start the game
Don't waste time: open crackme.upx.exe (11,776 bytes), included with this tute. Unfortunately, Olly will ask you about the file because it is packed/compressed (the entry point in the PE header lies outside the code section, so Olly warns that the file may be self-extracting or self-modifying). At this time, just click Yes to continue our job. As we want, Olly stops at the EP of the packed exe. The EP is the address where execution starts right after the program is loaded; it comes from AddressOfEntryPoint in the PE optional header, which is an RVA that the loader adds to the image base. Is it clear?

To show it more clearly, you can check the EP with any PE editor; I used LordPE by y0da.

The Basics of Finding the OEP, Dumping, and rebIT.


After a PE .exe has been packed/compressed, the original code is not available until the decompression/decryption routine has run and handed program flow back to it. The problem of manually unpacking (MUP) an .exe protector (read: ASProtect, Armadillo, SafeDisc, SecuROM, etc.) is to find the OEP that came from the original .exe while also dealing with the anti-debugging, anti-tracing, encryption, etc. in the protection. We're lucky, because UPX does nothing at all to protect itself against unpacking.
At the EP (00408160, which is RVA 8160 plus the 400000 image base) you can just scroll down through the piece of decompression code to find the OEP, unless you want to reverse the decompression routine of UPX ;-). OK, I don't want to wait for you: just scroll down until you find the OEP. The UPX stub ends with one long JMP back into the first section (UPX0 with default UPX settings; it has no raw data in the file and has just been filled with the decompressed code). That JMP is the tail jump, and its target is the OEP. It's too easy to find the OEP for UPX, isn't it?
Maybe you have a question about how I knew where to set the breakpoint. The answer is 'practice makes perfect' and 'trial and error'.

004082AF  .-E9 0C90FFFF   JMP crackme_.004012C0     ; 4012C0 is the address of the OEP, we found it!

At this address, toggle a breakpoint (F2), because we don't want to trace through the decompression routine. Then press F9 or the 'Play' button.
As we want, Olly will break here. Just press F8 to step over the JMP; it lands on the OEP.
004012C0   55               PUSH EBP                    ; you will stop here, 12C0 is the OEP
004012C1   8BEC             MOV EBP,ESP
004012C3   6A FF            PUSH -1
004012C5   68 F8404000      PUSH crackme_.004040F8
004012CA   68 F41D4000      PUSH crackme_.00401DF4

This PUSH EBP / MOV EBP,ESP / PUSH -1 / PUSH / PUSH sequence is the standard start-up code of a Visual C++ compiled program (the CRT setting up its SEH frame). Recognizing a compiler prologue like this is how you confirm that you are at a real OEP and not still somewhere inside the unpacker.

Now we're at the OEP, and we just have to dump the program with OllyDump. You will find OllyDump in the 'Plugins' menu if you installed it correctly :P.
Just choose 'Dump debugged process', because we traced the routine manually, so the tracer that comes with OllyDump is useless now.

Just leave all the default settings, because OllyDump will dump the program automatically for you, including rebuilding the Import Table. That works here because UPX (and FSG) restore the original import table and fill in the IAT before jumping to the OEP, so the dump already holds the right addresses; a protector that redirects or emulates imports needs a proper import rebuilder instead.
But it's OK to learn how to rebuild the IAT manually ;-).
Why? Because you're one of the reversers in the world.
What are you waiting for??? Just press 'Dump', and I want to go to class sooner.
Heh, I forgot something: if you aren't satisfied with the size of the unpacked .exe, just rebuild it with any PE tool. The dump is taken from memory, so OllyDump writes each section with its raw size equal to its virtual size; a PE rebuilder (LordPE has one) trims the unused space.

Damn!!! I'm too sleepy to go to class. Good night, dude.


Yet Another Exercise for You.
Good morning all.
Just came back from class.
Included with this tute is another .exe, packed with FSG v1.33 by dulek.
You can analyze the decompression routine to find the OEP, or simply use OllyDump's tracing feature.
Just load keygenme.fsg.exe (4,288 bytes). Small enough, eh ;-).
Don't press anything yet: choose 'Find OEP by Section Hop (Trace Over)' or '(Trace Into)'. Both single-step the program from the EP and stop as soon as EIP lands in a different section from the one it was executing in; for a packer that is the moment the stub jumps into the freshly decompressed code, i.e. the OEP. The trick only works when the stub and the unpacked code live in different sections, which is the case for UPX and for this FSG target.
I think Trace Over is faster, but Trace Into is safer. Am I right? Trace Over steps over CALLs, so it is quicker, but if the section hop happens inside a called routine it runs right past it; Trace Into follows every call.

Just wait and see.

After the tracer finds the OEP, Olly will break, and this time you can dump it successfully using OllyDump.
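The three things this tute does by hand (read the EP from the PE header, find the JMP that hops from the packer's section into the unpacked code, and let OllyDump fix the headers of the dump) can be shown statically in a few dozen lines. The script below is an added example written for this page; it is not the tutorial's crackme and not OllyDump's code. It builds a constructed two-section image in memory with a UPX-like layout using the addresses from the listing above (EP 8160, tail JMP at 82AF to OEP 12C0, image base 400000); the section names UPX0/UPX1, their sizes and the zero-filled stand-in for the stub are assumptions of the example.

```python
"""Static look at the unpacking steps from the walk-through (added example):
read the packer's EP from the PE header, find the JMP that hops from the EP
section into another one (the OEP), and patch the headers like a dump does."""
import struct

IMAGE_BASE = 0x400000     # assumed; matches the 0040xxxx addresses in the listing
PE_HDR_OFF = 0x40         # e_lfanew: PE signature right after the DOS header
OPT_HDR_LEN = 0xE0        # PE32 optional header
SECTION_HDR_LEN = 40
HEADERS_RAW = 0x400       # file alignment: section raw data starts here


def build_sample_pe():
    """Constructed sample: empty UPX0, stub in UPX1, tail JMP at RVA 82AF -> 12C0."""
    # (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)
    sections = [
        (b"UPX0", 0x7000, 0x1000, 0, HEADERS_RAW),       # no file data, filled at run time
        (b"UPX1", 0x1000, 0x8000, 0x400, HEADERS_RAW),   # compressed data + decompressor
    ]
    hdr = bytearray(b"MZ" + bytes(PE_HDR_OFF - 2))
    struct.pack_into("<I", hdr, 0x3C, PE_HDR_OFF)
    # PE\0\0, Machine, NumberOfSections, stamp, symtab, nsyms, SizeOfOptionalHeader, Characteristics
    hdr += struct.pack("<4sHHIIIHH", b"PE\0\0", 0x14C, len(sections), 0, 0, 0, OPT_HDR_LEN, 0x10F)
    opt = bytearray(OPT_HDR_LEN)
    struct.pack_into("<H", opt, 0, 0x10B)       # PE32 magic
    struct.pack_into("<I", opt, 16, 0x8160)     # AddressOfEntryPoint: the packer's EP
    struct.pack_into("<I", opt, 28, IMAGE_BASE)
    hdr += opt
    for name, vsize, va, rsize, roff in sections:
        hdr += struct.pack("<8sIIIIIIHHI", name, vsize, va, rsize, roff, 0, 0, 0, 0, 0xE0000040)
    hdr += bytes(HEADERS_RAW - len(hdr))
    stub = bytearray(0x400)                     # zero-filled stand-in for the UPX stub
    rel = (0x12C0 - (0x82AF + 5)) & 0xFFFFFFFF  # E9 rel32 counts from the next instruction
    stub[0x2AF:0x2AF + 5] = b"\xE9" + struct.pack("<I", rel)   # bytes E9 0C 90 FF FF
    return bytes(hdr + stub)


def parse_pe(data):
    """Headers only: image base, entry RVA and the section table."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    opt = pe + 24
    sec_tbl = opt + struct.unpack_from("<H", data, pe + 20)[0]
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    sections = []
    for i in range(nsec):
        off = sec_tbl + i * SECTION_HDR_LEN
        name, vsize, va, rsize, roff = struct.unpack_from("<8sIIII", data, off)
        sections.append({"name": name.rstrip(b"\0").decode(), "vsize": vsize,
                         "va": va, "rsize": rsize, "roff": roff, "hdr_off": off})
    return {"image_base": image_base, "entry_rva": entry_rva, "sections": sections}


def section_for_rva(sections, rva):
    """Section whose virtual range holds rva, or None (headers / outside the image)."""
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rsize"]):
            return s
    return None


def find_tail_jumps(data, pe):
    """OEP candidates: E9 JMPs inside the EP section whose target is in another section.
    Static version of OllyDump's section-hop trace: the stub and the code it unpacks
    live in different sections, so the JMP crossing between them lands on the OEP."""
    ep_sec = section_for_rva(pe["sections"], pe["entry_rva"])
    hits = []
    for i in range(ep_sec["rsize"] - 4):
        if data[ep_sec["roff"] + i] != 0xE9:
            continue
        rel = struct.unpack_from("<i", data, ep_sec["roff"] + i + 1)[0]
        src = ep_sec["va"] + i
        tgt = (src + 5 + rel) & 0xFFFFFFFF
        tgt_sec = section_for_rva(pe["sections"], tgt)
        if tgt_sec is not None and tgt_sec is not ep_sec:
            hits.append((src, tgt, tgt_sec["name"]))
    return hits


def fix_dump_headers(image, pe, oep_rva):
    """Header patch a memory dump needs: EP := OEP, and because the bytes come from
    memory, each section's raw size/offset := its virtual size/address."""
    out = bytearray(image)
    pe_off = struct.unpack_from("<I", out, 0x3C)[0]
    struct.pack_into("<I", out, pe_off + 24 + 16, oep_rva)
    for s in pe["sections"]:
        struct.pack_into("<II", out, s["hdr_off"] + 16, s["vsize"], s["va"])
    return bytes(out)


if __name__ == "__main__":
    img = build_sample_pe()
    pe = parse_pe(img)
    base, ep = pe["image_base"], pe["entry_rva"]
    print(f"EP  {base + ep:08X} (RVA {ep:X}) in {section_for_rva(pe['sections'], ep)['name']}")
    for src, tgt, name in find_tail_jumps(img, pe):
        print(f"{base + src:08X}  JMP {base + tgt:08X}  -> {name}: OEP candidate")
    dumped = parse_pe(fix_dump_headers(img, pe, 0x12C0))
    print(f"dumped EP RVA {dumped['entry_rva']:X}, sections:",
          [(s["name"], hex(s["rsize"]), hex(s["roff"])) for s in dumped["sections"]])
```

Run it and it prints the EP in UPX1, the single JMP 004082AF -> 004012C0 into UPX0, and the rewritten section table with raw sizes equal to virtual sizes. On a real packed file the byte scan gives extra hits, because any 0xE9 byte inside compressed data looks like a JMP; that is why the tute confirms the OEP in the debugger (the compiler prologue at 4012C0) instead of trusting a static guess. The header fix-up is the same thing OllyDump does when it dumps from memory, which is also why the dump is larger than the original exe until a PE rebuilder trims it.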
Outro
OllyDbg has a lot of features to offer coders/reversers. Just do some experiments, or at least 'play around' with this damn good tool.
For example, you should inspect what Olly offers in the View menu, like Executable Modules, Windows, Memory, Handles, etc.
Your right mouse button will help you a lot ;-)
Greetings and respects: (not in specific order)
Oleh Yuschuk (OllyDbg), Gigapede (OllyDump), and y0da (rebIT.dll, LordPE, etc) - Thanx A Lot.
Ancient_One, Kwai_Lo, Bengaly, snaker (for teaching me UPX MUP), fuss, Detten, chainie, evileuA or clues
BiW-Reversing team, Bor0, X-Lock, and all reversers out there.
Real Life words:
"Reversing doesnt feed your stomach" - by a friend.
But reversing help you a lot in coding ;-)
I could be reached at r_etarded(at)yahoo(dot)com
6:58 p.m / 23 June 2003
biw.rult.at
