Theme: manual unpacking
Packer: GHF PROTECTOR by GPcH
Author: SMoKE
Tools: OllyDbg, OllyDump, LordPE (PE Tools), UltraEdit (or any other hex editor), ImpRec
URL: http://www.dotfix.net
Target: custom executable...

Hi, some days ago I downloaded this protector and tried it... The About box said that it is based on Morphine v2.6 and AHPack v0.1. I'm not gonna explain step by step how to unpack this, or do any research on its algorithm and protection methods (you know I am too lazy :P); in general I'll just explain how to unpack it quickly :)

Files protected with this work only on NT-based systems, such as 2k, XP, NT, 2003. Don't try on 9x/ME!

I took one of my own programs, written in Delphi, and protected it. I chose PACK AND PROTECT and left ImageSize on auto (just 0)... It deleted all my resources and left just one icon, the protector's icon; f%#*ed up all sections, redirected the TLS table and made its own import table... Seems we'll have a lotta work to do :/

Load it into your Olly (I love this...) :)

A few words about how this protector works. If I remember right it allocates memory twice: first it decrypts part of the code into the allocated memory, then it allocates a second block starting from the *original image base* of the file. We are gonna catch and dump the first part written to the allocated memory, and you will see what that is! No need to trace until the original entry point... the cryptor will give it to us :)

Press CTRL+N --> breakpoint on LoadLibraryA, F9... we broke; trace until user code:

    005711DE 6A 00            PUSH 0
    005711E0 68 2E646C6C      PUSH 6C6C642E
    005711E5 68 656C3332      PUSH 32336C65
    005711EA 68 6B65726E      PUSH 6E72656B
    005711EF 54               PUSH ESP
    005711F0 8B45 10          MOV EAX, DWORD PTR SS:[EBP+10]
    005711F3 FF10             CALL DWORD PTR DS:[EAX]                  ; LoadLibraryA
    005711F5 83C4 10          ADD ESP, 10

Do you see how it pushes the DLL and function names onto the stack? Yes...
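To make the trick above concrete, here is an added example (not part of the original tutorial) that takes an OllyDbg-style listing and reassembles the string built by a run of PUSH imm32 instructions. The listing embedded below is the one from the write-up; the parser, the line format it assumes (address, opcode bytes, mnemonic, operands, optional ; comment) and the run-splitting rule are my own. It handles the general case of several such runs in one listing, each terminated by the PUSH 0 that the loader pushes first.

```python
"""Recover strings that a loader builds on the stack with PUSH imm32 sequences.
Added example; not code from the GHF PROTECTOR write-up."""
import re
import struct

# Listing copied from the tutorial (constructed input for this example).
LISTING = """\
005711DE 6A 00            PUSH 0
005711E0 68 2E646C6C      PUSH 6C6C642E
005711E5 68 656C3332      PUSH 32336C65
005711EA 68 6B65726E      PUSH 6E72656B
005711EF 54               PUSH ESP
005711F0 8B45 10          MOV EAX, DWORD PTR SS:[EBP+10]
005711F3 FF10             CALL DWORD PTR DS:[EAX]                  ; LoadLibraryA
005711F5 83C4 10          ADD ESP, 10
"""

HEX = re.compile(r"[0-9A-Fa-f]+")


def push_immediate(line):
    """Return the immediate of a 'PUSH <hex>' line, or None for anything else.

    Assumes OllyDbg's layout: address, opcode bytes, mnemonic, operands; the
    ';' comment column is ignored. 'PUSH ESP' or 'PUSH dump.00468054' give None."""
    toks = line.split(";")[0].split()
    if "PUSH" not in toks:
        return None
    i = toks.index("PUSH")
    if i + 1 >= len(toks) or not HEX.fullmatch(toks[i + 1]):
        return None
    return int(toks[i + 1], 16)


def stack_strings(listing):
    """Rebuild every string assembled by a run of consecutive PUSH imm32 lines.

    The stack grows down, so the dword pushed last sits at the lowest address
    and the string reads from the last push back to the first. A run only
    counts as a string when it starts with PUSH 0 (the NUL terminator, pushed
    first so it ends up at the highest address)."""
    strings = []
    run = []

    def flush():
        if len(run) > 1 and run[0] == 0:
            raw = b"".join(struct.pack("<I", v) for v in reversed(run[1:]))
            strings.append(raw.rstrip(b"\0").decode("ascii", "replace"))
        run.clear()

    for line in listing.splitlines():
        imm = push_immediate(line)
        if imm is None:
            flush()           # any non-immediate instruction ends the run
        else:
            run.append(imm)
    flush()
    return strings


if __name__ == "__main__":
    print(stack_strings(LISTING))   # ['kernel32.dll']
```

Run it on a longer trace (for example the part of the loader that pushes the API names) and each NUL-terminated run comes back as one string, which is a quick way to list which imports a stub like this resolves without stepping through every push.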
Very interesting method, I liked it :) Now just make a full dump of this process using LordPE (PE Tools); we will get back to this later... Then it gets some API names and...

    005712B3 51               PUSH ECX
    005712B4 6A 40            PUSH 40
    005712B6 68 00300000      PUSH 3000
    005712BB 51               PUSH ECX
    005712BC 50               PUSH EAX
    005712BD FFD3             CALL EBX                                 ; kernel32.VirtualAlloc

Interesting part: EAX is 400000h before the call, that's our original image base, but we don't need to know that :P

Load the dumped file into your hex editor and scroll down until you find the MZ and PE headers... here is mine...

    00001870h: 01 7C 98 B6 D4 EA FB 13 2F B3 8C A5 47 9B 3B 39 ; .|y¦L?v./¦iNG?;9
    00001880h: 3F 3A 24 08 5C E3 F2 1B D0 CC 1E CD BD B4 0B 2A ; ?:$.\??.¦¦.=-+.*
    00001890h: F3 E0 96 C1 9F 40 77 3D FD E8 74 B6 A1 67 78 A6 ; ??u+?@w=??t¦igx?
    000018a0h: FD 70 E8 FC 43 01 DB 97 AF 03 FE 3D E9 E5 59 D5 ; ?p??C.-u».¦=??Y-
    000018b0h: 0D E7 3A 86 71 D9 F3 C5 65 AF 46 C9 51 33 7A B9 ; .?:aq-?+e»FãQ3z¦
    000018c0h: 0C 84 B8 8E 4F 64 05 99 92 5B DD 05 C3 49 92 D9 ; .a¬AOd.O?[¦.+I?-
    000018d0h: 96 E7 9B 5D 6D 4A AF BF 17 59 59 31 DB 0F 84 01 ; u??]mJ»¬.YY1-.a.
    000018e0h: F8 FF FF 90 2F F8 65 4B 4D 5A 50 00 02 00 00 00 ; °  E/°eKMZP.....
    000018f0h: 04 00 0F 00 FF FF 00 00 B8 00 00 00 00 00 00 00 ; ....  ..¬.......
    00001900h: 40 00 1A 00 00 00 00 00 00 00 00 00 00 00 00 00 ; @...............
    00001910h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
    00001920h: 00 00 00 00 80 00 00 00 BA 10 00 0E 1F B4 09 CD ; ....C...¦....+.=
    00001930h: 21 B8 01 4C CD 21 90 90 54 68 69 73 20 70 72 6F ; !¬.L=!EEThis pro
    00001940h: 67 72 61 6D 20 6D 75 73 74 20 62 65 20 72 75 6E ; gram must be run
    00001950h: 20 75 6E 64 65 72 20 57 69 6E 33 32 0D 0A 24 37 ; under Win32..$7
    00001960h: 00 00 00 00 00 00 00 00 50 45 00 00 4C 01 09 00 ; ........PE..L...
    00001970h: 19 5E 42 2A 00 00 00 00 00 00 00 00 E0 00 8E 81 ; .^B*........?.Au
    00001980h: 0B 01 02 19 00 14 05 00 00 1A 01 00 00 00 00 00 ; ................
    00001990h: FF 80 06 00 00 10 00 00 00 30 05 00 00 00 40 00 ;  C.......0....@.
    000019a0h: 00 10 00 00 00 02 00 00 01 00 00 00 00 00 00 00 ; ................
    000019b0h: 04 00 00 00 00 00 00 00 00 84 06 00 00 04 00 00 ; .........a......
    000019c0h: 00 00 00 00 02 00 00 00 00 00 10 00 00 40 00 00 ; .............@..
    000019d0h: 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 ; ................
    000019e0h: 00 00 00 00 00 00 00 00 00 80 06 00 B1 00 00 00 ; .........C..-...
    000019f0h: 00 00 06 00 00 7C 00 00 00 00 00 00 00 00 00 00 ; .....|..........
    00001a00h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
    00001a10h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
    00001a20h: 00 00 00 00 00 00 00 00 00 90 05 00 18 00 00 00 ; .........E......
    00001a30h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
    00001a40h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
    00001a50h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
    00001a60h: 43 4F 44 45 00 00 00 00 60 12 05 00 00 10 00 00 ; CODE....`.......
    00001a70h: 00 84 02 00 00 04 00 00 00 00 00 00 00 00 00 00 ; .a..............
    00001a80h: 00 00 00 00 E0 00 00 E0 44 41 54 41 00 00 00 00 ; ....?..?DATA....
    00001a90h: E0 1A 00 00 00 30 05 00 00 1C 00 00 00 88 02 00 ; ?....0.......e..
    00001aa0h: 00 00 00 00 00 00 00 00 00 00 00 00 E0 00 00 E0 ; ............?..?
    00001ab0h: 42 53 53 00 00 00 00 00 99 08 00 00 00 50 05 00 ; BSS.....O....P..
    00001ac0h: 00 00 00 00 00 A4 02 00 00 00 00 00 00 00 00 00 ; .....n..........
    00001ad0h: 00 00 00 00 E0 00 00 E0 2E 69 64 61 74 61 00 00 ; ....?..?.idata..

Now just wipe everything above the MZ signature and save it as a new file. Do you see that it already has the right image base? :) Run that file... it works!!! But it is still crypted... load it into Olly...
    004680FF 60               PUSHAD
    00468100 68 54804600      PUSH dump.00468054                       ; ASCII "KERNEL32.DLL"
    00468105 B8 48804600      MOV EAX, <&KERNEL32.GetModuleHandleA>
    0046810A FF10             CALL DWORD PTR DS:[EAX]
    0046810C 68 B3804600      PUSH 666.004680B3                        ; ASCII "GlobalAlloc"
    00468111 50               PUSH EAX
    00468112 B8 44804600      MOV EAX, <&KERNEL32.GetProcAddress>
    00468117 FF10             CALL DWORD PTR DS:[EAX]

First comes the section decryption into allocated memory... We are gonna catch the import table patching so that we keep the original, untouched import table :))) Put a breakpoint on LoadLibraryA and press F9... it broke; trace till user code...

    00468200 53               PUSH EBX
    00468201 B8 4C804600      MOV EAX, <&KERNEL32.LoadLibraryA>
    00468206 FF10             CALL DWORD PTR DS:[EAX]
    00468208 8905 CE804600    MOV DWORD PTR DS:[4680CE], EAX           ; oleaut32.#392

Trace a little, or just put a break on GetProcAddress, and you will land here:

    00468252 FF35 CE804600    PUSH DWORD PTR DS:[4680CE]               ; ADVAPI32.77DD0000
    00468258 B8 44804600      MOV EAX, <&KERNEL32.GetProcAddress>
    0046825D FF10             CALL DWORD PTR DS:[EAX]
    0046825F 8907             MOV DWORD PTR DS:[EDI], EAX

The last line of the listing is the place where the loader patches the API addresses, and we don't need that, so just NOP it:

    00468258 B8 44804600      MOV EAX, <&KERNEL32.GetProcAddress>
    0046825D FF10             CALL DWORD PTR DS:[EAX]
    0046825F 90               NOP
    00468260 90               NOP

After that comes our jump to the original entry point:

    00468299 61               POPAD
    0046829A BA C4214500      MOV EDX, 666.004521C4
    0046829F FFE2             JMP EDX
    004682A1 90               NOP
    004682A2 C3               RETN

Trace till the OEP and make a dump with OllyDump (of course without import table rebuilding)... (I will call this new dumped file the *FINAL* dump.) Here is my OEP:

    004521C4 55               PUSH EBP
    004521C5 8BEC             MOV EBP, ESP
    004521C7 83C4 F4          ADD ESP, -0C

Now we have an executable with the correct image base and entry point, and even the TLS is good. All we need to do is fix the import table address...
But first remove the last section and save a few bytes :)

Now open up ImpRec and run the dumped file you made with LordPE (PE Tools) (NOTE: not the one made with OllyDump, not the *FINAL* dump!!!). Choose it in ImpRec, type 000521C4 as OEP and press IAT AutoSearch... now look at your LOG:

    Getting associated modules done.
    Image Base:00400000 Size:00068400
    Original IAT RVA found at: 00056228 in Section RVA: 00056000 Size:00001FB2

That's it... close ImpRec and fix the IAT RVA and SIZE of the *FINAL* dump. Run it... VOILA!!!

18:43 11.05.2005
armfn.net/~softland
smoke@armfn.net
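Two of the hand steps above, wiping everything above the MZ signature in the LordPE dump and then writing the RVA/size that ImpRec reported into the header of the final dump, are easy to script and easy to get subtly wrong (a stray "MZ" in the dump, or patching the wrong header field). The following is an added example, not code from the tutorial or from the tools it uses: a small PE32 header parser that carves the embedded image out of a raw dump by validating e_lfanew against the PE signature, reads the fields the write-up relies on (image base, entry point, SizeOfImage, data directories), and rewrites one data directory entry. The sample dump is constructed inline; the header values in it (image base 400000h, entry 680FFh, SizeOfImage 68400h, import directory 68000h/B1h) are the ones visible in the hex dump above, and the patch writes the 56228h/1FB2h pair from the ImpRec log. Which directory index the author means by "IAT RVA and SIZE" is not spelled out, so the patch function takes the index as a parameter.

```python
"""Carve an embedded PE image out of a raw process dump and patch a data
directory entry in its optional header. Added example; not part of the
original GHF PROTECTOR write-up. PE32 (32-bit) images only."""
import struct

# Data directory indices from the PE format.
IMAGE_DIRECTORY_ENTRY_IMPORT = 1
IMAGE_DIRECTORY_ENTRY_IAT = 12


def find_pe_header(buf):
    """Offset of the first 'MZ' whose e_lfanew really points at 'PE\\0\\0', or -1.

    A bare 'MZ' search is not enough: two arbitrary bytes in a dump can spell
    MZ, so a candidate is accepted only when its e_lfanew lands on a PE signature."""
    pos = buf.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(buf):
            e_lfanew = struct.unpack_from("<I", buf, pos + 0x3C)[0]
            nt = pos + e_lfanew
            if 0x40 <= e_lfanew < 0x1000 and buf[nt:nt + 4] == b"PE\0\0":
                return pos
        pos = buf.find(b"MZ", pos + 1)
    return -1


def carve_pe(buf):
    """Drop everything above the MZ signature (the hex-editor step of the tutorial)."""
    off = find_pe_header(buf)
    if off < 0:
        raise ValueError("no embedded PE header found")
    return buf[off:]


def parse_headers(pe):
    """Read the PE32 header fields the unpacking steps rely on."""
    nt = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsec = struct.unpack_from("<H", pe, nt + 6)[0]      # NumberOfSections in the COFF header
    opt = nt + 24                                        # optional header follows the 20-byte COFF header
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        raise ValueError("not a PE32 image")
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]
    image_base = struct.unpack_from("<I", pe, opt + 28)[0]
    size_of_image = struct.unpack_from("<I", pe, opt + 56)[0]
    ndirs = struct.unpack_from("<I", pe, opt + 92)[0]
    dd_off = opt + 96                                    # PE32: data directories start at +96
    dirs = [struct.unpack_from("<II", pe, dd_off + 8 * i) for i in range(ndirs)]
    return {"image_base": image_base, "entry_rva": entry_rva,
            "size_of_image": size_of_image, "sections": nsec,
            "dirs": dirs, "dir_table_off": dd_off}


def patch_data_directory(pe, index, rva, size):
    """Return a copy of pe with data directory `index` set to (rva, size)."""
    info = parse_headers(pe)
    if index >= len(info["dirs"]):
        raise ValueError("directory index out of range")
    out = bytearray(pe)
    struct.pack_into("<II", out, info["dir_table_off"] + 8 * index, rva, size)
    return bytes(out)


def build_sample_dump():
    """Constructed input: a decoy 'MZ' followed by a minimal PE32 header.
    Header values are taken from the tutorial's hex dump; the decoy bytes,
    the missing section table and the absent body are simplifications."""
    decoy = b"MZ" + b"\xff" * 62                  # its e_lfanew reads 0xFFFFFFFF -> rejected
    dos = bytearray(0x40)
    dos[0:3] = b"MZP"                             # Delphi-style DOS header, as in the dump
    struct.pack_into("<I", dos, 0x3C, 0x80)       # e_lfanew
    stub = bytes(0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 0xE0, 0x818E)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 16, 0x680FF)      # AddressOfEntryPoint (protector's stub)
    struct.pack_into("<I", opt, 28, 0x400000)     # ImageBase
    struct.pack_into("<I", opt, 56, 0x68400)      # SizeOfImage
    struct.pack_into("<I", opt, 92, 16)           # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT, 0x68000, 0xB1)
    return decoy + bytes(dos) + stub + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    dump = build_sample_dump()
    pe = carve_pe(dump)
    info = parse_headers(pe)
    print("MZ at 0x%X, image base 0x%X, EP RVA 0x%X, SizeOfImage 0x%X"
          % (find_pe_header(dump), info["image_base"], info["entry_rva"], info["size_of_image"]))
    fixed = patch_data_directory(pe, IMAGE_DIRECTORY_ENTRY_IMPORT, 0x56228, 0x1FB2)
    print("import directory now:", tuple(hex(v) for v in parse_headers(fixed)["dirs"][IMAGE_DIRECTORY_ENTRY_IMPORT]))
```

On a real LordPE dump, `carve_pe(open(path, "rb").read())` gives the same bytes the tutorial saves from the hex editor, and `parse_headers` lets you confirm the image base and entry point before running anything; the decoy at the start of the sample is there to show why the e_lfanew check matters when scanning raw memory.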