Theme: manual unpacking
Packer: SPLayer v0.08 by Jibz
Author: SMoKE
Tools: OllyDbg, ImpRec, OllyDump (or some other dumper)
URL: http://www.peid.tk
Target: PEiD v0.93 (build 01.30.2005) (PEiD.exe)

Today we are going to unpack a packer that I had never seen before. It looks like some private packer. Load peid.exe in your Olly...

00425FDA LEA EAX,DWORD PTR DS:[EAX]
00425FDD MOV ECX,PEID.00425FCC
00425FE2 PUSH 0E
00425FE4 POP EAX
00425FE5 ROR BYTE PTR DS:[ECX+EAX],4
00425FE9 DEC EAX
00425FEA JNZ SHORT PEID.00425FE5
00425FEC ADC SI,AX
00425FEF XCHG EAX,ECX
00425FF0 CMP EBX,ECX
00425FF2 CMP EDX,6CFBD0B0
00425FF8 JMP SHORT PEID.00425FCC

Trace over the jump. If you get code like this:

00425FCC MOV ECX,24FCC
00425FD1 SUB EAX,ECX
00425FD3 XOR BYTE PTR DS:[EAX+ECX],CL
00425FD6 DB E2
00425FD7 DB FB
00425FD8 DB 50 ; CHAR 'P'
00425FD9 DD PEID.0040D8C3
00425FDD MOV ECX,PEID.00425FCC

then do the following: right click --> Analysis --> Remove analysis from module. Now you should see this:

00425FCC MOV ECX,24FCC
00425FD1 SUB EAX,ECX
00425FD3 XOR BYTE PTR DS:[EAX+ECX],CL
00425FD6 LOOPD SHORT PEID.00425FD3
00425FD8 PUSH EAX
00425FD9 RETN

Continue tracing. You can bypass the LOOPD instruction by typing G EIP+2 in the Command Line while you are standing on it (LOOPD is a two-byte instruction, so EIP+2 is the instruction right after it). After the RETN you will see:

00401000 MOV EAX,PEID.004797E8
00401005 PUSH EAX
00401006 PUSH DWORD PTR FS:[0]
0040100D MOV DWORD PTR FS:[0],ESP
00401014 XOR EAX,EAX
00401016 MOV DWORD PTR DS:[EAX],ECX

So the loader installs a new exception handler at address 4797E8 and then tries to write to address 00000000. The access violation will occur and execution will continue from 4797E8. How do we catch that?
You can simply put a breakpoint on 4797E8. When you get the exception, press SHIFT+F9 (pass the exception to the program) and you will land on 4797E8. Then, by tracing and bypassing the LOOPD instructions with G EIP+2, you will go through the whole decryption routine and finally reach this part:

00479584 MOV EAX,FFBA8468
00479589 LEA ECX,DWORD PTR DS:[EAX+8D113F]
0047958F MOV DWORD PTR DS:[ECX+1],EAX
00479592 MOV EDX,DWORD PTR SS:[ESP+4]

But if you don't want to go through the whole decryption routine, just press SHIFT+F8 once the exception has been raised and the program is paused. You are here:

004795A7 MOV EAX,FFBA8468
004795AC POP DWORD PTR FS:[0]
004795B3 ADD ESP,4
004795B6 PUSH EBP
004795B7 PUSH EBX

Trace over all the calls (or just scroll down; the calls are the unpacking and import-table patching routines) and finally reach here:

00479647 MOV EAX,ESI
00479649 POP EDX
0047964A POP ESI
0047964B POP EDI
0047964C POP ECX
0047964D POP EBX
0047964E POP EBP
0047964F JMP EAX

The last jump is the jump to the original entry point. Now you are standing on the OEP:

00455F1E PUSH 60
00455F20 PUSH PEID.0042F508
00455F25 CALL PEID.004577DC
00455F2A MOV EDI,94
00455F2F MOV EAX,EDI

Dump the process without import rebuilding and close Olly. Run peid.exe and fire up ImpRec, choose that process from the list, and in the OEP edit box type the OEP RVA you just got: 55F1E. Press IAT AutoSearch --> Get Imports. As you can see, all the imports are valid, so press Fix Dump and choose your dumped executable. Cross your fingers and run the dumped file... it works! Check it with PEiD... Microsoft Visual C++ 7.0 :)))

23:02 14.04.05
freenet.am/~softland
smoke@freenet.am
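As an added example (not part of the original tutorial), here is a Python model of the two self-decrypting loops traced at the start, the ROR-by-4 loop at 425FE5 and the XOR/LOOPD loop at 425FCC, so an analyst can reproduce the first layer on a dump instead of single-stepping it. The addresses and loop counts are taken from the listings; the image contents are constructed, not bytes from PEiD.exe.

```python
IMAGE_BASE = 0x400000
STUB = 0x425FCC       # MOV ECX,24FCC / SUB EAX,ECX / XOR [EAX+ECX],CL / LOOPD / PUSH EAX / RETN
XOR_COUNT = 0x24FCC   # ECX when the LOOPD loop starts
ROR_COUNT = 0x0E      # EAX when the ROR loop starts


def ror8(value, n):
    """Rotate an 8-bit value right by n bits (ROR BYTE ...,n)."""
    return ((value >> n) | (value << (8 - n))) & 0xFF


def run_ror_loop(mem, ecx=STUB, eax=ROR_COUNT):
    """00425FE5: ROR BYTE [ECX+EAX],4 / DEC EAX / JNZ.
    Nibble-swaps bytes ECX+1 .. ECX+EAX; the byte at ECX is not touched."""
    mem = bytearray(mem)
    while eax != 0:
        off = ecx + eax - IMAGE_BASE
        mem[off] = ror8(mem[off], 4)
        eax -= 1
    return mem


def run_xor_loop(mem, eax=STUB, ecx=XOR_COUNT):
    """00425FCC: SUB EAX,ECX, then XOR BYTE [EAX+ECX],CL / LOOPD.
    Each byte is XORed with the low byte of the down-counter, i.e. with
    (address - 0x401000) & 0xFF; ECX stops at 1, so 0x401000 itself is
    never modified. Returns (memory, EAX); EAX is the PUSH EAX / RETN target."""
    mem = bytearray(mem)
    eax -= ecx
    while ecx != 0:
        mem[eax + ecx - IMAGE_BASE] ^= ecx & 0xFF
        ecx -= 1
    return mem, eax


def constructed_packed_image():
    """Constructed 0x26000-byte image at base 0x400000 with known plaintext at
    0x401000, run through the XOR layer once (XOR with the same counter is
    its own inverse, so the stub's loop will undo it)."""
    mem = bytearray(0x26000)
    plain = b"PEiD manual unpacking demo " * 32
    mem[0x1000:0x1000 + len(plain)] = plain
    packed, _ = run_xor_loop(mem)
    return packed, plain


def unpack_layer(packed):
    """Run the loops in the order the stub executes them: ROR first, then XOR."""
    mem = run_ror_loop(packed)
    return run_xor_loop(mem)
```

The returned EAX of 0x401000 is exactly where the tutorial lands after the RETN, and the decoded bytes there are what the SEH-setup code at 00401000 looks like once the layer is off.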