Sup again people, and welcome back to the tutorial about unpacking server files, in this case MX files...
Like in my second thread, where I posted how to unpack mydll, now let's go to another lvl, and that is GS!! (version 1.1, latest)
Ok what we need:
1.- Ollydbg 1.10 (with all plugins updated)
2.- Imprec (to fix the IAT)
3.- A little experience (mm, not 100% necessary)
4.- HAVE A GOOD IMAGINATION (100% needed)
Lets start:
//Taking OEP\\
1.- Load GS 1.1 in Ollydbg
2.- Now let's press "Control+G" and write "CreateThread"
3.- Press Enter and we are on Kernel in the CreateThread API
4.- Now let's find our last OPCODE, because Armadillo checks the first ones and makes an infinite loop, so let's put a breakpoint with F2 on the FIRST "RET" (for me it is RET 14)
Trick: You can put a BP on the first OPCODE of CreateThread and then press Control+F9, and that will take you to the RET 14
5.- Now press F9 (to run the target)
6.- Voila, Ollydbg stops by itself (in this case on RET 14); remove the breakpoint with F2 again
7.- Now press F7 to get inside the RET
8.- You will see another part of a section, but calm down, we are fine; press CONTROL+F9 to search for the first RET.
9.- Once it finds it, press F7 to get inside this new RET again.
10.- Now let's find this: "CALL EDI"
11.- Once we find it, put a breakpoint there with F2 and run the target with F9
12.- Now Ollydbg stops again by itself (in this case on "CALL EDI"); now press F7 and...
13.- VOILA, WE ARE ON THE OEP (our section with no Armadillo protection).
How do we check that this OEP is the true one...?
Easy, let's do this:
//Checking OEP\\
1.- Open another instance of Ollydbg (don't close the other one)
2.- We open an unpacked GS 0.99b, or another unpacked one (not 0.97)
3.- Now let's watch in Olly at what part it starts... (check it)
4.- View the other Olly instance, the one with GS 1.1, and you will see that the OEP of GS 0.99b and GS 1.1 are the same, so you are right!!
What else??...
mmmmhhh, let's fix the PE header:
//Fixing PE Header\\
1.- Close the Ollydbg instance with GS 0.99b & open a new one
2.- Load GS 1.1 again (now we have 2 GS loaded)
3.- Press ALT+M on the new Olly instance and look for the PE Header section
4.- Right-click (secondary button) and press "Watch on DUMP"; right-click again in the dump window and select TEXT MODE
5.- Select the whole PE Header and press "Copy Binary"
6.- Let's go to the other Olly instance (the GS 1.1 with the OEP)
7.- Press ALT+M to watch the memory map, go to the PE Header, right-click > "Dump in window", then right-click again in the dumped window and select TEXT MODE
8.- Select the whole PE Header section and press "Binary Paste"
9.- Voila, now we've fixed the PE header (fuck armadillo, phew!!)
NOW CLOSE THE GS 1.1 (the one we copied the PE header from) AND LET'S DUMP THE ONE WITH OEP + PE HEADER FIXED...
Once you dump it, we need to do the last step...
//FIXING IAT\\ (needs Imprec)
1.- We check the OEP and we see the offset on the left side... Example:
100089> EB FE JMP 100092 (that is not real, just an example) (the first number, the red part, is the offset, but that is not the OEP we need to enter in Imprec)
2.- Go to Olly "PLUGINS" > OLLYDUMP > [GET EIP AS OEP] (check the option)
3.- Now somewhere in the OllyDump window... (left side of GET EIP AS OEP) there is a new value, which is the OEP that we need, next to the original one.
Let's explain this:
**IMAGE BASE - OFFSET = REAL OEP**
4.- Now copy the value that changed in the OllyDump window and open Imprec...
5.- In the Imprec window let's put the real OEP in the OEP field and press "FIND IAT"
6.- Yahooo, it finds an invalid IAT; now let's press OK on the message that appears and press GET IMPORTS
7.- Imprec finds invalid IAT entries, and now let's press "Show Invalid"
8.- Right-click in the Imprec window and press "Cut Thunks"; now all IAT entries say:
VALID = YES (yupi!!)
9.- Now press "FIX DUMP" and select our dumped GS 1.1 (the one we dumped with Olly or another dumper) and wait a moment; the process is slow because the file size grows a lot.
10.- Imprec says that the dump has finished and YOU DID IT MAN!!
YOU HAVE FIXED IAT + OEP + PE HEADER ON YOUR GS 1.1 (MX latest version). NOW YOU CAN OPEN IT IN OLLY FOR A DEEP SCAN, MAKE A MEMORY LOADER, VIEW THE UNPACKED CODE IN A HEX EDITOR AND A LOT MORE!!
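To make the offset/OEP relation from the FIXING IAT section (and the OEP check) concrete, here is an added Python example that is not from this post or from any MX/GS tool: it parses a PE header, converts an address as shown in Olly's left column to the RVA that ImpRec's OEP field expects (the address minus the image base, the two quantities in the formula above), and reports which section and file offset it lands in, so an OEP that falls outside every section stands out as suspicious. The PE bytes are constructed inline as sample data, not taken from a real GS file.

```python
import struct

def parse_pe(data):
    """Read image base, entry-point RVA and the section table from a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24                      # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    entry = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint (an RVA)
    if magic == 0x10B:                       # PE32: 32-bit ImageBase at +28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:                     # PE32+: 64-bit ImageBase at +24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%X" % magic)
    sections = []
    for i in range(nsections):
        off = opt + opt_size + 40 * i        # 40-byte IMAGE_SECTION_HEADER entries
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append((name, va, vsize, rawsize, rawptr))
    return image_base, entry, sections

def locate(va, data):
    """Map a virtual address from the debugger to (rva, section, file offset, is_entry_point)."""
    image_base, entry, sections = parse_pe(data)
    rva = va - image_base                    # the value ImpRec's OEP field expects
    if rva < 0:
        raise ValueError("address below image base")
    for name, sva, vsize, rawsize, rawptr in sections:
        if sva <= rva < sva + max(vsize, rawsize):
            return rva, name, rawptr + (rva - sva), rva == entry
    return rva, None, None, rva == entry     # not backed by any section: suspicious OEP

def build_sample_pe():
    """Constructed minimal PE32 header (sample data, not a real program)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<HBBIIIIIII", 0x10B, 0, 0, 0, 0, 0, 0x1060, 0x1000, 0x2000, 0x400000)
    opt += b"\0" * (0xE0 - len(opt))
    def sec(name, va, size, raw):
        return name.ljust(8, b"\0") + struct.pack("<IIII", size, va, size, raw) + b"\0" * 16
    return dos + coff + opt + sec(b".text", 0x1000, 0x1000, 0x400) + sec(b".data", 0x2000, 0x1000, 0x1400)
```

With the sample header, `locate(0x401060, build_sample_pe())` returns RVA 0x1060 in `.text` at file offset 0x460 and confirms it matches the header's entry point.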
Unpacker: FeN$x
All thx to: Exernon Team (I love my team)