MUP With OllyDbg for Real Beginners
TARGET = Crackme #1 ;-) - coded for this tute (download target here)
DIFF = 1/10
TOOLS USED = OllyDbg 1.09b + OllyDump v2.01.108 plugin, LordPE (optional)
Requirement = PE Knowledge
AUTHOR = Zephyrous

Intro
This is my 2nd tutorial for BiW-Reversing, and it discusses MUP with OllyDbg + OllyDump. BTW, my 2nd tute should have been about the truth that lies behind a keygen, but I need more time to gather enough ideas to discuss it deeply. For this tute, I just want to unpack a UPXed file and, as a bonus, an FSG 1.33 packed one. I assume the reader has a little knowledge about PE, like the Entry Point (EP) and the Original Entry Point (OEP) in packed PE executables. BTW, I recommend that you read 'Peering Inside the PE: A Tour of the Win32 Portable Executable File Format' by Matt Pietrek, but other manuals/docs about PE are also recommended reading (and learning too :P).

Let's start the game
Don't waste time: open crackme.upx.exe (11,776 bytes), included with this tute. Unfortunately, Olly will ask you about the file because it is packed/compressed. At this point, just click Yes to continue our job. As we want, Olly will stop at the EP of the packed exe. The EP is the offset of the code that is executed right after the program is loaded. Is it clear? To show it more clearly, you can check the EP with any PE editor; I used LordPE by y0da.

The Basics of Finding the OEP, Dumping, and rebIT.
After a PE .exe has been packed/compressed, the original code is not available until the decompress/decrypt routine takes over the program flow. The problem with manual unpacking (MUP) of an .exe protector (read: Asprotect, Armadillo, SafeDisc, SecuROM, etc.) is to find where the OEP of the original .exe is while also dealing with the anti-debugging, anti-tracing, encryption, etc. in the protection. We're lucky because UPX has nothing to do with any protection against unpacking. At the EP (RVA: 00408160) you can just scroll down the piece of decompress code to find the OEP, unless you want to reverse the decompression routine of UPX ;-). OK, I don't want to wait for you, just scroll down until you find the OEP. It's too easy to find the OEP for UPX, isn't it? Maybe you have a question about how I can find where to set the breakpoint. The answer is 'Practice makes perfect' and 'trial and error'.

004082AF .-E9 0C90FFFF JMP crackme_.004012C0 ; 4012C0 is the offset of the OEP, we found it dudes.

At this offset, toggle a breakpoint because we don't want to trace the decompress routine. Then press F9 or the 'Play' button. As we want, Olly will break here. Just press F8 to continue execution to the OEP.

004012C0 55          PUSH EBP ; you will stop here, 12C0 is the OEP
004012C1 8BEC        MOV EBP,ESP
004012C3 6A FF       PUSH -1
004012C5 68 F8404000 PUSH crackme_.004040F8
004012CA 68 F41D4000 PUSH crackme_.00401DF4

Now we're at the OEP, and we just have to dump the program with OllyDump. You will find OllyDump in 'Plugins' if you installed it correctly :P. Just choose 'Dump debugged process' because we have traced the routine manually, so the tracer that comes with OllyDump is useless now. Just leave all the default settings because OllyDump will dump the program automatically for you, including the Import Table rebuilding. But it's OK to learn how to rebuild the IAT manually ;-). Why? Because you're one of the reversers in the world. What are you waiting for??? Just press 'Dump'; I want to go to class sooner. Heh, I forgot something: if you aren't satisfied with the size of the unpacked .exe, just rebuild it with any PE tools. Damn!!! I'm too sleepy to go to class. Gud Nite Dude.
Yet Another Exercise for You.

Outro
OllyDbg has a lot of features to offer to coders/reversers. Just do some experiments, or at least just 'play' around with this damn good tool. For example, you should inspect what Olly offers in the View menu, like Executable Modules, Windows, Memory, Handles, etc. Your right mouse button will help you a lot ;-)

Greetings and respects (not in any specific order): Oleh Yuschuk (OllyDbg), Gigapede (OllyDump), and y0da (rebIT.dll, LordPE, etc.) - Thanx A Lot. Ancient_One, Kwai_Lo, Bengaly, snaker (for teaching me UPX MUP), fuss, Detten, chainie, evileuA or cluesurf, BiW-Reversing team, Bor0, X-Lock, and all reversers out there.

Real Life words: "Reversing doesn't feed your stomach" - by a friend. But reversing helps you a lot in coding ;-)

I can be reached at r_etarded(at)yahoo(dot)com
6:58 p.m / 23 June 2003