This CrackMe is packed with the UPX 3.91 packer.

Objectives:

  • Unpack it and then patch the unpacked file, or,
  • Create a loader for it

Link: https://crackinglessons.com/crackme-11/

Application

It was a simple application that shows "Sorry Wrong Key" when a wrong serial key is entered.

00 - 0 app

Detect It Easy

DIE showed that the application was packed with UPX 3.91, which stops us from patching it because the user module is read-only.

00 - die

x32dbg

The logic was simple: the JE was not taken when the serial key was wrong.

01 - logic

But we could not patch it.

02 - cannot patch

Unpacking

To unpack it, we first restart the program and find where it executes PUSHAD or PUSH EBP. These instructions are characteristic of UPX packers.

03 - found pushad
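The two static hints the post relies on, the UPX section names DIE reports and the PUSHAD opcode at the packed entry point, can be checked without a debugger. The script below is an added example, not code from the post: it parses a PE32 image with the standard library only, maps AddressOfEntryPoint to its file offset, and flags the file when a UPXn section or a PUSHAD stub is present. The sample images it parses are constructed in-line (minimal headers plus one code section), not real binaries.

```python
import struct

# Offsets from the PE format: e_lfanew in the DOS header, 40-byte section headers,
# AddressOfEntryPoint at offset 16 of the optional header.
E_LFANEW, SECTION_HDR, EP_IN_OPT = 0x3C, 40, 16
PUSHAD = 0x60                       # opcode the post breaks on at the packed entry point
UPX_NAMES = {b"UPX0", b"UPX1", b"UPX2"}

def parse_pe(image: bytes) -> dict:
    """Return the section names, the entry-point RVA and the first opcode at the entry point."""
    pe = struct.unpack_from("<I", image, E_LFANEW)[0]
    if image[:2] != b"MZ" or image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", image, pe + 6)[0]
    opt_size = struct.unpack_from("<H", image, pe + 20)[0]
    opt = pe + 24
    ep_rva = struct.unpack_from("<I", image, opt + EP_IN_OPT)[0]
    names, ep_off = [], None
    for i in range(nsec):
        hdr = opt + opt_size + i * SECTION_HDR
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", image, hdr)
        names.append(name.rstrip(b"\0"))
        if va <= ep_rva < va + max(vsize, rawsize):      # section that maps the entry point
            ep_off = rawptr + (ep_rva - va)
    opcode = image[ep_off] if ep_off is not None and ep_off < len(image) else None
    return {"sections": names, "entry_rva": ep_rva, "entry_opcode": opcode}

def looks_upx_packed(info: dict) -> bool:
    """Static hints only: UPX section names, or a stub opening with PUSHAD (DIE uses richer signatures)."""
    return bool(UPX_NAMES & set(info["sections"])) or info["entry_opcode"] == PUSHAD

def build_sample_pe(section_names, ep_code: bytes) -> bytes:
    """Constructed minimal PE32 (not a real binary): headers plus one raw section holding ep_code at RVA 0x1010."""
    pe_off, opt_size, nsec = 0x40, 0xE0, len(section_names)
    raw_ptr = pe_off + 24 + opt_size + nsec * SECTION_HDR
    dos = b"MZ" + b"\0" * (E_LFANEW - 2) + struct.pack("<I", pe_off)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, 0x1010).ljust(opt_size, b"\0")
    hdrs = b""
    for i, name in enumerate(section_names):       # only the first section carries raw data
        raw = 0x100 if i == 0 else 0
        hdrs += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), 0x1000, 0x1000 * (i + 1),
                            raw, raw_ptr if raw else 0, 0, 0, 0, 0, 0x60000020)
    return dos + coff + opt + hdrs + (b"\0" * 0x10 + ep_code).ljust(0x100, b"\0")

if __name__ == "__main__":
    # Constructed stub bytes: PUSHAD; MOV ESI, imm32 (UPX-like) versus PUSH EBP; MOV EBP, ESP (plain prologue).
    packed = build_sample_pe([b"UPX0", b"UPX1", b".rsrc"], b"\x60\xbe\x00\x10\x40\x00")
    plain = build_sample_pe([b".text", b".data"], b"\x55\x8b\xec")
    for label, img in (("packed", packed), ("plain", plain)):
        info = parse_pe(img)
        print(label, info["sections"], hex(info["entry_rva"]), looks_upx_packed(info))
```

On a real sample, pass the file contents to `parse_pe` instead of the constructed image; a PUSHAD at the entry point is only a hint, since plain programs and other packers can start the same way.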

After finding it, step over to execute it, then set a hardware breakpoint on the EBP register so we can catch POPAD or POP EBP, the last part of the unpacking stub, where it jumps to the user code.

04 - EBP value

05 - follow in dump

06 - set breakpoint

After setting the breakpoint, run the program again and it stops at the POPAD instruction.

07 - pop ad

Then, after stepping over a few times and executing the JMP, we are at the Original Entry Point (OEP).

08 - jumped to original place

Now step over one more time to load the IAT instructions, then open Scylla.

09 - scylla

Select File → Dump Memory, find the memory address where the read-only executable is stored, and click Dump PE to dump it.

10 - dump

Then apply the steps below in order to fix the executable:

  1. IAT Autosearch
  2. Get Imports
  3. Fix Dump

11 - fix dump

And it is fixed.

12 - fixed

Patching

Now we can simply open it with x32dbg and patch it.

14 - patched

And we won.

15 - gg

