ARTeam Tutorial

Visit: http://cracking.accessroot.com | http://forum.accessroot.com

Unpacking NeoLite v1.0 - v1.01


Information:  Unpacking NeoLite v2.0
Target:       Smart Bomb PC Shutdown Demo v2.1
Available:    http://grinders.withernsea.com/tools/evidence_eliminator_v5.058.exe
Tools:        OllyDbg 1.10, LordPE, ImpREC
Protection:   Neolite v1.0 - v1.01
Level:        Beginner
Category:     Unpacking
Author:       Nilrem - 28th July 2004
Requirements: Windows XP, IE 5.5, (1024x768) and above for best viewing



0. Introduction

Wow, I've written more than one tutorial in a month! That hasn't happened in a while. Well here we have NeoLite v1.0 - v1.01, but is it easier than, or the same as, NeoLite v2.0? Nope, it's just as easy, but not as quick. 8-) There might be a quicker way, but I couldn't find any documentation, so that's why I am writing this tutorial. Before reading this tutorial I suggest you read my tutorial on unpacking version 2.0 of this particular protection:

Download: http://grinders.withernsea.com/tutorials/unpacking_neolite_v2.0.rar

You may also want to read an alternative method that Ferrari found, which you can read here:
http://www.intechhosting.com/~access/forums/index.php?showtopic=646
Read it before or after, or not at all (hehe), it really doesn't matter.

There are four sections to this tutorial, they are:
1. Unpacking Neolite v1.0 - v1.01
2. Dumping the target
3. Rebuilding our import table
4. Conclusion




1. Unpacking Neolite v1.0 - v1.01

   Ok, well where do we start? At the beginning of course. Sorry, I've always wanted to say that. 8-)
Ok, let us begin: load the target in Olly, then make sure your debugging options are set to the following:

Once that is done let us begin with our debugging procedure. We start out like this:

Ok, I've decided we'll try a couple of things, just to help make things a little clearer. As we can see we are going to jump to 004010A1, therefore that oh so interesting blue highlighted call is, well, going to be called. So let's put a BP on it. Hit F9, then F7 to enter the call, and you will be here:

Now what do we do? Well, let's try and find the next instance of PUSHAD. If you don't know how to do this then you must not have read my tutorial on unpacking NeoLite v2.0, naughty naughty! Go read it. 8-) Right, the next instance of PUSHAD is actually the next line down. Well that's interesting, so let's experiment a bit. Hit 'Ctrl+F2' to restart, and now let's search for the first instance of PUSHAD. Yes, you land here:

Now 'Follow in Dump' the ESP register, and set a HW BP (HardWare BreakPoint) on access, word, at that address. Hit F9, and you will find yourself here (yes, it should look very familiar to you):

So what have we discovered so far? Well, we now know that the second instance of PUSHAD is at 00401413, and the first instance is followed by a call that takes you there, so on a new target we can enter the call and set a breakpoint on this second instance of PUSHAD. Will it get us to the OEP? Well, let us find out. Execute this instance of PUSHAD by hitting F7, do another 'Follow in Dump' of the ESP register, and follow the same procedure as before. You will be here (if you have problems like I did getting to this point in the screenshot, then close the application, delete its corresponding .udd file and restart the application):

Execute this RETN with F7, and keep pressing F7 until you are in kernel32.dll; once there hit 'Alt+F9' and... VOILA! You are now at the OEP. If you don't believe me (but why shouldn't you? hehe) check out the thread on our forum that I mentioned at the beginning of the tutorial.






2. Dumping The Target

I should not need to tell you how to dump the target because you should have learnt that whilst reading the tutorial I told you to read, naughty naughty. 8-)




3. Rebuilding the IAT

In most cases (that I have come across) the unpacked targets of NeoLite packed programs do not need the IAT rebuilding; that is not the case with Evidence Eliminator. Launch ImpREC (Import Reconstructor; I really want to shake the hand of the author of this excellent utility). Select Evidence Eliminator from the drop-down list of active processes. Change the OEP: OEP - Image Base = the RVA that ImpREC wants, so 00408F94 - 00400000 = 8F94; enter that into the OEP box and click the 'IAT AutoSearch' button. Then click the 'Get Imports' button; as you can see there is nothing left to fix, as everything found is valid. Now click the 'Fix Dump' button and fix our dump. 8-)

Now something a little extra, not much, but most unpacking tutorials just don't explain how to do this, or even say that you can do it; I guess they expect it to be innate knowledge. Open up LordPE, click the 'Rebuild PE' button, and open dumped_.exe. There you go, it's been made just that bit smaller. What an excellent tool.
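As an added example (not from this tutorial, and not ImpREC's or LordPE's code), here is a small Python script that does the OEP arithmetic from section 3 (OEP VA minus image base gives the RVA you type into ImpREC) and then checks a dumped file the way you would eyeball it after 'Fix Dump': the entry point and the import directory must both land inside a real section. It handles PE32 only, builds its own header bytes as input so it runs offline (the section layout is invented and it is not the Evidence Eliminator binary), and uses ".mackt" only because that is the name ImpREC gives the section it appends.

```python
"""Added example, not part of the original tutorial: a minimal PE32 header reader
that does the OEP arithmetic from the text (OEP VA - Image Base = RVA) and then
checks a dumped file the way you would eyeball it after ImpREC's 'Fix Dump':
the entry point and the import directory must both land inside a real section.
The PE image below is constructed inline so the script runs offline; it is NOT
the Evidence Eliminator binary, and the section layout is invented."""
import struct

IMAGE_DIRECTORY_ENTRY_IMPORT = 1  # index of the import table in the data directory

# Constructed section layout: (name, VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData).
# ".mackt" is the name ImpREC gives the section it appends for the rebuilt import table.
SECTIONS = [
    (".text",  0x1000, 0x9000, 0x400,  0x9000),
    (".rdata", 0xA000, 0x1000, 0x9400, 0x1000),
    (".mackt", 0xB000, 0x1000, 0xA400, 0x1000),
]


def oep_rva(oep_va, image_base):
    """The value typed into ImpREC's OEP box: debugger VA minus image base."""
    if oep_va < image_base:
        raise ValueError("OEP VA 0x%X lies below image base 0x%X" % (oep_va, image_base))
    return oep_va - image_base


def parse_pe(data):
    """Read the fields of a PE32 file needed for the dump check."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                            # IMAGE_OPTIONAL_HEADER32
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint
    image_base = struct.unpack_from("<I", data, opt + 28)[0]  # ImageBase
    ndirs = struct.unpack_from("<I", data, opt + 92)[0]       # NumberOfRvaAndSizes
    dirs = [struct.unpack_from("<II", data, opt + 96 + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsections):
        name, vsize, va, rawsize, rawptr = struct.unpack_from(
            "<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), va, vsize, rawptr, rawsize))
    return {"opt": opt, "entry_rva": entry_rva, "image_base": image_base,
            "dirs": dirs, "sections": sections}


def section_for_rva(pe, rva):
    """Name of the section containing rva, or None if it points into no section."""
    for name, va, vsize, _, rawsize in pe["sections"]:
        if va <= rva < va + max(vsize, rawsize):
            return name
    return None


def check_dump(data):
    """Return a list of problems; an empty list means the header looks like a fixed dump."""
    pe = parse_pe(data)
    problems = []
    if section_for_rva(pe, pe["entry_rva"]) is None:
        problems.append("entry point RVA 0x%X is outside every section" % pe["entry_rva"])
    imp_rva, imp_size = pe["dirs"][IMAGE_DIRECTORY_ENTRY_IMPORT]
    if imp_rva == 0 or imp_size == 0:
        problems.append("import directory is empty (dump not fixed with ImpREC?)")
    elif section_for_rva(pe, imp_rva) is None:
        problems.append("import directory RVA 0x%X is outside every section" % imp_rva)
    return problems


def set_entry_point(data, new_rva):
    """Write new_rva into AddressOfEntryPoint, the field that must hold the real OEP."""
    buf = bytearray(data)
    struct.pack_into("<I", buf, parse_pe(data)["opt"] + 16, new_rva)
    return bytes(buf)


def build_sample_pe(entry_rva, import_rva, import_size):
    """Constructed PE32 header (headers only, no code) used as offline test input."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))               # e_lfanew
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                     # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)
    struct.pack_into("<I", opt, 28, 0x400000)                 # image base used in the text
    struct.pack_into("<I", opt, 92, 16)                       # 16 data directories
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT, import_rva, import_size)
    coff = struct.pack("<HHIIIHH", 0x14C, len(SECTIONS), 0, 0, 0, len(opt), 0x102)
    hdrs = b"".join(struct.pack("<8sIIIIIIHHI", n.encode().ljust(8, b"\0"), vs, va, rs, rp,
                                0, 0, 0, 0, 0x60000020) for n, va, vs, rp, rs in SECTIONS)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs


if __name__ == "__main__":
    raw = build_sample_pe(0x1000, 0, 0)   # fresh dump: still the packer's EP, no imports
    fixed = set_entry_point(build_sample_pe(0x1000, 0xB000, 0x1000), oep_rva(0x408F94, 0x400000))
    print("raw dump:  ", check_dump(raw))
    print("fixed dump:", check_dump(fixed), "entry in", section_for_rva(parse_pe(fixed), 0x8F94))
```

Point it at a real dump by replacing the constructed header with `open("dumped_.exe", "rb").read()`; a fresh dump reports an empty import directory, and a correctly fixed one reports nothing, with the OEP RVA resolving into the code section.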




4. Conclusion

Lesson Learnt

Hopefully you have learnt that if you can't find any documentation on something, then try it yourself and experiment; remember "I hear and I forget, I see and I remember, I do and I understand.". I know I said (in the conclusion of my last tutorial) that I would write a tutorial on inline patching NeoLite, but it really isn't necessary: if you can inline patch UPX or ASPack then you can inline patch NeoLite.



8. Greetingz

[MAIN TEAM]
| Nilrem | Enforcer | Ferrari | Pompeyfan(ex-member) | MaDMAn_H3rCuL3s | EJ12N | Kruger |
Shub-Nigurrath | Jdog45 | Teerayoot |

[TRIAL MEMBERS]
| R@Dier |

*****************************

Exetools | Woodmann | ANDR | VCT | JMI | Britedream | Hacnho | cl0ud (Mephisto) | Zest | No Limits | Evil Spirit | Everyone over at our forums, you make it what it is | Everyone we missed & you | and to Kyrstie for putting up with me!
Thanks to the authors of NeoLite, Ollydbg, LordPE, Imprec, and Evidence Eliminator

[Nilrem]

"I hear and I forget, I see and I remember, I do and I understand."