Crunch 5.0 Manual Unpacking


Unpackme Series


Required Tools

  • Ollydbg 1.10
    • OllyDump (plugin)
  • ImpRec (Import Reconstructor)
  • DiE (Detect it Easy)

Procedure

First of all, let's check our file with DiE:

Protector = Crunch 5.0

Let's open it in Olly.

You will see EIP at a JMP instruction.

Press Alt+O to open the debugging options and check all of the "Ignore exceptions" boxes shown.

In the main debugger window press F8 twice and you will reach this CALL instruction.

See how the value of ESP changed!

Select the value of ESP, right click and select “Follow in Dump”.

In the dump, select the first four bytes at the address of ESP, right click and select Breakpoint > Hardware, on access > Dword.

Now press F9 once and you will break here: this is our OEP (original entry point). The hardware breakpoint fires when the unpacking stub reads those saved bytes back off the stack just before jumping to the original code.

To see the instructions clearly, click inside the CPU window and press Ctrl+A; the code will be analyzed and become more readable.

Now right click and select “Dump debugged process”; make sure you have the OllyDump plugin installed and working.

This window will pop up. Uncheck the “Rebuild Import” option and take note of the OEP value “271B0”; it will be used later.

Name your dumped file (I named it “dump.exe”) and save it.

Do not close your debugger yet.

We now have a file named dump.exe.

Let's repair its Import Table.

To do that, open ImpRec (Import REConstructor) and select your process from the drop-down.

Remember the OEP we noted earlier:

  1. Write your OEP in the OEP field (marked 1).
  2. Press the IAT AutoSearch button; the program will automatically detect the RVA and Size values.
  3. Press the Get Imports button.
  4. Press the Fix Dump button.

After pressing Fix Dump, a window will pop up; choose the dump file that was created earlier and press Open.

We will get a fixed file named “dump_”.

With that our work is done.

You can check whether the file was successfully unpacked by opening it once again in DiE; as shown, it looks like we were successful.
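As an added check that is not part of the original post, here is a small Python script that parses the PE header of the fixed dump and confirms that its entry point equals the OEP we noted (RVA 271B0) and that ImpRec actually wrote an import directory. The built-in sample header, its image base of 0x400000 and the import directory values are constructed for demonstration; PE32 (32-bit) images only.

```python
import struct
import sys

IMAGE_DIRECTORY_ENTRY_IMPORT = 1  # index of the import table in the data directories

def pe_unpack_check(data: bytes, expected_oep_rva: int) -> dict:
    """Parse PE32 headers of a dump and report whether AddressOfEntryPoint equals the
    OEP noted in OllyDump and whether an import directory is present (ImpRec writes one)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt = e_lfanew + 4 + 20                  # optional header follows the 20-byte COFF header
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint
    image_base = struct.unpack_from("<I", data, opt + 28)[0]  # ImageBase
    imp_rva, imp_size = struct.unpack_from("<II", data, opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT)
    return {
        "entry_rva": entry_rva,
        "entry_va": image_base + entry_rva,
        "oep_matches": entry_rva == expected_oep_rva,
        "import_dir_present": imp_rva != 0 and imp_size != 0,
    }

def build_sample_header(entry_rva: int, imp_rva: int = 0, imp_size: int = 0) -> bytes:
    """Constructed minimal PE32 header (no sections), for offline demonstration only."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)              # e_lfanew -> PE header at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0xE0, 0x102)  # i386, optional header 0xE0 bytes
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)           # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)      # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x00400000)     # ImageBase (assumed value)
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT, imp_rva, imp_size)
    return dos + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":
    # Usage: python check_dump.py dump_.exe 271B0   (OEP RVA as shown by OllyDump / ImpRec)
    path, oep = (sys.argv[1], int(sys.argv[2], 16)) if len(sys.argv) == 3 else (None, 0x271B0)
    blob = open(path, "rb").read() if path else build_sample_header(0x271B0, 0x30000, 0x200)
    print(pe_unpack_check(blob, oep))
```

A dump taken before Fix Dump (or with "Rebuild Import" unchecked, as above) shows import_dir_present False; the ImpRec output should show True with the entry RVA still at 271B0.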