ARTeam Tutorial: Molebox Pro v2.5x
Visit: http://cracking.accessroot.com
Forum: http://forum.accessroot.com

| Information | Unpacking and Cracking Molebox Pro v2.5.16.2215 |
| Target | Molebox Pro v2.5.16.2215 |
| Available | http://www.molebox.com |
| Tools | OllyDbg 1.10, ImpRec, LordPE, Hide Debugger 1.2 |
| Protection | Asprotect/Molebox |
| Level | Advanced |
| Category | Unpacking, cracking etc. |
| Author(s) | MaDMAn_H3rCuL3s, May 2006 |
| Requirements | Windows XP, IE 5.5 and above for best viewing |

1. Introduction
There have been a few tutorials floating around about MoleBox. To this day only one has actually touched its packing abilities, so I bring you this tutorial on the subject. Also, so it is known: big thanks to fly for his unprecedented tutorial on MoleBox v2.33. That is the very tutorial I speak of when I say only one has touched the target.

2. EP - First Virtual DLL

We start at the entry point. We can plainly see that the target is also packed with ASProtect; the ASProtect version has no effect on us. We will proceed to the first virtually allocated DLL. We do this by setting BP MapViewOfFileEx. At the first break:
we see that we do not return to the real executable (this is uxtheme.dll). The second break is the one we want:
here we would return to the main exe, so hit ALT+F9.
If you really care, you can see the CRC check in ASProtect here: check the EAX register, then follow it in the dump, and you see the ASProtect virtually mapped executable in memory. Many tutorials have covered this, so no more from me.
The sole reason for all this is to get as close to the OEP as possible without detection. Now we switch gears, set BP CreateFileA and just watch the breaks below:
here we are using SCSI; usually in ASProtect this is for the HWID checks, using DeviceIoControl.
Here we do a file check, then another one, and yet another one. Here is where it gets interesting. :)
Above is the DLL we want. If you look closely in the stack you can see the DLL's name: MSVCP60.DLL. So how do we remedy this? Simply put, we just rename it. Follow the filename in the dump
and modify the MBX "CRAP CRAP CRAP".### to the real name.
We can also look above in the dump and see that the real filename is already mapped for us. :)
MoleBox knows the DLL is there; it never actually goes to the current directory, only to the temp directory. Now we must fix the DLL. Simply enough, all we do is this: BP GetModuleHandleA; at the first break, remove the BP, then set a BP on the code section of the new DLL.
First GetModuleHandleA break; now remove it and set the BP on the DLL's code section.
You should see this warning pop up when you go to the memory map.
Now hit SHIFT+F9
.....
OEP!
Now we have reached the OEP of DLL #1 (yes, #1). Using LordPE, dump the file, then fix the relocations, then rebuild the import table. Watch:
select our process, then in the bottom window select the DLL to dump, then dump it.
Now, again using LordPE, we fix the relocations. Click the PE Editor button and open the DLL we just dumped. Click the Sections tab and look for the section "RELOC".
We see that the RVA = 0045E000 and the SIZE = 00002CF0, so now we must change it in the DLL so it is a working DLL that can be loaded by the executable after unpacking. Hit the [X] in the top right corner to exit the sections view, then click the Directories tab. You see the relocations are set to an offset that is way wrong and a size that is way too small, so we must fix this in the "Relocation" box: RVA = 0005E000, Size = 00002FC0, like this:
then hit the Save button and save again. Now we just need to fix the imports, so start up ImpREC,
then click the "Pick DLL" button, select our DLL and click OK. (NOTE: make sure the option "use PE header from disk" is unchecked.)
Now enter our details: the OEP; the RVA should pop up for you.
Now the invalid entries must be fixed by you; the disassembler won't help you. Right-click each one and view it in hex,
and just copy the first line you see, then double-click the invalid one and paste in the correct thunk.
Done. Now attach your IAT to the DLL and this one is unpacked and ready to use. :) Let's take a 5 minute break and then proceed. You can get a copy of the IAT HERE.
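The relocation fix above is worth automating when you validate a dumped module (an analyst rebuilding a module dumped from memory during malware analysis faces the same problem). The following Python is an added example, not code from the tutorial or from LordPE: it parses the section table and the base-relocation data directory with the standard library, confirms the directory actually lies inside a section, and walks the relocation blocks the loader would apply, flagging a directory whose RVA or size does not match what the section holds. The PE image is constructed inline as sample data; its RVAs and sizes are not the tutorial's values.

```python
import struct

IMAGE_DIRECTORY_ENTRY_BASERELOC = 5   # index of the base-relocation entry in the data directory
IMAGE_REL_BASED_HIGHLOW = 3           # 32-bit relocation type applied by the PE32 loader

def parse_pe(data):
    """Return (reloc_dir_rva, reloc_dir_size, sections) from a PE32/PE32+ image."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    dd = opt + (96 if magic == 0x10B else 112)          # data directory offset: PE32 / PE32+
    reloc_rva, reloc_size = struct.unpack_from("<II", data, dd + 8 * IMAGE_DIRECTORY_ENTRY_BASERELOC)
    raw = [struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i) for i in range(nsections)]
    # each section: (name, VirtualAddress, VirtualSize, SizeOfRawData, PointerToRawData)
    sections = [(n.rstrip(b"\0").decode(), va, vs, rs, rp) for n, vs, va, rs, rp in raw]
    return reloc_rva, reloc_size, sections

def check_relocations(data):
    """Confirm the relocation directory sits inside one section, then walk its blocks.
    Returns (consistent, section_name, highlow_entry_count)."""
    rva, size, sections = parse_pe(data)
    sec = next((s for s in sections if s[1] <= rva and rva + size <= s[1] + max(s[2], s[3])), None)
    if sec is None or size == 0:
        return False, None, 0                 # directory RVA/size do not land inside any section
    off = sec[4] + (rva - sec[1])             # file offset of the directory via the section mapping
    end, count = off + size, 0
    while off + 8 <= end:
        page_rva, block_size = struct.unpack_from("<II", data, off)
        if block_size < 8 or off + block_size > end:
            return False, sec[0], count       # block runs past the directory: the size field is wrong
        for i in range((block_size - 8) // 2):
            entry = struct.unpack_from("<H", data, off + 8 + 2 * i)[0]
            count += 1 if (entry >> 12) == IMAGE_REL_BASED_HIGHLOW else 0
        off += block_size
    return True, sec[0], count

def build_sample_pe(dir_rva, dir_size):
    """Constructed minimal PE32 (sample, not the tutorial's target): one '.reloc' section at RVA 0x5000 holding a block with 3 HIGHLOW entries and 1 ABSOLUTE pad."""
    block = struct.pack("<IIHHHH", 0x1000, 16, 0x3010, 0x3024, 0x3040, 0x0000)
    dos = (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x80)).ljust(0x80, b"\0")
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)
    opt = struct.pack("<H", 0x10B).ljust(96, b"\0")         # PE32 magic, other fields zeroed
    dirs = bytearray(16 * 8)
    struct.pack_into("<II", dirs, 8 * IMAGE_DIRECTORY_ENTRY_BASERELOC, dir_rva, dir_size)
    sec = struct.pack("<8sIIIIIIHHI", b".reloc", len(block), 0x5000, 0x200, 0x400, 0, 0, 0, 0, 0x42000040)
    return (dos + coff + opt + bytes(dirs) + sec).ljust(0x400, b"\0") + block.ljust(0x200, b"\0")
```

Running `check_relocations` on a dump whose directory points outside the section, or whose size cuts a block short, returns `False` with the offending section, which is exactly the condition the manual Directories-tab fix corrects.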

3. Journey to Virtual DLL #2

Okay, we left off having just dumped the first DLL. We now need to find the second DLL so we can dump it and then go to the executable's OEP. We use the same BP: BP CreateFileA.
At the first break we hit our mark. :) We see the name of the DLL is MSkinCORE.DLL, so again we follow the filename in the dump and change it a bit so we can dump it and fix the IAT correctly,
then change it to the right name.
Now we set a new BP: BP GetModuleHandleA. At the first break we remove the BP and set a BP on the code section of the DLL.
Remove the BP and then set the BP on the code section.
Again you should get this warning when you go to the memory map.
Then SHIFT+F9.
OEP!
Okay, now dump and do the same as before; I won't go into it again. Use LordPE to dump, fix the reloc, then use ImpREC and fix the IAT.
Fix it and you have the two virtually mapped DLLs back. Now on to the executable. The IAT is HERE.

4. OEP of Molebox - Fixing the CALLs - Hidden files

Simple: set a BP at the code section of the executable and you land right on it.
Now we are to fix the imports of this one as well. Same deal; you can do this. :) Now run it:
you can thank the nasty calls for that one. ;)
So search for all references:
believe me, there are more. Once you decrypt parts, more calls appear. The best way to fix these is to BP on the static ones, then as each new one is made, keep copying the new code to a new file. Or you can also set a new EIP to get the harder-to-reach ones. :) Here is one example:
then step into the call, and you see this:
follow the JMP:
that call is our decryptor, which leads us to more code, which decrypts our code. The best thing to do is hit CTRL+F9,
then hit F7:
there we are out of the call, and a new one appears. You get the idea.
HIDDEN FILES: If you try to pack a file with MoleBox, you get an error that it can't find its boot stub. This, like the DLLs, is hidden inside the executable. These are a bit different to find than before. First you must try to pack something, so pick any file and pack it. The easiest way to get at them: use only one option.
If it is unchecked, you use one file; if it is ticked, you use the other.
BP CreateFileA (keep a sharp eye). At the 3rd break look up in the stack a bit: that's our filename, "mbox2_bootupLtDemo". Now: (*NOTE* I could not find a better way, so this procedure is merely a reproduction of fly's tutorial) BP GetSystemTimeAsFileTime. This is our first break; we want the second break.
F9 again:
follow this EBP-3C pointer in the dump:
here is our first file. Set a memory BP on access on the first byte of the image. You should pop up here:
we check what data is being moved around: our little boot stub moves from one space to another. Let's follow 00194FE8 in the dump to see exactly.
Well, let's hit F7 once.
We see our file is moved around; that's no problem for us.
Hit F7 once, then hit F8 until you land on the CMP DWORD PTR SS:[EBP+10], EAX.
Now see what it says in the pointer: that's our image size. Scroll down till you see the RETN 0C and set a BP on it, break, then dump with LordPE using the "dump partial" option. Put in the start of the image, then use the size we just got. So we are going to dump: Size = 15C00.
The file has no extension. Do the same for the other file:
memory BP on the first byte.
We see our image is written here.
We now have the size and RVA, so again use LordPE and dump a partial section. When it's all said and done, you should have 5 files total that you unpacked: 1 executable, 2 DLLs, 2 boot stubs. Not bad for a day's work. :) Until next time, I remain....
MaDMAn_H3rCuL3s

5. Greetingz
[MAIN TEAM]
[fly] [shoooo] [winddy] [KuNgBiM] [cxlrb] [heXer] [Stephenteh]
[Linhanshi] [crackslatinos] [SECTiON-8]
[AND OF COURSE.......YOU :)]