See this tutor in notepad,Font Fixedsys Regular size 10

       
       
        Toolz Used: Olly v1.10,PEid v0.93,Ollydump Plugin and ImpRec.

        Well,hallo U riderz of the StorM.This is an easy tutor I decide
        to write,because I saw that many of U were interested in unpacking
        this protector,althought I dont know the reason why.The way up to
        the OEP is really easy (only an anti-debugging trick makes this
        tutor a little hard for newbiez) and the IAT rebuilding is pretty
        simple too.So,download MagicCursor2000 v2.2.1.1 from www.madentec.com
        (this version is the most revent now,January 2005).Install the software.
       
        Now use the PEid  tool and U can see that is under the protection of
        Crunch/PE Heuristic -> Bit-Arts [Overlay].Now open Olly and load the
        target.U should be HeRe :

00484000 > $ 55             PUSH EBP                        <----- U are HeRe
00484001   . E8 00000000    CALL MagicCur.00484006
00484006   $ 5D             POP EBP
00484007   . 83ED 06        SUB EBP,6
0048400A   . 8BC5           MOV EAX,EBP
0048400C   . 55             PUSH EBP
0048400D   . 60             PUSHAD
0048400E   . 89AD 8A340000  MOV DWORD PTR SS:[EBP+348A],EBP
00484014   . 2B85 65340000  SUB EAX,DWORD PTR SS:[EBP+3465]
0048401A   . 8985 19250000  MOV DWORD PTR SS:[EBP+2519],EAX

        Be sure that in Debugging Options the only checked option is
        Ignore memory access violations in KERNEL32.Now press F9 to run and U are at
        a screen.Press Continue and Olly breaks at an exception,here:

77F51081   890424           MOV DWORD PTR SS:[ESP],EAX
77F51084   C74424 04 000000>MOV DWORD PTR SS:[ESP+4],0
77F5108C   C74424 08 000000>MOV DWORD PTR SS:[ESP+8],0
77F51094   C74424 10 000000>MOV DWORD PTR SS:[ESP+10],0
77F5109C   54               PUSH ESP
77F5109D   E8 05000000      CALL ntdll.RtlRaiseException
77F510A2   E9 BD000000      JMP ntdll.77F51164                  <------  Olly breaks HeRe
77F510A7 > 55               PUSH EBP
77F510A8   8BEC             MOV EBP,ESP
77F510AA   9C               PUSHFD
77F510AB   81EC D0020000    SUB ESP,2D0
77F510B1   8985 DCFDFFFF    MOV DWORD PTR SS:[EBP-224],EAX
77F510B7   898D D8FDFFFF    MOV DWORD PTR SS:[EBP-228],ECX
77F510BD   8B45 08          MOV EAX,DWORD PTR SS:[EBP+8]

        Try to continue the execution of the target with Shift+F9 and U will get a message
        saying Starting Error.This is an anti-debugging trick.So,load again the file
        and when U get an exception look at the eax register.It has a value.This is
        the value of the exception the prog on purpose trigered.If U also see at the
        down left side of Olly,it says Exception ... use ... to pass exception to
        program.And XXXXXXXX is the number of exception,for me was C0000008.Now check an
        opcode up from there where Olly broke (this is at 77F5109D).What has happened here?

        Well this is the anti-debug trick:The prog being debugged,our target,caused an
        exception using RtlRaiseException API and in eax is the value of that.Then uses another
        API that is called SetUnhandledExceptionFilter.This last API will set up a memory
        location that the prog will jamp at if not being debuged.If being debuged it won't
        jamp there,and continue its execution to a routine that sends the error message in
        screen and in other cases makes the program crash.Here is also the reference of
        SetUnhandledExceptionFilter API from msn:

SetUnhandledExceptionFilter

The SetUnhandledExceptionFilter function enables an application to supersede
the top-level exception handler of each thread and process.

After calling this function, if an exception occurs in a process that is not being
debugged, and the exception makes it to the unhandled exception filter, that filter
will call the exception filter function specified by the lpTopLevelExceptionFilter
parameter.

LPTOP_LEVEL_EXCEPTION_FILTER SetUnhandledExceptionFilter(
  LPTOP_LEVEL_EXCEPTION_FILTER lpTopLevelExceptionFilter
);

Parameters

lpTopLevelExceptionFilter
    [in] Pointer to a top-level exception filter function that will be called
    whenever the UnhandledExceptionFilter function gets control, and the process is not
    being debugged. A value of NULL for this parameter specifies default handling within
    UnhandledExceptionFilter.

        So after the exception that paused Olly,we will make eax zero and the prog will
        not handle an exception,as it will think that there is not one actually.So make eax
        zero and press F9.Well,it runs jut fine.Anti-debugging trick defeated.Now we have
        to go to OEP.Restart the prog again with Olly and start tracing manually,using F7
        till the first PUSHAD opcode.After executing it U are HeRe:

00484000 > $ 55             PUSH EBP
00484001   . E8 00000000    CALL MagicCur.00484006
00484006   $ 5D             POP EBP
00484007   . 83ED 06        SUB EBP,6
0048400A   . 8BC5           MOV EAX,EBP
0048400C   . 55             PUSH EBP
0048400D   . 60             PUSHAD
0048400E   . 89AD 8A340000  MOV DWORD PTR SS:[EBP+348A],EBP          <--- U are HeRe
00484014   . 2B85 65340000  SUB EAX,DWORD PTR SS:[EBP+3465]
0048401A   . 8985 19250000  MOV DWORD PTR SS:[EBP+2519],EAX
00484020   . 55             PUSH EBP

        Now press on ESP a right click->Follow in Dump.Now in data window under code
        highlight the first 4 bytes U see,right click and the breakpoint hardware on
        access Dword.We do that because there is a POPAD opcode just before the magic
        jamp at OEP,and the same thing the the prog has at PUSHAD after we set the
        hardware breakpoint and the POPAD just before the Jamp at OEP,is the same
        stack pointer value (well,assuming no complicated other opcodes that mess
        stack up=>indicates a hard to unpack sheme,but this is not one of them).

        Now,press F9 and then the screen apears,Continue,now the anti-debug thing and
        press F9.When Olly pauses,richt click on code and choose Analysis->Analize code.
        U should be here:

004840E5   . 5D             POP EBP                                  ;  MagicCur.<ModuleEntryPoint>
004840E6   . 8B85 86340000  MOV EAX,DWORD PTR SS:[EBP+3486]
004840EC   . 5D             POP EBP
004840ED   . FFE0           JMP EAX
004840EF     BE             DB BE
004840F0     86             DB 86
004840F1     34             DB 34                                    ;  CHAR '4'
004840F2     00             DB 00
004840F3     00             DB 00

        Well,at 004840ED jamps at OEP.So,trace with F7 and execute the JMP EAX and U
        should be HeRe:

00408FB2  /. 55             PUSH EBP
00408FB3  |. 8BEC           MOV EBP,ESP
00408FB5  |. 6A FF          PUSH -1
00408FB7  |. 68 F8024100    PUSH MagicCur.004102F8
00408FBC  |. 68 28AB4000    PUSH MagicCur.0040AB28                   ;  SE handler installation
00408FC1  |. 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
00408FC7  |. 50             PUSH EAX
00408FC8  |. 64:8925 000000>MOV DWORD PTR FS:[0],ESP
00408FCF  |. 83EC 58        SUB ESP,58
00408FD2  |. 53             PUSH EBX
00408FD3  |. 56             PUSH ESI
00408FD4  |. 57             PUSH EDI
00408FD5  |. 8965 E8        MOV DWORD PTR SS:[EBP-18],ESP
00408FD8  |. FF15 38014100  CALL DWORD PTR DS:[410138]               ;  kernel32.GetVersion

       

        Now delete the hardware breakpoint U earlier set and dump the process with Olly
        Plugin without having checked the Rebuild Import option checked.Now open IMpreC
        and select the process,enter as OEP the value 00408FB2-00400000=8FB2 and then
        IAT autosearch and Get Imports.Now,press Show invalid,good,no invalid thunk.So
        proceed and Fix Dump.Now run the fixed file and...it Workz!

        Well,that was it about this packer.Maybe to See ya in Dillo'z Copymem defeating tutor
                                     ...But I'm not sure...

[培训]内核驱动高级班，冲击BAT一流互联网大厂工作，每周日13:00-18:00直播授课