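/// <summary>
/// Dynamically unpacks the executable named by <c>toBeUnpacked</c>: starts it under the
/// NonIntrusive debugger, locates a code signature in the image, runs to it, dumps the
/// process with the reached address as the new entry point and rebuilds the import table.
/// </summary>
/// <param name="myForm">Main form; progress and error text is reported through its <c>AddLog</c>.</param>
/// <remarks>
/// The target is actually launched and its code runs natively up to the breakpoint, so
/// this is live execution of the sample rather than static analysis. Addresses are held in
/// <c>uint</c> and read from <c>Context.Eip</c>, so only 32-bit targets are handled.
/// The dump is written next to the target as <c>&lt;name&gt;_dumped.exe</c>.
/// </remarks>
public void Unpack(mainFrm myForm)
{
    const int ErrorBufferSize = 1000;

    // Strip the real extension instead of a fixed four characters, so a target whose
    // name is shorter than four characters or has no ".xxx" suffix neither throws nor
    // loses part of its name. For the usual "*.exe" the result is unchanged.
    string extension = System.IO.Path.GetExtension(toBeUnpacked);
    string dumpPath = toBeUnpacked.Substring(0, toBeUnpacked.Length - extension.Length) + "_dumped.exe";

    NonIntrusive.NIStartupOptions opts = new NonIntrusive.NIStartupOptions
    {
        executable = toBeUnpacked,
        resumeOnCreate = false
    };
    NonIntrusive.NIDumpOptions dumpOpts = new NonIntrusive.NIDumpOptions
    {
        ChangeEP = true,
        OutputPath = dumpPath,
        PerformDumpFix = true
    };
    NonIntrusive.NISearchOptions searchOpts = new NonIntrusive.NISearchOptions
    {
        // x86: 75 08 = jnz short +8, B8 01 00 00 00 = mov eax, 1.
        // NOTE(review): which packer stub this signature belongs to is not stated here.
        SearchString = "75 08 B8 01 00 00 00",
        SearchImage = true,
        MaxOccurs = 1
    };
    NonIntrusive.NIDebugger debugger = new NonIntrusive.NIDebugger();
    List<uint> list = new List<uint>();

    debugger.Execute(opts);
    try
    {
        debugger.SearchMemory(searchOpts, out list);
        if (list.Count == 0)
        {
            myForm.AddLog("Failed to find the OEP...");
            return;
        }

        myForm.AddLog("Setting BP#1: " + (list[0] - debugger.ProcessImageBase).ToString("X8"));

        // Run to the signature, then step three instructions; EIP at that point is
        // taken as the original entry point (stored as an RVA).
        debugger.SetBreakpoint(list[0]).Continue().SingleStep(3);
        uint newOEP = debugger.Context.Eip - debugger.ProcessImageBase;
        dumpOpts.EntryPoint = newOEP;
        debugger.DumpProcess(dumpOpts);
        myForm.AddLog("OEP: " + newOEP.ToString("X8"));

        uint iatStart = 0;
        uint iatSize = 0;
        IntPtr errorCode = Marshal.AllocHGlobal(ErrorBufferSize);
        try
        {
            // AllocHGlobal returns uninitialised memory; zero it so PtrToStringAnsi
            // finds a terminator even when the native routine writes little or nothing.
            // NOTE(review): how much the native side may write is not visible here —
            // confirm that 1000 bytes is the documented buffer size.
            Marshal.Copy(new byte[ErrorBufferSize], 0, errorCode, ErrorBufferSize);

            NonIntrusive.ARImpRec.SearchAndRebuildImports(
                (uint)debugger.Process.Id,
                dumpOpts.OutputPath,
                newOEP + debugger.ProcessImageBase,
                1,
                out iatStart,
                out iatSize,
                errorCode);

            myForm.AddLog("IAT Start: " + iatStart.ToString("X8"));
            myForm.AddLog("IAT Size: " + iatSize.ToString("X8"));
            myForm.AddLog("ReturnCode: " + Marshal.PtrToStringAnsi(errorCode));
            myForm.AddLog("Now fully unpacked - enjoy!");
        }
        catch (Exception ex)
        {
            myForm.AddLog(ex.Message);
        }
        finally
        {
            // Previously freed only on the success path, leaking the buffer on failure.
            Marshal.FreeHGlobal(errorCode);
        }
    }
    finally
    {
        // Always release and kill the debuggee, including when the breakpoint or dump
        // step throws, so a half-unpacked target is never left running on the host.
        debugger.Detach().Terminate();
    }
}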
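/// <summary>
/// Dynamically unpacks a UPX-packed executable: starts it under the NonIntrusive debugger,
/// finds the stub's final jump, steps over it to reach the original entry point, dumps the
/// process and rebuilds the import table. Progress is written to the console.
/// </summary>
/// <param name="target">Path of the packed executable to unpack.</param>
/// <remarks>
/// The target is actually launched and its unpacking stub runs natively up to the
/// breakpoint, so this is live execution of the sample rather than static analysis.
/// Addresses are held in <c>uint</c> and read from <c>Context.Eip</c>, so only 32-bit
/// targets are handled. The dump is written next to the target as
/// <c>&lt;name&gt;_dumped.exe</c>, and the OEP is also copied to the clipboard.
/// </remarks>
static void UnpackUPX(string target)
{
    const int ErrorBufferSize = 1000;

    // Strip the real extension instead of a fixed four characters, so a target whose
    // name is shorter than four characters or has no ".xxx" suffix neither throws nor
    // loses part of its name. For the usual "*.exe" the result is unchanged.
    string extension = System.IO.Path.GetExtension(target);
    string dumpPath = target.Substring(0, target.Length - extension.Length) + "_dumped.exe";

    NonIntrusive.NIStartupOptions opts = new NonIntrusive.NIStartupOptions
    {
        executable = target,
        resumeOnCreate = false
    };
    NonIntrusive.NIDumpOptions dumpOpts = new NonIntrusive.NIDumpOptions
    {
        ChangeEP = true,
        OutputPath = dumpPath,
        PerformDumpFix = true
    };
    NonIntrusive.NISearchOptions searchOpts = new NonIntrusive.NISearchOptions
    {
        // x86: E9 rel32 (jmp near) followed by four zero bytes; "??" are wildcards
        // for the jump displacement.
        SearchString = "E9 ?? ?? ?? ?? 00 00 00 00",
        SearchImage = true,
        MaxOccurs = 1
    };
    NonIntrusive.NIDebugger debugger = new NonIntrusive.NIDebugger();
    List<uint> list = new List<uint>();

    debugger.Execute(opts);
    try
    {
        debugger.SearchMemory(searchOpts, out list);
        if (list.Count == 0)
        {
            // The original had no failure branch: the started target was neither
            // reported nor terminated when the signature was missing.
            Console.WriteLine("Failed to find the OEP...");
            return;
        }

        Console.WriteLine("Setting BreakPoint: " + (list[0] - debugger.ProcessImageBase).ToString("X8"));

        // Run to the jump and execute it; EIP then points at the original entry
        // point, which is stored as an RVA.
        debugger.SetBreakpoint(list[0]).Continue().SingleStep();
        uint newOEP = debugger.Context.Eip - debugger.ProcessImageBase;
        dumpOpts.EntryPoint = newOEP;
        debugger.DumpProcess(dumpOpts);

        try
        {
            Clipboard.Clear();
            Clipboard.SetText(newOEP.ToString("X8"));
        }
        catch
        {
            // Clipboard access is a convenience only; a failure must not abort the unpack.
            Console.WriteLine("Seems to have some problems clearing and setting the clipboard :(");
        }

        Console.WriteLine("OEP: " + newOEP.ToString("X8"));
        Console.WriteLine("ProcessID: " + debugger.Process.Id.ToString("X8"));

        uint iatStart = 0;
        uint iatSize = 0;
        IntPtr errorCode = Marshal.AllocHGlobal(ErrorBufferSize);
        try
        {
            // AllocHGlobal returns uninitialised memory; zero it so PtrToStringAnsi
            // finds a terminator even when the native routine writes little or nothing.
            // NOTE(review): how much the native side may write is not visible here —
            // confirm that 1000 bytes is the documented buffer size.
            Marshal.Copy(new byte[ErrorBufferSize], 0, errorCode, ErrorBufferSize);

            NonIntrusive.ARImpRec.SearchAndRebuildImportsIATOptimized(
                (uint)debugger.Process.Id,
                dumpOpts.OutputPath,
                newOEP + debugger.ProcessImageBase,
                1,
                out iatStart,
                out iatSize,
                errorCode);

            Console.WriteLine("IAT Start: " + iatStart.ToString("X8"));
            Console.WriteLine("IAT Size: " + iatSize.ToString("X8"));
            Console.WriteLine("ReturnCode: " + Marshal.PtrToStringAnsi(errorCode));
        }
        catch (Exception ex)
        {
            Console.WriteLine(ex.Message);
        }
        finally
        {
            // Previously freed only on the success path, leaking the buffer on failure.
            Marshal.FreeHGlobal(errorCode);
        }
    }
    finally
    {
        // Always release and kill the debuggee, including when the signature is not
        // found or the breakpoint/dump step throws, so the target is never left
        // running on the host.
        debugger.Detach().Terminate();
    }

    // Reached only after a located OEP, matching the original flow: the debuggee is
    // already terminated when the user is prompted.
    Console.WriteLine("All done... Fix imports and press any key to exit!");
    Console.ReadKey();
}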