示例#1
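        /// <summary>
        /// Starts <c>toBeUnpacked</c> under the NonIntrusive debugger, runs it up to the
        /// located original entry point (OEP), dumps the process image to
        /// "&lt;target&gt;_dumped.exe" and asks ARImpRec to rebuild the import table of the dump.
        /// </summary>
        /// <remarks>
        /// The target is really executed: it is created without being resumed, but
        /// <c>Continue()</c> lets its code run until the breakpoint is reached. Treat the input
        /// as untrusted and run this only inside an isolated analysis environment.
        /// The byte signature is hard-coded and only the first match is used, so a false match
        /// produces a dump whose entry point is wrong. Addresses are handled as 32-bit values
        /// (<c>uint</c>, <c>Context.Eip</c>), so only 32-bit targets are covered.
        /// </remarks>
        /// <param name="myForm">Form that receives the progress log through <c>AddLog</c>.</param>
        public void Unpack(mainFrm myForm)
        {
            // Size of the unmanaged buffer ARImpRec writes its status text into.
            const int ErrorBufferSize = 1000;

            if (string.IsNullOrEmpty(toBeUnpacked))
            {
                myForm.AddLog("No target selected...");
                return;
            }

            NonIntrusive.NIStartupOptions opts = new NonIntrusive.NIStartupOptions();
            NonIntrusive.NIDebugger debugger = new NonIntrusive.NIDebugger();
            NonIntrusive.NIDumpOptions dumpOpts = new NonIntrusive.NIDumpOptions();
            NonIntrusive.NISearchOptions searchOpts = new NonIntrusive.NISearchOptions();

            List<uint> list;

            opts.executable = toBeUnpacked;
            opts.resumeOnCreate = false;

            // Strip whatever extension the path actually has instead of assuming it is exactly
            // four characters long; a ".exe" target yields the same output name as before.
            string extension = System.IO.Path.GetExtension(toBeUnpacked);
            string stem = toBeUnpacked.Substring(0, toBeUnpacked.Length - extension.Length);

            dumpOpts.ChangeEP = true;
            dumpOpts.OutputPath = stem + "_dumped.exe";
            dumpOpts.PerformDumpFix = true;

            // x86 bytes: "75 08" is a short JNZ, "B8 01 00 00 00" is MOV EAX, 1.
            searchOpts.SearchString = "75 08 B8 01 00 00 00";
            searchOpts.SearchImage = true;
            searchOpts.MaxOccurs = 1;

            debugger.Execute(opts);

            // A debuggee exists from here on. The finally block detaches and terminates it on
            // every path, including exceptions thrown by the search, breakpoint or dump calls,
            // so a half-unpacked sample is never left running.
            try
            {
                debugger.SearchMemory(searchOpts, out list);
                if (list == null || list.Count == 0)
                {
                    myForm.AddLog("Failed to find the OEP...");
                    return;
                }

                myForm.AddLog("Setting BP#1: " + (list[0] - debugger.ProcessImageBase).ToString("X8"));
                debugger.SetBreakpoint(list[0]).Continue().SingleStep(3);

                // The OEP is stored as an offset from the image base.
                uint newOEP = debugger.Context.Eip - debugger.ProcessImageBase;
                dumpOpts.EntryPoint = newOEP;

                debugger.DumpProcess(dumpOpts);
                myForm.AddLog("OEP: " + newOEP.ToString("X8"));

                uint iatStart = 0;
                uint iatSize = 0;
                IntPtr errorCode = Marshal.AllocHGlobal(ErrorBufferSize);

                try
                {
                    // AllocHGlobal does not zero the block. Clear it so PtrToStringAnsi finds a
                    // terminator inside the buffer even if the native call writes nothing.
                    Marshal.Copy(new byte[ErrorBufferSize], 0, errorCode, ErrorBufferSize);

                    // The literal 1 is passed through unchanged; its meaning is defined by
                    // ARImpRec - TODO confirm.
                    NonIntrusive.ARImpRec.SearchAndRebuildImports((uint)debugger.Process.Id, dumpOpts.OutputPath, newOEP + debugger.ProcessImageBase, 1, out iatStart, out iatSize, errorCode);

                    myForm.AddLog("IAT Start: " + iatStart.ToString("X8"));
                    myForm.AddLog("IAT Size: " + iatSize.ToString("X8"));
                    myForm.AddLog("ReturnCode: " + Marshal.PtrToStringAnsi(errorCode));

                    // NOTE(review): success is logged without inspecting the ReturnCode text.
                    myForm.AddLog("Now fully unpacked - enjoy!");
                }
                catch (Exception ex)
                {
                    myForm.AddLog(ex.Message);
                }
                finally
                {
                    // Previously the buffer leaked whenever the rebuild call threw.
                    Marshal.FreeHGlobal(errorCode);
                }
            }
            finally
            {
                debugger.Detach().Terminate();
            }
        }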
示例#2
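        /// <summary>
        /// Starts <paramref name="target"/> under the NonIntrusive debugger, breaks on the
        /// located jump, single-steps once to reach the original entry point (OEP), dumps the
        /// process image to "&lt;target&gt;_dumped.exe" and asks ARImpRec to rebuild the imports.
        /// </summary>
        /// <remarks>
        /// The target is really executed: it is created without being resumed, but
        /// <c>Continue()</c> lets its code run until the breakpoint is reached. Treat the input
        /// as untrusted and run this only inside an isolated analysis environment.
        /// The byte signature is hard-coded and only the first match is used, so a false match
        /// produces a dump whose entry point is wrong. Addresses are handled as 32-bit values
        /// (<c>uint</c>, <c>Context.Eip</c>), so only 32-bit targets are covered.
        /// </remarks>
        /// <param name="target">Path of the packed executable to launch and dump.</param>
        /// <exception cref="ArgumentException"><paramref name="target"/> is null or empty.</exception>
        static void UnpackUPX(string target)
        {
            // Size of the unmanaged buffer ARImpRec writes its status text into.
            const int ErrorBufferSize = 1000;

            if (string.IsNullOrEmpty(target))
            {
                throw new ArgumentException("Target path must not be empty.", "target");
            }

            NonIntrusive.NIStartupOptions opts = new NonIntrusive.NIStartupOptions();
            NonIntrusive.NIDebugger debugger = new NonIntrusive.NIDebugger();
            NonIntrusive.NIDumpOptions dumpOpts = new NonIntrusive.NIDumpOptions();
            NonIntrusive.NISearchOptions searchOpts = new NonIntrusive.NISearchOptions();

            List<uint> list;

            opts.executable = target;
            opts.resumeOnCreate = false;

            // Strip whatever extension the path actually has instead of assuming it is exactly
            // four characters long; a ".exe" target yields the same output name as before.
            string extension = System.IO.Path.GetExtension(target);
            string stem = target.Substring(0, target.Length - extension.Length);

            dumpOpts.ChangeEP = true;
            dumpOpts.OutputPath = stem + "_dumped.exe";
            dumpOpts.PerformDumpFix = true;

            // x86 bytes: E9 is JMP rel32, followed here by four zero bytes; the "??" tokens
            // presumably act as single-byte wildcards in NISearchOptions - TODO confirm.
            searchOpts.SearchString = "E9 ?? ?? ?? ?? 00 00 00 00";
            searchOpts.SearchImage = true;
            searchOpts.MaxOccurs = 1;

            debugger.Execute(opts);

            bool dumped = false;

            // A debuggee exists from here on. The finally block detaches and terminates it on
            // every path. Previously a failed signature search returned without any cleanup
            // and left the created process behind.
            try
            {
                debugger.SearchMemory(searchOpts, out list);
                if (list != null && list.Count > 0)
                {
                    Console.WriteLine("Setting BreakPoint: " + (list[0] - debugger.ProcessImageBase).ToString("X8"));
                    debugger.SetBreakpoint(list[0]).Continue().SingleStep();

                    // The OEP is stored as an offset from the image base.
                    uint newOEP = debugger.Context.Eip - debugger.ProcessImageBase;
                    dumpOpts.EntryPoint = newOEP;

                    debugger.DumpProcess(dumpOpts);

                    // Copying the OEP to the clipboard is a convenience only; any failure is
                    // reported and otherwise ignored.
                    try
                    {
                        Clipboard.Clear();
                        Clipboard.SetText(newOEP.ToString("X8"));
                    }
                    catch
                    {
                        Console.WriteLine("Seems to have some problems clearing and setting the clipboard :(");
                    }

                    Console.WriteLine("OEP: " + newOEP.ToString("X8"));

                    Console.WriteLine("ProcessID: " + debugger.Process.Id.ToString("X8"));

                    uint iatStart = 0;
                    uint iatSize = 0;
                    IntPtr errorCode = Marshal.AllocHGlobal(ErrorBufferSize);

                    try
                    {
                        // AllocHGlobal does not zero the block. Clear it so PtrToStringAnsi
                        // finds a terminator inside the buffer even if nothing is written.
                        Marshal.Copy(new byte[ErrorBufferSize], 0, errorCode, ErrorBufferSize);

                        // The literal 1 is passed through unchanged; its meaning is defined by
                        // ARImpRec - TODO confirm.
                        NonIntrusive.ARImpRec.SearchAndRebuildImportsIATOptimized((uint)debugger.Process.Id, dumpOpts.OutputPath, newOEP + debugger.ProcessImageBase, 1, out iatStart, out iatSize, errorCode);
                        Console.WriteLine("IAT Start: " + iatStart.ToString("X8"));
                        Console.WriteLine("IAT Size: " + iatSize.ToString("X8"));
                        Console.WriteLine("ReturnCode: " + Marshal.PtrToStringAnsi(errorCode));
                    }
                    catch (Exception ex)
                    {
                        Console.WriteLine(ex.Message);
                    }
                    finally
                    {
                        // Previously the buffer leaked whenever the rebuild call threw.
                        Marshal.FreeHGlobal(errorCode);
                    }

                    dumped = true;
                }
                else
                {
                    Console.WriteLine("Failed to find the OEP...");
                }
            }
            finally
            {
                debugger.Detach().Terminate();
            }

            // As before, the prompt is shown only after the debuggee has been terminated.
            if (dumped)
            {
                Console.WriteLine("All done... Fix imports and press any key to exit!");
                Console.ReadKey();
            }
        }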
示例#3
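        /// <summary>
        /// Runs <c>toBeUnpacked</c> under the NonIntrusive debugger until the located original
        /// entry point (OEP), writes a dump named "&lt;target&gt;_dumped.exe" and has ARImpRec
        /// rebuild the dump's import table. Progress is reported through the form's log.
        /// </summary>
        /// <remarks>
        /// This executes the target's own code (<c>Continue()</c> runs it up to the
        /// breakpoint), so the input must be handled as untrusted and the method used only in
        /// an isolated analysis environment. The search signature is fixed and limited to one
        /// match; a wrong match gives a dump with a wrong entry point. Only 32-bit targets are
        /// covered, because all addresses are <c>uint</c> and the instruction pointer is read
        /// from <c>Context.Eip</c>.
        /// </remarks>
        /// <param name="myForm">Form that receives the progress log through <c>AddLog</c>.</param>
        public void Unpack(mainFrm myForm)
        {
            // Size of the unmanaged buffer ARImpRec writes its status text into.
            const int ErrorBufferSize = 1000;

            if (string.IsNullOrEmpty(toBeUnpacked))
            {
                myForm.AddLog("No target selected...");
                return;
            }

            NonIntrusive.NIStartupOptions opts = new NonIntrusive.NIStartupOptions();
            NonIntrusive.NIDebugger debugger = new NonIntrusive.NIDebugger();
            NonIntrusive.NIDumpOptions dumpOpts = new NonIntrusive.NIDumpOptions();
            NonIntrusive.NISearchOptions searchOpts = new NonIntrusive.NISearchOptions();

            List<uint> list;

            opts.executable = toBeUnpacked;
            opts.resumeOnCreate = false;

            // Remove the real extension rather than a fixed four characters, so paths without
            // a three-letter extension no longer produce a mangled name or an exception.
            string extension = System.IO.Path.GetExtension(toBeUnpacked);

            dumpOpts.ChangeEP = true;
            dumpOpts.OutputPath = toBeUnpacked.Substring(0, toBeUnpacked.Length - extension.Length) + "_dumped.exe";
            dumpOpts.PerformDumpFix = true;

            // x86 bytes: "75 08" is a short JNZ, "B8 01 00 00 00" is MOV EAX, 1.
            searchOpts.SearchString = "75 08 B8 01 00 00 00";
            searchOpts.SearchImage = true;
            searchOpts.MaxOccurs = 1;

            debugger.Execute(opts);

            // Single cleanup point: whatever happens below, the debuggee is detached and
            // terminated exactly once, also when a debugger call throws.
            try
            {
                debugger.SearchMemory(searchOpts, out list);
                if (list != null && list.Count > 0)
                {
                    myForm.AddLog("Setting BP#1: " + (list[0] - debugger.ProcessImageBase).ToString("X8"));
                    debugger.SetBreakpoint(list[0]).Continue().SingleStep(3);

                    // The OEP is stored as an offset from the image base.
                    uint newOEP = debugger.Context.Eip - debugger.ProcessImageBase;
                    dumpOpts.EntryPoint = newOEP;

                    debugger.DumpProcess(dumpOpts);
                    myForm.AddLog("OEP: " + newOEP.ToString("X8"));

                    uint iatStart = 0;
                    uint iatSize = 0;
                    IntPtr errorCode = Marshal.AllocHGlobal(ErrorBufferSize);

                    try
                    {
                        // The block from AllocHGlobal is uninitialised; zero it so the later
                        // PtrToStringAnsi stops inside the buffer if nothing was written.
                        Marshal.Copy(new byte[ErrorBufferSize], 0, errorCode, ErrorBufferSize);

                        // The literal 1 is passed through unchanged; its meaning is defined by
                        // ARImpRec - TODO confirm.
                        NonIntrusive.ARImpRec.SearchAndRebuildImports((uint)debugger.Process.Id, dumpOpts.OutputPath, newOEP + debugger.ProcessImageBase, 1, out iatStart, out iatSize, errorCode);

                        myForm.AddLog("IAT Start: " + iatStart.ToString("X8"));
                        myForm.AddLog("IAT Size: " + iatSize.ToString("X8"));
                        myForm.AddLog("ReturnCode: " + Marshal.PtrToStringAnsi(errorCode));

                        // NOTE(review): success is logged without inspecting the ReturnCode text.
                        myForm.AddLog("Now fully unpacked - enjoy!");
                    }
                    catch (Exception ex)
                    {
                        myForm.AddLog(ex.Message);
                    }
                    finally
                    {
                        // Freed on both paths; the original leaked it when the call threw.
                        Marshal.FreeHGlobal(errorCode);
                    }
                }
                else
                {
                    myForm.AddLog("Failed to find the OEP...");
                }
            }
            finally
            {
                debugger.Detach().Terminate();
            }
        }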
示例#4
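        /// <summary>
        /// Runs <paramref name="target"/> under the NonIntrusive debugger, breaks on the
        /// located jump and single-steps once to reach the original entry point (OEP), writes
        /// a dump named "&lt;target&gt;_dumped.exe" and has ARImpRec rebuild the dump's imports.
        /// Progress is written to the console and the OEP is also copied to the clipboard.
        /// </summary>
        /// <remarks>
        /// This executes the target's own code (<c>Continue()</c> runs it up to the
        /// breakpoint), so the input must be handled as untrusted and the method used only in
        /// an isolated analysis environment. The search signature is fixed and limited to one
        /// match; a wrong match gives a dump with a wrong entry point. Only 32-bit targets are
        /// covered, because all addresses are <c>uint</c> and the instruction pointer is read
        /// from <c>Context.Eip</c>.
        /// </remarks>
        /// <param name="target">Path of the packed executable to launch and dump.</param>
        /// <exception cref="ArgumentException"><paramref name="target"/> is null or empty.</exception>
        static void UnpackUPX(string target)
        {
            // Size of the unmanaged buffer ARImpRec writes its status text into.
            const int ErrorBufferSize = 1000;

            if (string.IsNullOrEmpty(target))
            {
                throw new ArgumentException("Target path must not be empty.", "target");
            }

            NonIntrusive.NIStartupOptions opts = new NonIntrusive.NIStartupOptions();
            NonIntrusive.NIDebugger debugger = new NonIntrusive.NIDebugger();
            NonIntrusive.NIDumpOptions dumpOpts = new NonIntrusive.NIDumpOptions();
            NonIntrusive.NISearchOptions searchOpts = new NonIntrusive.NISearchOptions();

            List<uint> list;

            opts.executable = target;
            opts.resumeOnCreate = false;

            // Remove the real extension rather than a fixed four characters, so paths without
            // a three-letter extension no longer produce a mangled name or an exception.
            string extension = System.IO.Path.GetExtension(target);

            dumpOpts.ChangeEP = true;
            dumpOpts.OutputPath = target.Substring(0, target.Length - extension.Length) + "_dumped.exe";
            dumpOpts.PerformDumpFix = true;

            // x86 bytes: E9 is JMP rel32, followed here by four zero bytes; the "??" tokens
            // presumably act as single-byte wildcards in NISearchOptions - TODO confirm.
            searchOpts.SearchString = "E9 ?? ?? ?? ?? 00 00 00 00";
            searchOpts.SearchImage = true;
            searchOpts.MaxOccurs = 1;

            debugger.Execute(opts);

            bool signatureFound;

            // Single cleanup point: the debuggee is detached and terminated exactly once on
            // every path. The original had no cleanup at all when the signature was missing,
            // which left the created process behind.
            try
            {
                debugger.SearchMemory(searchOpts, out list);
                signatureFound = list != null && list.Count > 0;

                if (!signatureFound)
                {
                    Console.WriteLine("Failed to find the OEP...");
                }
                else
                {
                    Console.WriteLine("Setting BreakPoint: " + (list[0] - debugger.ProcessImageBase).ToString("X8"));
                    debugger.SetBreakpoint(list[0]).Continue().SingleStep();

                    // The OEP is stored as an offset from the image base.
                    uint newOEP = debugger.Context.Eip - debugger.ProcessImageBase;
                    dumpOpts.EntryPoint = newOEP;

                    debugger.DumpProcess(dumpOpts);

                    // Clipboard access is best-effort: a failure is reported and the run goes on.
                    try
                    {
                        Clipboard.Clear();
                        Clipboard.SetText(newOEP.ToString("X8"));
                    }
                    catch
                    {
                        Console.WriteLine("Seems to have some problems clearing and setting the clipboard :(");
                    }

                    Console.WriteLine("OEP: " + newOEP.ToString("X8"));

                    Console.WriteLine("ProcessID: " + debugger.Process.Id.ToString("X8"));

                    uint iatStart = 0;
                    uint iatSize = 0;
                    IntPtr errorCode = Marshal.AllocHGlobal(ErrorBufferSize);

                    try
                    {
                        // The block from AllocHGlobal is uninitialised; zero it so the later
                        // PtrToStringAnsi stops inside the buffer if nothing was written.
                        Marshal.Copy(new byte[ErrorBufferSize], 0, errorCode, ErrorBufferSize);

                        // The literal 1 is passed through unchanged; its meaning is defined by
                        // ARImpRec - TODO confirm.
                        NonIntrusive.ARImpRec.SearchAndRebuildImportsIATOptimized((uint)debugger.Process.Id, dumpOpts.OutputPath, newOEP + debugger.ProcessImageBase, 1, out iatStart, out iatSize, errorCode);
                        Console.WriteLine("IAT Start: " + iatStart.ToString("X8"));
                        Console.WriteLine("IAT Size: " + iatSize.ToString("X8"));
                        Console.WriteLine("ReturnCode: " + Marshal.PtrToStringAnsi(errorCode));
                    }
                    catch (Exception ex)
                    {
                        Console.WriteLine(ex.Message);
                    }
                    finally
                    {
                        // Freed on both paths; the original leaked it when the call threw.
                        Marshal.FreeHGlobal(errorCode);
                    }
                }
            }
            finally
            {
                debugger.Detach().Terminate();
            }

            // As before, the prompt is shown only after the debuggee has been terminated.
            if (signatureFound)
            {
                Console.WriteLine("All done... Fix imports and press any key to exit!");
                Console.ReadKey();
            }
        }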