Unpacking - MoleBox.v2.6. (Extracting Embedded Files) - (ColdFeve

This document provides a 3-part tutorial for extracting embedded files from an executable packed with MoleBox. Part 1 discusses dumping and fixing the main executable file. Part 2 explains how to extract a missing DLL file ("QuickTime.ax") embedded within the MoleBox package. Part 3 rebuilds the extracted DLL file with the correct headers so that it can be found and used by the dumped executable. The full tutorial provides technical steps and screenshots to guide extracting embedded files from a MoleBox-packed executable.


Extracting embedded files from

within MoleBox Executables

By
ColdFever
AoRE team
Abstract:
Unpacking a single executable file packed with MoleBox is a fairly simple
job. However, unpacking one or more embedded files (dll or ocx) from a
MoleBox executable is a very nice challenge.

Tools of the trade:

1. Ollydbg
2. ImpRec
3. LordPE

Introduction:
“MoleBox is a runtime exe packer for Windows applications. It bundles the
executable together with the DLL and data files into a single EXE file,
without losing the ability to run the application,” as their site says.

From the picture you can see that you can add all sorts of files.

Part I:
Dumping and fixing the main file

I have used “AVI MPEG WMV RM to MP3 Converter” as the target for this
tutorial.
Since I have written a detailed tutorial on unpacking MoleBox, “MUP
MoleBox Pro 2.6.0.2375”, I will only walk through unpacking the main file
briefly. For more details, read my previous tutorial.
Load the program in Ollydbg. Press F8 once. Follow the address held in the ESP
register in the dump window and set a hardware breakpoint on access at that
address. Run the program (F9). You should break here

Press F7 twice and you are at the OEP. Write it down. Clear the hardware
breakpoint. Now, either run ImpRec and get the IAT RVA from it, or just find
any FF 25 (an indirect JMP through the IAT) and follow its address in the dump
window. Set a hardware breakpoint on write on any of those IAT addresses and
restart the program (Ctrl+F2).

Run the program (F9). Ignore the first break and run one more time. You
should be here

Go into the highlighted call by pressing “Enter”. The second jump is the
magic jump. Write down the address of this jump. Clear your hardware
breakpoint and set a hardware breakpoint on execution on this jump.
Restart the program (Ctrl+F2).

Run the program (F9). Change the JE to JMP and clear the hardware
breakpoint. Now, set a breakpoint on your OEP. (You did write it down,
didn’t you?)

Run the program (F9). You should stop at the OEP. Use Ollydbg’s dump plug-in to
dump the program. Run ImpRec, select the process, type in your OEP, and
click “IAT AutoSearch”. Then replace the RVA and the size with the
suggested ones; see the following picture for details
Once you have changed the RVA and the size, click on “Get Imports”. Click “Show
Invalid” and cut the invalid thunks. Then fix your dump.

Now you should have a working dump file, but it comes up with a fatal error ☹

Part II:
Extracting the missing dll

Load the dump file in Ollydbg. Run the program (F9). When the message
box comes up, pause the program in Ollydbg (F12). Then press Alt+F9 (execute
till user code) and click “OK” on the message box. The program will break here

Keep pressing F8 until you return from this call. You should be here
Now we know the program is looking for the “QuickTime.ax” filter. Since it is
not on my hard drive, it must be inside the MoleBox file.

Load the original program and enable “Break on new module” in Ollydbg’s debugging options (Events tab)

Keep pressing F9 until this message box shows up

Click “OK” and go to the memory map (Alt+M). Set a breakpoint on the “.text”
section of the “MBX@574@” module, as shown
Also place another breakpoint on the magic jump

Now uncheck “Break on new module” and run the program
(F9). You should break here

Press Ctrl+F9 to stop at the “RETN 0C”. Place another break point on the
“.text” section of “MBX@574@” and run the program (F9). You should
break here
Place a break point on the “RETN” and run the program (F9). When you
stop at the return, place another break point on the “.text” section of
“MBX@574@” and run the program (F9). You should break here

Remove the break point and change “JE” to “JMP” and run the program
(F9). You should break here

This is the OEP of this module. Write it down.

Run LordPE and select the process in the upper (process) list. In the lower
(module) list look for our module and dump it
Run ImpRec and select our process. Then click on “Pick DLL”.

In Ollydbg, follow the address of “kernel32.GetVersionExA” in the dump window

You should see this


Scroll up to get the start of the IAT table

Scroll down to get the end of the IAT table

So far we have:

OEP = 00D047C0 – 00D00000 = 000047C0
RVA = 00D0B000 – 00D00000 = 0000B000
Size = 00D0B11C – 00D0B000 = 11C

However, ImpRec sees the image base as 10000000. See the log window

So for the RVA you need to use 10000000 as the image base, and the
subtraction wraps around in 32 bits: RVA = 00D0B000 – 10000000 = F0D0B000

Place this information in ImpRec and click “Get Imports”


Very nice, no invalids

Now if you try to fix your dump you will get this message

Even after correcting the RVA to 0000B000 the same message appears; maybe
this is a limitation of ImpRec.

So to work around this, click “Save Tree” and open the saved file in
“Notepad”. We need to correct the addresses manually.
The addresses should look like this

Click on “Load Tree” and load the file to ImpRec. Now fix your dump file ☺

Open the fixed file with LordPE

Click on “Sections” and remove “_BOX_”

Close the section table and click on “Directories”


The relocation directory is pointing into the _BOX_ section. So go back to
the section table to get the correct relocation address and size

Scroll down from the beginning of the section until you see a lot of ‘00’s:
the relocation blocks end where the zero padding begins.
So the size is D32. Enter the correct information
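Added example, not code from the tutorial: the VA-to-RVA arithmetic from the ImpRec section (including the 32-bit wrap that yields F0D0B000) and the relocation-size check just described, done over a constructed IMAGE_BASE_RELOCATION chain instead of the real dump. The addresses are the ones quoted above; the sample relocation data is made up.

```python
import struct

# Addresses quoted in the tutorial: the embedded module was loaded at 00D00000,
# its OEP is 00D047C0 and its IAT spans 00D0B000..00D0B11C. ImpRec instead
# reads the image base 10000000 from the dumped header.
MODULE_BASE = 0x00D00000
IMPREC_BASE = 0x10000000

def rva(va, image_base):
    """VA -> RVA, wrapped to 32 bits the way ImpRec's subtraction is."""
    return (va - image_base) & 0xFFFFFFFF

def iat_size(first_slot_va, end_va):
    """The IAT size is the distance from the first slot to the end of the table."""
    return end_va - first_slot_va

def reloc_directory_size(blob):
    """Walk IMAGE_BASE_RELOCATION blocks (DWORD VirtualAddress, DWORD SizeOfBlock,
    then WORD entries) from the start of the relocation data. The chain ends
    where the 'lot of 00s' begins; the bytes consumed up to that point are the
    Size to enter in LordPE's directory table."""
    off = 0
    while off + 8 <= len(blob):
        page_rva, size = struct.unpack_from("<II", blob, off)
        if size < 8:            # zero padding (or a corrupt block): chain is over
            break
        off += size
    return off

def build_reloc_block(page_rva, offsets):
    """Constructed sample data: one block of HIGHLOW (type 3) fixups, padded to a DWORD."""
    entries = [(3 << 12) | o for o in offsets]
    if len(entries) % 2:
        entries.append(0)       # IMAGE_REL_BASED_ABSOLUTE padding entry
    header = struct.pack("<II", page_rva, 8 + 2 * len(entries))
    return header + b"".join(struct.pack("<H", e) for e in entries)

# Constructed stand-in for the relocation data found in the dumped section:
# two real blocks followed by the zero run you scroll down to in LordPE.
SAMPLE_RELOCS = (build_reloc_block(0x1000, [0x10, 0x24, 0x38])
                 + build_reloc_block(0x2000, [0x08])
                 + b"\x00" * 64)

if __name__ == "__main__":
    print("OEP RVA  = %08X" % rva(0x00D047C0, MODULE_BASE))
    print("IAT RVA  = %08X (ImpRec sees %08X)" % (rva(0x00D0B000, MODULE_BASE),
                                                  rva(0x00D0B000, IMPREC_BASE)))
    print("IAT size = %X" % iat_size(0x00D0B000, 0x00D0B11C))
    print("reloc directory size = %X" % reloc_directory_size(SAMPLE_RELOCS))
```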

Do not forget to save. Close the directory table and change the image base

Again, do not forget to save. Click “OK” to close the file. Then click on
“Rebuild PE” to rebuild our file
After all this, we need to rename the file to “QuickTime.ax” so that
our main dump file can find it

Now, run “dump_.exe”

Over ‘n’ Out


ColdFever

Greetings:
To all my friends in the AoRE Forum
Tuts4you, ARteam, Snd, CORE, TSRh, and all the cracking groups
To you for taking the time to read this ☺
