May 22, 200718 yr It not Packer It is bad clone Daemon Crypt 100ххххх E8 AE000000 CALL <JMP.&kernel32.WriteProcessMemory> 100ххххх 8B47 34 MOV EAX,DWORD PTR DS:[EDI+34] 100ххххх 0347 28 ADD EAX,DWORD PTR DS:[EDI+28] ; <----OEP <--Dump it 100ххххх A3 04310010 MOV DWORD PTR DS:[10003104],EAX
May 22, 200718 yr Everytime I dump it, the code section seems destroyed :/ Is there some sort of CRC of the file that decrypts the code section ? Ive found OEP and dumped after SetThreadContext, but yeh, the code section is crap
May 22, 200718 yr @KillboyIn LordPe dump Partial & Rebuild Pe : options Validate Pe, Status Window ^)
May 23, 200718 yr Hy!I have unpackt it after a hard work!http://files.to/get/458925/10043/unpackt.rargreetz
May 23, 200718 yr unpacked it successful greetz http://ultrashare.net/hosting/fl/9815c00c40 Thats the ASCrypt one?
May 24, 200718 yr Small script var p var p1 var sz var rgn mov p1,eip mov p,eip add p,60 mov [p],#EB# add p,8E bp p run bc p mov sz,eax sto mov rgn,eax add p1,3F9 bp p1 run bc p1 dm rgn, sz, "D:\CrackTools\Protector\PPP\PPP\dump.exe" // edit fo you Msg "File Unpacked!" ret
May 24, 200718 yr unpacked it successful greetz http://ultrashare.net/hosting/fl/9815c00c40 Thats the ASCrypt one? its the file that was on the link
June 20, 200718 yr Everytime I dump it, the code section seems destroyed :/Is there some sort of CRC of the file that decrypts the code section ? Ive found OEP and dumped after SetThreadContext, but yeh, the code section is crap dump after ResumeThread ,and after you patch the new process. when you dump, dump with LoadPE (dump Full) and make sure you remove the option in LordPE dump full: paste header from disk then fix the patched dump and you'll have a working file, you can use the same method used in unpacking Open Source Code Crypter 1.0 the tutorial here azmo
Create an account or sign in to comment