Tuts 4 You

[unpackme] Private Personal Packer 1.0.2...


Teddy Rogers

It's not a packer :) It is a bad clone of Daemon Crypt

100xxxxx E8 AE000000   CALL <JMP.&kernel32.WriteProcessMemory>
100xxxxx 8B47 34       MOV EAX,DWORD PTR DS:[EDI+34]
100xxxxx 0347 28       ADD EAX,DWORD PTR DS:[EDI+28]    ; <----OEP <--Dump it
100xxxxx A3 04310010   MOV DWORD PTR DS:[10003104],EAX

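The two instructions marked as the OEP above are just PE header arithmetic: with EDI pointing at IMAGE_NT_HEADERS of the embedded image, [EDI+34] is OptionalHeader.ImageBase and [EDI+28] is OptionalHeader.AddressOfEntryPoint, so their sum is the entry point of the program that gets written into the new process. The following Python script is an added example, not code from the thread or from the packer; it reproduces that computation on a constructed PE32 header so you can check the value you read in the debugger against the headers in your dump.

```python
import struct

def build_demo_headers(image_base: int, entry_rva: int) -> bytes:
    """Constructed PE32 header bytes for this demo (not the unpackme's data):
    a DOS header with e_lfanew = 0x40 followed by IMAGE_NT_HEADERS."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew
    # IMAGE_FILE_HEADER: i386, 1 section, SizeOfOptionalHeader = 0xE0
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0x00, 0x10B)         # PE32 magic
    struct.pack_into("<I", opt, 0x10, entry_rva)     # AddressOfEntryPoint
    struct.pack_into("<I", opt, 0x1C, image_base)    # ImageBase
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt)

def nt_headers_offset(image: bytes) -> int:
    """Locate IMAGE_NT_HEADERS via e_lfanew, checking both signatures."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    nt = struct.unpack_from("<I", image, 0x3C)[0]
    if image[nt:nt + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return nt

def oep_from_headers(image: bytes) -> int:
    """Same arithmetic as the stub: with EDI -> IMAGE_NT_HEADERS,
    [EDI+0x34] is OptionalHeader.ImageBase and [EDI+0x28] is
    OptionalHeader.AddressOfEntryPoint (PE32 offsets); the sum is the OEP."""
    nt = nt_headers_offset(image)
    # PE32+ has a 64-bit ImageBase at a different offset, so refuse it here.
    if struct.unpack_from("<H", image, nt + 0x18)[0] != 0x10B:
        raise ValueError("not a PE32 image")
    image_base = struct.unpack_from("<I", image, nt + 0x34)[0]
    entry_rva = struct.unpack_from("<I", image, nt + 0x28)[0]
    return image_base + entry_rva

if __name__ == "__main__":
    hdr = build_demo_headers(0x00400000, 0x1000)
    print(hex(oep_from_headers(hdr)))   # 0x401000
```

To use it on a real dump, pass the bytes of the decrypted image (the region the stub hands to WriteProcessMemory) instead of the constructed header.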

Every time I dump it, the code section seems destroyed :/

Is there some sort of CRC of the file that decrypts the code section?

I've found the OEP and dumped after SetThreadContext, but yeh, the code section is crap :o


Small script :)

// ODbgScript; start it with EIP at the stub's entry point
var p
var p1
var sz
var rgn
mov p1,eip
mov p,eip
add p,60
mov [p],#EB#            // patch the byte at EP+60 to a short JMP
add p,8E
bp p                    // break at EP+EE
run
bc p
mov sz,eax              // size of the region to dump
sto
mov rgn,eax             // start of the region to dump
add p1,3F9
bp p1                   // break at EP+3F9
run
bc p1
dm rgn, sz, "D:\CrackTools\Protector\PPP\PPP\dump.exe" // edit for you
Msg "File Unpacked!"
ret

Dump after ResumeThread, and after you patch the new process. When you dump, dump with LordPE (dump full) and make sure

you remove the option in LordPE:

dump full: paste header from disk

Then fix the patched dump and you'll have a working file; you can use the same method used in unpacking Open Source Code Crypter 1.0 in the tutorial here.

azmo
