Very easy fishme:

http://downtown.vc/index.php?page=main&id=89092038&name=FishMe.v.1.exe.rar

Edited March 16, 200817 yr by Teddy Rogers
Corrected topic title...

This file shows up as a trojan backdoor.

This file shows up as a trojan backdoor.

Upack is evil

Not sure if it is needed (or correct)

CD407CDC <-- OEP??

greetz

Edited March 17, 200817 yr by BlacKaT

004502F7 <<<<<< Serial

00455424 > 55 PUSH EBP ; OEP!

Edited March 17, 200817 yr by dustyh1981

ok, see this is why i normally don't use tools (quick unpack)

my post ladies and gentleman is why you should always mup.

Edited March 17, 200817 yr by BlacKaT

WinUpack is pretty easy.

Step with F7... after 2 EAX = OEP, set HWBP there, and run twice or so. 2nd time it breaks it is unpacked.

You can find the import redirection by HWBP first byte in IAT, you will have to break several times until you see it writes the redirected import to the JMP table. Then there is JE after comparing EAX to see if the import is by ordinal. Trace into the call after and that is the import redirection routine, which you can patch easy, there is a JE you patch to JMP.

Some of the imports can be emulated a bit like old asprotect... so you just need to use some brains to figure these... typical is GetProcAddress.

Lord 0.o I do think i have been noob'd.

Edited March 17, 200817 yr by BlacKaT