Guest MiStEr_X, Posted July 10, 2007 (edited)

Very easy fishme: http://downtown.vc/index.php?page=main&id=89092038&name=FishMe.v.1.exe.rar

Edited March 16, 2008 by Teddy Rogers: Corrected topic title...

BlacKaT, Posted March 17, 2008 (edited)

This file shows up as a trojan backdoor. Upack is evil.

Not sure if it is needed (or correct):

CD407CDC <-- OEP??

greetz

Edited March 17, 2008 by BlacKaT

DrPepUr, Posted March 17, 2008 (edited)

004502F7 <<<<<< Serial
00455424 > 55 PUSH EBP ; OEP!

Edited March 17, 2008 by dustyh1981

BlacKaT, Posted March 17, 2008 (edited)

OK, see, this is why I normally don't use tools (quick unpack). My post, ladies and gentlemen, is why you should always mup.

Edited March 17, 2008 by BlacKaT

Fungus, Posted March 17, 2008

WinUpack is pretty easy. Step with F7... after 2 EAX = OEP, set HWBP there, and run twice or so. 2nd time it breaks it is unpacked.

You can find the import redirection by HWBP on the first byte in the IAT; you will have to break several times until you see it write the redirected import to the JMP table. Then there is a JE after comparing EAX to see if the import is by ordinal. Trace into the call after it and that is the import redirection routine, which you can patch easily: there is a JE you patch to JMP.

Some of the imports can be emulated a bit like old asprotect... so you just need to use some brains to figure these out... typical is GetProcAddress.

BlacKaT, Posted March 17, 2008 (edited)

Lord 0.o I do think I have been noob'd.

Edited March 17, 2008 by BlacKaT