Posted July 10, 2007

Very easy fishme: http://downtown.vc/index.php?page=main&id=89092038&name=FishMe.v.1.exe.rar

Edited March 16, 2008 by Teddy Rogers: Corrected topic title...
March 17, 2008

This file shows up as a trojan backdoor. Upack is evil. Not sure if it is needed (or correct): CD407CDC <-- OEP?? greetz

Edited March 17, 2008 by BlacKaT
March 17, 2008

004502F7 <<<<<< Serial
00455424 > 55 PUSH EBP ; OEP!

Edited March 17, 2008 by dustyh1981
March 17, 2008

OK, see, this is why I normally don't use tools (Quick Unpack). My post, ladies and gentlemen, is why you should always mup.

Edited March 17, 2008 by BlacKaT
March 17, 2008

WinUpack is pretty easy. Step with F7... after 2, EAX = OEP; set a HWBP there and run twice or so. The 2nd time it breaks it is unpacked. You can find the import redirection by a HWBP on the first byte in the IAT; you will have to break several times until you see it write the redirected import to the JMP table. Then there is a JE after comparing EAX to see if the import is by ordinal. Trace into the call after that and that is the import redirection routine, which you can patch easily: there is a JE you patch to JMP. Some of the imports can be emulated a bit like old ASProtect... so you just need to use some brains to figure these out... typical is GetProcAddress.
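The posts above locate the OEP in the debugger. As an added example (not code from any poster in this thread), the Python script below parses a PE32 header and reports which section the entry point lands in and whether that section is both writable and executable, the quick triage check one makes on a packed file and again on a dump after the OEP has been fixed. The two sample images, their section names and all addresses are constructed for the demo and do not reproduce Upack's real layout.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

def parse_pe32(data):
    """Return (AddressOfEntryPoint, section list) from a PE32 image's headers."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24                      # optional header follows the 20-byte COFF header
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    sections, off = [], opt + opt_size       # section table follows the optional header
    for _ in range(nsec):
        name, vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), va, vsize, rptr, rsize, chars))
        off += 40
    return entry_rva, sections

def entry_point_report(data):
    """Locate the entry point's section and flag a writable+executable one (typical of a packer stub)."""
    entry_rva, sections = parse_pe32(data)
    for name, va, vsize, rptr, rsize, chars in sections:
        if va <= entry_rva < va + max(vsize, rsize):
            wx = bool(chars & IMAGE_SCN_MEM_WRITE) and bool(chars & IMAGE_SCN_MEM_EXECUTE)
            return {"entry_rva": entry_rva, "section": name,
                    "file_offset": entry_rva - va + rptr, "writable_exec": wx}
    return {"entry_rva": entry_rva, "section": None, "file_offset": None, "writable_exec": False}

def build_sample(entry_rva, sections):
    """Constructed PE32 header-only image for the demo (no code bytes, not a real packer layout)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)        # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)                   # AddressOfEntryPoint
    table = b"".join(struct.pack("<8sIIII", n, vs, va, rs, rp) + b"\0" * 12 + struct.pack("<I", c)
                     for n, va, vs, rp, rs, c in sections)
    return dos + b"PE\0\0" + coff + bytes(opt) + table

# Constructed samples: entry point inside a writable+executable stub section, then fixed back into .text.
LAYOUT = [(b".text", 0x1000, 0x2000, 0x400, 0x2000, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE),
          (b".stub", 0x3000, 0x800, 0x2400, 0x800, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE)]
PACKED = build_sample(0x3010, LAYOUT)
FIXED = build_sample(0x1200, LAYOUT)
```

Running `entry_point_report(open(path, "rb").read())` on a real dump tells you at a glance whether the patched entry point has landed back in the code section.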