Guest MiStEr_X, Posted July 10, 2007 (edited)
Very easy fishme: http://downtown.vc/index.php?page=main&id=89092038&name=FishMe.v.1.exe.rar
Edited March 16, 2008 by Teddy Rogers: Corrected topic title...

Labyrnth, Posted March 16, 2008
This file shows up as a trojan backdoor.

BlacKaT, Posted March 17, 2008 (edited)
This file shows up as a trojan backdoor.
Upack is evil
Not sure if it is needed (or correct)
CD407CDC <-- OEP??
greetz
Edited March 17, 2008 by BlacKaT

DrPepUr, Posted March 17, 2008 (edited)
004502F7 <<<<<< Serial
00455424 > 55 PUSH EBP ; OEP!
Edited March 17, 2008 by dustyh1981

BlacKaT, Posted March 17, 2008 (edited)
Ok, see, this is why I normally don't use tools (quick unpack). My post, ladies and gentlemen, is why you should always mup.
Edited March 17, 2008 by BlacKaT

Fungus, Posted March 17, 2008
WinUpack is pretty easy.
Step with F7... after 2 EAX = OEP, set HWBP there, and run twice or so. 2nd time it breaks it is unpacked.
You can find the import redirection by HWBP first byte in IAT, you will have to break several times until you see it writes the redirected import to the JMP table. Then there is JE after comparing EAX to see if the import is by ordinal. Trace into the call after and that is the import redirection routine, which you can patch easy, there is a JE you patch to JMP.
Some of the imports can be emulated a bit like old asprotect... so you just need to use some brains to figure these... typical is GetProcAddress.

BlacKaT, Posted March 17, 2008 (edited)
Lord 0.o I do think I have been noob'd.
Edited March 17, 2008 by BlacKaT