Tuts 4 You

[fishme] Very Easy Fishme V.1 For N00bs :)

Guest MiStEr_X


Very easy fishme:

Edited by Teddy Rogers
Corrected topic title...
This file shows up as a trojan backdoor.

Upack is evil ;)

Not sure if it is needed (or correct)

CD407CDC <-- OEP??


Edited by BlacKaT

OK, see, this is why I normally don't use tools ;) (quick unpack)

My post, ladies and gentlemen, is why you should always mup. ;)

Edited by BlacKaT

WinUpack is pretty easy.

Step with F7... after 2, EAX = OEP; set a HWBP there and run twice or so. The 2nd time it breaks, it is unpacked.

You can find the import redirection by setting a HWBP on the first byte in the IAT; you will have to break several times until you see it write the redirected import to the JMP table. Then there is a JE after comparing EAX to see if the import is by ordinal. Trace into the call after that, and that is the import redirection routine, which you can patch easily; there is a JE you patch to JMP.

Some of the imports can be emulated a bit like old ASProtect... so you just need to use some brains to figure these out... typical is GetProcAddress.

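The two checks the post above describes, the "is this import by ordinal?" compare-and-JE and the search for IAT slots that were redirected into the packer's JMP table, modelled in Python as an added example that is not part of the thread or of any unpacking tool. It is a model of the import-resolution logic, not something run inside the debugger; the import lookup table, hint/name table, export addresses, DLL range and the "dumped" IAT are all constructed for illustration.

```python
"""Model of a packer's import-resolution step for a 32-bit PE.

Each 32-bit thunk in the Import Lookup Table (ILT) is either an ordinal
(bit 31 set, ordinal in the low 16 bits) or an RVA to a hint/name entry
(2-byte hint followed by a NUL-terminated ASCII name).  That bit-31 test is
the 'compare EAX then JE' the post refers to.  All data below is constructed.
"""
import struct

IMAGE_ORDINAL_FLAG32 = 0x80000000  # PE/COFF: bit 31 set => import by ordinal

# --- constructed sample data --------------------------------------------------
# Hint/name table as it would sit in .idata: 2-byte hint + NUL-terminated name.
NAME_TABLE_RVA = 0x3000
NAME_TABLE = (
    struct.pack("<H", 0x0123) + b"GetProcAddress\0"   # entry at RVA 0x3000
    + struct.pack("<H", 0x0250) + b"LoadLibraryA\0"   # entry at RVA 0x3011
)

# Import lookup table: three thunks terminated by a zero entry.
ILT = struct.pack(
    "<4I",
    0x3000,                          # by name    -> GetProcAddress
    0x3011,                          # by name    -> LoadLibraryA
    IMAGE_ORDINAL_FLAG32 | 0x0010,   # by ordinal -> ordinal 16
    0,
)

# Export table of a hypothetical kernel32-like DLL (addresses are made up).
DLL_BASE, DLL_SIZE = 0x7C800000, 0x00100000
EXPORTS_BY_NAME = {b"GetProcAddress": 0x7C80AE40, b"LoadLibraryA": 0x7C801D7B}
EXPORTS_BY_ORDINAL = {16: 0x7C80B0C0}


def parse_thunk(thunk, name_table, name_table_rva):
    """Classify one thunk as ('ordinal', n) or ('name', bytes)."""
    if thunk & IMAGE_ORDINAL_FLAG32:          # the JE the post mentions
        return ("ordinal", thunk & 0xFFFF)
    off = thunk - name_table_rva
    if not 0 <= off < len(name_table) - 2:
        raise ValueError(f"thunk {thunk:#x} points outside the hint/name table")
    end = name_table.index(b"\0", off + 2)    # skip the 2-byte hint
    return ("name", name_table[off + 2:end])


def resolve_ilt(ilt, name_table, name_table_rva):
    """Walk the ILT and resolve every thunk to an export address, as
    GetProcAddress would.  Returns a list of (kind, identifier, address)."""
    resolved = []
    for (thunk,) in struct.iter_unpack("<I", ilt):
        if thunk == 0:                        # zero thunk terminates the table
            break
        kind, ident = parse_thunk(thunk, name_table, name_table_rva)
        table = EXPORTS_BY_ORDINAL if kind == "ordinal" else EXPORTS_BY_NAME
        resolved.append((kind, ident, table[ident]))
    return resolved


def find_redirected(iat, module_ranges):
    """Return (slot, address) for IAT entries that lie in no known DLL range.
    Those slots were redirected into the packer's own JMP table and must be
    pointed back at the real export before the dump is usable."""
    return [
        (slot, addr)
        for slot, addr in enumerate(iat)
        if not any(base <= addr < base + size for base, size in module_ranges)
    ]


if __name__ == "__main__":
    clean = resolve_ilt(ILT, NAME_TABLE, NAME_TABLE_RVA)
    for kind, ident, addr in clean:
        print(f"{kind:7} {ident!s:20} -> {addr:#010x}")
    # Constructed 'dumped' IAT: slot 0 was redirected into the packed image.
    dumped = [0x00401F20] + [addr for _, _, addr in clean[1:]]
    print("redirected slots:", find_redirected(dumped, [(DLL_BASE, DLL_SIZE)]))
```

The last step is the one the debugger work leads to: once the redirection routine's JE is patched to JMP, every slot lands inside a real module and `find_redirected` reports nothing; any slot it still flags is one of the emulated imports the post says need manual attention.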
