Ufo-Pu55y Posted September 23, 2007
Here's a challenge for all unpackers out there: a small sheep-demo in a wolf's clothing. Share your approach if you succeed in unpacking it.
Attachment: SnD_UnpackMaDemo_1.rar
Thx to Ted
Busted Posted September 23, 2007
Have to give this one a crack.
Agony Posted September 24, 2007 (edited)
This is kinda annoying to trace, garr. OK, this is what I got: the unpackme uses CreateProcessA to loop back to the beginning if it detects any type of debugger use; I believe it also forces one to kill loaders and such. So I guess you have to patch to bypass going to CreateProcessA. Here is the annoying part: tracing the freakin' code. I'm done for now, don't like to do much on Sunday, maybe another look during the week.
Quick note: if you just do a basic dump with PE Tools, sections show up, so you can get a little more info about unpacking it.
Edited September 24, 2007 by CHuRcH
Killboy Posted September 25, 2007
Win32:Agent-EXT [Trj]
Ufo-Pu55y (Author) Posted September 25, 2007
PS: Go get an AV with bigger nuts.. :>
Loki Posted September 25, 2007
> PS: Go get an AV with bigger nuts.. :>
Lol (I actually did). Amazingly, McAfee didn't complain about this one! They obviously need to update their patented ****-People-Off-By-Detecting-Everything-As-Dangerous heuristics algorithm.
syk071c Posted September 25, 2007
McAfee have now created a generic string 'MZ': if this is located in the executable file as the first two bytes, it's probably malware. Other search strings include 0B0h, 01h. McAfee's theory: if it is compressed, it is probably infected.
-kNiGhT- Posted October 7, 2007
After a long time I had success! It was really difficult, I have given up three times, but now I had success! Here is the unpacked file:
http://www.file-upload.net/download-437450/SnD_UnpackMaDemo_1-unpackt.rar.html
kNiGhT
Ufo-Pu55y (Author) Posted October 7, 2007
> After a long time I had success!
Um.. very nice! Any chance for some lines on how you went?
Greets
Ox87k Posted October 7, 2007
Yeah, maybe a little tutorial? Good job -kNiGhT-!
What Posted October 9, 2007 (edited)
Here are some hints: I think it has 4 open processes till it runs through. Also, during debugging I noticed a string saying Vasm_Protector_**_**_2005. LOL. I think that's a pretty big hint. It has alternating CreateThreads: one process goes, then waits for the other process.
Edited October 9, 2007 by What
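Agony's and What's posts above describe the protector relaunching itself with CreateProcessA when it sees a debugger, so that several copies of the same image end up chained parent-to-child. The following is an added example, not code from the thread or from the unpackme, showing how a defender could flag that self-respawn pattern in process-creation telemetry; the event layout, image paths and PIDs are constructed for illustration.

```python
"""Flag chains of same-image processes (self-respawn) in process-creation events."""
from collections import defaultdict

# Constructed sample events: (pid, parent_pid, image_path). Values are made up.
SAMPLE_EVENTS = [
    (400, 1, r"C:\Windows\explorer.exe"),
    (1200, 400, r"C:\tools\debugger.exe"),
    (1300, 1200, r"C:\unpackme\unpackme.exe"),   # launched under the debugger
    (1304, 1300, r"C:\unpackme\unpackme.exe"),   # relaunches itself ...
    (1310, 1304, r"C:\unpackme\unpackme.exe"),   # ... and again ...
    (1316, 1310, r"C:\unpackme\unpackme.exe"),   # ... four copies in total
    (1400, 400, r"C:\Windows\notepad.exe"),
    (1404, 1400, r"C:\Windows\notepad.exe"),     # two deep: below threshold
]


def self_respawn_chains(events, min_depth=3):
    """Return [(image_path, [pids])] for every parent->child chain whose members
    all share one image path and which has at least min_depth processes."""
    image = {pid: img for pid, _, img in events}
    parent = {pid: ppid for pid, ppid, _ in events}
    children = defaultdict(list)
    for pid, ppid, _ in events:
        children[ppid].append(pid)

    def is_chain_root(pid):
        # A root is a process whose parent does not share its image (or is unknown).
        return image.get(parent[pid]) != image[pid]

    chains = []
    for pid in image:
        if not is_chain_root(pid):
            continue
        chain, cur = [pid], pid
        while True:
            # Follow the first same-image child; sibling branches are not merged.
            same = [c for c in children[cur] if image[c] == image[cur]]
            if not same:
                break
            cur = same[0]
            chain.append(cur)
        if len(chain) >= min_depth:
            chains.append((image[pid], chain))
    return chains


if __name__ == "__main__":
    for img, pids in self_respawn_chains(SAMPLE_EVENTS):
        print(f"self-respawn chain of {len(pids)} processes for {img}: {pids}")
```

Lowering min_depth widens the net but will also catch ordinary parent-child pairs such as the notepad example, so the threshold should be tuned against normal telemetry.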