Tuts 4 You

[unpackme] [mine Noname Packer]



Posted (edited)

Packed by [Mine noname packer] Build Today, 02:13:02 GMT +2.

Packed file: Resource Hacker (if I weren't so lazy, I would make a program which only shows a MSG Box).

ResHacker.rar

P.S. I would like to hear ideas on how to make it more powerful.

P.P.S. On VirusTotal, 6 of 32 AVs say that it is something bad.

http://www.virustotal.com/resultado.html?6...712aab04844f987

Edited by 4e4en
Posted

Dunno if it's just my crappy PC or me, or whether it's actually intended to be like this, but I haven't been able to dump it properly.

Dumping with OllyDump makes it crash when you open the About window; LordPE + ImpRec doesn't work either, it crashes at startup.

If I'm not mistaken, it has something to do with the resources or something, not really sure though...

Very embarrassing indeed, didn't take a deeper look into it, might do it later this evening...

Finding the OEP is pretty easy, you should consider using no exceptions, at least not if it's the only one. Finding the only INT3 is a lot easier than finding the last INT3 of hundreds; however, if you use some sort of jmp eax or push eax + retn it'll be less easy to find the OEP.

Some decent antidebug in there, but nothing serious, works flawlessly in an Olly with basic antidebug measures...

Posted (edited)

But no resources is nice, isn't it so? :D

Now I am rewriting some parts of it, now I am implementing self-modifying code :) (like rewriting some parts of it with int 3 :) ).

Now I am learning ASM, and I have an idea to write a self-decrypting decryptor (ok, something like that :P ) :)

Edited by 4e4en
Posted (edited)

Which OS? Did you try to run it without debuggers? What AV/FW do you have?

Tested & Working on Legal WinXP + SP2 + All Updates

Edited by 4e4en
Posted

Works fine on English XP SP1 too. Don't know what you mean by "But no resources is nice, isn't it so?"


Posted

Then I have no idea why it wouldn't work on your system.

Posted

Can you provide a working unpacked variant of this file?

Posted

Oh, you have unpacked this successfully :(

Posted

Script unpacks without ImpRec

Olly + Fantom

----------

// ODbgScript for this unpackme build; all addresses are specific to the posted ResHacker sample.
var pnd
var oep
var iat_st
var iat_cp
var iat_al
var sz
var end_cp
var i_st
var ith
var imbase
var itwr
var iat_end

mov oep,4aba30          // original entry point
mov imbase,400000       // image base
mov i_st,4af00c         // first entry of the import descriptor table (0x14 bytes per entry)
mov iat_al,330004       // packer's string table of 0-terminated DLL and API names
mov iat_end,4af188      // end of the import descriptor table
mov pnd,4dd3eb          // address reached after the packer has resolved the imports

bphws pnd,"x"           // hardware breakpoint on execution, run until the packer gets there
erun
bphwc pnd

mov [iat_al],00
add iat_al,4

loopdl:                 // one pass per DLL
cmp i_st,iat_end
ja fin
mov ith,[i_st+4]        // thunk list of this descriptor (RVA, so add the image base)
add ith,400000
mov iat_cp,[i_st]       // destination for the DLL name
add iat_cp,400000
cmp end_cp,331A95
ja fin
find iat_al,#00#        // locate the terminator of the next name in the string table
mov end_cp,$RESULT
sub end_cp,iat_al       // end_cp = length of the name
MEMCPY iat_cp,iat_al,end_cp   // copy the DLL name into place
add iat_al,end_cp+1     // skip name plus its 0 terminator
add i_st,14             // next import descriptor

loopfn:                 // one pass per imported function of the current DLL
cmp [ith],0
je nexdll
mov iat_cp,[ith]
add iat_cp,400002       // +2 skips the hint word of IMAGE_IMPORT_BY_NAME
find iat_al,#00#
mov end_cp,$RESULT
sub end_cp,iat_al
MEMCPY iat_cp,iat_al,end_cp   // copy the API name into place
add iat_al,end_cp+1
add ith,4               // next thunk
cmp end_cp,331Aa1
ja fin
jmp loopfn

fin:
mov eip,oep
mov [400180],AF000      // fix header values before the dump
mov [400188],BE000
mov [40018c],83800
dpe "unpacked.exe",eip  // dump the process with EIP (the OEP) as entry point
msg "File Unpacked Try run :) "
ret

nexdll:
add iat_al,8            // skip the separator between DLL blocks in the string table
jmp loopdl
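Once a script like the one above has written the DLL and API names back, the rebuilt import directory of the dump can be checked without ImpRec by walking it the same way the loader does (0x14-byte descriptors, 0-terminated names behind a 2-byte hint). This is an added Python example, not the script author's code or anything from the thread; it assumes a raw memory dump where RVA equals file offset and uses a constructed two-DLL image in place of ResHacker's real table.

```python
import struct

IMPORT_DESCRIPTOR_SIZE = 0x14  # sizeof(IMAGE_IMPORT_DESCRIPTOR); the script steps i_st by 0x14 for the same reason
IMAGE_ORDINAL_FLAG32 = 0x80000000

def read_cstring(image, off, limit=256):
    """NUL-terminated ASCII at off; the limit stops a bad pointer from reading far into the dump."""
    end = image.find(b"\x00", off, off + limit)
    if end < 0:
        raise ValueError(f"unterminated string at 0x{off:x}")
    return image[off:end].decode("ascii")

def walk_imports(image, import_dir_rva, rva_to_off=lambda rva: rva):
    """Return [(dll, [api names])] from an unpacked image's import directory.
    Assumes a raw dump with RVA == offset; pass rva_to_off to go through the section table."""
    result, off = [], rva_to_off(import_dir_rva)
    while True:
        oft, _stamp, _fwd, name_rva, ft = struct.unpack_from("<5I", image, off)
        if name_rva == 0 and ft == 0:      # all-zero descriptor terminates the array
            break
        dll = read_cstring(image, rva_to_off(name_rva))
        thunk, names = rva_to_off(oft or ft), []   # unbound OriginalFirstThunk if present, else FirstThunk
        while True:
            entry = struct.unpack_from("<I", image, thunk)[0]
            if entry == 0:
                break
            if entry & IMAGE_ORDINAL_FLAG32:
                names.append(f"#{entry & 0xFFFF}")   # import by ordinal
            else:   # IMAGE_IMPORT_BY_NAME: 2-byte hint, then the name
                names.append(read_cstring(image, rva_to_off(entry) + 2))
            thunk += 4
        result.append((dll, names))
        off += IMPORT_DESCRIPTOR_SIZE
    return result

def build_sample_dump():
    """Constructed 0x200-byte stand-in for a dump, import directory at RVA 0x100 (not the real ResHacker table)."""
    img = bytearray(0x200)
    struct.pack_into("<5I", img, 0x100, 0x140, 0, 0, 0x180, 0x160)  # KERNEL32: OFT, stamp, fwd, name, FT
    struct.pack_into("<5I", img, 0x114, 0, 0, 0, 0x1C0, 0x1D0)      # USER32: FirstThunk only
    struct.pack_into("<3I", img, 0x140, 0x190, 0x1A0, 0)
    struct.pack_into("<3I", img, 0x160, 0x190, 0x1A0, 0)
    struct.pack_into("<2I", img, 0x1D0, 0x1F0, 0)
    img[0x180:0x18D] = b"KERNEL32.dll\0"
    img[0x190:0x19E] = b"\0\0ExitProcess\0"
    img[0x1A0:0x1B3] = b"\0\0GetModuleHandleA\0"
    img[0x1C0:0x1CB] = b"USER32.dll\0"
    img[0x1F0:0x1FE] = b"\0\0MessageBoxA\0"
    return bytes(img)
```

An empty name list or a ValueError from read_cstring on the real dump points at a descriptor the script did not fill, which is the case ImpRec would otherwise flag as an invalid thunk.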

Posted

Smart arse ;) nah, I was just too lazy. Out of curiosity, what was preventing it from running on your OS before?

Posted

On my system it does not start, and I have not understood why! It started on pure XP SP1.

Posted

It didn't start, or it crashed?
