Tuts 4 You

[unpackme] [mine Noname Packer]


4e4en

Packed by [Mine noname packer], build today, 02:13:02 GMT +2.

Packed file: Resource Hacker (if I weren't so lazy, I would make a program which shows only a message box).

ResHacker.rar

P.S. I would like to hear ideas on how to make it more powerful.

P.P.S. On VirusTotal, 6 of 32 AVs say that it is something bad.

http://www.virustotal.com/resultado.html?6...712aab04844f987

Edited by 4e4en

Dunno if it's just my crappy PC, or me, or actually intended to be like this, but I haven't been able to dump it properly.

Dumping with OllyDump makes it crash when you open the About window; LordPE + ImpREC doesn't work either, it crashes at startup.

If I'm not mistaken, it has something to do with the resources or something, not really sure though...

Very embarrassing indeed, didn't take a deeper look into it, might do it later this evening...

Finding the OEP is pretty easy; you should consider using no exceptions, at least not if it's the only one. Finding the only INT3 is a lot easier than finding the last INT3 of hundreds; however, if you use some sort of jmp eax or push eax + retn it'll be less easy to find the OEP.

Some decent anti-debug in there, but nothing serious; works flawlessly in an Olly with basic anti-debug measures...


But no resources is nice, isn't it? :D

Now I am rewriting some parts of it; now I am implementing self-modifying code :) (like rewriting some parts of it with int 3 :) ).

Now I am learning ASM, and I have an idea to write a self-decrypting decryptor (ok, something like that :P) :)

Edited by 4e4en

Which OS? Did you try to run it without debuggers? What AV/FW do you have?

Tested & working on a legal WinXP + SP2 + all updates.

Edited by 4e4en

Unpack script, no ImpREC.

Olly + PhantOm

----------

// ODbgScript: restores the import names the packer wiped, then dumps at the OEP.
var pnd        // address to break on before the imports are needed
var oep
var iat_st     // unused
var iat_cp     // destination of the name currently being restored
var iat_al     // cursor into the packer's string pool
var sz         // unused
var end_cp     // length of the current name
var i_st       // current entry of the packer's import table (0x14 bytes each)
var ith        // current thunk
var imbase
var itwr       // unused
var iat_end    // last entry of the packer's import table

mov oep,4aba30
mov imbase,400000
mov i_st,4af00c
mov iat_al,330004
mov iat_end,4af188
mov pnd,4dd3eb

bphws pnd,"x"          // hardware breakpoint on execute, run to it, clear it
erun
bphwc pnd

mov [iat_al],00        // skip the pool's 4-byte header
add iat_al,4

loopdl:                // one iteration per DLL
cmp i_st,iat_end
ja fin
mov ith,[i_st+4]       // entry+4: RVA of this DLL's thunk array
add ith,400000
mov iat_cp,[i_st]      // entry+0: RVA of this DLL's name slot
add iat_cp,400000
cmp end_cp,331A95      // bound check (note: it tests end_cp, not iat_al)
ja fin
find iat_al,#00#       // the next NUL ends the current name
mov end_cp,$RESULT
sub end_cp,iat_al
MEMCPY iat_cp,iat_al,end_cp   // write the DLL name back into the image
add iat_al,end_cp+1
add i_st,14            // next table entry

loopfn:                // one iteration per imported function of this DLL
cmp [ith],0            // a zero thunk ends the DLL
je nexdll
mov iat_cp,[ith]
add iat_cp,400002      // +2 skips the hint word of the hint/name record
find iat_al,#00#
mov end_cp,$RESULT
sub end_cp,iat_al
MEMCPY iat_cp,iat_al,end_cp   // write the API name back into the image
add iat_al,end_cp+1
add ith,4
cmp end_cp,331Aa1      // bound check (as above)
ja fin
jmp loopfn

fin:
mov eip,oep
mov [400180],AF000     // patch three PE header dwords before dumping
mov [400188],BE000
mov [40018c],83800
dpe "unpacked.exe",eip // dump with the entry point set to the OEP
msg "File Unpacked Try run :) "
ret

nexdll:
add iat_al,8           // skip the pool's 8 padding bytes between DLLs
jmp loopdl
