4e4en Posted December 27, 2007 (edited) Packed by [Mine noname packer] Build Today, 02:13:02 GMT +2. Packed file: Resource Hacker (if I weren't so lazy, I would make a program which shows only a MSG box). ResHacker.rar P.S. I would like to hear ideas on how to make it more powerful. P.P.S. On VirusTotal, 6 of 32 AVs say that it is something bad. http://www.virustotal.com/resultado.html?6...712aab04844f987 Edited December 27, 2007 by 4e4en
Killboy Posted December 27, 2007 Dunno if it's just my crappy PC or me or actually intended to be like this, but I haven't been able to dump it properly. Dumping with OllyDump makes it crash when you open the About window; LordPE + ImpRec doesn't work either, crashes at startup. If I'm not mistaken, it has something to do with the resources or smth, not really sure tho... Very embarrassing indeed, didn't take a deeper look into it, might do it later this evening... Finding the OEP is pretty easy; you should consider using no exceptions, at least not if it's the only one. Finding the only INT3 is a lot easier than finding the last INT3 of hundreds; however, if you use some sort of jump eax or push eax + retn it'll be less easy to find the OEP. Some decent anti-debug in there, but nothing serious; works flawlessly in an Olly with basic anti-debug measures...
4e4en Posted December 27, 2007 (Author, edited) But no resources is nice, isn't it so? Now I am rewriting some parts of it; now I am implementing self-modifying code (like rewriting some parts of it with int 3). Now I am learning ASM, and I have an idea to write a self-decrypting decryptor (ok, something like that). Edited December 27, 2007 by 4e4en
pavka Posted December 28, 2007 Does not run on my PC.
4e4en Posted December 28, 2007 (Author, edited) Which OS? Did you try to run it without debuggers? What AV/FW do you have? Tested & working on legal WinXP + SP2 + all updates. Edited December 28, 2007 by 4e4en
zako Posted December 28, 2007 Works fine on English XP SP1 too. Don't know what you mean by "But no resources is nice, isn't it so?"
pavka Posted December 28, 2007 @4e4en Legal WinXP + SP2 & XP + SP1
4e4en Posted December 28, 2007 (Author) Then I have no idea why it doesn't work on your system.
Apakekdah Posted December 29, 2007 I can unpack this...
4e4en Posted December 29, 2007 (Author) Can you provide a working unpacked variant of this file?
zako Posted December 29, 2007 (quoting 4e4en: "Can you provide a working unpacked variant of this file?") Working dump.
4e4en Posted December 29, 2007 (Author) Oh, you have unpacked this successfully.
pavka Posted December 29, 2007 Unpack script, no ImpRec, Olly + Fantom
----------
// ODbgScript: run in the packed process, rebuilds the import names and dumps at OEP
var pnd
var oep
var iat_st
var iat_cp
var iat_al
var sz
var end_cp
var i_st
var ith
var imbase
var itwr
var iat_end
mov oep,4aba30         // original entry point
mov imbase,400000      // image base
mov i_st,4af00c        // packer's import descriptor table, 0x14 bytes per entry
mov iat_al,330004      // buffer holding the NUL-separated DLL and function names
mov iat_end,4af188     // end of the descriptor table
mov pnd,4dd3eb         // point after the names have been built
bphws pnd,"x"          // hardware breakpoint on execution
erun
bphwc pnd
mov [iat_al],00
add iat_al,4
loopdl:                // one descriptor per DLL: [i_st] = name RVA, [i_st+4] = thunk RVA
cmp i_st,iat_end
ja fin
mov ith,[i_st+4]
add ith,400000
mov iat_cp,[i_st]
add iat_cp,400000
cmp end_cp,331A95
ja fin
find iat_al,#00#       // next NUL terminates the DLL name
mov end_cp,$RESULT
sub end_cp,iat_al
MEMCPY iat_cp,iat_al,end_cp
add iat_al,end_cp+1
add i_st,14
loopfn:                // one thunk per function: copy the name after the 2-byte hint
cmp [ith],0
je nexdll
mov iat_cp,[ith]
add iat_cp,400002
find iat_al,#00#
mov end_cp,$RESULT
sub end_cp,iat_al
MEMCPY iat_cp,iat_al,end_cp
add iat_al,end_cp+1
add ith,4
cmp end_cp,331Aa1
ja fin
jmp loopfn
fin:                   // restore the header fields the packer changed and dump
mov eip,oep
mov [400180],AF000
mov [400188],BE000
mov [40018c],83800
dpe "unpacked.exe",eip
msg "File Unpacked Try run "
ret
nexdll:
add iat_al,8
jmp loopdl
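As an added example (not from this thread or from any of the posters): a small Python checker that walks a dump's import descriptors the standard PE way and reports any DLL name, thunk array or hint/name entry that does not resolve inside the image, which is the sanity check to run on a dump whose import names were rebuilt by a script like the one above before trusting that it will load. It assumes the dump uses the standard IMAGE_IMPORT_DESCRIPTOR layout and is handled as a flat image buffer indexed by RVA; the sample image is constructed, not taken from the packed file.

```python
import struct

DESC_SIZE = 20  # sizeof(IMAGE_IMPORT_DESCRIPTOR)

def _cstring(image, rva):
    """NUL-terminated ASCII string at rva, or None if out of range/unterminated."""
    if rva >= len(image):
        return None
    end = image.find(b"\x00", rva)
    return None if end < 0 else image[rva:end].decode("ascii", "replace")

def walk_imports(image, desc_rva):
    """Walk standard import descriptors (OriginalFirstThunk, TimeDateStamp,
    ForwarderChain, Name, FirstThunk) in a flat memory image indexed by RVA.
    Returns ({dll: [function names]}, [problems]); an empty problem list means
    every DLL name, thunk array and hint/name entry resolved inside the image."""
    imports, problems = {}, []
    while desc_rva + DESC_SIZE <= len(image):
        oft, _ts, _fc, name_rva, ft = struct.unpack_from("<5I", image, desc_rva)
        if name_rva == 0 and ft == 0:          # all-zero descriptor ends the table
            return imports, problems
        dll = _cstring(image, name_rva)
        if dll is None:
            problems.append(f"descriptor {desc_rva:#x}: bad Name RVA {name_rva:#x}")
            return imports, problems
        funcs, thunk = [], (oft or ft)         # use FirstThunk if OFT was stripped
        while thunk + 4 <= len(image):
            entry = struct.unpack_from("<I", image, thunk)[0]
            if entry == 0:
                break
            if entry & 0x80000000:             # import by ordinal
                funcs.append(f"#{entry & 0xFFFF}")
            else:
                name = _cstring(image, entry + 2)  # skip the 2-byte hint
                if name is None:
                    problems.append(f"{dll}: bad hint/name RVA {entry:#x}")
                    break
                funcs.append(name)
            thunk += 4
        else:                                  # ran off the image without a 0 entry
            problems.append(f"{dll}: thunk array at {thunk:#x} not terminated")
        imports[dll] = funcs
        desc_rva += DESC_SIZE
    problems.append("descriptor table not terminated inside image")
    return imports, problems

def build_sample_image():
    """Constructed dump fragment: one descriptor importing two kernel32 functions."""
    img = bytearray(0x1400)
    struct.pack_into("<5I", img, 0x1000, 0x1100, 0, 0, 0x1200, 0x1300)  # descriptor
    struct.pack_into("<3I", img, 0x1100, 0x1210, 0x1220, 0)             # OFT array
    img[0x1200:0x120D] = b"kernel32.dll\x00"
    img[0x1210:0x121E] = b"\x00\x00ExitProcess\x00"        # hint + name
    img[0x1220:0x1233] = b"\x00\x00GetModuleHandleA\x00"
    return bytes(img)
```

On a real dump, read the file into a bytes object mapped by RVA (or use a PE loader to flatten it) and pass the import directory RVA from the data directory; any problem reported is a descriptor or name the rebuild left dangling.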
zako Posted December 29, 2007 Smart arse. Nah, I was just too lazy. Out of curiosity, what was it preventing it running on your OS before?
pavka Posted December 29, 2007 On my system it is not started, and I have not understood why! Started on pure XP SP1.
4e4en Posted December 29, 2007 (Author) It didn't start, or it crashed?
pavka Posted December 30, 2007 Not started.
Apakekdah Posted December 31, 2007 ResHacker_Dumped1_.rar I set my Olly like this, then put a BP on the code section.