Tuts 4 You

unpacker stubs?


high6


I was wondering how packer makers make stubs? Do they program an unpack stub in, say, C++, then get the bytecodes and have the unpacker use the bytecodes as a base stub?


I'm not that sure what you're referring to, packers or unpackers :?

If you're talking about packers, you can basically go three ways:

- code the stub with asm and use offset-independent code, this is hardly possible with any high level language (most smaller packers, FSG, RLPack, etc.)

- code a virtual dll that you load into memory, most stuff is done in there (ASPro, Arma)

- code a stub dll and put it into a new section, the reloc table is used for relocating offsets to the new RVA (ie all offsets increased by NewSectionRVA)

Edited by Killboy
Okay thanks, that's what I was talking about.

Which is the most common?


I'd say the last method's the easiest for writing the stub, but needs a bit more coding concerning the builder (just fixing relocations). I myself use the first method (in Assembler), I also did an approach with C/C++ for the stub, but there are more restrictions for labels, thus it's easier to do it in asm. ;)

The second method needs some (lowlevel) stub which loads the dll; following the material on the net (Bauch, Shub, ...), this should also not be too hard to implement.
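As an added example (not from this thread or from any of the packers named in it) of the builder-side work the third method needs, here is the relocation fixup in C: walk the stub DLL's .reloc table and add the move delta to every absolute address. It assumes a little-endian host, an image buffer indexed by RVA, a stub image base equal to the target's (so the delta is just NewSectionRVA), and only 32-bit HIGHLOW entries; the structure names and the sample image are constructed for the example.

```c
#include <stdint.h>
#include <string.h>
/* Layout mirrors IMAGE_BASE_RELOCATION from winnt.h; redefined so this builds anywhere. */
typedef struct { uint32_t VirtualAddress; uint32_t SizeOfBlock; } BaseRelocBlock;
#define REL_BASED_ABSOLUTE 0   /* alignment padding entry: skip */
#define REL_BASED_HIGHLOW  3   /* 32-bit absolute address: add delta */

/* Walk the .reloc table of an image laid out in memory (buffer index == RVA) and add
 * `delta` to every HIGHLOW target. Returns fixups applied, or -1 on a malformed table. */
static int apply_relocations(uint8_t *image, size_t image_size,
                             uint32_t reloc_rva, uint32_t reloc_size, int32_t delta) {
    int applied = 0;
    uint32_t pos = reloc_rva, end = reloc_rva + reloc_size;
    if (end < reloc_rva || end > image_size) return -1;            /* overflow / out of image */
    while (pos + sizeof(BaseRelocBlock) <= end) {
        BaseRelocBlock blk;
        memcpy(&blk, image + pos, sizeof blk);
        if (blk.SizeOfBlock < sizeof blk || blk.SizeOfBlock > end - pos) return -1;
        uint32_t nentries = (blk.SizeOfBlock - sizeof blk) / 2;
        for (uint32_t i = 0; i < nentries; i++) {
            uint16_t e; memcpy(&e, image + pos + sizeof blk + 2 * i, 2);
            uint16_t type = e >> 12, off = e & 0xFFF;
            if (type == REL_BASED_ABSOLUTE) continue;
            if (type != REL_BASED_HIGHLOW) return -1;               /* other types not handled */
            uint32_t target = blk.VirtualAddress + off;
            if (target > image_size - 4) return -1;                 /* fixup outside image */
            uint32_t v; memcpy(&v, image + target, 4);
            v += (uint32_t)delta;                                   /* wraps like the loader */
            memcpy(image + target, &v, 4);
            applied++;
        }
        pos += blk.SizeOfBlock;
    }
    return applied;
}

/* Constructed sample: a 0x40-byte stub image (base 0) whose code at RVA 0x10 holds an
 * absolute pointer to data at RVA 0x30; the .reloc block at RVA 0x20 lists that one
 * HIGHLOW fixup plus a padding entry. Returns the pointer after moving the stub to
 * new_section_rva, i.e. 0x30 + new_section_rva (0 if the table was rejected). */
static uint32_t demo_fixup(uint32_t new_section_rva) {
    uint8_t img[0x40] = {0};
    uint32_t ptr = 0x30;
    memcpy(img + 0x10, &ptr, 4);
    BaseRelocBlock blk = { 0, 12 };                  /* page RVA 0, 8-byte header + 2 entries */
    memcpy(img + 0x20, &blk, 8);
    uint16_t entries[2] = { (REL_BASED_HIGHLOW << 12) | 0x10, 0 };
    memcpy(img + 0x28, entries, 4);
    if (apply_relocations(img, sizeof img, 0x20, 12, (int32_t)new_section_rva) != 1) return 0;
    memcpy(&ptr, img + 0x10, 4);
    return ptr;
}
```

If the stub DLL was linked at a different image base than the target, the delta is (TargetImageBase + NewSectionRVA) - StubImageBase instead of NewSectionRVA alone.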


Well I plan on coding an unpack stub in VC++6. Anyone know the macro to make all calls inside a function inline?


Yep, it's __forceinline (inline lets the compiler decide whether to inline it or not). Apply it like this:

long __forceinline GimmeSomeKernelBase();