Jump to content
Tuts 4 You

[Unpackme] ModdedFog v1.0

HMX0101

By HMX0101
in UnPackMe

 Share

Recommended Posts

HMX0101

HMX0101

Posted
Posted

Hi mates!

I've modified a little bit ExeFog packer (made by Bagie), removed some crap which i consider unuseful by the moment (CreateMutex?, Morphine? (well, i've removed this because it get detected by all AV :P )).. and added "some" protection... just have a look to the unpackme :D

Thanx goes to Bagie for his sources :)

Any ideas for improvement will be good received :rolleyes:

Enjoy it! :D

metr0

metr0

Posted
Posted

Hey, thanks for this one. ;) - You could try to improve obfuscation and import redirection. Like that little anti-debug at the beginning... :)

I attached my dump.

dump.7z

HMX0101

HMX0101

Posted
  • Author
Posted (edited)

Thanks mate... i'll be making my own polymorph engine and add some memory crc checks and more antidebug :)

Coding a packer/protector brings a lot fun :P

Import redirection? And what i've maded with imports? :P

It put right value into an memory allocated area, and redirect imports from executable to the allocated area (this avoid IAT repairing :D )... Is this a right way?

Regards..

Edited by HMX0101
high6

high6

Posted
Posted

Should modify it some more, avg gives a false positive.

pavka

pavka

Posted
Posted

script unpacker:

var counter

var ImageBase

var OEP

var iat_start

var imsize

var lbs

GMEMI eip,MEMORYSIZE

mov lbs,$RESULT

mov counter,0

gmi eip,MODULEBASE

mov ImageBase,$RESULT

GMI eip,MODULESIZE

mov imsize,$RESULT

sub imsize,lbs

go eip+30

mov !CF, 1

gpa "LoadLibraryA","kernel32.dll"

find $RESULT,#C20400#

bp $RESULT

erun

erun

bc eip

sti

sti

mov iat_start,ecx

find eip,#68????????012C24C3#

cmp $RESULT,0

je abort

mov OEP,[$RESULT+1]

add OEP,ImageBase

mov eip,OEP

cmt eip, "Oep"

sub OEP,ImageBase

sub iat_start,ImageBase

mov counter,ImageBase

add counter,3C

mov counter,[counter]

add counter,ImageBase

mov [counter+28],OEP

mov [counter+80],iat_start

DPE "dump.exe",eip

msg "The file is unpacked! Remove unnecessary section in Dump"

ret

abort:

ret

zugo

zugo

Posted
Posted

thanks for ModdedFog v1.0 script pavka :turned:

regards

zugo

SMK

SMK

Posted
Posted (edited)

Thanks for the unpackme. I'm still a newbie at unpacking, and this is one of the few I attempted and successfully unpacked :)

Edited by SMK

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing
×
×
  • Create New...