Posted July 3, 200817 yr Hi mates! I've modified a little bit ExeFog packer (made by Bagie), removed some crap which i consider unuseful by the moment (CreateMutex?, Morphine? (well, i've removed this because it get detected by all AV )).. and added "some" protection... just have a look to the unpackme Thanx goes to Bagie for his sources Any ideas for improvement will be good received Enjoy it! http://stashbox.org/151499/Unpackme-mfh.rar
July 3, 200817 yr Hey, thanks for this one. - You could try to improve obfuscation and import redirection. Like that little anti-debug at the beginning... I attached my dump. dump.7z
July 4, 200817 yr Author Thanks mate... i'll be making my own polymorph engine and add some memory crc checks and more antidebug Coding a packer/protector brings a lot fun Import redirection? And what i've maded with imports? It put right value into an memory allocated area, and redirect imports from executable to the allocated area (this avoid IAT repairing )... Is this a right way? Regards.. Edited July 4, 200817 yr by HMX0101
July 4, 200817 yr script unpacker:var countervar ImageBasevar OEPvar iat_startvar imsizevar lbsGMEMI eip,MEMORYSIZEmov lbs,$RESULTmov counter,0gmi eip,MODULEBASEmov ImageBase,$RESULTGMI eip,MODULESIZEmov imsize,$RESULTsub imsize,lbsgo eip+30mov !CF, 1gpa "LoadLibraryA","kernel32.dll"find $RESULT,#C20400#bp $RESULTerunerunbc eipstistimov iat_start,ecxfind eip,#68????????012C24C3#cmp $RESULT,0je abortmov OEP,[$RESULT+1]add OEP,ImageBasemov eip,OEPcmt eip, "Oep"sub OEP,ImageBasesub iat_start,ImageBasemov counter,ImageBaseadd counter,3Cmov counter,[counter]add counter,ImageBasemov [counter+28],OEPmov [counter+80],iat_startDPE "dump.exe",eipmsg "The file is unpacked! Remove unnecessary section in Dump"retabort:ret
July 11, 200817 yr Thanks for the unpackme. I'm still a newbie at unpacking, and this is one of the few I attempted and successfully unpacked Edited July 11, 200817 yr by SMK
Create an account or sign in to comment