HMX0101 Posted July 3, 2008 Share Posted July 3, 2008 Hi mates! I've modified a little bit ExeFog packer (made by Bagie), removed some crap which i consider unuseful by the moment (CreateMutex?, Morphine? (well, i've removed this because it get detected by all AV )).. and added "some" protection... just have a look to the unpackme Thanx goes to Bagie for his sources Any ideas for improvement will be good received Enjoy it! http://stashbox.org/151499/Unpackme-mfh.rar Link to comment Share on other sites More sharing options...
metr0 Posted July 3, 2008 Share Posted July 3, 2008 Hey, thanks for this one. - You could try to improve obfuscation and import redirection. Like that little anti-debug at the beginning... I attached my dump. dump.7z Link to comment Share on other sites More sharing options...
HMX0101 Posted July 4, 2008 Author Share Posted July 4, 2008 (edited) Thanks mate... i'll be making my own polymorph engine and add some memory crc checks and more antidebug Coding a packer/protector brings a lot fun Import redirection? And what i've maded with imports? It put right value into an memory allocated area, and redirect imports from executable to the allocated area (this avoid IAT repairing )... Is this a right way? Regards.. Edited July 4, 2008 by HMX0101 Link to comment Share on other sites More sharing options...
high6 Posted July 4, 2008 Share Posted July 4, 2008 Should modify it some more, avg gives a false positive. Link to comment Share on other sites More sharing options...
pavka Posted July 4, 2008 Share Posted July 4, 2008 script unpacker:var countervar ImageBasevar OEPvar iat_startvar imsizevar lbsGMEMI eip,MEMORYSIZEmov lbs,$RESULTmov counter,0gmi eip,MODULEBASEmov ImageBase,$RESULTGMI eip,MODULESIZEmov imsize,$RESULTsub imsize,lbsgo eip+30mov !CF, 1gpa "LoadLibraryA","kernel32.dll"find $RESULT,#C20400#bp $RESULTerunerunbc eipstistimov iat_start,ecxfind eip,#68????????012C24C3#cmp $RESULT,0je abortmov OEP,[$RESULT+1]add OEP,ImageBasemov eip,OEPcmt eip, "Oep"sub OEP,ImageBasesub iat_start,ImageBasemov counter,ImageBaseadd counter,3Cmov counter,[counter]add counter,ImageBasemov [counter+28],OEPmov [counter+80],iat_startDPE "dump.exe",eipmsg "The file is unpacked! Remove unnecessary section in Dump"retabort:ret Link to comment Share on other sites More sharing options...
zugo Posted July 4, 2008 Share Posted July 4, 2008 thanks for ModdedFog v1.0 script pavka regards zugo Link to comment Share on other sites More sharing options...
SMK Posted July 11, 2008 Share Posted July 11, 2008 (edited) Thanks for the unpackme. I'm still a newbie at unpacking, and this is one of the few I attempted and successfully unpacked Edited July 11, 2008 by SMK Link to comment Share on other sites More sharing options...
::: - phpbb3 - ::: Posted July 11, 2008 Share Posted July 11, 2008 unpackedunpacked.7z Link to comment Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now