Posted November 20, 2008
not so much for protecting, I made it just to prove the point that protection can be done in many different ways :/
the goal is to make a script
Detemida_np.rar
Edited November 20, 2008 by Nooby
November 21, 2008
The question is what is considered an unpack.. make it do the imports normally or just a decrypted code section.. I mean you could make an imports table and resolve all API calls but that isn't really necessary it seems. Very nice one though, you got me somewhat confused at some point.
Regards, q.
Small script;
var base
var base1
var write
LCLR // clear the log window
esto // EP or systembreakpoint
GMI eip, MODULEBASE
log $RESULT, "Modulebase: "
mov base, $RESULT
mov base1, $RESULT
add base, 3c
add base, [base] // [modulebase+3c] is e_lfanew
sub base, 3c // base = modulebase + e_lfanew (PE header)
add base, 100 // PE header + 100: VirtualSize of the first section
add base1, 1000 // modulebase + 1000: start of the code section
log base1, "Code Section: "
bpwm base1, [base] // break on the first write to the code section
esto
bpmc // clear the memory breakpoint
mov write, eip
add write, 14
bp write
esto
bc eip
bprm base1, [base] // break on the next read of the code section
esto
DPE "dump.exe", eip
msg "Program dumped and unpacked. Check dump.exe"
ret
Edited November 21, 2008 by quosego
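An added example, not part of the posts in this thread and written in Python rather than OllyScript: the script's fixed offsets 3c, 100 and 1000 only point at the first section's VirtualSize and start when SizeOfOptionalHeader is 0xE0 and the first section sits at RVA 0x1000, so this parses the PE header and checks that. `make_image` and its values are constructed test data, not taken from Detemida_np.rar.

```python
import struct

def first_section(image: bytes):
    """Return (VirtualSize, VirtualAddress) of the first section header."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header: 4-byte signature, then 20 bytes of fixed fields.
    (n_sections,) = struct.unpack_from("<H", image, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", image, e_lfanew + 20)
    if n_sections == 0:
        raise ValueError("no sections")
    sec = e_lfanew + 24 + opt_size  # first IMAGE_SECTION_HEADER
    vsize, vaddr = struct.unpack_from("<II", image, sec + 8)
    return vsize, vaddr

def script_offsets_hold(image: bytes) -> bool:
    """True if 'PE header + 100' and 'modulebase + 1000' match the header."""
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    (hard_size,) = struct.unpack_from("<I", image, e_lfanew + 0x100)
    vsize, vaddr = first_section(image)
    return hard_size == vsize and vaddr == 0x1000

def make_image(opt_size, vsize=0x3000, vaddr=0x1000, e_lfanew=0x80):
    """Constructed minimal header: one .text section, everything else zero."""
    img = bytearray(0x400)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<H", img, e_lfanew + 6, 1)         # NumberOfSections
    struct.pack_into("<H", img, e_lfanew + 20, opt_size)  # SizeOfOptionalHeader
    sec = e_lfanew + 24 + opt_size
    img[sec:sec + 8] = b".text\0\0\0"
    struct.pack_into("<II", img, sec + 8, vsize, vaddr)
    return bytes(img)

if __name__ == "__main__":
    for size in (0xE0, 0xF0):  # 32-bit and 64-bit optional header sizes
        img = make_image(size)
        print(hex(size), first_section(img), script_offsets_hold(img))
```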
November 22, 2008
> The question is what is considered an unpack.. make it do the imports normally or just a decrypted code section.. I mean you could make an imports table and resolve all API calls but that isn't really necessary it seems. Very nice one though, you got me somewhat confused at some point. Regards, q.

Well, the API pointers are still wrong, even though, as you say, the code section is decrypted. You can't remove the Nooby section until that's fixed. So I'd declare it unpacked once it's removed.