not so much for protecting, I made it just to prove the point that protection can be done in many different ways :/

the goal is to make a script

Detemida_np.rar

Edited November 20, 200816 yr by Nooby

won't run on my pc (sudden reboot each time started!!!)

Runs fine on Vista32.

The question is what is considered an unpack.. make it do the imports normally or just a decrypted code section..

I mean you could make an imports table and resolve all API calls but that isn't really necessary it seems.

Very nice one though, you got me somewhat confused at some point.

Regards,

q.

Small script;

LCLR
esto								//EP or systembreakpoint
GMI eip, MODULEBASE
log $RESULT, "Modulebase: "
mov base, $RESULT
mov base1, $RESULT
add base, 3c
add base, [base]
sub base, 3c
add base, 100  
add base1, 1000
log base1, "Code Section: "bpwm base1, [base]
esto
bpmc
mov write, eip
add write, 14
bp write 
esto
bc eip
bprm base1, [base]
esto
DPE "dump.exe", eip
msg "Program dumped and unpacked. Check dump.exe"
ret

Edited November 21, 200816 yr by quosego

anything to do with stolen codes?

The question is what is considered an unpack.. make it do the imports normally or just a decrypted code section..

I mean you could make an imports table and resolve all API calls but that isn't really necessary it seems.

Very nice one though, you got me somewhat confused at some point.

Regards,

q.

Well the API pointers are still wrong, even though as you say, code section is decrypted.

You can't remove the Nooby section until thats fixed. So i'd declare it unpacked once its removed.