Tuts 4 You

[unpackme] noobyprotect


Nooby


The question is what is considered an unpack.. make it do the imports normally or just a decrypted code section.. :)

I mean you could make an imports table and resolve all API calls but that isn't really necessary it seems.

Very nice one though, you got me somewhat confused at some point. :)

Regards,

q.

Small script;

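var base
var base1
var write
LCLR
esto //EP or systembreakpoint
GMI eip, MODULEBASE
log $RESULT, "Modulebase: "
mov base, $RESULT
mov base1, $RESULT
add base, 3c // base -> e_lfanew field
add base, [base] // add e_lfanew
sub base, 3c // base -> PE header
add base, 100 // base -> first section's VirtualSize (PE32 layout)
add base1, 1000 // base1 -> start of code section
log base1, "Code Section: "
bpwm base1, [base] // break on write to the code section
esto
bpmc
mov write, eip
add write, 14
bp write
esto
bc eip
bprm base1, [base] // break on read of the code section
esto
DPE "dump.exe", eip
msg "Program dumped and unpacked. Check dump.exe"
ret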
Edited by quosego
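The script above takes the code section's size from the dword at PE header + 0x100, which is the first section's VirtualSize only when the optional header is 0xE0 bytes long. As an added example (not part of the original post), this Python code does the same lookup by walking the headers and compares it with the fixed offset; `build_headers` is a hypothetical helper that produces constructed header bytes for the demonstration.

```python
import struct

def e_lfanew(image: bytes) -> int:
    """Offset of the PE header, read from the DOS header field at 0x3C."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (off,) = struct.unpack_from("<I", image, 0x3C)
    if image[off:off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return off

def fixed_offset_size(image: bytes) -> int:
    """What the script reads: the dword at PE header + 0x100."""
    return struct.unpack_from("<I", image, e_lfanew(image) + 0x100)[0]

def first_section(image: bytes):
    """Walk the headers; return (name, VirtualSize, VirtualAddress, header offset from PE)."""
    pe = e_lfanew(image)
    (count,) = struct.unpack_from("<H", image, pe + 6)      # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", image, pe + 20)  # SizeOfOptionalHeader
    if count == 0:
        raise ValueError("image has no sections")
    sec = pe + 4 + 20 + opt_size  # signature + IMAGE_FILE_HEADER + optional header
    name, vsize, vaddr = struct.unpack_from("<8sII", image, sec)
    return name.rstrip(b"\0").decode("ascii", "replace"), vsize, vaddr, sec - pe

def build_headers(opt_size: int, vsize: int, vaddr: int = 0x1000, pe: int = 0x80) -> bytes:
    """Constructed headers only (hypothetical helper): one '.text' section, no body."""
    img = bytearray(pe + 24 + opt_size + 40)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, pe)
    img[pe:pe + 4] = b"PE\0\0"
    struct.pack_into("<H", img, pe + 6, 1)
    struct.pack_into("<H", img, pe + 20, opt_size)
    struct.pack_into("<8sII", img, pe + 24 + opt_size, b".text", vsize, vaddr)
    return bytes(img)

if __name__ == "__main__":
    for label, opt in (("PE32", 0xE0), ("PE32+", 0xF0)):
        img = build_headers(opt, 0x3000)
        print(label, first_section(img), hex(fixed_offset_size(img)))
```

With a 0xF0-byte optional header (PE32+) the section table moves to PE + 0x108, so the fixed offset no longer lands on VirtualSize; the walked value also shows whether the first section really starts at RVA 0x1000 as the script assumes.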

> The question is what is considered an unpack.. make it do the imports normally or just a decrypted code section.. :)
>
> I mean you could make an imports table and resolve all API calls but that isn't really necessary it seems.
>
> Very nice one though, you got me somewhat confused at some point. :)
>
> Regards,
>
> q.

Well the API pointers are still wrong, even though as you say, code section is decrypted.

You can't remove the Nooby section until that's fixed. So I'd declare it unpacked once it's removed.
