[unpackme] Dump'n'RebuildMe

[steve10120]

Just experimenting.

As the title suggests, successfully dump and rebuild the file.

Difficulty: ?

packed.rar

[LCF-AT]

Hi,

try this.

greetz

packed_unpacked.rar

[steve10120]

Thanks. And,

Difficulty: ?

Only experimenting like I said, just wondering whether its worth totally re-basing the image if relocs are present.

[Teddy Rogers]

The [unpackme] tag has been added to your topic title.

Please remember to follow and adhere to the topic title format - thankyou!

[This is an automated reply]

[LCF-AT]

Difficulty: ? <-- No not really.So you know I can just give you my opinion.

-no IAT redirection

-no AntiDump / dump protection feature

-no manipulation detection / CRC / PE

You should also insert more [self] and debug checks.

So keep going maybe you next one will be harder.

greetz

[steve10120]

Ok, thanks.

[NullPointerException]

also you should pack bigger file if you are developing your own protector so we can fully test it.

As for protection you should do what lcf said, plus:

1) try to hide the jmp to oep

2) add some primitive obfuscation (by using jumps)

3) dont make the code too linear: use calls inside calls to hide what your packer does. It's stupid but effective

regarding antidebugs try to develop your own way to detect debuggers: altough they are more or less all known, try to make some little tricks (plugin detection, hook of patches made by plugins detection etc)

last week i found a paper from blackhat explaining malware protection but i cant find it anymore. was nice for some inspiration