Molebox Pro 4 Unpacking

Juan Pablo
October 4th, 2012, 09:08

I've been trying to unpack a file that is compressed by Molebox 4, but it looks like all the methods that I try don't work.

I found something weird in the address 0x401293 if you want to take a look and see if you can unpack it:

Link Speedyshare:

Ps: The file has no copyrights, so do not worry about that.

Edit: Forgot to mention that it is a .NET file, but Molebox compresses it so that it does not show as a .NET file, so de4dot or any other .NET reverser doesn't work.

October 5th, 2012, 00:43

What exactly do you mean by something weird in the address 0x401293? If you mean the series of CPUID instructions that is first encountered, that's just a standard way of getting processor information and doesn't look too suspicious in itself.

Sorry if that's not what you're curious about, but by means of explanation, CPUID returns processor identification and feature information to EAX, EBX, ECX, and EDX, according to the input value entered initially in the EAX register. Basic Information: EAX = 0 - 5, Extended Information: EAX = 0x80000000 - 0x80000008.

For example the first part just checks for CPUID support and is similar to the following code snippet:

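; Check for CPUID support (if ID flag in EFLAGS can be set and cleared)
pushfd                  ; push EFLAGS
pop eax                 ; EAX = original EFLAGS
mov ecx, eax            ; keep a copy for the comparison
xor eax, 00200000h      ; flip bit 21 (ID flag)
push eax
popfd                   ; try to write the modified value back to EFLAGS
pushfd
pop eax                 ; read EFLAGS again
xor eax, ecx            ; check if bit 21 was flipped
jnz cpuid_supported     ; non-zero: the bit changed, CPUID is available
jmp Quit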


You can figure the rest out if you like from the docs, but I don't know if I'd be too concerned with those instructions per se unless you think something in particular is being targeted.
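As an added example (not part of the thread and not code from the packed file), this C sketch decodes what CPUID hands back for the leaves described above: it classifies the EAX input using the ranges quoted in the post, rebuilds the leaf 0 vendor string, and unpacks the leaf 1 signature. The function names are illustrative, the sample register values are constructed, and the live query assumes GCC or Clang's `<cpuid.h>` on x86.

```c
#include <stdint.h>
#include <stdio.h>
#if defined(__i386__) || defined(__x86_64__)
#include <cpuid.h>              /* GCC/Clang wrapper for the CPUID instruction */
#endif

/* Classify the value loaded into EAX before CPUID, using the ranges quoted
 * in the post: basic 0-5, extended 0x80000000-0x80000008. */
const char *leaf_class(uint32_t leaf) {
    if (leaf <= 5) return "basic";
    if (leaf >= 0x80000000u && leaf <= 0x80000008u) return "extended";
    return "other";
}

static void put_le32(char *dst, uint32_t v) {
    for (int i = 0; i < 4; i++) dst[i] = (char)(v >> (8 * i));
}

/* Leaf 0: the 12-byte vendor string comes back in EBX, EDX, ECX order. */
void vendor_from_regs(uint32_t ebx, uint32_t ecx, uint32_t edx, char out[13]) {
    put_le32(out, ebx);
    put_le32(out + 4, edx);
    put_le32(out + 8, ecx);
    out[12] = '\0';
}

/* Leaf 1: EAX holds the processor signature (family/model/stepping). */
void signature_from_eax(uint32_t eax, unsigned *family, unsigned *model, unsigned *stepping) {
    unsigned base_family = (eax >> 8) & 0xF, base_model = (eax >> 4) & 0xF;
    *stepping = eax & 0xF;
    *family = base_family == 0xF ? base_family + ((eax >> 20) & 0xFF) : base_family;
    *model = (base_family == 0x6 || base_family == 0xF)
                 ? (((eax >> 16) & 0xF) << 4) | base_model : base_model;
}

int main(void) {
    /* Constructed sample register values, used when CPUID is unavailable. */
    unsigned a = 0, b = 0x756E6547, c = 0x6C65746E, d = 0x49656E69, sig = 0x000306A9;
    unsigned fam, mod, step, t[3] = {0};
    char vendor[13];
#if defined(__i386__) || defined(__x86_64__)
    __get_cpuid(0, &a, &b, &c, &d);              /* leaf 0: max basic leaf + vendor */
    __get_cpuid(1, &sig, &t[0], &t[1], &t[2]);   /* leaf 1: signature in EAX */
#endif
    vendor_from_regs(b, c, d, vendor);
    signature_from_eax(sig, &fam, &mod, &step);
    printf("vendor=%s max_leaf=%u family=%u model=%u stepping=%u\n", vendor, a, fam, mod, step);
    return 0;
}
```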


Juan Pablo
October 5th, 2012, 16:05
Thank you for the information.

I thought that address was related to Molebox and its compression, because I'm trying to find a way to reverse this compression.

I've been checking some OllyDbg tutorials for that, but they are for old versions and I'm not really finding a way to do that in this file version.

Do you know of any unpacker for Molebox nowadays?

Thanks again.