What the heck is this


SiGiNT
May 8th, 2006, 22:01
I'm wondering if I've encountered a homegrown packer - I've tried several different tools to identify it, scanned for packer reg. keys and files, I can dump it and rebuild it - no problem but it won't run and dumped and loaded into Olly, it tells me it's not a Win executable - anyone recognize this - here's how it looks at the entry point:

004485D2 o> $ 55 PUSH EBP
004485D3 . 8BEC MOV EBP,ESP
004485D5 . 81C4 04FFFFFF ADD ESP,-0FC
004485DB . 53 PUSH EBX
004485DC . 56 PUSH ESI
004485DD . 57 PUSH EDI ; ntdll.7C910738
004485DE . E9 24010000 JMP xxxx.00448707
004485E3 74 DB 74 ; CHAR 't'
004485E4 32 DB 32 ; CHAR '2'
004485E5 85 DB 85
004485E6 04 DB 04
004485E7 00 DB 00
004485E8 A2 DB A2
004485E9 88 DB 88
004485EA 04 DB 04
004485EB 00 DB 00
004485EC 00 DB 00
004485ED 0A DB 0A
004485EE 00 DB 00
004485EF 00 DB 00
004485F0 12 DB 12
004485F1 00 DB 00

and that's with Olly's analysis. All the section data looks like a normal PE.

Anybody recognize this?

SiGiNT

disavowed
May 8th, 2006, 23:07
> dumped and loaded into olly, it tells me it's not a Win executable

It's probably munging the PE header in the unpacking stub.
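
A dump that a debugger rejects as "not a Win executable" can be triaged by walking the same header fields the loader reads. The following is an added example, not code from the thread; the sample image is constructed in the script and the list of checks is an assumption about what is worth testing first, not a complete loader model:

```python
import struct

SECTION_HEADER_SIZE = 40

def check_pe_headers(data):
    """Return a list of findings; an empty list means the headers parse cleanly."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return ["no MZ signature at offset 0"]
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data):
        return ["e_lfanew 0x%X points past end of file" % e_lfanew]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return ["no PE signature at e_lfanew 0x%X" % e_lfanew]

    # COFF file header: 20 bytes directly after the 4-byte PE signature.
    _machine, nsect, _ts, _symptr, _nsym, opt_size, _chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    if opt_size < 96 or opt + opt_size > len(data):
        return ["SizeOfOptionalHeader 0x%X is implausible" % opt_size]

    findings = []
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):          # PE32 / PE32+
        findings.append("unknown optional header magic 0x%X" % magic)
    if not 1 <= nsect <= 96:
        findings.append("implausible NumberOfSections %d" % nsect)

    table = opt + opt_size
    if table + nsect * SECTION_HEADER_SIZE > len(data):
        findings.append("section table runs past end of file")
        return findings

    # AddressOfEntryPoint sits at offset 16 in both PE32 and PE32+.
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    entry_found = False
    for i in range(nsect):
        off = table + i * SECTION_HEADER_SIZE
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rsize, rptr = struct.unpack_from("<IIII", data, off + 8)
        # A dump written with memory layout but file-layout offsets (or the
        # reverse) shows up as raw data that does not fit in the file.
        if rsize and rptr + rsize > len(data):
            findings.append("section %s: raw data 0x%X+0x%X runs past end of file"
                            % (name, rptr, rsize))
        if vaddr <= entry_rva < vaddr + max(vsize, rsize):
            entry_found = True
    if not entry_found:
        findings.append("entry point RVA 0x%X is outside every section" % entry_rva)
    return findings

# --- constructed sample: minimal PE32 with one .text section ---------------
SAMPLE_E_LFANEW = 0x80
SAMPLE_SECTION_TABLE = SAMPLE_E_LFANEW + 24 + 224

def build_sample_pe():
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", SAMPLE_E_LFANEW)
    dos += b"\0" * (SAMPLE_E_LFANEW - len(dos))
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)        # Magic: PE32
    struct.pack_into("<I", opt, 16, 0x1000)      # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)    # ImageBase
    text = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x400,
                       0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\0\0" + coff + bytes(opt) + text
    headers += b"\0" * (0x400 - len(headers))
    return headers + b"\xC3" * 0x200

def patched(data, offset, raw):
    """Return a copy of data with raw written at offset (simulates a munged field)."""
    buf = bytearray(data)
    buf[offset:offset + len(raw)] = raw
    return bytes(buf)

if __name__ == "__main__":
    good = build_sample_pe()
    cases = {
        "intact": good,
        "PE signature wiped": patched(good, SAMPLE_E_LFANEW, b"\0\0\0\0"),
        "NumberOfSections zeroed": patched(good, SAMPLE_E_LFANEW + 6, b"\0\0"),
        "raw offset left at RVA": patched(good, SAMPLE_SECTION_TABLE + 20,
                                          struct.pack("<I", 0x1000)),
    }
    for label, image in cases.items():
        print(label, "->", check_pe_headers(image) or "ok")
```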

SiGiNT
May 8th, 2006, 23:54
Could be, I did an auto fix-up using PE-Explorer, I probably should do it by hand, but I'm really interested in which packer this is, every file in the directory is packed with it.

SiGiNT

LLXX
May 9th, 2006, 01:32
That looks like a packer that is coded in an HLL, due to the setting up of a stack frame. The instructions following the JMP are actually code... from what I can see, it appears to be a while() loop, with the JMP going to the loop check.

Do you find any standard runtime library strings (e.g. "MS Visual C++ Runtime Library Copyright (C) Microsoft Corp." etc.) in the packed program? If so, that would definitely make it a homemade HLL-coded packer.

SiGiNT
May 9th, 2006, 01:42
LLXX -

No not really but it's written in Visual C-, all the .exe is, is a GUI, all the import info is contained in the dll's - here's what I found in the GUI executable - using Peek -

MvSQ^
xml version
encoding
standalone
<assembly xmlns
:schemas-microsoft-
manifestVersion
<assemblyIdentity
version

processorArchitecture

name
CompanyName.ProductName.YourApplication

type
win32
<description>Your application description here
description>
<dependency>
<dependentAssembly>
<assemblyIdentity
type
win32

name
Microsoft.Windows.Common-Controls

version

processorArchitecture

publicKeyToken
6595b64144ccf1df

language




dependentAssembly>
dependency>
assembly>

Note - the dll's run 2 processes - remarkably the reg. serial is fairly easy to fish so it appears that someone went to a lot of work for no good reason.

SiGiNT

I find references to .NET but it isn't, it's written in Visual C.

Added later, I think I know what the problem is, (DOH!), the executable is merely an interface to the dll's which contain the executable code for those functions, when I dump the .exe and use Imprec to rebuild the Imports, it's actually inserting imports invoked by the dll that's executing at the time - bingo, screwed up, but perfectly good dump that can't possibly run - if that makes any sense - again WTF packer is this?

OHPen
May 10th, 2006, 08:26
Hi man,

Drop me a PM with the target name, I will take a look at it.

nikolatesla20
May 10th, 2006, 11:38
Just because it's .NET does not mean it can't be C++. It can be unmanaged C++ that is calling .NET library code. Most likely this is what you are seeing. Try loading the EXE into ILDASM or .NET Reflector and see what, if anything, shows up. And those DLL's you are talking about - perhaps they are native .NET. Check into that.

Most likely the EXE is not "custom packed" but self packed in a simple way using .Net obfuscator and such. Even if you dumped it it won't run since .NET apps are very very strict about their PE structure.

-niko

SiGiNT
May 10th, 2006, 19:35
PEiD and RDG and others identify the .dll's as nothing found, or unknown - when loaded into Olly I get the typical warning that results from loading a packed file, I'll try disassembling one as a .NET but I don't have high hopes.

SiGiNT

Well, when I disassembled the registration wizard dll IDA didn't complain, but, it looks as though there is some sort of compression - lots of data tables - and it's not .NET - the Main executable definitely is entirely packed.

OHPen
May 11th, 2006, 07:38
So I think this is the valid IAT of the dumped application.

Actually I must say the protection is kind of strange. If you ask me, I think it is a mix between a standard packer like UPX and some simple protector functionalities.

Just start the application, dump it with LordPE for example and you get the IAT. So the IAT is not destroyed after being unpacked...

Maybe someone can apply that too.

Cheers PAPiLLiON

OHPen
May 11th, 2006, 08:18
I have to add something...

Forget what I posted, I realised that two exe files of the application are protected by two different protectors. So my IAT was concerning the main application, not for that smaller instant one which seems to be packed with another custom protector...

This company uses a really strange philosophy concerning the security of their products.

SiGiNT
May 11th, 2006, 23:07
OHPen,

I've already done what you have and, I think that we're being fooled - I don't think the GUI .exe uses that IAT - I suspect that the imports are being found in a .dll that is running simultaneously - kind of like pieces of a puzzle - the GUI combines in memory to make a complete executable but not able to run when dumped - if you dump and re-build you'll see that the physical addresses don't really correspond to the addresses running in memory - in the meantime I've set this aside for just a moment and moved on to the next one - and I'm on a real fucking roll! - check this out:


Damn Reversers taking legit software jobs!

SiGiNT

Nice touch, but reeeally easy to unpack.

Fake51
May 12th, 2006, 03:44
Heh, that's real sweet. Nice to know somebody's got the humor intact.
Was working on a prog yesterday that also made me smile. The programmer had realized that if you wanted to find the funny spots in his software, you could of course look for the reg-strings. So they must be hidden ... what does Joe do? Reverses them! Right, just turned them round backwards. Doesn't look interesting at all when looking at the strings in IDA, no siree, isn't a sore thumb sticking out.

Fake

OHPen
May 12th, 2006, 05:17
Hehe,

Yeah, I agree with you sigint33, OO is probably founded by reversers.
It's nice to see that some do this as their job, I wish one day I do also.

PAPi

SunBeam
May 15th, 2006, 06:40
Awww, come on. Since you teased us, can you at least also PM me the name of the proggy? I am so itchy about that SFX section. Wanna get my hands inside :rollseyes:

SiGiNT
May 15th, 2006, 17:38
Geesh! You want to take on the one sporting SFX, I don't know, you might hurt yourself! - using the PEiD generic unpacker is pretty damn tricky! I always like to post stuff I run across where the author is sending a message to us.

I just love it when I look up and see DEADC0DE in EAX.

SiGiNT

Harding
May 15th, 2006, 18:56
Quote:
[Originally Posted by sigint33]I just love it when I look up and see DEADC0DE in EAX


yeah or when the program crashes on address DEADBABE

dELTA
May 15th, 2006, 19:10
Not to mention when it bluescreens with a protection fault on 0xSUCKMYBALLS, now that's something...

Hey Harding, long time no see btw.

SunBeam
May 15th, 2006, 23:07
Lolz. s, u, k, m, y, l are not hex code lolz. 0-F

dELTA
May 16th, 2006, 03:41
NOOOOO?

You could have a little better imagination than that though, s (5) and l (1) are not problems at least, and the leet speak 7 = T is a good one too (to shorten things "a7e" can be replaced with "8" too).

Enjoy these to build your own funny compound words and sentences:
(what about "cafebabe 15 0b501e7e"? )

Quote:
aba
abaca
abaf7
aba5e
ab8
abb
abba
abbe55
abb07
abed
abe1e
abe7
ab18
ab1e
ab0de
ab5ce55
accede
acce55
acc01ade
acc057
ace
ace7a1
ace78
ac7
ac7ab1e
add
add1e
ad0
ad0be
aede5
affab1e
affec7
affec7ed
af10a7
af007
af7
a1a
a1a5
a18
a1b
a1ba
a1ba7a
a1bed0
a1ca1de
a1d01
a1d05e
a1e
a1ee
a1fa1fa
a11
a11e1e
a110c8
a1107
a11077ee
a115eed
a10e
a10e5
a10f7
a100f
a150
a17
a170
a5be5705
a5c07
a55
a55e55
a55e7
a55e75
a71a5
a7011
a77e57
a77e57ed
baa
baba
babb1e
babe
bacc8
bad
bade
bae1
baff1e
ba1
ba1a5
ba1a7a
ba1b0a
ba1d
ba1e
ba11
ba11ad
ba11ade
ba11a57
ba11a7a
ba11e7
ba1107
ba115
ba15a
ba0bab
ba5a1
ba5a17
ba5e
ba5eba11
ba5e1e55
ba5e5
ba55
ba55e7
ba550
ba57
ba57e
ba7
ba75
ba77
ba771e
ba771ed
bead
beaded
bead1e
bea57
bea7
bed
bedabb1e
bede1
bedfa57
bed57ead
bee
beef
bee7
bee71e
befa11
bef001
be1
be18d
be11
be11e
be17
be17ed
be5e7
be507
be5077ed
be57
be57ead
be7
be7a
be7e1
be77a
b1ab
b1ade
b1a57
b1a57ed
b1a570c0e1
b1a7
b18
b1ea7
b1eb
b1eed
b1e55
b1e55ed
b1e57
b10a7
b108d
b10b
b10c
b100d
b100ded
b100d1e55
b107
b10770
b0a
b0a57
b0a7
b081
b0a710ad
b0b
b0bb1e
b0bca7
b0b51ed
b0d
b0de
b01a
b01d
b01dface
b01e
b011
b010
b017
b00
b00b
b00d1e
b0057
b007
b007ed
b007ee
b0071ace
b0071e55
b0075
b055
b07
b07e1
b075
b077
b0771e
cab
caba1
caba1a
caba55e7
cabba1a
cab1e
cab1e7
cab0b
cab00d1e
cab005e
caca0
cad
cade
cade11e
cade7
ca1ab005e
ca1ce5
ca1f
ca11
ca11a
ca11ab1e
ca1077e
ca5a
ca5aba
ca5cabe1
ca5cade
ca5e
ca5ea5e
ca5e8
ca5e05e
ca55aba
ca55e77e
ca57
ca57e
ca57e118d
ca571e
ca571ed
ca570ff
ca7
ca7a1a5e
ca7a10
ca7b0a7
ca7ca11
ca7fa11
ca77a10
ca771e
cea5e
cea5e1e55
cede
ce1e57a
ce11
ce11a
ce110
ce17
ce55
ce57a
ce570de
c1ad
c1a55
c1a551e55
c1ea7
c1ef
c1ef7
c10aca
c10d
c105
c105e
c105ed
c105e7
c107
c0ac7
c0a1
c0a1e5ce
c0a57
c0a57a1
c0a7
c08d
c08e
c0b
c0ba17
c0bb1e
c0b1e
c0ca
c0c0
c0c0a
c0c077e
c0d
c0da
c0dd1e
c0de
c0e1057a7
c0ff
c0ffee
c0ff1e
c01
c01a
c01d
c01e
c0118
c011ec7
c011ec7ed
c011e7
c0110c8
c01055a1
c017
c0175f007
c00
c00ee
c001
c007
c05
c05ec
c05e7
c055
c055e7
c057
c057a
c0578
c07
c07e
c077a
c5c
dab
dabb1e
dace
dad
dad0
daeda1
daff
daf7
da1e
da7a
d8d
d81e55
da70
dead
deadbea7
deadfa11
deaf
dea1
dea18
dea17
deb
debac1e
deba5e
deba7ab1e
deb8
deb7
decade
decaf
deca1
decea5e
decea5ed
dec1a55
dec0c7
dec0de
dec0118
deed
deface
defa1c8
defea7
defec8
defec7
def18
def1ec7
def1ec7ed
def7
de18
de1e
de1ec7ab1e
de1ec78
de1e7e
de1f7
de11
de17a
de5018
de7ec7
de7e57
de7e57ab1e
d0ab1e
d0b1a
d0c
d0d0
d0e
d0e5
d0ff
d01
d01ce
d01e
d011
d017
d00dad
d00d1e
d05e
d055
d055a1
d057
d07
d07e
d077ed
d0771e
ea5e
ea5e1
ea57
ea7
ea7ab1e
ea7ab1e5
ea75
ebb
ec1a7
ec70b1a57
edd0
ee1
effab1e
efface
effec7
effec75
effe7e
ef7
e18
e18d
e1d
e1de57
e1ec7
e1f
e11
e15e
e5ca1ade
e5ca18
e55e
e57afe77e
e578
e7a
fab
fab1e
fab1ed
face
face1e55
face7
fac7
fad
fade
fade1e55
fad0
faece5
fa1ba1a
fa1c8
fa1d57001
fa11
fa11a1
fa15e
fa15e770
fa17b0a7
fa5ce5
fa57
fa7
fa7a1
f8d
fa750
fea1
fea57
fea7
feca1
fece5
fed
fee
feeb1e
feed
fee1
fee7
fe1afe1
fe11
fe110e
fe17
fe0ff
fe0ffee
fe55
fe57a1
fe7a1
fe7e
fe771e
f1abe118
f1a7
f1a7b0a7
f1a7f007
f1a7f007ed
f1a75
f1ea
f1ed
f1ee
f1eece
f1ee7
f10a7
f10a7ab1e
f10a75
f10cc05e
f10e
f100d
f100ded
f1055
f0a1
f0b
f0ca1
f0e
f01d
f01db0a7
f00d
f001
f005ba11
f007
f007ba11
f007ed
f007fa11
f0071e
f0071e55
f0071005e
f00757a11
f00757001
f055a
f055e
f055e77e
1ab
1abe1
1ab1ab
1ac
1ace
1ac7a5e
1ac78
1ac7ea1
1ac705e
1ad
1ade
1ad1e
1a5e
1a55
1a550
1a57
1a7
18d
1857
1ea
1ead
1eaf
1eaf1e7
1ea1
1ea5e
1ea57
1ed
1ee
1ee5
1ee7
1ef7
1e55
1e55ee
1e57
1e7
10ad
10aded
10ad5
10af
10b
10b8
10be
10b0
10ca1
10ca1e
10c8
10c0
10de
10e55
10f7
1011
100
1005e
1007
105e
105e1
1055
1057
107
107a
1075
10770
0af
0a57
0a7
0be5e
0b1a57
0b18
0b0e
0b5e55
0b501e5ce
0b501e7e
0b57ac1e
0b7ec7
0b7e57
0ce107
0c7ad
0c7a1
0c7e7
0dd
0ddba11
0dd5
0de
0ff
0ffa1
0ffbea7
0ff5e7
0f7
01d
01de57
01e8
01e0
011a
00d1e5
00f
057ea1
057e0b1a57
057e0c1a57
0770
5ab1e
5ac
5ad
5add1e
5afe
5a1ab1e
5a1ad
5a1ade
5a1e
5a1eab1e
5a1e5
5a11e7
5a101
5a17
5a17ed
5a175
5a55
5a7
5cab
5cabb1e
5cad
5caff01d
5ca1ab1e
5ca1ade
5ca1d
5ca1e
5ca7
5c1aff
5c0ff
5c01d
5c007
5c07
5ea
5eac0a57
5eaf00d
5ea1
5ea1ed
5ea7
5ec
5ecc0
5ecede
5ec7
5ed8
5ee
5eed
5eedbed
5eedca5e
5ee1
5e1ec7
5e1ec7ee
5e1f
5e1f1e55
5e11
5e57e7
5e7
5e7a
5e705e
5e77
5e77ee
5e771e
51ab
51a7
518
51ed
51ee7
510b
510e
5107
50b
50c1e
50d
50da
50fa
50f7
50f7a
50f7ba11
501
501a
501ace
501d
501d0
501e
5010
5007
507
5077ed
57ab
57ab1e
57acca70
57ac7e
57aff
57a1e
57a11
578
578d
5781e55
57ead
57eadfa57
57ea1
57edfa57
57eed
57ee1
57ee15
57e1a
57e1e
57e118
57e7
570a
570a7
570b
5701e
5700d
57001
57055
7ab
7abe5
7ab1e
7ab1e7
7ab00
7ace
7ace7
7ac0
7ac7
7ac71e55
7ad
7ae1
7affe7a
7a1c
7a1e
7a1e5
7a11
7a55
7a55e
7a55e1
7a55e7
7a57e
7a57e1e55
7a7
7a771e
7a771e7a1e
7a7700
7ea
7ea1
7ea5e
7ea5e1
7ea7
7ed
7ee
7ee707a1
7e1eca57
7e1e057
7e11
7e117a1e
7e51a
7e55e118
7e55e118d
7e57
7e57a
7e578
7e57ee
7e57e5
70ad
70ad57001
70a57
70bacc0
70cca7a
70d
70dd1e
70e
70ed
70ffee
70f7
701a
701d
701e
7011
700
7001
7007
70071e
70075
7055
707
707a1
707e

Admiral
May 16th, 2006, 05:50
You, err, missed out 70A57ED.

laola
May 16th, 2006, 21:05
I tend to prefer DEADBEEF

SiGiNT
May 17th, 2006, 01:29
One of my favorites also, actually see that along with BADDF00D, or a variation on that.

SiGiNT

JMI
May 17th, 2006, 01:52
Very old Pace protection programs (circa late 1980's) for the Mac used to use BEEFABAD to start a run of checksum on code sections of the music program protected with their system. If the final checksum failed, it went to DEADBEEF. The Mac would load a code section only when needed and the protection would run a checksum on the section and use the checksum to "decrypt" the code. If the checksum was correct, you didn't get to DEADBEEF.

Regards,
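The scheme described in the post above, as an added sketch (not Pace's code and not part of the original post): a section's checksum doubles as its decryption key, so a patched byte both trips the check and changes the key. The rotate-and-add checksum, the xorshift cipher, the trailing balance word, the use of BEEFABAD as the starting value, and all function names are assumptions made for illustration.

```python
import struct

SEED = 0xBEEFABAD   # assumption: used here as the checksum's start value
FAIL = 0xDEADBEEF   # sentinel returned when the section checksum is wrong
MASK = 0xFFFFFFFF


def words(data):
    if len(data) % 4:
        raise ValueError("section must be a whole number of 32-bit words")
    return [w for (w,) in struct.iter_unpack(">I", data)]


def checksum(data):
    """Rotate-left-5-and-add over big-endian words (constructed algorithm)."""
    acc = SEED
    for w in words(data):
        acc = (((acc << 5) | (acc >> 27)) + w) & MASK
    return acc


def xor_stream(data, key):
    """XOR each word with an xorshift32 stream seeded by key (stand-in cipher)."""
    out, x = [], key
    for w in words(data):
        x ^= (x << 13) & MASK
        x ^= x >> 17
        x ^= (x << 5) & MASK
        out.append(w ^ x)
    return struct.pack(f">{len(out)}I", *out)


def protect(plain, key):
    """Encrypt, then append one balancing word so checksum(stored) == key."""
    cipher = xor_stream(plain, key)
    acc = checksum(cipher)
    rot = ((acc << 5) | (acc >> 27)) & MASK
    return cipher + struct.pack(">I", (key - rot) & MASK)


def load(stored, expected):
    """Loader side: verify the checksum, then use it as the decryption key."""
    key = checksum(stored)
    if key != expected:
        return FAIL, None
    return 0, xor_stream(stored[:-4], key)


if __name__ == "__main__":
    section = b"constructed sample code section!"   # 32 bytes, not real code
    stored = protect(section, 0x1234ABCD)
    patched = bytearray(stored)
    patched[5] ^= 0x01                               # single-bit modification
    print(load(stored, 0x1234ABCD))
    print(hex(load(bytes(patched), 0x1234ABCD)[0]))
```

Because every step of the checksum is reversible, any change confined to one word always changes the final value, so skipping the comparison still leaves the section decrypted with the wrong key.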

Nacho_dj
May 17th, 2006, 05:16
Very nice all those combinations.

The funniest hexa combination I have seen is this (you need to understand Spanish to get the meaning):
CACADEBACA

Anyway, the literal translation is 'BULLSHIT'

Cheers

Nacho_dj

CluelessNoob
May 17th, 2006, 08:18
Funny little tangent...

We always used FEEDC0DE when developing drivers...

So now I wonder if the driver crashes were related to the DEADBEEF being BADDF00D that we were FEEDing the C0DE.


SiGiNT
May 17th, 2006, 09:02
The question I always have had: is this an actual hint that you are on the wrong track, or just a diversion because you are in the right code? Could be either depending on the author's mood. Anyway, nice to know they're always thinking about us.

SiGiNT