
Thread: Unpacked app deletes itself

  1. #1

    Unpacked app deletes itself

    I wanted to evaluate a tool today which doesn't have a trial. I foolishly used a serial which is checked online and reported as being leaked and was therefore blacklisted. The system then shuts my system down.

    The keylicensing algo is a crypto nightmare (Adler32/BASE64/BLOWFISH/LockBoxMD5/SHA1) and well beyond my current abilities.

    I removed the registry entry for the serial and restarted the app which now reports it is no longer registered. I set my firewall to block the app and reentered the blacklisted serial. Now the app refuses to run without online validation.

    I used Regmon and filemon to check what files and hives were being accessed, but I found nothing out of the ordinary (to me anyway).

    Okay I thought, let's disassemble it and see if I can find the message box and work back from there. Hmm, it's packed. Okay I unpacked it and ran it again, the unpacked program deletes itself and then shuts down! What a pain.

    Can anyone suggest how I proceed from here? I found the DeleteFileA API thinking that would be a good place to start but the program shuts down before reaching it? I'll need to confirm this to be certain. (Confirmed)

    I can't add attachments to show the resolved imports tree, so I have listed them below; I hope this is okay. Can anyone suggest what other APIs are worth a look?

    At this point, all I really want is to remove the blacklisting. Having the unpacked app running with a patch would be a bonus.

    Code:
    FThunk: 001031E0	NbFunc: 0000002C
    1	001031E0	kernel32.dll	0080	DeleteCriticalSection
    1	001031E4	kernel32.dll	0242	LeaveCriticalSection
    1	001031E8	kernel32.dll	0097	EnterCriticalSection
    1	001031EC	kernel32.dll	0217	InitializeCriticalSection
    1	001031F0	kernel32.dll	036F	VirtualFree
    1	001031F4	kernel32.dll	036C	VirtualAlloc
    1	001031F8	kernel32.dll	024D	LocalFree
    1	001031FC	kernel32.dll	0249	LocalAlloc
    1	00103200	kernel32.dll	013F	GetCurrentThreadId
    1	00103204	kernel32.dll	021B	InterlockedDecrement
    1	00103208	kernel32.dll	021F	InterlockedIncrement
    1	0010320C	kernel32.dll	0374	VirtualQuery
    1	00103210	kernel32.dll	0380	WideCharToMultiByte
    1	00103214	kernel32.dll	0266	MultiByteToWideChar
    1	00103218	kernel32.dll	03B4	lstrlen
    1	0010321C	kernel32.dll	03B1	lstrcpyn
    1	00103220	kernel32.dll	0244	LoadLibraryExA
    1	00103224	kernel32.dll	01CE	GetThreadLocale
    1	00103228	kernel32.dll	01AE	GetStartupInfoA
    1	0010322C	kernel32.dll	0199	GetProcAddress
    1	00103230	kernel32.dll	0177	GetModuleHandleA
    1	00103234	kernel32.dll	0175	GetModuleFileNameA
    1	00103238	kernel32.dll	016C	GetLocaleInfoA
    1	0010323C	kernel32.dll	0169	GetLastError
    1	00103240	kernel32.dll	010A	GetCommandLineA
    1	00103244	kernel32.dll	00F1	FreeLibrary
    1	00103248	kernel32.dll	00D1	FindFirstFileA
    1	0010324C	kernel32.dll	00CD	FindClose
    1	00103250	kernel32.dll	00B7	ExitProcess
    1	00103254	kernel32.dll	00B8	ExitThread
    1	00103258	kernel32.dll	006D	CreateThread
    1	0010325C	kernel32.dll	038D	WriteFile
    1	00103260	kernel32.dll	0359	UnhandledExceptionFilter
    1	00103264	kernel32.dll	0308	SetFilePointer
    1	00103268	kernel32.dll	02FF	SetEndOfFile
    1	0010326C	kernel32.dll	02C6	RtlUnwind
    1	00103270	kernel32.dll	02A5	ReadFile
    1	00103274	kernel32.dll	0298	RaiseException
    1	00103278	kernel32.dll	01B0	GetStdHandle
    1	0010327C	kernel32.dll	015C	GetFileSize
    1	00103280	kernel32.dll	01BD	GetSystemTime
    1	00103284	kernel32.dll	015F	GetFileType
    1	00103288	kernel32.dll	0050	CreateFileA
    1	0010328C	kernel32.dll	0032	CloseHandle
    
    FThunk: 00103294	NbFunc: 00000004
    1	00103294	user32.dll	0128	GetKeyboardType
    1	00103298	user32.dll	01C9	LoadStringA
    1	0010329C	user32.dll	01DD	MessageBoxA
    1	001032A0	user32.dll	002B	CharNextA
    
    FThunk: 001032A8	NbFunc: 00000003
    1	001032A8	advapi32.dll	01EE	RegQueryValueExA
    1	001032AC	advapi32.dll	01E4	RegOpenKeyExA
    1	001032B0	advapi32.dll	01CB	RegCloseKey
    
    FThunk: 001032B8	NbFunc: 00000003
    1	001032B8	oleaut32.dll	0006	SysFreeString
    1	001032BC	oleaut32.dll	0005	SysReAllocStringLen
    1	001032C0	oleaut32.dll	0004	SysAllocStringLen
    
    FThunk: 001032C8	NbFunc: 00000004
    1	001032C8	kernel32.dll	0350	TlsSetValue
    1	001032CC	kernel32.dll	034F	TlsGetValue
    1	001032D0	kernel32.dll	0249	LocalAlloc
    1	001032D4	kernel32.dll	0177	GetModuleHandleA
    
    FThunk: 001032DC	NbFunc: 00000012
    1	001032DC	advapi32.dll	020B	ReportEventA
    1	001032E0	advapi32.dll	0200	RegisterEventSourceA
    1	001032E4	advapi32.dll	01FB	RegSetValueExA
    1	001032E8	advapi32.dll	01EE	RegQueryValueExA
    1	001032EC	advapi32.dll	01E9	RegQueryInfoKeyA
    1	001032F0	advapi32.dll	01E4	RegOpenKeyExA
    1	001032F4	advapi32.dll	01DD	RegFlushKey
    1	001032F8	advapi32.dll	01DB	RegEnumValueA
    1	001032FC	advapi32.dll	01D8	RegEnumKeyExA
    1	00103300	advapi32.dll	01D4	RegDeleteValueA
    1	00103304	advapi32.dll	01D2	RegDeleteKeyA
    1	00103308	advapi32.dll	01CF	RegCreateKeyExA
    1	0010330C	advapi32.dll	01CB	RegCloseKey
    1	00103310	advapi32.dll	01AB	OpenProcessToken
    1	00103314	advapi32.dll	014E	LookupPrivilegeValueA
    1	00103318	advapi32.dll	0125	GetUserNameA
    1	0010331C	advapi32.dll	00B2	DeregisterEventSource
    1	00103320	advapi32.dll	001E	AdjustTokenPrivileges
    
    FThunk: 00103328	NbFunc: 0000006D
    1	00103328	kernel32.dll	03AE	lstrcpy
    1	0010332C	kernel32.dll	03AA	lstrcmpW
    1	00103330	kernel32.dll	03A8	lstrcmp
    1	00103334	kernel32.dll	0396	WriteProcessMemory
    1	00103338	kernel32.dll	0392	WritePrivateProfileStringA
    1	0010333C	kernel32.dll	038D	WriteFile
    1	00103340	kernel32.dll	0380	WideCharToMultiByte
    1	00103344	kernel32.dll	037C	WaitForSingleObject
    1	00103348	kernel32.dll	0374	VirtualQuery
    1	0010334C	kernel32.dll	0372	VirtualProtect
    1	00103350	kernel32.dll	0370	VirtualFreeEx
    1	00103354	kernel32.dll	036D	VirtualAllocEx
    1	00103358	kernel32.dll	036C	VirtualAlloc
    1	0010335C	kernel32.dll	0348	TerminateProcess
    1	00103360	kernel32.dll	0342	SuspendThread
    1	00103364	kernel32.dll	0341	SleepEx
    1	00103368	kernel32.dll	0340	Sleep
    1	0010336C	kernel32.dll	033F	SizeofResource
    1	00103370	kernel32.dll	032E	SetThreadLocale
    1	00103374	kernel32.dll	02C0	RestoreLastError
    1	00103378	kernel32.dll	0308	SetFilePointer
    1	0010337C	kernel32.dll	0306	SetFileAttributesA
    1	00103380	kernel32.dll	0303	SetEvent
    1	00103384	kernel32.dll	0302	SetErrorMode
    1	00103388	kernel32.dll	02FF	SetEndOfFile
    1	0010338C	kernel32.dll	02C1	ResumeThread
    1	00103390	kernel32.dll	02BE	ResetEvent
    1	00103394	kernel32.dll	02B4	RemoveDirectoryA
    1	00103398	kernel32.dll	02B2	ReleaseMutex
    1	0010339C	kernel32.dll	02A5	ReadFile
    1	001033A0	kernel32.dll	0276	OpenProcess
    1	001033A4	kernel32.dll	0266	MultiByteToWideChar
    1	001033A8	kernel32.dll	0265	MulDiv
    1	001033AC	kernel32.dll	0260	MoveFileExA
    1	001033B0	kernel32.dll	0256	LockResource
    1	001033B4	kernel32.dll	0248	LoadResource
    1	001033B8	kernel32.dll	0243	LoadLibraryA
    1	001033BC	kernel32.dll	0242	LeaveCriticalSection
    1	001033C0	kernel32.dll	0217	InitializeCriticalSection
    1	001033C4	kernel32.dll	01FE	GlobalUnlock
    1	001033C8	kernel32.dll	01FB	GlobalSize
    1	001033CC	kernel32.dll	01FA	GlobalReAlloc
    1	001033D0	kernel32.dll	01F6	GlobalHandle
    1	001033D4	kernel32.dll	01F7	GlobalLock
    1	001033D8	kernel32.dll	01F3	GlobalFree
    1	001033DC	kernel32.dll	01EF	GlobalFindAtomA
    1	001033E0	kernel32.dll	01EE	GlobalDeleteAtom
    1	001033E4	kernel32.dll	01EC	GlobalAlloc
    1	001033E8	kernel32.dll	01EA	GlobalAddAtomA
    1	001033EC	kernel32.dll	01DD	GetVersionExA
    1	001033F0	kernel32.dll	01DC	GetVersion
    1	001033F4	kernel32.dll	01D7	GetUserDefaultLCID
    1	001033F8	kernel32.dll	01D6	GetTimeZoneInformation
    1	001033FC	kernel32.dll	01D3	GetTickCount
    1	00103400	kernel32.dll	01CE	GetThreadLocale
    1	00103404	kernel32.dll	01CA	GetTempPathA
    1	00103408	kernel32.dll	01BA	GetSystemInfo
    1	0010340C	kernel32.dll	01B2	GetStringTypeExA
    1	00103410	kernel32.dll	01B0	GetStdHandle
    1	00103414	kernel32.dll	01AC	GetShortPathNameA
    1	00103418	kernel32.dll	0199	GetProcAddress
    1	0010341C	kernel32.dll	0195	GetPrivateProfileStringA
    1	00103420	kernel32.dll	0177	GetModuleHandleA
    1	00103424	kernel32.dll	0176	GetModuleFileNameW
    1	00103428	kernel32.dll	0175	GetModuleFileNameA
    1	0010342C	kernel32.dll	016C	GetLocaleInfoA
    1	00103430	kernel32.dll	016B	GetLocalTime
    1	00103434	kernel32.dll	0169	GetLastError
    1	00103438	kernel32.dll	015C	GetFileSize
    1	0010343C	kernel32.dll	0157	GetFileAttributesA
    1	00103440	kernel32.dll	0154	GetExitCodeThread
    1	00103444	kernel32.dll	0153	GetExitCodeProcess
    1	00103448	kernel32.dll	0151	GetEnvironmentVariableA
    1	0010344C	kernel32.dll	0146	GetDiskFreeSpaceA
    1	00103450	kernel32.dll	0140	GetDateFormatA
    1	00103454	kernel32.dll	013F	GetCurrentThreadId
    1	00103458	kernel32.dll	013D	GetCurrentProcessId
    1	0010345C	kernel32.dll	013C	GetCurrentProcess
    1	00103460	kernel32.dll	010E	GetComputerNameA
    1	00103464	kernel32.dll	010B	GetCommandLineW
    1	00103468	kernel32.dll	00FE	GetCPInfo
    1	0010346C	kernel32.dll	00F7	GetACP
    1	00103470	kernel32.dll	00F3	FreeResource
    1	00103474	kernel32.dll	00F1	FreeLibrary
    1	00103478	kernel32.dll	00EC	FormatMessageA
    1	0010347C	kernel32.dll	00E0	FindResourceA
    1	00103480	kernel32.dll	00DA	FindNextFileA
    1	00103484	kernel32.dll	00D1	FindFirstFileA
    1	00103488	kernel32.dll	00CD	FindClose
    1	0010348C	kernel32.dll	00C4	FileTimeToSystemTime
    1	00103490	kernel32.dll	00C3	FileTimeToLocalFileTime
    1	00103494	kernel32.dll	00C2	FileTimeToDosDateTime
    1	00103498	kernel32.dll	00A4	EnumResourceNamesA
    1	0010349C	kernel32.dll	0098	EnumCalendarInfoA
    1	001034A0	kernel32.dll	0097	EnterCriticalSection
    1	001034A4	kernel32.dll	0082	DeleteFileA
    1	001034A8	kernel32.dll	0080	DeleteCriticalSection
    1	001034AC	kernel32.dll	006D	CreateThread
    1	001034B0	kernel32.dll	0068	CreateRemoteThread
    1	001034B4	kernel32.dll	0063	CreateProcessA
    1	001034B8	kernel32.dll	005D	CreateMutexA
    1	001034BC	kernel32.dll	0053	CreateFileW
    1	001034C0	kernel32.dll	0050	CreateFileA
    1	001034C4	kernel32.dll	004C	CreateEventA
    1	001034C8	kernel32.dll	0048	CreateDirectoryA
    1	001034CC	kernel32.dll	0040	CopyFileA
    1	001034D0	kernel32.dll	0039	CompareStringW
    1	001034D4	kernel32.dll	0038	CompareStringA
    1	001034D8	kernel32.dll	0032	CloseHandle
    
    FThunk: 001034E0	NbFunc: 00000003
    1	001034E0	version.dll	000B	VerQueryValueA
    1	001034E4	version.dll	0002	GetFileVersionInfoSizeA
    1	001034E8	version.dll	0001	GetFileVersionInfoA
    
    FThunk: 001034F0	NbFunc: 00000052
    1	001034F0	gdi32.dll	0253	UnrealizeObject
    1	001034F4	gdi32.dll	024B	StretchDIBits
    1	001034F8	gdi32.dll	024A	StretchBlt
    1	001034FC	gdi32.dll	0244	SetWindowOrgEx
    1	00103500	gdi32.dll	0242	SetWinMetaFileBits
    1	00103504	gdi32.dll	0240	SetViewportOrgEx
    1	00103508	gdi32.dll	023D	SetTextColor
    1	0010350C	gdi32.dll	0239	SetStretchBltMode
    1	00103510	gdi32.dll	0236	SetROP2
    1	00103514	gdi32.dll	0232	SetPixel
    1	00103518	gdi32.dll	022C	SetMapMode
    1	0010351C	gdi32.dll	0223	SetEnhMetaFileBits
    1	00103520	gdi32.dll	021F	SetDIBColorTable
    1	00103524	gdi32.dll	021A	SetBrushOrgEx
    1	00103528	gdi32.dll	0217	SetBkMode
    1	0010352C	gdi32.dll	0216	SetBkColor
    1	00103530	gdi32.dll	0210	SelectPalette
    1	00103534	gdi32.dll	020F	SelectObject
    1	00103538	gdi32.dll	0208	SaveDC
    1	0010353C	gdi32.dll	0202	RoundRect
    1	00103540	gdi32.dll	0201	RestoreDC
    1	00103544	gdi32.dll	01F7	Rectangle
    1	00103548	gdi32.dll	01F6	RectVisible
    1	0010354C	gdi32.dll	01F4	RealizePalette
    1	00103550	gdi32.dll	01EF	Polyline
    1	00103554	gdi32.dll	01E1	PlayEnhMetaFile
    1	00103558	gdi32.dll	01DE	PatBlt
    1	0010355C	gdi32.dll	01D2	MoveToEx
    1	00103560	gdi32.dll	01CF	MaskBlt
    1	00103564	gdi32.dll	01CE	LineTo
    1	00103568	gdi32.dll	01CC	LPtoDP
    1	0010356C	gdi32.dll	01C8	IntersectClipRect
    1	00103570	gdi32.dll	01C4	GetWindowOrgEx
    1	00103574	gdi32.dll	01C2	GetWinMetaFileBits
    1	00103578	gdi32.dll	01BD	GetTextMetricsA
    1	0010357C	gdi32.dll	01B7	GetTextExtentPointA
    1	00103580	gdi32.dll	01B6	GetTextExtentPoint32W
    1	00103584	gdi32.dll	01B5	GetTextExtentPoint32A
    1	00103588	gdi32.dll	01AA	GetSystemPaletteEntries
    1	0010358C	gdi32.dll	01A6	GetStockObject
    1	00103590	gdi32.dll	01A5	GetRgnBox
    1	00103594	gdi32.dll	019D	GetPixel
    1	00103598	gdi32.dll	019B	GetPaletteEntries
    1	0010359C	gdi32.dll	0196	GetObjectA
    1	001035A0	gdi32.dll	0176	GetEnhMetaFilePaletteEntries
    1	001035A4	gdi32.dll	0175	GetEnhMetaFileHeader
    1	001035A8	gdi32.dll	0173	GetEnhMetaFileDescriptionA
    1	001035AC	gdi32.dll	0172	GetEnhMetaFileBits
    1	001035B0	gdi32.dll	016C	GetDeviceCaps
    1	001035B4	gdi32.dll	016B	GetDIBits
    1	001035B8	gdi32.dll	016A	GetDIBColorTable
    1	001035BC	gdi32.dll	0168	GetDCOrgEx
    1	001035C0	gdi32.dll	0166	GetCurrentPositionEx
    1	001035C4	gdi32.dll	0161	GetClipBox
    1	001035C8	gdi32.dll	0151	GetBrushOrgEx
    1	001035CC	gdi32.dll	014B	GetBitmapBits
    1	001035D0	gdi32.dll	00DF	ExtTextOutW
    1	001035D4	gdi32.dll	00DE	ExtTextOutA
    1	001035D8	gdi32.dll	00D8	ExcludeClipRect
    1	001035DC	gdi32.dll	0095	Ellipse
    1	001035E0	gdi32.dll	0090	DeleteObject
    1	001035E4	gdi32.dll	008E	DeleteEnhMetaFile
    1	001035E8	gdi32.dll	008D	DeleteDC
    1	001035EC	gdi32.dll	0051	CreateSolidBrush
    1	001035F0	gdi32.dll	004E	CreateRoundRectRgn
    1	001035F4	gdi32.dll	004C	CreateRectRgn
    1	001035F8	gdi32.dll	0049	CreatePenIndirect
    1	001035FC	gdi32.dll	0048	CreatePen
    1	00103600	gdi32.dll	0046	CreatePalette
    1	00103604	gdi32.dll	0040	CreateHalftonePalette
    1	00103608	gdi32.dll	003B	CreateFontIndirectA
    1	0010360C	gdi32.dll	0038	CreateEnhMetaFileA
    1	00103610	gdi32.dll	0034	CreateDIBitmap
    1	00103614	gdi32.dll	0033	CreateDIBSection
    1	00103618	gdi32.dll	002E	CreateCompatibleDC
    1	0010361C	gdi32.dll	002D	CreateCompatibleBitmap
    1	00103620	gdi32.dll	002A	CreateBrushIndirect
    1	00103624	gdi32.dll	0028	CreateBitmap
    1	00103628	gdi32.dll	0024	CopyEnhMetaFileA
    1	0010362C	gdi32.dll	0022	CombineRgn
    1	00103630	gdi32.dll	001D	CloseEnhMetaFile
    1	00103634	gdi32.dll	0013	BitBlt
    
    FThunk: 0010363C	NbFunc: 000000CC
    1	0010363C	user32.dll	02D6	WindowFromPoint
    1	00103640	user32.dll	02D3	WinHelpA
    1	00103644	user32.dll	02D1	WaitMessage
    1	00103648	user32.dll	02C6	ValidateRect
    1	0010364C	user32.dll	02BC	UpdateWindow
    1	00103650	user32.dll	02B5	UnregisterClassW
    1	00103654	user32.dll	02B4	UnregisterClassA
    1	00103658	user32.dll	02AF	UnhookWindowsHookEx
    1	0010365C	user32.dll	02AB	TranslateMessage
    1	00103660	user32.dll	02AA	TranslateMDISysAccel
    1	00103664	user32.dll	02A5	TrackPopupMenu
    1	00103668	user32.dll	029A	SystemParametersInfoA
    1	0010366C	user32.dll	0293	ShowWindow
    1	00103670	user32.dll	0291	ShowScrollBar
    1	00103674	user32.dll	0290	ShowOwnedPopups
    1	00103678	user32.dll	028F	ShowCursor
    1	0010367C	user32.dll	0285	SetWindowRgn
    1	00103680	user32.dll	028C	SetWindowsHookExW
    1	00103684	user32.dll	028B	SetWindowsHookExA
    1	00103688	user32.dll	0288	SetWindowTextW
    1	0010368C	user32.dll	0287	SetWindowTextA
    1	00103690	user32.dll	0284	SetWindowPos
    1	00103694	user32.dll	0283	SetWindowPlacement
    1	00103698	user32.dll	0282	SetWindowLongW
    1	0010369C	user32.dll	0281	SetWindowLongA
    1	001036A0	user32.dll	027B	SetTimer
    1	001036A4	user32.dll	0271	SetScrollRange
    1	001036A8	user32.dll	0270	SetScrollPos
    1	001036AC	user32.dll	026F	SetScrollInfo
    1	001036B0	user32.dll	026D	SetRect
    1	001036B4	user32.dll	026B	SetPropA
    1	001036B8	user32.dll	0264	SetMenuItemInfoW
    1	001036BC	user32.dll	0263	SetMenuItemInfoA
    1	001036C0	user32.dll	025E	SetMenu
    1	001036C4	user32.dll	0258	SetForegroundWindow
    1	001036C8	user32.dll	0257	SetFocus
    1	001036CC	user32.dll	024E	SetCursor
    1	001036D0	user32.dll	024B	SetClipboardData
    1	001036D4	user32.dll	0248	SetClassLongA
    1	001036D8	user32.dll	0245	SetCapture
    1	001036DC	user32.dll	0244	SetActiveWindow
    1	001036E0	user32.dll	0241	SendMessageW
    1	001036E4	user32.dll	023C	SendMessageA
    1	001036E8	user32.dll	0235	ScrollWindow
    1	001036EC	user32.dll	0232	ScreenToClient
    1	001036F0	user32.dll	022D	RemovePropA
    1	001036F4	user32.dll	022C	RemoveMenu
    1	001036F8	user32.dll	022B	ReleaseDC
    1	001036FC	user32.dll	022A	ReleaseCapture
    1	00103700	user32.dll	021B	RegisterClipboardFormatA
    1	00103704	user32.dll	021B	RegisterClipboardFormatA
    1	00103708	user32.dll	021A	RegisterClassW
    1	0010370C	user32.dll	0217	RegisterClassA
    1	00103710	user32.dll	0216	RedrawWindow
    1	00103714	user32.dll	020C	PtInRect
    1	00103718	user32.dll	0203	PostThreadMessageA
    1	0010371C	user32.dll	0202	PostQuitMessage
    1	00103720	user32.dll	0201	PostMessageW
    1	00103724	user32.dll	0200	PostMessageA
    1	00103728	user32.dll	01FE	PeekMessageA
    1	0010372C	user32.dll	01F4	OpenClipboard
    1	00103730	user32.dll	01F3	OffsetRect
    1	00103734	user32.dll	01EF	OemToCharA
    1	00103738	user32.dll	01EB	MsgWaitForMultipleObjects
    1	0010373C	user32.dll	01E4	MessageBoxW
    1	00103740	user32.dll	01DD	MessageBoxA
    1	00103744	user32.dll	01DC	MessageBeep
    1	00103748	user32.dll	01D8	MapWindowPoints
    1	0010374C	user32.dll	01D7	MapVirtualKeyW
    1	00103750	user32.dll	01D4	MapVirtualKeyA
    1	00103754	user32.dll	01CA	LoadStringW
    1	00103758	user32.dll	01C9	LoadStringA
    1	0010375C	user32.dll	01C0	LoadKeyboardLayoutA
    1	00103760	user32.dll	01BC	LoadIconA
    1	00103764	user32.dll	01B8	LoadCursorA
    1	00103768	user32.dll	01B6	LoadBitmapA
    1	0010376C	user32.dll	01B3	KillTimer
    1	00103770	user32.dll	01B1	IsZoomed
    1	00103774	user32.dll	01B0	IsWindowVisible
    1	00103778	user32.dll	01AF	IsWindowUnicode
    1	0010377C	user32.dll	01AD	IsWindowEnabled
    1	00103780	user32.dll	01AC	IsWindow
    1	00103784	user32.dll	01A9	IsRectEmpty
    1	00103788	user32.dll	01A7	IsIconic
    1	0010378C	user32.dll	01A1	IsDialogMessage
    1	00103790	user32.dll	019F	IsChild
    1	00103794	user32.dll	0194	InvalidateRect
    1	00103798	user32.dll	0193	IntersectRect
    1	0010379C	user32.dll	018F	InsertMenuItemA
    1	001037A0	user32.dll	018E	InsertMenuA
    1	001037A4	user32.dll	018B	InflateRect
    1	001037A8	user32.dll	017C	GetWindowThreadProcessId
    1	001037AC	user32.dll	017A	GetWindowTextLengthW
    1	001037B0	user32.dll	017B	GetWindowTextW
    1	001037B4	user32.dll	0178	GetWindowTextA
    1	001037B8	user32.dll	0175	GetWindowRect
    1	001037BC	user32.dll	0174	GetWindowPlacement
    1	001037C0	user32.dll	0170	GetWindowLongW
    1	001037C4	user32.dll	016F	GetWindowLongA
    1	001037C8	user32.dll	016D	GetWindowDC
    1	001037CC	user32.dll	0164	GetTopWindow
    1	001037D0	user32.dll	015E	GetSystemMetrics
    1	001037D4	user32.dll	015D	GetSystemMenu
    1	001037D8	user32.dll	015B	GetSysColor
    1	001037DC	user32.dll	015A	GetSubMenu
    1	001037E0	user32.dll	0158	GetScrollRange
    1	001037E4	user32.dll	0157	GetScrollPos
    1	001037E8	user32.dll	0156	GetScrollInfo
    1	001037EC	user32.dll	014B	GetPropA
    1	001037F0	user32.dll	0146	GetParent
    1	001037F4	user32.dll	016B	GetWindow
    1	001037F8	user32.dll	013E	GetMessageTime
    1	001037FC	user32.dll	013D	GetMessagePos
    1	00103800	user32.dll	013B	GetMessageA
    1	00103804	user32.dll	013A	GetMenuStringW
    1	00103808	user32.dll	0139	GetMenuStringA
    1	0010380C	user32.dll	0138	GetMenuState
    1	00103810	user32.dll	0136	GetMenuItemInfoW
    1	00103814	user32.dll	0135	GetMenuItemInfoA
    1	00103818	user32.dll	0134	GetMenuItemID
    1	0010381C	user32.dll	0133	GetMenuItemCount
    1	00103820	user32.dll	012D	GetMenu
    1	00103824	user32.dll	0129	GetLastActivePopup
    1	00103828	user32.dll	0127	GetKeyboardState
    1	0010382C	user32.dll	0124	GetKeyboardLayoutList
    1	00103830	user32.dll	0123	GetKeyboardLayout
    1	00103834	user32.dll	0122	GetKeyState
    1	00103838	user32.dll	0121	GetKeyNameTextW
    1	0010383C	user32.dll	0120	GetKeyNameTextA
    1	00103840	user32.dll	011B	GetIconInfo
    1	00103844	user32.dll	0118	GetForegroundWindow
    1	00103848	user32.dll	0117	GetFocus
    1	0010384C	user32.dll	0112	GetDlgItem
    1	00103850	user32.dll	010F	GetDesktopWindow
    1	00103854	user32.dll	010E	GetDCEx
    1	00103858	user32.dll	010D	GetDC
    1	0010385C	user32.dll	010C	GetCursorPos
    1	00103860	user32.dll	0109	GetCursor
    1	00103864	user32.dll	0102	GetClipboardData
    1	00103868	user32.dll	0100	GetClientRect
    1	0010386C	user32.dll	00FE	GetClassNameW
    1	00103870	user32.dll	00FD	GetClassNameA
    1	00103874	user32.dll	00FA	GetClassInfoW
    1	00103878	user32.dll	00F7	GetClassInfoA
    1	0010387C	user32.dll	00F4	GetCapture
    1	00103880	user32.dll	00EC	GetActiveWindow
    1	00103884	user32.dll	00EA	FrameRect
    1	00103888	user32.dll	00E4	FindWindowA
    1	0010388C	user32.dll	00E3	FillRect
    1	00103890	user32.dll	00E2	ExitWindowsEx
    1	00103894	user32.dll	00E0	EqualRect
    1	00103898	user32.dll	00DF	EnumWindows
    1	0010389C	user32.dll	00DC	EnumThreadWindows
    1	001038A0	user32.dll	00CD	EnumClipboardFormats
    1	001038A4	user32.dll	00C9	EndPaint
    1	001038A8	user32.dll	00C5	EnableWindow
    1	001038AC	user32.dll	00C4	EnableScrollBar
    1	001038B0	user32.dll	00C3	EnableMenuItem
    1	001038B4	user32.dll	00C2	EmptyClipboard
    1	001038B8	user32.dll	00C0	DrawTextW
    1	001038BC	user32.dll	00BD	DrawTextA
    1	001038C0	user32.dll	00B9	DrawMenuBar
    1	001038C4	user32.dll	00B8	DrawIconEx
    1	001038C8	user32.dll	00B7	DrawIcon
    1	001038CC	user32.dll	00B6	DrawFrameControl
    1	001038D0	user32.dll	00B4	DrawFocusRect
    1	001038D4	user32.dll	00B3	DrawEdge
    1	001038D8	user32.dll	00A3	DispatchMessageW
    1	001038DC	user32.dll	00A2	DispatchMessageA
    1	001038E0	user32.dll	009A	DestroyWindow
    1	001038E4	user32.dll	0098	DestroyMenu
    1	001038E8	user32.dll	0096	DestroyCursor
    1	001038EC	user32.dll	0096	DestroyCursor
    1	001038F0	user32.dll	0092	DeleteMenu
    1	001038F4	user32.dll	0090	DefWindowProcW
    1	001038F8	user32.dll	008F	DefWindowProcA
    1	001038FC	user32.dll	008D	DefMDIChildProcW
    1	00103900	user32.dll	008C	DefMDIChildProcA
    1	00103904	user32.dll	008B	DefFrameProcW
    1	00103908	user32.dll	008A	DefFrameProcA
    1	0010390C	user32.dll	0062	CreateWindowExW
    1	00103910	user32.dll	0061	CreateWindowExA
    1	00103914	user32.dll	005F	CreatePopupMenu
    1	00103918	user32.dll	005E	CreateMenu
    1	0010391C	user32.dll	005D	CreateMDIWindowW
    1	00103920	user32.dll	0058	CreateIcon
    1	00103924	user32.dll	0043	CloseClipboard
    1	00103928	user32.dll	0041	ClientToScreen
    1	0010392C	user32.dll	003D	ChildWindowFromPoint
    1	00103930	user32.dll	003A	CheckMenuItem
    1	00103934	user32.dll	0037	CharUpperBuffW
    1	00103938	user32.dll	0038	CharUpperW
    1	0010393C	user32.dll	001D	CallWindowProcW
    1	00103940	user32.dll	001C	CallWindowProcA
    1	00103944	user32.dll	001B	CallNextHookEx
    1	00103948	user32.dll	0010	BringWindowToTop
    1	0010394C	user32.dll	000E	BeginPaint
    1	00103950	user32.dll	002B	CharNextA
    1	00103954	user32.dll	0028	CharLowerBuffA
    1	00103958	user32.dll	0027	CharLowerA
    1	0010395C	user32.dll	0036	CharUpperBuffA
    1	00103960	user32.dll	0035	CharUpperA
    1	00103964	user32.dll	0003	AdjustWindowRectEx
    1	00103968	user32.dll	0001	ActivateKeyboardLayout
    
    FThunk: 00103970	NbFunc: 00000001
    1	00103970	kernel32.dll	0340	Sleep
    
    FThunk: 00103978	NbFunc: 00000016
    1	00103978	oleaut32.dll	0094	SafeArrayPtrOfIndex
    1	0010397C	oleaut32.dll	001A	SafeArrayPutElement
    1	00103980	oleaut32.dll	0019	SafeArrayGetElement
    1	00103984	oleaut32.dll	0013	SafeArrayGetUBound
    1	00103988	oleaut32.dll	0014	SafeArrayGetLBound
    1	0010398C	oleaut32.dll	0028	SafeArrayRedim
    1	00103990	oleaut32.dll	000F	SafeArrayCreate
    1	00103994	oleaut32.dll	0074	VarBstrFromBool
    1	00103998	oleaut32.dll	0072	VarBstrFromDate
    1	0010399C	oleaut32.dll	0071	VarBstrFromCy
    1	001039A0	oleaut32.dll	007D	VarBoolFromStr
    1	001039A4	oleaut32.dll	0068	VarCyFromStr
    1	001039A8	oleaut32.dll	005E	VarDateFromStr
    1	001039AC	oleaut32.dll	0054	VarR8FromStr
    1	001039B0	oleaut32.dll	0040	VarI4FromStr
    1	001039B4	oleaut32.dll	00AE	VarNot
    1	001039B8	oleaut32.dll	00AD	VarNeg
    1	001039BC	oleaut32.dll	0093	VariantChangeTypeEx
    1	001039C0	oleaut32.dll	000B	VariantCopyInd
    1	001039C4	oleaut32.dll	000A	VariantCopy
    1	001039C8	oleaut32.dll	0009	VariantClear
    1	001039CC	oleaut32.dll	0008	VariantInit
    
    FThunk: 001039D4	NbFunc: 0000000C
    1	001039D4	ole32.dll	0093	CreateStreamOnHGlobal
    1	001039D8	ole32.dll	00D7	IsAccelerator
    1	001039DC	ole32.dll	00F7	OleDraw
    1	001039E0	ole32.dll	0113	OleSetMenuDescriptor
    1	001039E4	ole32.dll	0066	CoTaskMemFree
    1	001039E8	ole32.dll	0117	ProgIDFromCLSID
    1	001039EC	ole32.dll	0143	StringFromCLSID
    1	001039F0	ole32.dll	0012	CoCreateInstance
    1	001039F4	ole32.dll	0024	CoGetClassObject
    1	001039F8	ole32.dll	006A	CoUninitialize
    1	001039FC	ole32.dll	003C	CoInitialize
    1	00103A00	ole32.dll	00D8	IsEqualGUID
    
    FThunk: 00103A08	NbFunc: 00000003
    1	00103A08	oleaut32.dll	00C8	GetErrorInfo
    1	00103A0C	oleaut32.dll	0023	GetActiveObject
    1	00103A10	oleaut32.dll	0006	SysFreeString
    
    FThunk: 00103A18	NbFunc: 00000019
    1	00103A18	comctl32.dll	0052	ImageList_SetIconSize
    1	00103A1C	comctl32.dll	003D	ImageList_GetIconSize
    1	00103A20	comctl32.dll	0055	ImageList_Write
    1	00103A24	comctl32.dll	0045	ImageList_Read
    1	00103A28	comctl32.dll	003A	ImageList_GetDragImage
    1	00103A2C	comctl32.dll	0033	ImageList_DragShowNolock
    1	00103A30	comctl32.dll	004F	ImageList_SetDragCursorImage
    1	00103A34	comctl32.dll	0032	ImageList_DragMove
    1	00103A38	comctl32.dll	0031	ImageList_DragLeave
    1	00103A3C	comctl32.dll	0030	ImageList_DragEnter
    1	00103A40	comctl32.dll	0038	ImageList_EndDrag
    1	00103A44	comctl32.dll	002C	ImageList_BeginDrag
    1	00103A48	comctl32.dll	003C	ImageList_GetIcon
    1	00103A4C	comctl32.dll	004B	ImageList_Remove
    1	00103A50	comctl32.dll	0035	ImageList_DrawEx
    1	00103A54	comctl32.dll	004C	ImageList_Replace
    1	00103A58	comctl32.dll	0034	ImageList_Draw
    1	00103A5C	comctl32.dll	0039	ImageList_GetBkColor
    1	00103A60	comctl32.dll	004E	ImageList_SetBkColor
    1	00103A64	comctl32.dll	004D	ImageList_ReplaceIcon
    1	00103A68	comctl32.dll	0029	ImageList_Add
    1	00103A6C	comctl32.dll	003E	ImageList_GetImageCount
    1	00103A70	comctl32.dll	002F	ImageList_Destroy
    1	00103A74	comctl32.dll	002E	ImageList_Create
    1	00103A78	comctl32.dll	0011	InitCommonControls
    
    FThunk: 00103A80	NbFunc: 00000002
    1	00103A80	shell32.dll	0167	ShellExecuteA
    1	00103A84	shell32.dll	0120	SHFileOperation
    
    FThunk: 00103A8C	NbFunc: 00000004
    1	00103A8C	shell32.dll	0138	SHGetPathFromIDList
    1	00103A90	shell32.dll	0136	SHGetMalloc
    1	00103A94	shell32.dll	0127	SHGetDesktopFolder
    1	00103A98	shell32.dll	0110	SHBrowseForFolder
    
    FThunk: 00103AA0	NbFunc: 00000002
    1	00103AA0	comdlg32.dll	006A	FindTextA
    1	00103AA4	comdlg32.dll	006E	GetOpenFileNameA
    
    FThunk: 00103AAC	NbFunc: 00000001
    1	00103AAC	winmm.dll	00A6	timeGetTime
    
    FThunk: 00103AB4	NbFunc: 00000004
    1	00103AB4	imagehlp.dll	0069	UnMapAndLoad
    1	00103AB8	imagehlp.dll	0020	MapAndLoad
    1	00103ABC	imagehlp.dll	001B	ImageRvaToVa
    1	00103AC0	imagehlp.dll	0011	ImageDirectoryEntryToData
    
    FThunk: 00103AC8	NbFunc: 0000000C
    1	00103AC8	advapi32.dll	0240	StartServiceA
    1	00103ACC	advapi32.dll	0241	StartServiceCtrlDispatcherA
    1	00103AD0	advapi32.dll	023B	SetServiceStatus
    1	00103AD4	advapi32.dll	0203	RegisterServiceCtrlHandlerA
    1	00103AD8	advapi32.dll	01C2	QueryServiceStatus
    1	00103ADC	advapi32.dll	01BD	QueryServiceConfigA
    1	00103AE0	advapi32.dll	01AE	OpenServiceA
    1	00103AE4	advapi32.dll	01AC	OpenSCManagerA
    1	00103AE8	advapi32.dll	00B1	DeleteService
    1	00103AEC	advapi32.dll	0066	CreateServiceA
    1	00103AF0	advapi32.dll	0044	ControlService
    1	00103AF4	advapi32.dll	0040	CloseServiceHandle
    
    FThunk: 00103AFC	NbFunc: 00000002
    1	00103AFC	kernel32.dll	01DD	GetVersionExA
    1	00103B00	kernel32.dll	01B7	GetSystemDefaultUILanguage
    
    FThunk: 00103B08	NbFunc: 00000001
    1	00103B08	advapi32.dll	0064	CreateProcessWithLogonW
    Last edited by 5aLIVE; September 24th, 2007 at 12:50.

  2. #2
    Googling "system shutdown api" (without the quotes) tells me you should look into ExitWindowsEx. Good luck.
    I have nothing to say and I am saying it and that is poetry as I need it.
    -John Cage

  3. #3
    Hi xenakis, I tried the very same thing. You'll notice that this isn't one of the imports listed though.
    Whoops yes it is. I overlooked that thanks.

  4. #4
    1. Adler32 is just a 32-bit checksum, nothing more complex than CRC32.

    2. Base64 is not considered cryptographic.

    3. You might want to investigate more on the Blowfish/MD5/SHA though, and since it seems like you just posted the results of an automated scan, there is the possibility that the protection does not involve them (try the same analyser on the well-known md5sum.exe, even though it has absolutely no protection at all) but is only a part of the program's working.

    4. Redirect the validation server's address to localhost via HOSTS file or your router (preferred, I've seen some protections that circumvent the HOSTS file), if it is standard HTTP then setting up a local server to handle the requests should not be too difficult. Again, monitor the traffic generated. Although I don't see any network-related imports in that list, there are several service-related calls which suggest that another process is responsible for the validation.

    5. An unpacked file that deletes itself, will only do so if you run it, and you don't need to run it to analyse it. Hint: It's probably checking the file on the disk. bp kernel32.CreateFileA/W and work from there. Again, maybe an external service is doing this.

    6. Beware of debugger detection.
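
The observation in point 4 above (service-related imports present, no network-related ones) can be checked mechanically against a listing in the format posted in #1. The following is an added example, not part of the thread: the capability groupings and the `NETWORK_DLLS` set are this example's own assumptions, and the sample rows are copied from the listing with the `FThunk`/`NbFunc` headers rewritten to fit the excerpt.

```python
import re

# Constructed excerpt: rows copied from the listing in post #1, headers
# rewritten so each NbFunc matches the shortened group.
SAMPLE = """\
FThunk: 00103310 NbFunc: 00000003
1 00103310 advapi32.dll 01AB OpenProcessToken
1 00103314 advapi32.dll 014E LookupPrivilegeValueA
1 00103320 advapi32.dll 001E AdjustTokenPrivileges

FThunk: 00103334 NbFunc: 00000005
1 00103334 kernel32.dll 0396 WriteProcessMemory
1 00103354 kernel32.dll 036D VirtualAllocEx
1 001033AC kernel32.dll 0260 MoveFileExA
1 001034A4 kernel32.dll 0082 DeleteFileA
1 001034B0 kernel32.dll 0068 CreateRemoteThread

FThunk: 00103890 NbFunc: 00000001
1 00103890 user32.dll 00E2 ExitWindowsEx

FThunk: 00103AC8 NbFunc: 00000003
1 00103AE4 advapi32.dll 01AC OpenSCManagerA
1 00103AEC advapi32.dll 0066 CreateServiceA
1 00103AC8 advapi32.dll 0240 StartServiceA
"""

HEADER = re.compile(r"FThunk:\s*([0-9A-Fa-f]{8})\s+NbFunc:\s*([0-9A-Fa-f]{8})")
ROW = re.compile(r"\s*\d\s+([0-9A-Fa-f]{8})\s+(\S+)\s+([0-9A-Fa-f]{4})\s+(\S+)\s*$")

# Assumed groupings for triage; names are stored without the A/W suffix.
CAPABILITIES = {
    "file removal": {"DeleteFile", "MoveFileEx", "SHFileOperation", "RemoveDirectory"},
    "shutdown/reboot": {"ExitWindowsEx", "AdjustTokenPrivileges",
                        "LookupPrivilegeValue", "OpenProcessToken"},
    "cross-process memory": {"WriteProcessMemory", "VirtualAllocEx",
                             "CreateRemoteThread", "OpenProcess"},
    "service control": {"OpenSCManager", "CreateService", "StartService",
                        "OpenService", "ControlService", "DeleteService"},
}
# Assumed set of DLLs whose presence indicates direct network use.
NETWORK_DLLS = {"ws2_32.dll", "wsock32.dll", "wininet.dll", "winhttp.dll", "urlmon.dll"}


def parse_listing(text):
    """Return (imports, mismatches).

    imports: list of (rva, dll, hint, name) tuples.
    mismatches: (thunk, declared, seen) for groups whose row count differs
    from the NbFunc header, which points at a truncated or hand-edited list.
    """
    imports, groups, current = [], {}, None
    for line in text.splitlines():
        header = HEADER.search(line)
        if header:
            current = header.group(1)
            groups[current] = [int(header.group(2), 16), 0]
            continue
        row = ROW.match(line)
        if row:
            rva, dll, hint, name = row.groups()
            imports.append((rva, dll.lower(), int(hint, 16), name))
            if current is not None:
                groups[current][1] += 1
    mismatches = [(t, d, s) for t, (d, s) in groups.items() if d != s]
    return imports, mismatches


def triage(imports):
    """Group imported function names by capability; empty lists are kept."""
    found = {cap: set() for cap in CAPABILITIES}
    found["network"] = set()
    for _rva, dll, _hint, name in imports:
        candidates = {name}
        if name[-1:] in ("A", "W"):
            candidates.add(name[:-1])  # match ANSI/wide variants
        for cap, funcs in CAPABILITIES.items():
            if candidates & funcs:
                found[cap].add(name)
        if dll in NETWORK_DLLS:
            found["network"].add(name)
    return {cap: sorted(names) for cap, names in found.items()}


if __name__ == "__main__":
    parsed, bad = parse_listing(SAMPLE)
    for cap, names in triage(parsed).items():
        print(f"{cap:22} {', '.join(names) or '(none in import table)'}")
    print("count mismatches:", bad)
```

An empty `network` group only says the import table names no networking DLL; it says nothing about libraries loaded at run time or about other processes.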

  5. #5
    Hi, thanks for the helpful tips.

    Quote: Originally posted by LLXX
    1. Adler32 is just a 32-bit checksum, nothing more complex than CRC32.
    >I'll need to read up on that, I hadn't heard of it before.

    Quote: Originally posted by LLXX
    2. Base64 is not considered cryptographic.
    >I can't argue with that.

    Quote: Originally posted by LLXX
    3. You might want to investigate more on the Blowfish/MD5/SHA though, and since it seems like you just posted the results of an automated scan, there is the possibility that the protection does not involve them (try the same analyser on the well-known md5sum.exe, even though it has absolutely no protection at all) but is only a part of the program's working.
    >You are quite correct to suggest I ran a cryptographic scan on the file with PEiD (Krypto Analyzer). I realize why you suggest these algorithms might not be in use. Although I am reasonably confident that most if not all of them probably are, given that a keygen I found for an earlier version lists them. Perhaps with time I'll be able to tackle crypto crackmes some day.

    Quote Originally Posted by LLXX View Post
    4. Redirect the validation server's address to localhost via HOSTS file or your router (preferred, I've seen some protections that circumvent the HOSTS file), if it is standard HTTP then setting up a local server to handle the requests should not be too difficult. Again, monitor the traffic generated. Although I don't see any network-related imports in that list, there are several service-related calls which suggest that another process is responsible for the validation.
    >Hmm. The program opens a browser to display online help. It was when accessing this that I had the key blacklisted. I see advapi32.dll service-related imports that must be used here. I'll see what I can find. I know it uses Windows sockets so far; I was hoping to patch the server check if possible.

    Quote Originally Posted by LLXX View Post
    5. An unpacked file that deletes itself, will only do so if you run it, and you don't need to run it to analyse it. Hint: It's probably checking the file on the disk. bp kernel32.CreateFileA/W and work from there. Again, maybe an external service is doing this.
    >An interesting idea. A quick look at the Win32 API manual shows that CreateFileA/W has a flag called "FILE_FLAG_DELETE_ON_CLOSE", which indicates the operating system is to delete the file immediately after all of its handles have been closed. So that is definitely worth some investigating.


    Quote Originally Posted by LLXX View Post
    6. Beware of debugger detection.
    >Will do. I've been using hardware breakpoints up to now.
    Last edited by 5aLIVE; September 24th, 2007 at 15:06.

  6. #6
    Quote Originally Posted by 5aLIVE View Post
    Okay I unpacked it and ran it again, the unpacked program deletes the itself and then shuts down!
    Just a guess, but if the program is doing what I think it is doing this happens the other way around: program shuts down Windows, then upon rebooting the file is deleted. The unpacked program detects it is unpacked, invokes MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT, then shuts down (and reboots) with ExitWindowsEx. Could be wrong, but worth checking out.
    But as mentioned above, the easiest way to avoid all this is to BP on CreateFileA/W to catch the program checking the file on disk. And forget about the FILE_FLAG_DELETE_ON_CLOSE flag, as far as I know you can't delete the invoking program this way. Happy hunting.
    I have nothing to say and I am saying it and that is poetry as I need it.
    -John Cage
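
Added example (not written by any poster in this thread): seen from the incident-response side, a deletion scheduled with MoveFileEx and MOVEFILE_DELAY_UNTIL_REBOOT, as guessed in post #6, stays recorded until the reboot in the PendingFileRenameOperations value under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager. The Python below parses the raw REG_MULTI_SZ bytes of that value and flags executables queued for deletion; the sample value and every file path in it are constructed for illustration.

```python
import ntpath

NT_PREFIX = "\\??\\"  # NT object-manager prefix stored in front of each path

def split_multi_sz(raw: bytes) -> list:
    """Decode raw REG_MULTI_SZ bytes (UTF-16LE), keeping empty strings."""
    text = raw.decode("utf-16-le")
    if text.endswith("\0"):
        text = text[:-1]              # drop the list terminator
    parts = text.split("\0")
    if parts and parts[-1] == "":
        parts.pop()                   # left over from the last string's own NUL
    return parts

def _strip(path: str) -> str:
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path

def pending_operations(raw: bytes) -> list:
    """Return one dict per (source, target) pair; empty target means delete."""
    strings = split_multi_sz(raw)
    if len(strings) % 2:
        strings.append("")            # tolerate a missing final empty target
    ops = []
    for src, dst in zip(strings[0::2], strings[1::2]):
        replace = dst.startswith("!")  # '!' marks MOVEFILE_REPLACE_EXISTING
        dst = dst[1:] if replace else dst
        ops.append({
            "action": "rename" if dst else "delete",
            "source": _strip(src),
            "target": _strip(dst) or None,
            "replace_existing": replace,
        })
    return ops

def executables_queued_for_delete(ops, exts=(".exe", ".dll", ".sys")):
    """Sources of delete operations whose extension is an executable type."""
    return [op["source"] for op in ops
            if op["action"] == "delete"
            and ntpath.splitext(op["source"])[1].lower() in exts]

# Constructed sample value: one delete and one rename-with-replace.
SAMPLE = ("".join(s + "\0" for s in (
    "\\??\\C:\\Tools\\sample_unpacked.exe", "",
    "\\??\\C:\\Windows\\Temp\\upd.tmp", "!\\??\\C:\\Windows\\System32\\example.dll",
)) + "\0").encode("utf-16-le")

if __name__ == "__main__":
    for op in pending_operations(SAMPLE):
        print(op)
    print(executables_queued_for_delete(pending_operations(SAMPLE)))
```

On a live system the same bytes can be read from the registry value or from an offline SYSTEM hive; an executable listed with an empty target is one that will be removed at the next boot.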

  7. #7
    @xenakis: I think it's pretty difficult to hint at a possible way the application is doin' the shutdown with following removal from disk, due to the variety of possibilities.

    @5aLIVE: A part of a disassembly would be nice. Try to isolate the shutdown controlling call and erase it if possible. Then mistakes won't be a pain in the ass any longer

    Cheers and OHPen aka PAPiLLiON
    - Reverse Engineering can be everything, but sometimes it's more than nothing. Really rare moments but then they appear to last ages... -

  8. #8
    That's why I started my post with "Just a guess"
    The OP should indeed post a little more information. As far as I have read he/she doesn't seem to even know how the program is shutting down the machine.
    I have nothing to say and I am saying it and that is poetry as I need it.
    -John Cage

  9. #9
    I found where to patch the unpacked app to stop it from shutting Windows down. Works okay when changing the code/flag in memory, but the exe detects changes if I write the change to the file. So there must be a CRC check somewhere. I've also found the general area where it detects if a blacklisted key has been used. I'm learning as I go, so I don't see much point in posting code up just yet. I've still to find out what is being checked to test for this.

    I've learned quite a bit just by single stepping through the code although I have much to learn. I know for example that the key is checked using the LDAP protocol as far as I can tell.

    The only recent crack I've seen of this tool is a loader that is patched to the compressed exe to bypass the CRC(s). I would prefer to run it unpacked and hard patched if possible. So much to learn. Any tips on finding the CRC check? Is CreateFile normally used for this (still to search on this)?

    Thanks,
    5Alive

  10. #10
    hmm i thought of another way it could delete itself...
    virtualallocex to another process -> inject code, createremotethread (to start thread @ injected code), exit its process, the remote thread can then happily delete the exe and you wouldn't see it in olly etc, because another process would do it.. filemon would surely see it though......

  11. #11
    In the meantime, I've had a play with the packed exe, just breaking at OEP and trying to find the message that reports a leaked key. I found that without too much hardship and then found the code which triggers the SEH to display the error. I found that okay, changed the zero flag to force a jump and the app loads up.
    The app is still crippled, stopping me from clicking on particular checkboxes, so I need to work backwards some more to find the cause. I'm not sure if I can do this but I'll give it a go. Any hints or pointers would be great.

    I'll continue playing around with this as time permits as I'm learning new things as I go.

  12. #12
    Why haven't you actually disassembled the unpacked file and inspected it?

  13. #13
    Quote Originally Posted by LLXX View Post
    Why haven't you actually disassembled the unpacked file and inspected it?
    I've been using the IDA disassembly of the unpacked file as my reference when working with the packed version. The reason I started to focus on the packed version is twofold.

    1. It produces the black listed error message which I've attempted to find the check. There is a SEH chain which I've attempted to follow but can't seem to find what I am looking for so far. My primary goal is to remove all traces of this program being used with a leaked key to remove this nag.

    2. The app in packed form is a little "friendlier" to analyse in OllyDbg for the moment, given that it runs without CRC errors.

    Would anyone like to have a look at this and perhaps give me a helping hand please? Just respond here and I'll PM whoever accepts.

    Thank you.

  14. #14
    Quote Originally Posted by 5aLIVE View Post
    I've been using the IDA disassembly of the unpacked file as my reference when working with the packed version. The reason I started to focus on the packed version is twofold.
    I meant actually inspecting the unpacked file, NOT messing around precariously in a debugger. The former tends to uncover more details, especially since you don't go into a "step-into step-over now where am I and what's going on" thought process. I advise all practitioners of RCE to carefully look through the static disassembly and form hypotheses about the operation of the code, then get out the debugger and confirm/deny those hypotheses.

  15. #15
    That's good advice which I intend to follow. EDIT #1: Removed a question I asked over 2 years ago about .MAP files

    EDIT #2:
    Dammit. I've still got this problem despite reading Blabberer and the godfather+ replies here: What else could cause a map file not to be applied correctly to a debugged program?

    From the IDA map file:
    Start Length Name Class
    0001:00000000 0000F1000H .main BSS
    0002:00000000 0000D7000H .data DATA
    0003:00000000 000004000H .rdata DATA
    0004:00000000 000004000H .mackt DATA

    The above is the same using Olly memory view.
    Memory map
    Address Size Owner Section Contains Type Access Initial Mapped as
    00400000 00001000 myapp PE header Imag R RWE
    00401000 000F1000 myapp .main Imag R RWE
    004F2000 000D7000 myapp .data code Imag R RWE
    005C9000 00004000 myapp .rdata data,resourc Imag R RWE
    005CD000 00004000 myapp .mackt imports Imag R RWE

    Is the address of the PE header also the image base?

    I tried loading the TQN Delphi 6 and 7 signature file directly into Olly using the Godup plugin.
    5 procedures are recognised, with 33 being unrecognised. When I first ran IDA Free it didn't recognise a compiler (Delphi 6&7 .sigs were missing) so I copied these and manually applied the Delphi 6 sig file to the disassembly. The disassembled output recognised a lot of known Delphi functions.

    PEiD recognised the app as Delphi 6-7, but the Godup plugin Resource analyser doesn't detect a signature.

    Thanks.
    Last edited by 5aLIVE; September 28th, 2007 at 15:32.
