
Thread: An unknown packer

  1. #1

    An unknown packer

    Hi all
    I'm working on an unknown packer. It seems simple, but I think I can't unpack it correctly.
    Because of the rules, I can't name the program I'm working on, but I'll give some specifications about it; perhaps you could recognize something similar:
    1- If you use a hardcore scan in PEiD it says the protection is Petite 1.4; a normal scan identifies nothing.
    2- This is the only packer I've seen that says nothing in Olly about the EP. I mean, when you open it up in Olly it looks like a normal application and runs without any message about the EP.
    3- The only packer I've seen that starts with a JMP instruction....
    4- The only packer I've seen that has a huge amount of obfuscated code using JMP and PUSH addr / RET (another way of doing a JMP), which makes tracing the code almost impossible.

    Can you identify anything using these details?


    In addition, I should say that I was able to make a working semi-unpack of the target.
    By semi-unpack, I mean I was able to find something that I think is the OEP, make a working application by dumping it at that OEP and rebuilding the IAT with ImpREC. The problem is that the main program body is still connected to the packer's code in this semi-unpacked version, and I can't patch this semi-unpacked one because of that strange obfuscated code.
    It really looks like a 2-layer protection to me, where perhaps Petite is only a small part of it, or I'm doing the unpacking incorrectly.

    Has anybody seen anything similar to this?

    Regards
    I should look out my posts,Or JMI will get mad at me! ;)

  2. #2
    evaluator (Musician member, joined Sep 2001, 1,524 posts, 1 blog entry)
    Noo..
    If it's a crackme, point to where it is..

  3. #3
    Sorry, it's a commercial program, so I can't name it...
    But it is a Visual Studio plugin to detect memory leaks; perhaps you could find it yourself...

  4. #4
    evaluator
    Nah, forget it.
    I don't know Visual Studio :)

  5. #5
    Quote Originally Posted by evaluator:
    Nah, forget it.
    I don't know Visual Studio
    There is a standalone application for that purpose in its folder too, in addition to the Visual Studio plugin.

    Regards

  6. #6
    evaluator
    Let's say so:
    if you trust it, we become heroes of WWCL, then let's unpack it!

    btw, why are we going to unpack it??

  7. #7
    Hi
    You know, I personally use DevPartner, of which detecting memory leaks is only a small part, so I don't need this tool.
    But this program's protection made me mad, and I want to learn how I can reverse a program in situations like this, where I don't have any tool for backtracking and heuristic tracing from a specific place in the code (the PUSH addr / RET technique makes you lose the call stack, and there is a huge amount of spaghetti code that I can't trace in a proper way).

    Regards

  8. #8
    evaluator
    This looks like ExeCryptor, but Code & RData are not encrypted.
    So maybe not much work will be required from you?
    Try tracing for the OEP.

  9. #9
    Quote Originally Posted by evaluator:
    This looks like ExeCryptor, but Code & RData are not encrypted.
    So maybe not much work will be required from you?
    Try tracing for the OEP.
    RCs are encrypted (you will notice if you check it with a resource viewer).
    It was easy to find something that I believe is the OEP and make a working dump (the program unpacked this way was around 100k bigger than the original one).
    But the main problem is how I can separate the original code from its protector code; they are still connected even in the dumped application (perhaps I didn't find the OEP correctly).
    This is the way I used for finding the OEP:
    1- Opened the protected exe in a tool to see resources and selected the RVA of an encrypted resource, for example 44AD10 (a string-table resource).
    2- Set a hardware breakpoint on write at this address and ran to reach it.
    3- Removed this hardware breakpoint and set another hardware breakpoint on execution on a RET instruction that is 8 instructions below the place where the debugger stopped, and ran the program to there.
    4- Pressed F7 on the RET; you will be on a JMP, and after another F7 you will be on a "PUSH 60" instruction that I BELIEVE is the OEP.
    What do you think about this OEP? Is it correct?
    And if you dump the program and rebuild the IAT with ImpREC (no invalid entries at all) you will get a working dump, but still connected to the protector....
    Dunno how to separate them...

    Regards
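The two things this thread keeps circling are the `JMP` / `PUSH addr; RET` spaghetti that defeats stepping (posts #1 and #7) and the `PUSH 60` landing spot reached by single-stepping a `RET` then a `JMP` (post #9). The script below is an added example, not code from the thread or from any tool named in it: it statically follows a chain of `jmp rel32`, `jmp rel8` and `push imm32; ret` from a start address until it reaches an instruction that is not part of the chain, then checks whether that landing spot matches the `push 60h; push offset; call __SEH_prolog` byte pattern (`6A 60 68 xx xx xx xx E8`) that begins the MSVC CRT entry stub of VC7/VC8-era binaries, which is why a `PUSH 60` right after the unpacker's final jump is a plausible OEP. The image bytes, base address `0x401000` and all target addresses are constructed for the demo; in a real case you would run this over a memory dump or the unpacked section bytes and start from the packer's entry point.

```python
"""Resolve JMP / PUSH imm32; RET obfuscation chains in raw x86-32 code.

Added example (not from the forum thread). Handles only the three
trampoline forms the thread describes: jmp rel32 (E9), jmp rel8 (EB)
and push imm32; ret (68 .. C3). Anything else ends the chain.
"""
import struct

BASE = 0x401000  # constructed image base for the demo bytes below


def follow_chain(image, base, start, max_steps=1000):
    """Follow trampolines from VA `start`; return (landing_va, steps).

    steps is a list of (va, description) for every trampoline crossed.
    Raises ValueError on a loop, an out-of-image VA or an endless chain.
    """
    va = start
    steps = []
    seen = set()
    for _ in range(max_steps):
        off = va - base
        if not 0 <= off < len(image):
            raise ValueError(f"VA {va:#010x} lies outside the image")
        if va in seen:
            raise ValueError(f"obfuscation loop at {va:#010x}")
        seen.add(va)
        op = image[off]
        if op == 0xE9 and off + 5 <= len(image):            # jmp rel32
            rel = struct.unpack_from("<i", image, off + 1)[0]
            target = (va + 5 + rel) & 0xFFFFFFFF
            steps.append((va, f"jmp {target:#010x}"))
        elif op == 0xEB and off + 2 <= len(image):          # jmp rel8
            rel = struct.unpack_from("<b", image, off + 1)[0]
            target = (va + 2 + rel) & 0xFFFFFFFF
            steps.append((va, f"jmp short {target:#010x}"))
        elif op == 0x68 and off + 6 <= len(image) and image[off + 5] == 0xC3:
            target = struct.unpack_from("<I", image, off + 1)[0]  # push imm32 ; ret
            steps.append((va, f"push {target:#010x} ; ret"))
        else:
            return va, steps   # first instruction that is not a trampoline
        va = target
    raise ValueError("chain longer than max_steps")


def is_vc_seh_entry(image, base, va):
    """True if `va` starts with 6A 60 68 ?? ?? ?? ?? E8 (push 60h; push imm32; call)."""
    off = va - base
    if not 0 <= off or off + 8 > len(image):
        return False
    return (image[off] == 0x6A and image[off + 1] == 0x60
            and image[off + 2] == 0x68 and image[off + 7] == 0xE8)


def build_sample():
    """Constructed 0x50-byte blob: E9 -> push/ret -> EB -> push 60h stub, with 0xCC filler."""
    img = bytearray(b"\xCC" * 0x50)
    img[0x00:0x05] = b"\xE9" + struct.pack("<i", 0x401020 - (BASE + 0x05))   # jmp 0x401020
    img[0x20:0x26] = b"\x68" + struct.pack("<I", 0x401030) + b"\xC3"          # push 0x401030 ; ret
    img[0x30:0x32] = b"\xEB" + struct.pack("<b", 0x401040 - (BASE + 0x32))   # jmp short 0x401040
    img[0x40:0x48] = b"\x6A\x60\x68" + struct.pack("<I", 0x402000) + b"\xE8" # push 60h; push 0x402000; call
    return bytes(img)


if __name__ == "__main__":
    img = build_sample()
    landing, steps = follow_chain(img, BASE, BASE)
    for va, text in steps:
        print(f"{va:#010x}: {text}")
    print(f"landed at {landing:#010x}, SEH-prolog entry pattern: {is_vc_seh_entry(img, BASE, landing)}")
```

Run it on the constructed blob and the three trampolines collapse into one line each, with the landing address flagged as matching the `push 60h` entry pattern. Two caveats worth keeping in mind: a chain that arrives at a genuine `push imm32; ret` in original code (a hand-written tail call, for instance) would be followed one step too far, and a protector that computes the return address at runtime (e.g. `push` of a register, or arithmetic on `[esp]`) will stop the static walk, which is exactly the point at which the hardware breakpoint on execution approach from post #9 is the practical fallback.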

  10. #10
    evaluator
    Now check what the connection does; if nothing, remove it.. and so on..

  11. #11
    I found out that the functions that handle some messages are implemented in other sections, not the .text one.
    The code that shows the trial messages is in those sections too...

    Regards
