Thread: Unpacking Xenocode App

  1. #1
    General1337
    Guest

    Unpacking Xenocode App

    Hey everyone,
    I've been trying to unpack an app that uses Xenocode. One of the problems I've faced is the fact that I couldn't figure out it was using Xenocode at all until I asked a friend to help out. His answer to how he got it: "Talent". If anyone could help me out on determining how he knew this app was using Xenocode that would be great. I've tried using regular scanning tools like PEiD but nothing.

    Next is to unpack the app using Xenocode, the method I was trying to use is to go in and follow a tut by (ronchong I think his name was). I also looked around for other methods but couldn't find anything.
    Again, asking my friend. He simply pasted some code and told me to "use it" which I messed around with until it actually was able to unpack.
    Has this method been used before as in a usual method or something unheard of?
    You can view the code at:
    http://allofthem.pastebin.com/m1953fd8d


    If it wasn't for getting this info from him, I would have been debugging a packed app.
    Any help would be great.
    Thanks!
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    To crash or not to crash
    Join Date
    Dec 2001
    Posts
    120
    The source you posted doesn't unpack anything. As far as I could see it just copies files from one location to another. The reason that works is because Xenocode creates a virtual environment in which the real files are present. The DLL just copies it from the virtual world to the real world.

  3. #3
    General1337
    Guest
    Ah, I understand. Thanks

    Is there a way to actually view which DLLs are present or how he determined it was Xenocode in the first place? For example, in the source code he already knows which DLLs there are and takes it out from there. He somehow determined that they were being used. This could be shown while debugging but I'm not entirely sure.
    Thanks!

  4. #4
    To crash or not to crash
    Join Date
    Dec 2001
    Posts
    120
    I think if you use the FindFirstFile call with *.* you end up with a complete list of files which you can write to a text file or so. I have no experience with Xenocode, just guessing here. As it is a virtual file system you should be able to use normal API calls to search for files.

  5. #5
    onupday
    Guest
    nice code

  6. #6
    Quote: Originally posted by General1337
    If anyone could help me out on determining how he knew this app was using Xenocode that would be great. I've tried using regular scanning tools like PEiD but nothing.
    There is only one true way to determine if a file is virtualized with Xenocode. Tools such as Exe Info and PEiD will not detect the packer. To determine if it is using Xenocode, open the executable in OllyDbg. Keep it paused and search for all referenced text strings. Scroll down the list. If it is Xenocode software, you will see this line "There has been an error starting this virtual appliance. Error code:". Following this reference you will find the line "Xenocode Virtual Appliance Runtime". Now you know for certain that it is a Xenocode application.
    Last edited by chessgod101; February 18th, 2010 at 19:53.
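
The string check described in post #6 can also be done statically, without loading the file in a debugger. The script below is an added example, not part of the original thread: it scans a PE file for the two strings quoted in that post. Searching both ASCII and UTF-16LE encodings, the result labels, and the constructed sample built by `make_sample` are assumptions of this example.

```python
import sys

# Marker strings quoted in post #6. How they are encoded inside the binary is
# an assumption, so both ASCII and UTF-16LE forms are searched.
MARKERS = (
    "There has been an error starting this virtual appliance. Error code:",
    "Xenocode Virtual Appliance Runtime",
)

def find_markers(data: bytes) -> dict:
    """Return {marker: [(offset, encoding), ...]} for every marker found."""
    hits = {}
    for marker in MARKERS:
        for enc in ("ascii", "utf-16-le"):
            needle = marker.encode(enc)
            pos = data.find(needle)
            while pos != -1:
                hits.setdefault(marker, []).append((pos, enc))
                pos = data.find(needle, pos + 1)
    return hits

def looks_like_pe(data: bytes) -> bool:
    """Minimal PE sanity check: 'MZ' header and 'PE\\0\\0' at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def classify(data: bytes) -> str:
    """Labels are this example's own: both strings, one string, or none."""
    if not looks_like_pe(data):
        return "not-pe"
    hits = find_markers(data)
    if len(hits) == len(MARKERS):
        return "xenocode-likely"
    return "xenocode-possible" if hits else "no-markers"

def make_sample(payload: bytes) -> bytes:
    """Constructed stand-in for a PE file: stub DOS/PE header plus payload."""
    hdr = bytearray(0x80)
    hdr[:2] = b"MZ"
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")
    hdr[0x40:0x44] = b"PE\0\0"
    return bytes(hdr) + payload

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, classify(fh.read()))
```

Run it with one or more file paths as arguments. A "no-markers" result only means the strings were not found in the file as stored on disk.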
