Thread: Molebox Pro 4 Unpacking

  1. #1

    Molebox Pro 4 Unpacking

    Hello.

    I've been trying to unpack a file that is compressed by Molebox 4, but it looks like none of the methods I try work.

    I found something weird in the address 0x401293 if you want to take a look and see if you can unpack it:

    Link Speedyshare:
    Code:
    http://speedy.sh/rjKTu/Molebox.exe
    Ps: The file has no copyrights, so do not worry about that.

    Edit: Forgot to mention that it is a .NET file, but Molebox compresses it so that it does not show as a .NET file, so de4dot or any other .NET reverser doesn't work.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    Kayaker
    Hi

    What exactly do you mean by something weird in the address 0x401293? If you mean the series of CPUID instructions that is first encountered, that's just a standard way of getting processor information and doesn't look too suspicious in itself.

    Sorry if that's not what you're curious about, but by way of explanation, CPUID returns processor identification and feature information in EAX, EBX, ECX, and EDX, according to the input value initially placed in the EAX register. Basic Information: EAX = 0 - 5, Extended Information: EAX = 0x80000000 - 0x80000008.

    For example the first part just checks for CPUID support and is similar to the following code snippet:
    Code:
        ; Check for CPUID support: the ID flag (bit 21 of EFLAGS) can only be
        ; set and cleared if the CPUID instruction is available.
            pushfd
            pop eax                 ; eax = current EFLAGS
            xor eax, 00200000h      ; flip bit 21 (ID flag)
            push eax
            popfd                   ; try to write the flipped value back
            pushfd
            pop ecx                 ; ecx = EFLAGS as the CPU kept them
            xor eax, ecx            ; zero if the flip stuck (bit 21 is writable)
            jz cpuid_supported
            jmp Quit                ; no CPUID available: bail out

        cpuid_supported:
    You can figure the rest out if you like from the docs, but I don't know if I'd be too concerned with those instructions per se unless you think something in particular is being targeted.

    http://www.intel.com/content/www/us/en/processors/processor-identification-cpuid-instruction-note.html
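    Kayaker's explanation above, reworked as an added C example (not code from the thread or from Molebox): the same EFLAGS bit-21 probe, then leaf 0 and leaf 0x80000000 queries for the vendor string and the highest supported basic/extended leaf, which is what a stub has to know before trusting any later CPUID result. Assumes GCC or Clang on x86-64; the helper names are mine.

```c
#include <stdint.h>
#include <string.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>            /* GCC/Clang helper around the CPUID instruction */
#endif

struct cpuid_regs { uint32_t eax, ebx, ecx, edx; };
/* Same check as the posted stub: flip EFLAGS bit 21 (ID) and see if it sticks.
 * Assumption: x86-64 with GCC/Clang inline asm; other targets report 0. */
static int cpuid_supported(void) {
#if defined(__x86_64__)
    uint64_t before, after;
    __asm__ volatile(
        "subq $128, %%rsp\n\t"                /* keep push/pop clear of the red zone */
        "pushfq\n\t" "popq %0\n\t"            /* before = current EFLAGS */
        "movq %0, %1\n\t" "xorq $0x200000, %1\n\t"
        "pushq %1\n\t" "popfq\n\t"            /* write the flipped value back */
        "pushfq\n\t" "popq %1\n\t"            /* after = what the CPU kept */
        "addq $128, %%rsp"
        : "=&r"(before), "=&r"(after) : : "cc", "memory");
    return ((before ^ after) & 0x200000u) != 0;
#else
    return 0;
#endif
}

static struct cpuid_regs cpuid_query(uint32_t leaf, uint32_t subleaf) {
    struct cpuid_regs r = {0, 0, 0, 0};
#if defined(__x86_64__) || defined(__i386__)
    __cpuid_count(leaf, subleaf, r.eax, r.ebx, r.ecx, r.edx);
#endif
    return r;
}

/* EAX = 0 and EAX = 0x80000000 report the highest basic/extended leaf in EAX. */
static uint32_t max_basic_leaf(void)    { return cpuid_query(0, 0).eax; }
static uint32_t max_extended_leaf(void) { return cpuid_query(0x80000000u, 0).eax; }

/* Leaves above the advertised maximum are not meaningful, so range-check first. */
static int leaf_supported(uint32_t leaf) {
    if (!cpuid_supported()) return 0;
    uint32_t max = (leaf & 0x80000000u) ? max_extended_leaf() : max_basic_leaf();
    return leaf <= max;
}

/* Leaf 0 spreads the 12-byte vendor string over EBX, EDX, ECX ("GenuineIntel"). */
static void cpu_vendor(char out[13]) {
    struct cpuid_regs r = cpuid_query(0, 0);
    memcpy(out, &r.ebx, 4); memcpy(out + 4, &r.edx, 4); memcpy(out + 8, &r.ecx, 4);
    out[12] = '\0';
}
```

    Any leaf the packer queries that fails leaf_supported() is returning data for the highest basic leaf, not for the leaf it asked about, which is worth remembering when reading such a stub under a debugger.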

  3. #3
    Thank you for the information.

    I thought that address was related to Molebox and its compression, because I'm trying to find a way to reverse this compression.

    I'm checking some OllyDbg tutorials for that, but they're for old versions and I'm not really finding a way to do it with this file version.

    Do you know of any unpacker for Molebox nowadays?

    Thanks again.