
Thread: PackerBreaker - Yet another universal unpacker tool

  1. #16
    Howdy,

    This has nothing to do with whether or not it's in the correct forum,
    it has to do with the perceived tone of the written words.

    Packing a free program seems silly to me. What does this prove?
    Unless you are trying to goad people into trying to unpack a variation
    of a protection, why not say so?

    If the program is free, why do I need to unpack it to see what's going on?
    Unless you have new ground-breaking coding technology that nobody
    knows about, what's the point?

    Actually, what's the point of your thread?
    Can you sum it up in one non-run-on sentence without
    countering every point that I have brought up?

    So, what do you want? (In one short sentence)

    Woodmann
    Learn Or Die.

  2. #17
    I just want to share my tool, and I made a mistake by posting in the wrong place.

    There are tons of tools that are free but packed; I'm not the only author doing so. IMHO, there is no direct relation between a free program and an unpacked program.
    Last edited by blabberer; November 2nd, 2012 at 15:41. Reason: removed quote

  3. #18
    Super Moderator
    i perceive i started this flurry and let me try to end this before it ends up in a war of words

    niucool
    your intentions look good, publishing a well written tool for free is indeed quite welcome; i in fact do not use commercial tools for my hobby
    as far as i can, and you can verify it by looking at my postings,
    and i know a lot lot of quality free tools that come from software giants to one-time artists.

    so let us leave that part alone you wrote a tool you offered it for free you are an angel done over with it

    now let me try to explain why the post by me

    i also happen to moderate the tool library to which you posted your packer breaker
    and i did not know what i was thinking when i moderated your packer breaker
    i approved it and realized i might have made a very big mistake by approving it without having checked it as your tool was
    new had no previous records in the database had no recommendations whatsoever from supposedly trusted sites

    so i reached your site (it looked legit from first appearance), i downloaded and fed it to my local av,
    moved it to vm's, ran it in isolated environments, tried to rip it apart to ascertain if it is a
    MAASQUERADEWARE or genuine, while at the same time ringing alarm bells to powers that be to re-moderate
    the entry if required, and all of this happened because your gift appears to be what's shown in the image below


    hope you understand the depth of problem and not counter words with words

    please let peace prevail over triumph
    Last edited by blabberer; November 2nd, 2012 at 01:31.

  4. #19

    Question

    blabberer, thank you for your reply. I appreciate your detailed test.
    To be honest, I did not totally catch what your meaning is. Did that text in the image show in your debugger or something else? Is it a debug message from Themida? My program certainly does not generate that message.
    I'd like to PM the original packer to you; you could try to pack any exe with it and see if the message persists.
    Last edited by blabberer; November 2nd, 2012 at 15:42. Reason: removed quote

  5. #20
    Kayaker (Teach, Not Flame)
    niucool, you should also understand that people sometimes present riddles in their replies, the meanings of which are also meant to be reversed. It's actually one of the more enjoyable things about this forum, reversing is not always limited to code reversing here. It may have something to do with the teachings of +Fravia, whom most of the older reversers here were influenced by, and taught us to question and reverse everything we see, not just programs.

    Blabberer has a reputation for clever wit. Try googling for the latin phrase in the image, which is what I had to do, to transcribe the historical reference to the modern day meaning. It's funny and quite appropriate.

    Don't take it the wrong way, your program is appreciated by those who want to use it at their own discretion. But do understand that any program presented here packed under layers of encryption HAS to be questioned, as reversers that just comes as second nature and there's nothing unusual about the skepticism. It's what keeps us all safe.
    (PS, you don't have to quote the entire post you are directly replying to unless it's required to make a point, that just makes it more difficult to read.)


    Oh, and as for the forum name, to go further off topic. Well it used to be called the "Packing and Unpacking" forum or some such silly thing. At some point I got sick and tired of the whole scene here because it had become the "Help me crack Asprotect, here's my broken IAT dump" forum. Hoping to change the focus of it and to cash in on the increasing interest in malware analysis at the time, I changed the name after discussing it with the other moderators. The "Unpacking" part of the name was kept since that aspect of reversing still seemed pertinent. To be honest I never noticed the ambiguity either and always thought of "Malware Analysis" and "Unpacking" as separate aspects of the forum name. Hey, I'm easy, suggest a better name and maybe we'll change it. As long as the IAT dumps don't start again...

    Cheers,
    Kayaker

  6. #21

    Red face

    Wow, this post must be the hottest in our forum now, cheers~~

    Thank you Kayaker, I doubt I might still be in chaos without your explanation.
    I once believed it was a horrible experience for me, since I always thought my own way and treated myself as a victim of misunderstanding, but I don't think so now. I met you guys here and know what you think and how you treat a program your way; I learned a lot, and on the other hand, you might know me a bit more, which could make it easier for us to understand each other in the future.

    Thank you again to Blabberer and other guys who followed this thread.
    Last edited by blabberer; November 2nd, 2012 at 15:33. Reason: removed quote

  7. #22

    As Above

    On the funnier side niucool, you're still quoting previous posts.

    Have Phun
    Blame Microsoft, get l337 !!

  8. #23

    New build released

    Hehe, I will reply to your thread if you did not give me the hint.
    FYI, I just released a new build for some bugs found on other forums, and I added command line support and removed the anti-debug option of Themida for this forum, but it is still packed, sorry.
    If you are still interested in this tool, you could give it a try.

  9. #24
    Super Moderator
    To be honest, I did not totally catch what your meaning is.
    i intentionally had to image virgil's aeneid work word knowing fully well that you won't be able to catch it,
    and partly because this board doesn't support the Greek character set,
    and i wanted to stress that i could have written Wooden Horse that led to the fall of troy
    and appropriately but unsuccessfully warned by the interrogator laocoon of sinon, a greek perjurer and the bearer of the gift of the trojan horse

    but i packed my wording in Greek / latin so that you are forced to de-maze it before you understand what was written first
    and what was meant secondly and what was intended as a third corollary
    hope you got the point

    btw do not quote this entire reply if and when you are replying
    quote selected parts if you wish; so use copy paste of one or two relevant lines and use "[" quote "]" XXXXXXXX "[" /Quote "]" tags around it

    i removed all the superfluous quotes in the entire thread

  10. #25
    Kayaker (Teach, Not Flame)
    Quote Originally Posted by Indy
    SHDE result (tracer).
    Btw, Indy - thanks for posting your AV hook detector and especially the pdb file. It was useful and interesting to trace.

    PS, did you figure out what it was you were really infected by?

    Not to beat a dead horse, but for future reference, these are the kinds of things that are most appreciated by the community here, tools or examples that teach. That's what this whole board is about after all. They don't necessarily require source code, but the stuff that is open to examination is the most desired.

  12. #27
    Super Moderator
    PS, did you figure out what it was you were really infected by?
    when i tried testing the Av.exe (indy, it is blocked as malware.gen by antivirus) i saw the hooks in my system only by avast, which i use
    the new shde.exe isn't blocked and it too seems to indicate i have hooks by avast

    actually i tested it first in a vm with no av installed and all i got was an invalid handle message, no debug strings,
    and it seemed the debug strings enable bit was toggled by the initialize function

    Code:
    7C90E4FF   Exception C0000008 (INVALID HANDLE)
    7C90D05E   COND: settinb break on context->eip = 004015B6
    7C90D05E   Breakpoint at ntdll.ZwContinue
    7C90E4C8   Breakpoint at ntdll.KiRaiseUserExceptionDispatcher
    7C90E4FF   Exception C0000008 (INVALID HANDLE)
    7C90D05E   COND: settinb break on context->eip = 004015B6
    7C90D05E   Breakpoint at ntdll.ZwContinue
    004015B6   Breakpoint at SHDE.004015B6 (ApiGate+0F)
    7C90E4C8   Breakpoint at ntdll.KiRaiseUserExceptionDispatcher
    7C90E4FF   Exception C0000008 (INVALID HANDLE)
    7C90D05E   COND: settinb break on context->eip = 004015EC
    7C90D05E   Breakpoint at ntdll.ZwContinue
    004015EC   Breakpoint at SHDE.004015EC (ApiGate2+17)
    7C90E4C8   Breakpoint at ntdll.KiRaiseUserExceptionDispatcher
    7C90E4FF   Exception C0000008 (INVALID HANDLE)
    7C90D05E   COND: settinb break on context->eip = 004015EC
    7C90D05E   Breakpoint at ntdll.ZwContinue
    7C90E4C8   Breakpoint at ntdll.KiRaiseUserExceptionDispatcher
    7C90E4FF   Exception C0000008 (INVALID HANDLE)
    7C90D05E   COND: settinb break on context->eip = 004015EC
    7C90D05E   Breakpoint at ntdll.ZwContinue
    004015EC   Breakpoint at SHDE.004015EC (ApiGate2+17)
    7C90E4C8   Breakpoint at ntdll.KiRaiseUserExceptionDispatcher
    7C90E4FF   Exception C0000008 (INVALID HANDLE)
    7C90D05E   COND: settinb break on context->eip = 004015EC
    7C90D05E   Breakpoint at ntdll.ZwContinue
    7C90E4C8   Breakpoint at ntdll.KiRaiseUserExceptionDispatcher
    7C90E4FF   Exception C0000008 (INVALID HANDLE)
    7C90D05E   COND: settinb break on context->eip = 004015EC
    7C90D05E   Breakpoint at ntdll.ZwContinue
    004015EC   Breakpoint at SHDE.004015EC (ApiGate2+17)
    7C9484DF   Debug string: Hook: ZwSuspendProcess, 0xA9196D4F, \SystemRoot\System32\Drivers\aswSnx.SYS
    7C9484DF   Debug string: Hook: ZwDeleteKey, 0xA91D7B05, \SystemRoot\System32\Drivers\aswSnx.SYS
    7C9484DF   Debug string: Hook: ZwTerminateProcess, 0xA9196789, \SystemRoot\System32\Drivers\aswSnx.SYS
    7C9484DF   Debug string: Hook: ZwSuspendThread, 0xA9196ECE, \SystemRoot\System32\Drivers\aswSnx.SYS
    7C9484DF   Debug string: Hook: ZwSetContextThread, 0xA9196A90, \SystemRoot\System32\Drivers\aswSnx.SYS
    7C9484DF   Debug string: Hook: ZwTerminateThread, 0xA9196910, \SystemRoot\System32\Drivers\aswSnx.SYS
    7C9484DF   Debug string: Hook: ZwQueueApcThread, 0xA9197060, \SystemRoot\System32\Drivers\aswSnx.SYS
    7C9484DF   Debug string: Hook: ZwProtectVirtualMemory, 0xA9240AB6, \SystemRoot\System32\Drivers\aswSP.SYS
    7C9484DF   Debug string: Hook: ZwFreeVirtualMemory, 0xA924092D, \SystemRoot\System32\Drivers\aswSP.SYS
    7C9484DF   Debug string: Hook: ZwWriteVirtualMemory, 0xA9196305, \SystemRoot\System32\Drivers\aswSnx.SYS
    7C9484DF   Debug string: Hook: ZwQueryObject, 0xA919734B, \SystemRoot\System32\Drivers\aswSnx.SYS
    7C9484DF   Debug string: Hook: ZwDuplicateObject, 0xA919A437, \SystemRoot\System32\Drivers\aswSnx.SYS
    7C9484DF   Debug string: Hook: ZwQueryKey, 0xA91D768E, \SystemRoot\System32\Drivers\aswSnx.SYS
    7C9484DF   Debug string: Hook: ZwDeleteValueKey, 0xA91D7DF1, \SystemRoot\System32\Drivers\aswSnx.SYS
    7C9484DF   Debug string: Hook: ZwSetValueKey, 0xA91D7C5B, \SystemRoot\System32\Drivers\aswSnx.SYS
    7C9484DF   Debug string: Hook: ZwQueryValueKey, 0xA91D7500, \SystemRoot\System32\Drivers\aswSnx.SYS
    7C9484DF   Debug string: Hook: ZwEnumerateKey, 0xA91D79AC, \SystemRoot\System32\Drivers\aswSnx.SYS
    7C9484DF   Debug string: Hook: ZwEnumerateValueKey, 0xA91D7817, \SystemRoot\System32\Drivers\aswSnx.SYS
    7C9484DF   Debug string: Hook: ZwNotifyChangeKey, 0xA919A482, \SystemRoot\System32\Drivers\aswSnx.SYS
    7C9484DF   Debug string: Hook: ZwOpenSection, 0xA91A105E, \SystemRoot\System32\Drivers\aswSnx.SYS
    7C9484DF   Debug string: Hook: ZwOpenProcess, 0xA9199CA9, \SystemRoot\System32\Drivers\aswSnx.SYS
    7C9484DF   Debug string: Hook: ZwOpenThread, 0xA9199EDA, \SystemRoot\System32\Drivers\aswSnx.SYS
               Process terminated, exit code 0
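    As an added example (not Indy's SHDE tool nor anything posted in the thread): a small Python triage script that parses hook lines in tracer output of the format quoted above, groups the hooked Zw* services by the driver that owns each handler, and flags any hook whose handler is not in an allowlist of drivers you expect on the machine. The sample lines are copied from the post; the allowlist of avast's two drivers is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample: a handful of lines copied from the SHDE tracer output quoted in the post.
SAMPLE_LOG = """\
7C90E4FF   Exception C0000008 (INVALID HANDLE)
7C90D05E   Breakpoint at ntdll.ZwContinue
7C9484DF   Debug string: Hook: ZwSuspendProcess, 0xA9196D4F, \\SystemRoot\\System32\\Drivers\\aswSnx.SYS
7C9484DF   Debug string: Hook: ZwProtectVirtualMemory, 0xA9240AB6, \\SystemRoot\\System32\\Drivers\\aswSP.SYS
7C9484DF   Debug string: Hook: ZwWriteVirtualMemory, 0xA9196305, \\SystemRoot\\System32\\Drivers\\aswSnx.SYS
           Process terminated, exit code 0
"""

# One hook report per line: hooked service, handler address, owning driver image path.
HOOK_RE = re.compile(r"Debug string: Hook: (?P<func>\w+), (?P<addr>0x[0-9A-Fa-f]+), (?P<module>\S+)")

def parse_hooks(log_text):
    """Return (service, handler_address, module_path) for each hook line; other lines are ignored."""
    hooks = []
    for line in log_text.splitlines():
        m = HOOK_RE.search(line)
        if m:
            hooks.append((m["func"], int(m["addr"], 16), m["module"]))
    return hooks

def module_name(path):
    """Basename of an NT-style path, lower-cased, so allowlist lookups are case-insensitive."""
    return path.rsplit("\\", 1)[-1].lower()

def hooks_by_module(hooks):
    """Group hooked services by the driver that owns the handler."""
    grouped = defaultdict(list)
    for func, _addr, module in hooks:
        grouped[module_name(module)].append(func)
    return dict(grouped)

def unexpected_hooks(hooks, expected_modules):
    """Hooks whose handler is not in one of the drivers you expect on the box (assumed allowlist).
    In the thread every hook belongs to avast's aswSnx.SYS / aswSP.SYS, i.e. the installed AV;
    a handler in an unknown image is what deserves a closer look."""
    return [h for h in hooks if module_name(h[2]) not in expected_modules]

if __name__ == "__main__":
    found = parse_hooks(SAMPLE_LOG)
    for mod, funcs in sorted(hooks_by_module(found).items()):
        print(f"{mod}: {', '.join(funcs)}")
    # Assumed allowlist for the machine in the thread: only avast's two drivers are expected.
    for func, addr, module in unexpected_hooks(found, {"aswsnx.sys", "aswsp.sys"}):
        print(f"UNEXPECTED {func} -> {addr:#010x} in {module}")
```

    Run it over the full log from the post and every hook groups under aswSnx.SYS or aswSP.SYS, which is the "works as it should" outcome Indy describes for a machine with avast installed.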

  13. #28
    blabberer
    Any engine will be detected, as 1. no imports, 2. contains signatures.

    Works for you as it should. avast is crap.

  14. #29

    packed...

    There is a difference between packed and protected. If you wish to merely pack freeware, use UPX or similar, or a protector with all protection options disabled. Hypothetically speaking here, even if your intentions are perfectly good (which they appear to be), what if the Themida protector you use for your free program is not purchased/licensed, which means it's more than likely warez'd? If that's the case, do you have any procurement or analysis of the warez'd version to see if it is not in fact backdoor'd? I can't imagine how many keygens and "packed" or "packer" programs are backdoor'd in warez copies and in turn are inadvertently distributed. It's like using the Poison Ivy RAT or DarkComet, and then realizing the actual servers themselves are vulnerable to exploits... even though you use it legitimately...
