
Thread: KaZaA 1.71: packed with pex variant?

  1. #1
    roulic
    Guest

    KaZaA 1.71: packed with pex variant?

    Hello,

    I'm very new to this sort of thing, so please excuse my ineptitude.

    I've been trying unsuccessfully for a little while to unpack the latest KaZaA version. One of the file ID programs claims that kazaa.exe is packed with pex 0.99, but this is not the case according to DeX. I have poked around the pex sources, however, and noticed that its code is virtually identical to that in KaZaA. Also, a previous version of KaZaA /was/ encrypted with pex 0.99 and could be unpacked with DeX. This leads me to think that the KaZaA team has altered pex in order to provide slightly better protection.

    So anyway, my question is: How in God's name does one unpack this mutha? I've traced through it a ton of times with SoftICE and my favourite debugger and I simply cannot do it. I've read the unpacking tutorials, and still no go.

    If anybody could provide some helpful tips, I would be forever grateful.

    Sorry about the tone of this message; I'm just a little frustrated.

    Thanks again!
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    CoDe_InSiDe
    Guest
    Hi roulic,

    Yes, it's still protected with PeX, but I think the KaZaA people manually removed the label (+ beginning jmp) of PeX v0.99.
    Anyway, PeX isn't difficult to remove; you could try a tutorial of mine, which can be found at:

    lunarpages.com/codeinside

    I hope it can be useful; if not, search for more unpacking tutorials.

    Cya...

    CoDe_InSiDe

  3. #3
    roulic
    Guest

    Great!

    Hi,

    First, let me thank you for your awesome tutorial on unpacking PeX programs. The only thing I can't understand is the part where you say to do this:

    d fs:00
    d (offset in data window)+4
    bpx (offset in data window)

    What's the 'offset in data window'? Like, when I do 'd fs:00', and it spurts out '12 FC 44 00', am I supposed to piece that together and use it as the offset?

    Thanks in advance!

  4. #4
    Fake

    > Hi,
    >
    > First, let me thank you for your awesome tutorial on unpacking PeX programs. The only thing I can't understand is the part where you say to do this:
    >
    > d fs:00
    > d (offset in data window)+4
    > bpx (offset in data window)
    >
    > What's the 'offset in data window'? Like, when I do 'd fs:00', and it spurts out '12 FC 44 00', am I supposed to piece that together and use it as the offset?

    If you haven't noticed, 44fc12h lies in a range that would suggest your normal win32 exe. Consider using dd sometimes instead of db (in SoftICE, of course) to see things clearer.

    Fake
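The three SoftICE steps discussed in the posts above (read fs:[0], read the DWORD four bytes into the record it points at, set bpx on that value) carried out over a constructed memory snapshot, as an added worked example that is not part of the thread, the tutorial, or KaZaA itself. The snapshot, the TIB address, the image size and the handler value 0x0040E1A0 are all assumptions chosen so that `d fs:00` shows the same "12 FC 44 00" the poster quoted; only the little-endian decoding, the EXCEPTION_REGISTRATION layout (prev at +0, handler at +4, 0xFFFFFFFF ends the chain) and the default 0x00400000 image base are real Win32 facts.

```python
"""Decode a SoftICE 'd fs:00' byte dump and follow the SEH chain to the
handler address, the way the PeX unpacking steps in the thread describe.

All memory contents below are constructed for illustration (not a real
KaZaA dump); see the comments marked 'assumption'.
"""
import re
import struct

IMAGE_BASE = 0x00400000   # default Win32 EXE image base
IMAGE_SIZE = 0x00100000   # assumption: 1 MiB mapped image
FS_BASE = 0x7FFDE000      # assumption: linear address of the TIB (fs:0)

# Constructed snapshot: linear start address -> bytes at that address.
MEMORY = {
    # fs:[0] = ExceptionList -> first EXCEPTION_REGISTRATION record.
    # Shown by SoftICE as "12 FC 44 00", i.e. 0x0044FC12 little-endian.
    FS_BASE: bytes.fromhex("12FC4400"),
    # EXCEPTION_REGISTRATION at 0x0044FC12 (assumption):
    #   +0 prev record (0xFFFFFFFF = end of chain)
    #   +4 handler address (assumption: 0x0040E1A0, inside the image)
    0x0044FC12: bytes.fromhex("FFFFFFFF") + bytes.fromhex("A0E14000"),
}

HEX_BYTE = re.compile(r"\b[0-9A-Fa-f]{2}\b")
SEG_OFF_PREFIX = re.compile(r"^\s*[0-9A-Fa-f]{4}:[0-9A-Fa-f]{8}\s+")


def read_dword(addr, mem=MEMORY):
    """Read a little-endian DWORD at a linear address from the snapshot."""
    for start, data in mem.items():
        if start <= addr and addr + 4 <= start + len(data):
            return struct.unpack_from("<I", data, addr - start)[0]
    raise KeyError(f"no memory mapped at {addr:08X}")


def parse_softice_bytes(line):
    """Extract the byte column from a SoftICE 'd' (db) data-window line.

    Accepts the bare "12 FC 44 00" the poster typed as well as a full line
    such as "0030:00000000 12 FC 44 00 00 00 00 00-00 ... ..D.....".
    The seg:off prefix is stripped first so its digits are not read as
    bytes; the ASCII column is assumed to be separated by two spaces.
    """
    body = SEG_OFF_PREFIX.sub("", line)
    body = body.split("  ")[0]
    return bytes(int(h, 16) for h in HEX_BYTE.findall(body))[:16]


def dword_le(b):
    """SoftICE lists bytes lowest address first: '12 FC 44 00' -> 0x0044FC12."""
    return struct.unpack("<I", b[:4])[0]


def in_image(addr, base=IMAGE_BASE, size=IMAGE_SIZE):
    """True if addr falls inside the mapped EXE image (the range Fake means)."""
    return base <= addr < base + size


def walk_seh_chain(head, mem=MEMORY, limit=16):
    """Follow EXCEPTION_REGISTRATION.prev links starting at record `head`.

    Returns [(record_address, handler_address), ...]; stops at the
    0xFFFFFFFF terminator or after `limit` records (guards a corrupt chain).
    """
    chain = []
    rec = head
    while rec != 0xFFFFFFFF and len(chain) < limit:
        prev, handler = read_dword(rec, mem), read_dword(rec + 4, mem)
        chain.append((rec, handler))
        rec = prev
    return chain


def breakpoint_from_dump(dump_line, mem=MEMORY):
    """Turn the 'd fs:00' output into the bpx the tutorial steps describe."""
    record = dword_le(parse_softice_bytes(dump_line))   # step 1: d fs:00
    handler = read_dword(record + 4, mem)               # step 2: d record+4
    return {
        "record": record,
        "handler": handler,
        "handler_in_image": in_image(handler),
        "bpx": f"bpx {handler:08X}",                    # step 3
    }


if __name__ == "__main__":
    info = breakpoint_from_dump("12 FC 44 00")
    print(f"record  = {info['record']:08X}")
    print(f"handler = {info['handler']:08X} (in image: {info['handler_in_image']})")
    print(info["bpx"])
    for rec, handler in walk_seh_chain(info["record"]):
        print(f"  SEH record {rec:08X} -> handler {handler:08X}")
```

`dd` instead of `db` in SoftICE does the little-endian assembly for you, which is the point of Fake's reply; `parse_softice_bytes` and `dword_le` simply do the same by hand, and `in_image` is the "lies in a range that would suggest your normal win32 exe" check made explicit against the 0x00400000 base.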

  5. #5
    roulic
    Guest
    Ah, got it. Excellent.

    Thanks a lot!

  6. #6
    SpeKKeL

    pex 0.99

    Hajo,

    I had a chat with our aspro-guru splaj about writing a plugin for pex 0.99.
    This is a nice packer and it misleads ImpREC and R.V. in resolving.
    I wrote a plugin for ImpREC/R.V. (not tested on R.V., but it should work)
    so they recognise the called (jumped) APIs.
    It's just a re-calculation: [jumped API] sub the [pre-API codes] that are made.
    I tested it on pex 0.99 itself and it resolves all.
    This should make resolving a piece of cake.

    Attached: pex 0.99.dll and pex 0.99.asm

  7. #7
    SOLDIER8514
    Guest

    HI

    I've unpacked KaZaA thanks to MUP_PeX_v0.99 under SoftICE

    http://www1.lunarpages.com/codeinside/MUP_PeX_v0.99.zip

    then dumped it under ProcDump and changed the EP and raw offsets,

    but the dumped exe doesn't work.

    Can someone help me?
