
Thread: unknown packer

  1. #1
    chlankboot
    Guest

    unknown packer

    hi,
    I have successfully reversed a packed proggy using the sice driver suite 2.6 under XP (it seems that this version is undetectable; I tried on another machine under Win98 and sice v4: the proggy simply exits without any message).
    The problem is not about the reversing itself. My question is this: does anyone know the packer used in this file? I have searched for about 1 month over the net (file analyzers, unpackers, ...) without any result.
    Note that in the exe file I found the string "exestealth" (may be fake), but in the sections I found .upx00, .upx01, .., coban2k (which is the guy that made an unpacker for UPX; is it to fool the unpacker???).
    I also don't think that the packing routine was made by the developers, since the proggy was coded in the lazy VB.
    I forgot to tell you that PEiD says: ASPack / ASProtect x.xx -> Alexey Solodovnikov, and there I'm really lost ...
    Thank you for replies.
    Last edited by chlankboot; January 12th, 2004 at 13:01.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    Hmmm.... Maybe you unpacked Xtreme protector !!!

  3. #3
    Howdy,

    Tell us how you unpacked it.
    Maybe some code snippet to explain what you did.

    Woodmann

  4. #4
    using sice driver suite 2.6 under xp (seems that this version is undetectable
    could you expand on this ? what makes it different than any other version before and after?

  5. #5
    chlankboot
    Guest

    still not unpacked

    Quote Originally Posted by Woodmann
    Howdy,

    Tell us how you unpacked it.
    Maybe some code snippet to explain what you did.

    Woodmann
    I did not actually unpack it. All that I did is dump it with ProcDump, set a bpx on callprocaddress and then step executing till I found the OEP (popad, jmp xxx). After that I changed the EP in the dumped file and disassembled it with IDA; this enabled me to analyse the code and find where I can apply the patch. Finally I used the +dza patcher to patch the file (adding a new section to the original exe).
    Note that I am still learning the PE format and trying to find out what this patcher did exactly.
    The unpacker unpacks a great part of its own code at runtime; that's why debugging was a little bit difficult and that's why a loader doesn't work (timing).
    If you want I can mail you the idb file.
    Thx.

  6. #6
    chlankboot
    Guest
    Quote Originally Posted by doug
    could you expand on this ? what makes it different than any other version before and after?
    All I know are simple observations (I have 2 machines, at home and in the office). Under Win98 and ice v4 (home) the proggy simply quits without any message; even ProcDump crashes if trying to dump the file. Under XP and sids 2.7 it (the program) runs perfectly and it is possible to debug it as any other program.
    This is not the only case; I have seen this on many other programs that (I suppose) have routines to detect a debugger. A common example is a_c_r_o_b_a_t (writer), which behaves exactly the same.
    I can't explain it, so it will be cool if anyone can explain to us what is supposed to happen and what the difference between the versions is.

  7. #7
    chlankboot
    Guest
    Quote Originally Posted by Zilot
    Hmmm.... Maybe you unpacked Xtreme protector !!!
    Sorry guy, it is not Xtreme protector!
    I downloaded the trial version and packed a VB exe with it. The differences are:
    • Xtreme protector does not corrupt the original import table (imports are visible in the packed file)
    • it replaces the original .text section with a CODE section
    • it adds a XPROT section

    As you can see there's no .upx0, .upx1 and coban2k sections in the packed file.
    (And I did not unpack it) not yet.
    Last edited by chlankboot; January 13th, 2004 at 08:24.

  8. #8
    Quote Originally Posted by chlankboot
    sorry guy it is not Xtreme protector!
    Really !!!!!??????

  9. #9
    evaluator
    Well, if you see:
    POPAD, JMP xxx

    then you have unpacked UPX.
    If the section names are different, they were probably changed.

    That's all folks.


    **
    Zilot, you use wrong method with newbies.

  10. #10
    chlankboot
    Guest
    Quote Originally Posted by Zilot
    Really !!!!!??????
    yes

  11. #11
    chlankboot
    Guest
    evaluator, you are great.

    Things became clearer about renaming the last section (coban2k).

    But as far as I know the (popad, jmp xxx) is common to most packers/protectors such as ASProtect, not only UPX. Don't you think so?
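The clues traded in this thread (section names like .upx0/.upx1, XPROT or a CODE section replacing .text in posts #1 and #7, and the entry point landing in a later section after the popad/jmp stub in posts #5, #9 and #11) can all be checked from the PE headers alone, before touching a debugger. The script below is an added example for this thread, not code posted by anyone in it. It parses the DOS/COFF/optional headers and the section table, finds which section holds the entry-point RVA, and reports header-only packer indicators. The UPX and ASPack section names in the lookup are those packers' standard ones; XPROT is the section name the poster reports Xtreme Protector adding; the input is a constructed header-only PE32 that mimics the .upx00/.upx01/coban2k layout from post #1, not the thread's actual file.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def packer_for_name(name):
    """Map a section name to the packer that conventionally creates it.
    UPX/ASPack names are standard; XPROT is what this thread reports for
    Xtreme Protector. Leading dots and case are ignored, so renamed
    variants such as '.upx01' still match."""
    n = name.lower().lstrip(".")
    if n.startswith("upx"):
        return "UPX"
    if n in ("aspack", "adata"):
        return "ASPack"
    if n == "xprot":
        return "Xtreme Protector"
    return None


def parse_pe(data):
    """Return machine, entry-point RVA and section headers of a PE32/PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff_off = e_lfanew + 4
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff_off)
    opt_off = coff_off + 20                        # COFF file header is 20 bytes
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    entry = struct.unpack_from("<I", data, opt_off + 16)[0]   # AddressOfEntryPoint
    sec_off = opt_off + opt_size                   # section table follows the optional header
    sections = []
    for i in range(nsec):
        (name, vsize, va, rsize, rptr,
         _, _, _, _, chars) = struct.unpack_from("<8sIIIIIIHHI", data, sec_off + 40 * i)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize, "virtual_address": va,
            "raw_size": rsize, "raw_pointer": rptr, "characteristics": chars,
        })
    return {"machine": machine, "entry_point": entry, "sections": sections}


def section_for_rva(sections, rva):
    """Section whose virtual range contains rva, or None."""
    for s in sections:
        span = max(s["virtual_size"], s["raw_size"])
        if s["virtual_address"] <= rva < s["virtual_address"] + span:
            return s
    return None


def packer_hints(pe):
    """Header-only indicators that the file is packed, as readable strings."""
    hints = []
    secs = pe["sections"]
    for s in secs:
        packer = packer_for_name(s["name"])
        if packer:
            hints.append("section %r is a %s section name" % (s["name"], packer))
    ep_sec = section_for_rva(secs, pe["entry_point"])
    if ep_sec is None:
        hints.append("entry point 0x%x lies outside every section" % pe["entry_point"])
    elif secs and ep_sec is not secs[0]:
        hints.append("entry point 0x%x is in %r, not in the first section"
                     % (pe["entry_point"], ep_sec["name"]))
    for s in secs:
        c = s["characteristics"]
        if s["raw_size"] == 0 and s["virtual_size"] and c & IMAGE_SCN_MEM_EXECUTE:
            hints.append("section %r has no data on disk but 0x%x bytes virtual and is "
                         "executable: a typical unpacking buffer" % (s["name"], s["virtual_size"]))
        elif c & IMAGE_SCN_MEM_EXECUTE and c & IMAGE_SCN_MEM_WRITE:
            hints.append("section %r is both writable and executable" % s["name"])
    return hints


def build_sample_pe():
    """Constructed header-only PE32 mimicking the layout post #1 describes
    (.upx00/.upx01/coban2k). Sample data, not the thread's file; no section bodies."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)          # e_lfanew: PE header right after the DOS header
    # (name, virtual_size, virtual_address, raw_size, raw_pointer, characteristics)
    secs = [
        (b".upx00", 0x30000, 0x01000, 0x0000, 0x400, 0xE0000080),   # empty on disk, RWX
        (b".upx01", 0x0C000, 0x31000, 0xB000, 0x400, 0xE0000040),   # packed data + stub, RWX
        (b"coban2k", 0x1000, 0x3D000, 0x0200, 0xB400, 0xC0000040),  # RW
    ]
    opt_size = 224                                 # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, opt_size, 0x010F)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)          # PE32 magic
    struct.pack_into("<I", opt, 16, 0x3B200)       # AddressOfEntryPoint, inside .upx01
    struct.pack_into("<I", opt, 28, 0x400000)      # ImageBase
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, ch)
                     for n, vs, va, rs, rp, ch in secs)
    return bytes(dos) + b"PE\0\0" + coff + opt + table


if __name__ == "__main__":
    pe = parse_pe(build_sample_pe())
    for s in pe["sections"]:
        print("%-8s va=0x%05x vsize=0x%05x raw=0x%05x chars=0x%08x" % (
            s["name"], s["virtual_address"], s["virtual_size"], s["raw_size"], s["characteristics"]))
    for h in packer_hints(pe):
        print("-", h)
```

Run it on a real file by replacing `build_sample_pe()` with `open(path, "rb").read()`. Note that the name table is only a hint, as evaluator points out: a repacker can rename sections at will, which is why the entry-point and raw-size-zero checks are reported separately.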

  12. #12
    Maybe the exe file you've got was originally packed with UPX and exestealth, but exestealth has been removed with the unpacker coban2k created.
    Google for exestealth unpacker.

  13. #13
    Zilot, you use wrong method with newbies.
    Man !!!
    just a little joke, do you mind it as a joke ?

  14. #14
    I see nobody laughing
    esther

    Reverse the code, Reverse Your Minds First

  15. #15
    So if anybody does, he must write down it ?
