Thread: Unable to unpack a file wrapped by Bit-arts

  1. #1
    paco
    Guest

    Unable to unpack a file ***I will not be lame*** wrapped by Bit-arts

    Hi,
    First of all, I introduce myself as a newbie in unpacking. I read a lot of tutorials and forums but I'm still not able to unpack a file called Dont be lame. This program is packed with bit-arts by Read the FAQ software wrapper (crunched/PE heuristic as checked by PEiD). It has no evaluation possibility and you must be connected to their server for validation before the software can be unpacked on the drive.
    I tried to manually unpack it but the dumped file is always below the original weight (1.5Mb and the packed file weighs 4.47Mb). The Import segment is always destroyed each time I disassemble the file. When I use Ollydbg, it always warns that the Module Entry Point is outside the range... This is very confusing to me and I can't find the OEP.

    When I read Heathcliff's tute about fusion v3 (bit-arts), I thought that I found my way. Unfortunately the approach was quite different because here I have no demo or evaluation version available.
    I spent more than three months, using a lot of tools (SI/PEiD/Revirgin/Ollydbg/IDA Pro...) without success, so questions:
    1- Is it possible that an unpacked file weighs less than the packed one?
    2- How can I achieve this unpacking without connection to their server?
    3- Does anyone have experience with this kind of file or protection?
    Any help will be highly appreciated.
    Tks for helping me cause I'm really a newbie. I came to this forum for education purposes and, as a French speaker, it is also an opportunity to improve my English. So sorry for all the mistakes I made.
    Regards
    Paco
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    hobferret
    Registered User
    Join Date: Jul 2002
    Location: Alien Area near Albuquerque
    Posts: 203
    Quote Originally Posted by paco
    Hi,
    First of all, I introduce myself as a newbie in unpacking. I read a lot of tutorials and forums but I'm still not able to unpack a file called I will not be lame. This program is packed with bit-arts by Read the FAQ software wrapper (crunched/PE heuristic as checked by PEiD). It has no evaluation possibility and you must be connected to their server for validation before the software can be unpacked on the drive.
    I tried to manually unpack it but the dumped file is always below the original weight (1.5Mb and the packed file weighs 4.47Mb). The Import segment is always destroyed each time I disassemble the file. When I use Ollydbg, it always warns that the Module Entry Point is outside the range... This is very confusing to me and I can't find the OEP.

    When I read Heathcliff's tute about fusion v3 (bit-arts), I thought that I found my way. Unfortunately the approach was quite different because here I have no demo or evaluation version available.
    I spent more than three months, using a lot of tools (SI/PEiD/Revirgin/Ollydbg/IDA Pro...) without success, so questions:
    1- Is it possible that an unpacked file weighs less than the packed one?
    2- How can I achieve this unpacking without connection to their server?
    3- Does anyone have experience with this kind of file or protection?
    Any help will be highly appreciated.
    Tks for helping me cause I'm really a newbie. I came to this forum for education purposes and, as a French speaker, it is also an opportunity to improve my English. So sorry for all the mistakes I made.
    Regards
    Paco
    Hey JMI

    You are slipping here - Links to progs Wot next

    /hobferret

  3. #3
    Kayaker
    Teach, Not Flame
    Join Date: Oct 2000
    Posts: 4,145
    Blog Entries: 5
    I agree any kind of link or proggy name should be unnecessary, will gladly delete it, but it all depends on what comes next, generic or target specific response(s). One stays, the other leaves

  4. #4
    Shit,

    The bus is full for today.............

    And Paco, you have already been warned about posting
    like this. I did not realize that it was you who sent me an email
    until after I re-instated you under your email nick.
    Now I check the IP address and see that you were deleted
    for being a lamer.

    This will be your last chance to redeem yourself.

    -cbo-

  5. #5
    paco
    Guest
    Hi Woodmann,
    I sincerely apologize for having written the name of a file in my first post. I thought it was useful to people to have an idea of which kind of protection I am dealing with. Sorry, I'm faulty.
    My concern about the mail I sent to you was related to a problem of registration. In fact, I didn't receive the e-mail validation so I couldn't post my message. Thanks for having validated it.
    Anyway, I'm still trying to unpack this file, but as I said before, this protection seems unbeatable compared to the other files I have been able to unpack or patch. This leads me to the conclusion that maybe it's the end of manual unpacking or I've not enough experience to defeat the need of server connection before the file is unwrapped. Remember it's not a demo or an evaluation or shareware version.
    The last thing I did is trying to dump the file using Ollydump plugin (with FrogIce active). The problem encountered is that the prog is launched while tracing and, again, I have to face the need of internet connection.
    I've not found any tute yet concerning this kind of protection, so I will keep on trying.
    Hope you'll forgive me
    Tks a lot ("Merci beaucoup" in French)
    Paco

  6. #6
    OK,

    So you have read some tuts and they do not help you in this situation.
    I have an old saying: If a PERSON made it then another PERSON can take it apart.

    Since this prog needs access to work, you need to find where it makes this "call".
    Next, how do you find this information it desires?
    Can you find it hidden in a validation routine?

    But you say that you can't unpack it. You can, you just haven't found out
    how to do it yet.

    Woodmann

  7. #7
    paco
    Guest
    Hello Woodmann,
    Thanks for your wise advice. I'm still trying to find out the "call" concerning the access. I think it is hidden in a packed area of the file so it can't be accessed unless it is unpacked.
    In the meantime, I dumped the memory map and the log data while tracing with Ollydbg. Both are attached to my post. You will notice the different system files .DLL/.OCX related to the net.
    Hope it can help....
    Regards
    Paco

  8. #8
    Mr. Jiggyfly.........

    I have some bad news for you but, you already know this.

  9. #9
    Winds of Change
    Join Date: Feb 2004
    Location: Reality, unlike some people
    Posts: 43
    Eh paco, PM (Private Message) me with the target and URL, I'll take a look and see what advice I can offer.
    Regards,
    %UNDEFINED%

    "Without change one cannot evolve."

  10. #10
    paco
    Guest
    Quote Originally Posted by Woodmann
    Mr. Jiggyfly.........

    I have some bad news for you but, you already know this.
    Hi Jiggy,
    I've read a tute from Heathcliff in a thread called "Fusion v3 cracked, Titanium v3 defeated, Bit-arts fooled..." Perhaps you should read it and if by chance you can contact Heathcliff, maybe you'll have info about Fusion 3 by Bit-arts. Myself, I don't have it. GOOD LUCK
    Paco

  11. #11
    Jiggy
    Guest
    Quote Originally Posted by paco
    Hi Jiggy,
    I've read a tute from Heathcliff in a thread called "Fusion v3 cracked, Titanium v3 defeated, Bit-arts fooled..." Perhaps you should read it and if by chance you can contact Heathcliff, maybe you'll have info about Fusion 3 by Bit-arts. Myself, I don't have it. GOOD LUCK
    Paco

    Thank you very much, I'll search it and I'll find it. I'm really glad about your post !!!

    Bye

  12. #12
    paco
    Guest

    Unable to unpack

    Hi,
    I've not succeeded with manual unpacking of the file so I tried PEiD v0.92.
    I scanned the file using PEiD v0.92 and found the OEP at 00401F30. After that, I unpacked it with snaker's Generic Unpacker v0.1 (which is part of PEiD) and rebuilt the imports with ImpREC. The unpacked file generated has a size of 1,16 Mb, while the original one was 4,47 mb.
    When I launch the unpacked exe, I get a message saying that the file size is incorrect...
    How can an unpacked file have a size smaller than the packed one?
    There is still something else to do but I don't know what!!!
    Tks coop
    Paco