
Thread: Code Charge (Unpacking)

  1. #1
    sharon
    Guest

    Code Charge (Unpacking)

    hello everyone

    target: www.codecharge.com
    written in VB6
    anti-Softice tricks + Packing

    1- anti-softice can be bypassed using frogs ice or any other method

    2- following most of the unpacking tutorials, which instruct you to change the .text section from c0000040 to E0000020:
    the problem is that there is no .text section indicated.
    nevertheless, I assumed that the first section (no name) is the text and changed it, and it worked..

    3- how do i find the OEP.. all the techniques i found in tutorials are for common packers.
    what really can give me a clue for the OEP?

    thanks for all your efforts
    I promise that I have read the FAQ and tried to use the Search to answer my question.
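The section-flag change mentioned in point 2 is a change to the Characteristics field of the IMAGE_SECTION_HEADER: c0000040 is INITIALIZED_DATA | READ | WRITE, while E0000020 is CODE | EXECUTE | READ | WRITE. The following Python is an added example (not code from anyone in this thread) that parses a constructed section table, decodes those flags so a section with no name can still be recognised as data-only or code, reports its virtual address range for a given image base, and computes the rewritten flag value. The sample table, the image base of 0x400000 and the section sizes are constructed for the example.

```python
import struct

# IMAGE_SECTION_HEADER Characteristics bits (PE/COFF specification)
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x00000080
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

FLAG_NAMES = {
    IMAGE_SCN_CNT_CODE: "CODE",
    IMAGE_SCN_CNT_INITIALIZED_DATA: "INITIALIZED_DATA",
    IMAGE_SCN_CNT_UNINITIALIZED_DATA: "UNINITIALIZED_DATA",
    IMAGE_SCN_MEM_EXECUTE: "EXECUTE",
    IMAGE_SCN_MEM_READ: "READ",
    IMAGE_SCN_MEM_WRITE: "WRITE",
}

# One 40-byte section header: Name, VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")


def parse_section_headers(table: bytes, count: int) -> list:
    """Parse `count` consecutive section headers from the raw section table."""
    sections = []
    for idx in range(count):
        fields = SECTION_HEADER.unpack_from(table, idx * SECTION_HEADER.size)
        sections.append({
            "name": fields[0].rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": fields[1],
            "virtual_address": fields[2],
            "raw_size": fields[3],
            "raw_pointer": fields[4],
            "characteristics": fields[9],
        })
    return sections


def decode_characteristics(flags: int) -> list:
    """Return the names of the flag bits set in a Characteristics value."""
    return [name for bit, name in FLAG_NAMES.items() if flags & bit]


def section_va_range(section: dict, image_base: int) -> tuple:
    """Virtual address range [start, end) of a section once mapped at image_base."""
    start = image_base + section["virtual_address"]
    return start, start + section["virtual_size"]


def as_code_section(flags: int) -> int:
    """The rewrite the tutorials describe: drop INITIALIZED_DATA, add CODE and EXECUTE."""
    return (flags & ~IMAGE_SCN_CNT_INITIALIZED_DATA) | IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE


# Constructed sample table: a nameless first section flagged as writable data
# (as in the post) followed by an ordinary .rsrc section.
SAMPLE_TABLE = (
    SECTION_HEADER.pack(b"\0" * 8, 0x7F000, 0x1000, 0x7F000, 0x400, 0, 0, 0, 0, 0xC0000040)
    + SECTION_HEADER.pack(b".rsrc\0\0\0", 0x1000, 0x80000, 0x1000, 0x7F400, 0, 0, 0, 0, 0x40000040)
)
SAMPLE_IMAGE_BASE = 0x400000  # constructed; the real value comes from the optional header


if __name__ == "__main__":
    for sec in parse_section_headers(SAMPLE_TABLE, 2):
        lo, hi = section_va_range(sec, SAMPLE_IMAGE_BASE)
        print(f"{sec['name'] or '<no name>':10} {lo:08X}-{hi:08X} "
              f"{sec['characteristics']:08X} {decode_characteristics(sec['characteristics'])}")
    print(f"rewritten flags: {as_code_section(0xC0000040):08X}")
```

With the constructed table the nameless section maps to 401000-480000, which is exactly the kind of range a tracer such as the one discussed later in the thread needs as its low and high bounds.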

  2. #2
    qferret
    Guest
    how did you unpack it?

    If you unpacked manually, the EIP when you dumped should be the OEP.

    If you used ProcDump or another tool, it should have been taken care of automagically ;-)

  3. #3
    sharon
    Guest
    i appreciate your answer but i guess my question was not very clear..
    my question is how do you find the right spot to unpack?

    thanx again

  4. #4
    bobik
    Guest
    find my "small essay from newbie" about VB dumping in this forum
    date : beginning of june

    sharon (07-04-2001 03:14):
    i appreciate your answer but i guess my question was not very clear..
    my question is how do you find the right spot to unpack?

    thanx again

  5. #5
    noname
    Guest
    sharon (07-04-2001 03:14):
    i appreciate your answer but i guess my question was not very clear..
    my question is how do you find the right spot to unpack?

    thanx again
    Hi Sharon,
    it's difficult to tell you which one is correct because different packers have different
    ways to find the OEP.
    the best way is to find a packer, pack
    a notepad or VB program, unpack it and explore the unpacking routines.
    Hope this helps

    noname

  6. #6
    qferret
    Guest
    I actually suck at unpacking, but I believe most (I know of at least a few hehe) packers use a pushad opcode to store the info in the registers for later use.....then a popad right before the popad ends to restore the registers to their former state. So if your unpacking routine is sitting at cs:470000+ (purely a hypothetical #), and you find a jmp eax (again hypothetical) to say cs:412ef0 (you guessed it), with a popad a line or 3 before it....the address jumped to is probably the OEP.

    Hope that helps.....& if it's way off base someone feel free to slap me with a large trout ;-)

  7. #7
    Kayaker (Teach, Not Flame)
    Join Date: Oct 2000
    Hi Sharon,

    Why don't you try Icedump's /Tracex command? I've never used it on a VB app, but it works great on packers in general.

    /TRACEX <low EIP> [<high EIP>]

    So if your .text section is from 401000 to 480000 you would set

    /TRACEX 401000 480000

    in Softice wherever you want to start tracing, press F5, go get a drink because it may take a while, and SI should break in program code. In the command window will be a log with a cs:eip value, the last instruction address executed in packing code. You can then use the 'u' unassemble command on the address to see what the code looks like. If it looks like it was the jump to OEP you can dump it right there.

    /Tracex will break any time there's a jump/call to the code range you specified, but this may not necessarily be the OEP; some packers (like Asprotect) jump into program code a few times before the actual jump to the OEP. If it looks like the code returns quickly to packing code, you can trace back there and set another /Tracex command the same as the first, and it will break on the next jump to program code.

    TRW has a built in feature that I think might be able to be used in a similar fashion, PNEWSEC (go until run into a new section in PE image).

    Hope this helps,

    Kayaker
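Two heuristics appear in this thread: qferret's observation that the transfer to the OEP tends to sit a few instructions after the popad that undoes the stub's initial pushad, and Kayaker's /TRACEX approach of watching for any transfer whose target lands inside the program's code range. The Python below is an added example (not code from any poster and not Icedump or TRW functionality) that applies both to a dumped byte buffer offline: it looks for popad (0x61) and, within a short window after it, decodes the common transfer forms (jmp rel32, jmp rel8, jmp reg, push imm32 / ret), and reports those whose target falls inside the supplied low/high range. A register-indirect jmp has no static target, so it is reported as a candidate to inspect by hand. The unpacker stub bytes, the stub address 0x470000 and the OEP value 0x412EF0 are constructed for the example, taking their values from qferret's hypothetical numbers.

```python
import struct

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def decode_transfer(code: bytes, off: int, base: int):
    """Decode a control transfer at `off`. Returns (kind, target, length) or None.

    `target` is None when it depends on a register value at run time."""
    op = code[off]
    if op == 0xE9 and off + 5 <= len(code):                      # jmp rel32
        rel = struct.unpack_from("<i", code, off + 1)[0]
        return "jmp rel32", base + off + 5 + rel, 5
    if op == 0xEB and off + 2 <= len(code):                      # jmp rel8
        rel = struct.unpack_from("<b", code, off + 1)[0]
        return "jmp rel8", base + off + 2 + rel, 2
    if op == 0xFF and off + 2 <= len(code) and 0xE0 <= code[off + 1] <= 0xE7:
        return f"jmp {REG32[code[off + 1] - 0xE0]}", None, 2     # jmp r32
    if op == 0x68 and off + 6 <= len(code) and code[off + 5] == 0xC3:
        imm = struct.unpack_from("<I", code, off + 1)[0]          # push imm32 / ret
        return "push imm32 / ret", imm, 6
    return None


def find_tail_jump_candidates(code: bytes, base: int, low: int, high: int, window: int = 16) -> list:
    """Candidates for the jump to OEP: the first transfer found within `window`
    bytes after a popad, kept if its target is unknown or lies in [low, high)."""
    candidates = []
    for off, byte in enumerate(code):
        if byte != 0x61:                                          # popad
            continue
        for j in range(off + 1, min(off + 1 + window, len(code))):
            decoded = decode_transfer(code, j, base)
            if decoded is None:
                continue
            kind, target, _ = decoded
            if target is None or low <= target < high:
                candidates.append({"popad": base + off, "transfer": base + j,
                                   "kind": kind, "target": target})
            break  # only the first transfer after this popad is of interest
    return candidates


# Constructed unpacker stub (hypothetical addresses from the thread): pushad,
# a decoy jump that stays inside the stub, popad, then the jump to OEP, and a
# second popad / jmp eax pair whose target is only known at run time.
STUB_BASE = 0x470000
OEP = 0x412EF0
CODE_LOW, CODE_HIGH = 0x401000, 0x480000


def build_sample_stub() -> bytes:
    stub = bytearray(b"\x60")                                     # pushad
    stub += b"\x90" * 6
    stub += b"\xE9" + struct.pack("<i", 3)                        # decoy: jmp over 3 nops
    stub += b"\x90" * 3
    stub += b"\x61\x90"                                           # popad; nop
    stub += b"\xE9" + struct.pack("<i", OEP - (STUB_BASE + len(stub) + 5))  # jmp OEP
    stub += b"\x61\xFF\xE0"                                       # popad; jmp eax
    return bytes(stub)


if __name__ == "__main__":
    for c in find_tail_jump_candidates(build_sample_stub(), STUB_BASE, CODE_LOW, CODE_HIGH):
        target = f"{c['target']:08X}" if c["target"] is not None else "(register)"
        print(f"popad @ {c['popad']:08X}  {c['kind']:16} @ {c['transfer']:08X} -> {target}")
```

As with /Tracex, a hit is only a candidate: the same check against the code range is what lets a protector that bounces into program code and back (Kayaker's Asprotect case) produce several hits, and each one still has to be unassembled and judged by eye.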
