
Thread: .NET generic unpacker

  1. #1

    .NET generic unpacker

    OK, this is my generic unpacker for .NET apps; I have never seen software like this on the web, hihihi

    uggc://cayhpx.nygreivfgn.bet

    EDIT KAYAKER: See post below

    People, test it and contact me about bugs or about software which can't be unpacked
    :P

  2. #2
    I did a little update: I added an icon :P

  3. #3
    Registered User fly's Avatar
    Join Date
    Jul 2004
    Location
    CrackTool
    Posts
    15
    Good job.

    http://www.unpack.cn

    In a straw cloak through mist and rain, I take life as it comes!

  4. #4
    madmanaenewman
    Guest

    Wooooaa. !!!!!! W A R N I N G !!!!!!!!

    As a newbie currently researching unpacking software, this was the first one my search uncovered. I followed the link and went to download the software. What I started to get looked real suspicious, so I tried to stop it. I got several messages along the line of "Please download me, I am completely safe -- no viruses guaranteed" or words to that effect. Anyway, 100 or so clicks later (no, actually, I really don't want to visit another casino site!) I finally managed to terminate the endless string of pop-ups. When I went back to IE, guess what my home page now was? Another 100 clicks and, well, you get the picture. I can only pray that nothing more serious was done to my system.

    I had intended on at least another week's worth of research before stooping to the inevitably necessary post crying for help, but this kind of ##$%@ in a great forum like this is sooo out of place that I thought someone should point it out. Hopefully, a moderator will check the link and take whatever action seems appropriate.

    My humble apologies if the link was originally posted in good faith, but I get real testy when someone messes with my computer settings maliciously like that.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  5. #5
    : Code Injector : nikolatesla20's Avatar
    Join Date
    Apr 2002
    Location
    :ether:
    Posts
    815
    Yes, do not go to that page. There was also another thread in another forum (arteam I think) where people noticed there was a trojan on that webpage and told the author to stick it where the code doesn't shine

    -nt20

  6. #6
    reknihT esreveR SiGiNT's Avatar
    Join Date
    Sep 2004
    Location
    Wherever I am
    Posts
    750
    Not to detract from pnluck's work, he has made many contributions - but even though it's a huge download - M$ offers the entire .net SDK including decompiler/compiler simply as a download - I have it but usually IDA suffices.

    SiGiNT

    And just as a note to our new member - GET ANOTHER BROWSER, if you want problems use IE.
    Last edited by SiGiNT; March 11th, 2006 at 20:12.
    Unemployed old fart Geek - Self Employed Annoyance
    Team: Noobisco Crackers
    If someone can't do it for you, you'll never learn!

  7. #7
    Teach, Not Flame Kayaker's Avatar
    Join Date
    Oct 2000
    Posts
    4,047
    Blog Entries
    5
    That's very strange, the site used to be OK, at least with Opera. To save anyone else from the same fate by accident, I encrypted the link with ROT13. If you are really desperate go to rot13.com and decrypt the uggc:// link to find the original site.

  8. #8
    Keep your scripting off and you won't have any problems

    I was able to download and inspect the file, it's completely harmless.

  9. #9
    madmanaenewman
    Guest
    I am building a ******* and found the perfect tool to assist in the design, *****.exe. Of course, I have to learn how to use it first, so on to the tutorials. Wait a minute, the program isn't supposed to do that! I thought this thing was cracked!
    Research reveals that people think they've got the dongle licked but don't actually try the program to test their hard work. Hmmm. Why not, I'm up for a challenge.
    The next evening I find your home here. Read, download, tutorial, more reading, search this, oops, that tutorial is outdated, and that program is no longer supported, more reading, another download. Dang -- a trojan. Fix that, vent some steam. Hey, it's paying off. I now know that ****.exe crashes on the command FSTP ST! Hmmm, I wonder what FSTP ST means? Oh well, my search for Assembly tutorials will have to wait, for now it seems I have to change browsers too! Is there an end to this madness, you ask? Sorry, not you you -- my wife you. Yes there is, honey, now leave me alone, I'm coming to bed in a few hours, or days, or ... never mind.

    Seriously, I did see a reference to this community's dislike for IE. I had it on my list of things to research. Really. I guess I'll do it immediately after posting this.

    I'm sure to be back with questions for you guys. First I've got to figure out what the question is and be able to word it in a manner that makes it at least look like I've done my homework. In the interim, thanks for a great forum.

    Say Hun, could I get a back massage before you go to bed? Er, never mind. Hey, put the knife away. This isn't funny, Dear!

  10. #10
    Old Retired Man Uradox's Avatar
    Join Date
    Sep 2002
    Location
    Australia
    Posts
    42
    what the
    In life we learn to challenge the impossible. In death do we learn to live?

  11. #11
    Uffaaaaaaaaaaaaaaaaaaa!!! There isn't any trojan or malware, it is only HTML and JavaScript for AJAX, and stopppp!!

    However, I uploaded my software to 0.5; now it lists all .NET processes running on the current machine

    pnluck.altervista.org
    or
    pmode.net

  12. #12
    Registered User cRk's Avatar
    Join Date
    Apr 2003
    Location
    out of hell
    Posts
    152
    When I went to your site pnluck.altervista.org and clicked Software or something that says Loading....., I suddenly got this image I attached. This happened once. I tried to reproduce this but it never appeared again; maybe PopupCop has blocked everything since the first time, but I didn't pay much attention to this. It looks to me like a common trojan. I'm using IE 6 SP1 with all patches up to date.

    My Best regards
    Attached Images

  13. #13
    Well, if I remember well, many months ago I went there and the Java VM popped up in the tray bar, which was not... expected to start at all, when I clicked on the author's link (or such, don't remember). Hoping all this is not intentional, maybe their hosting service is meddling with their pages?
    @cRK: throw IE off the windows, unless you are 'examining' it. With FireFox and Opera, why IE?
    Last edited by Maximus; April 4th, 2006 at 16:30.
    I want to know God's thoughts ...the rest are details.
    (A. Einstein)
    --------
    ..."a shellcode is a command you do at the linux shell"...

  14. #14
    reknihT esreveR SiGiNT's Avatar
    Join Date
    Sep 2004
    Location
    Wherever I am
    Posts
    750
    I had a similar experience with another site, and numerous people here essentially said I was nuts. Could it be that the pop-ups and other garbage are activated by the visitor's IP address (country of origin?). Anyway, pnluck, no one here would even think of accusing you of doing anything malicious! Please keep up the good work!

    SiGiNT

  15. #15
    @cRk: I tried some RCE on the 605689.exe at the URL shown. It's packed with PEpack (for which I don't have an automated unpacker at the moment, and I suspect malware so I don't want to run it either), but noticing the numerical URL I tried 600000 - not found, kept going until I got a 603000.exe packed with UPX. Unpacked it and took a look with a hex editor.

    Seems to modify Internet security settings, install itself in the Run key of the registry, and access "flat.trafficadvance.net/?d=603000&R=". Does "dkfibjjcnlplceoibcppeenjdjafgeia" mean anything to you? It occurs several times in all the numbered files I checked. It looks like a simple cipher but I can't figure it out...

    I've accessed the page many times and inspected the source, but nothing appeared.
    Quote Originally Posted by sigint33
    - could it be that the pop-ups and other garbage are activated by the visitors IP address
    I tried with 5 different proxies. Still nothing.

    This is certainly most weird.
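
An added example, not part of any post in this thread: static triage along the lines of post #15, reading the PE section table for UPX section names and scanning printable strings for a Run-key path and a URL with a query parameter, without running the file. Both sample buffers, the host name and the function names are constructed for illustration.

```python
import re
import struct

# Indicator patterns of the kind post #15 reports finding in the unpacked file.
INDICATORS = {
    "run_key": re.compile(rb"CurrentVersion\\Run", re.I),
    "url_with_query": re.compile(rb"[a-z0-9.-]+\.[a-z]{2,}/\?[a-z]=", re.I),
}

def section_names(pe):
    """Read section names from the PE section table; nothing is executed."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    (count,) = struct.unpack_from("<H", pe, e_lfanew + 6)      # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", pe, e_lfanew + 20)  # SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size
    return [pe[table + 40 * i:table + 40 * i + 8].rstrip(b"\0") for i in range(count)]

def triage(pe):
    """Flag UPX section names and indicator strings in a byte buffer."""
    names = section_names(pe)
    strings = re.findall(rb"[\x20-\x7e]{6,}", pe)
    hits = sorted({k for s in strings for k, rx in INDICATORS.items() if rx.search(s)})
    return {"packed_upx": any(n.startswith(b"UPX") for n in names),
            "sections": names, "indicators": hits}

def build_sample(names, body):
    """Constructed PE-shaped buffer: DOS stub, COFF header, section table, body."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, 0, 0x102)
    table = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in names)
    return dos + b"PE\0\0" + coff + table + body

# Constructed samples: compressed-looking bytes vs. readable strings after unpacking.
PACKED = build_sample([b"UPX0", b"UPX1", b".rsrc"], bytes(range(128, 256)) * 4)
UNPACKED = build_sample(
    [b".text", b".data"],
    b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\0"
    b"tracker.example.invalid/?d=000000&R=\0",
)

if __name__ == "__main__":
    for label, sample in (("packed", PACKED), ("unpacked", UNPACKED)):
        print(label, triage(sample))
```

The packed sample reports the UPX sections but no indicators, which is why the strings only became visible after unpacking.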
