Reverse Engineering RET Homepage RET Members Reverse Engineering Projects Reverse Engineering Papers Reversing Challenges Reverser Tools RET Re-Search Engine Reverse Engineering Forum Reverse Engineering Links

Go Back   Reverse Engineering Team Board > Reverse Engineering Board > File Unpacking
FAQ Members List Calendar Search Today's Posts Mark Forums Read

Reply
 
Thread Tools Display Modes
  #1  
Old 04-26-2005, 05:08 AM
Core Core is offline
Junior Member
 
Join Date: Apr 2005
Posts: 4
Default

Hi, first of all I want to say that I am a newbie, only made 2 cracks for now, but now i'm dealing with a packed exe, and I have try everything to unpack. This is the link: http://censored/ . I have try OllyDBG to find the OEP but the application is not running to the end cause I have some access violation. Also I have try SoftIce but than when I launch the app it's detecting that softice is running and is not working. I have also try all unpackers but it's seems that the application is not packed with any exe compressor maybe they have their own algo for packing. What I have noticed when I saw the properties of the file is that it's look like a rar archive with SFX, so I have try to unrar it but it's saying that it has a volume missing and it could not be extract. The exe is running by itself so how could be 1 volume missing. Then I have tested the archive and it said that it's an old format rar 1.5 archive and could not be extracted...I have try also to attach to the process but almost with any app's I have try the answer is that could not attach to process. If i start SoftIce when the app is running the computer crashes. I don't really know what else to do if somebody with more experience want to help, I would gladlly give more details...

THX.
Reply With Quote
  #2  
Old 04-27-2005, 09:30 AM
sna sna is offline
Administrator
 
Join Date: Jun 2003
Posts: 76
Default

Hello.

Well first of all please don't post links back to the software you're working on. There is really no need to identify it and some people might be offended by the idea that their code is under scrutiny. I edited out the link you provided and we'll leave it at that.

I nevertheless had a quick look at the application and confirmed that the file is protected by a new and little-known protection system. Which one is obvious if you know where to look and it is because of this that I'm going to suggest that you do not waste any more time on this. I'm afraid the protection used here is much too complicated for you to deal with, being at the stage you are.

Instead, I'm going to suggest that you learn about the Portable Executable (PE) format while you also read up on debugging and anti-debugging. Grab the PE specification from MSDN and be sure to check out Matt Pietrek's MSDN Magazine columns from early 2002.

Regards, sna
Reply With Quote
  #3  
Old 05-03-2005, 02:19 AM
Core Core is offline
Junior Member
 
Join Date: Apr 2005
Posts: 4
Default

THX sna for the info. But if is possible, can you send me an email or PM, with the name of the protection system maybe there is some unpacker for this packing type, to search for it or if I'm not asking too much and with the risk to make an enemy of you, if is possible can you unpack this file or send me some good indication. So I've read about PE but that magazine I couldn't find.

THX again for the info, and I'll wait your PM or email...
morecorecode@yahoo.com

Reply With Quote
  #4  
Old 05-04-2005, 03:56 AM
sna sna is offline
Administrator
 
Join Date: Jun 2003
Posts: 76
Default

Hello.

Microsoft Portable Executable and Common Object File Format Specification

An In-Depth Look into the Win32 Portable Executable File Format, Part 1
An In-Depth Look into the Win32 Portable Executable File Format, Part 2

Look at the section headers.
Regards, sna
Reply With Quote
  #5  
Old 06-02-2005, 05:48 AM
Core Core is offline
Junior Member
 
Join Date: Apr 2005
Posts: 4
Default


Ok so I resolved unpacking this using a Unprotector&Unpacking program then I have dump the file but I have a new section now and the exe is not running. "Procedure entry point NtOpenThread could not be found in Kernel32.dll"...Tried fixing the pe header also I have the real OEP but exe not working...
If more info needed I will return with it....
Reply With Quote
  #6  
Old 06-02-2005, 12:07 PM
CoDe_InSiDe CoDe_InSiDe is offline
Member
 
Join Date: Nov 2003
Posts: 28
Default

Hi Core,

Quote:
"Procedure entry point NtOpenThread could not be found in Kernel32.dll"
Sounds to me like the Import Table is messed up
Reply With Quote
  #7  
Old 06-07-2005, 04:04 AM
Core Core is offline
Junior Member
 
Join Date: Apr 2005
Posts: 4
Default

What tool should I use for fixing the import table...
Reply With Quote
  #8  
Old 06-07-2005, 06:14 AM
CoDe_InSiDe CoDe_InSiDe is offline
Member
 
Join Date: Nov 2003
Posts: 28
Default

Try ImpREC.
Or if that doesn't work, do it manually
Reply With Quote
  #9  
Old 08-10-2005, 12:52 PM
z3r0 z3r0 is offline
Junior Member
 
Join Date: Aug 2005
Posts: 2
Post

Are you Trying to open a 3.x password protected winrar sfx.
Reply With Quote
Reply


Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump





Powered by vBulletin® Version 3.6.4
Copyright ©2000 - 2020, Jelsoft Enterprises Ltd.