#1  07-08-2005, 10:49 PM  orangutang (Member; Join Date: May 2005; Posts: 20)
Can anyone successfully unpack this?
#2  07-11-2005, 07:11 PM  orangutang (Member; Join Date: May 2005; Posts: 20)
If anyone figures it out, please tell me what programs you used to unpack it.
#3  07-18-2005, 10:37 PM  0x517A5D (Member; Join Date: Jul 2005; Posts: 13)
So I unpacked it and all, but it doesn't do anything!

It deletes itself if it detects a debugger, I guess, and merely exits immediately otherwise.

Is that what it's supposed to do?

The only interesting thing in the EXE, aside from the self-deleting batchfile, is the string "ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ!!!!!!!!!!!!! !!!!!!!!!!:)" .
Is that a message or just a VB artifact?

It was an interesting weekend project.


Tools:
IDA Pro (legally registered)
SoftIce (legally registered)
Custom debugger using Win32 Debug API.
Peditor v1.7
Vim
GCC


517A5D out.
#4  07-19-2005, 01:04 AM  orangutang (Member; Join Date: May 2005; Posts: 20)
Wow you're good. I know the program does nothing so I just wanted someone to unpack it successfully, nothing else.
#5  07-19-2005, 01:07 AM  orangutang (Member; Join Date: May 2005; Posts: 20)
Actually, I just ran the unpacked version and it exits because of the CRC check. Can anyone figure that out?
#6  07-19-2005, 02:09 AM  0x517A5D (Member; Join Date: Jul 2005; Posts: 13)

Quote:
Originally posted by orangutang@Jul 18 2005, 10:07 PM
Actually, I just ran the unpacked version and it exits because of the CRC check. Can anyone figure that out?
Darnit, I must have missed something. Oh well, the program text is decrypted and the imports work. I don't intend to devote more time to it.

BTW, was this commercial protection or your own homebrew?

517A5D out.
#7  07-19-2005, 03:39 PM  orangutang (Member; Join Date: May 2005; Posts: 20)
It was both. I used a "commercial" protector and then I edited it a little to make it a little harder to unpack and added some of my own stuff.
#8  07-19-2005, 09:06 PM  0x517A5D (Member; Join Date: Jul 2005; Posts: 13)
Quote:
Originally posted by orangutang@Jul 19 2005, 12:39 PM
It was both. I used a "commercial" protector and then I edited it a little to make it a little harder to unpack and added some of my own stuff.

I figured it must be commercial since there was a lot of code that was never called. For example, there are several routines that deal with Thread Local Storage, which this program didn't have.

But I thought it was pretty easy for a commercial product. There were some interesting tricks, but not nearly enough of them. Mostly it was a couple layers of weak crypto.

And then there was this stuff:

Code:
seg006:004083F0                     db      36h
seg006:004083F0 018                 mov     esi, [ebp+arg_0]
seg006:004083F4                     db      36h
seg006:004083F4 018                 mov     edi, [ebp+arg_4]
seg006:004083F8                     db      36h
seg006:004083F8 018                 mov     ecx, [ebp+arg_8]
seg006:004083FC 018                 xor     eax, eax
seg006:004083FE 018                 xor     ebx, ebx
seg006:00408400 018                 xor     edx, edx
seg006:00408402
seg006:00408402     @@loop:
seg006:00408402                     db      3Eh
seg006:00408402 018                 mov     al, [esi]
seg006:00408405                     db      3Eh
seg006:00408405 018                 mov     bl, [edi]
Those db 36h's are SS: overrides, and the db 3E's are DS: overrides. Neither is useful in Win32 code. It looked to me like someone forgot to set his assembler's ASSUMEs. That strikes me as a newbie error that should have been caught somewhere in the development process. It doesn't even really serve as obfuscation.

517A5D out.
#9  07-19-2005, 10:03 PM  orangutang (Member; Join Date: May 2005; Posts: 20)
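To make the point about the stray override prefixes concrete, here is an added example (not code from the thread): a small prefix audit that walks already-split x86 instructions, strips legacy prefixes, and flags segment overrides to CS/DS/ES/SS as no-ops under the flat 32-bit Windows memory model while leaving FS/GS alone, since those do select a different base (the TEB, for example). The byte encodings are reconstructed from the listing above and are an assumption, as is the trailing FS-relative instruction added for contrast.

```python
"""Audit x86 legacy prefixes on a list of already-split instructions.

In a flat 32-bit Windows process CS, DS, ES and SS all map to the same
linear range, so an explicit SS: (36h) or DS: (3Eh) override is a no-op,
exactly the "forgotten ASSUME" pattern discussed in the thread. FS: (64h)
and GS: (65h) are different: they point at a distinct base (the TEB on
Win32), so they carry real meaning and must not be flagged as redundant.
"""
from typing import List, NamedTuple, Tuple

# Legacy prefix bytes as defined in the Intel SDM (vol. 2, sec. 2.1.1).
SEGMENT_OVERRIDES = {0x26: "ES", 0x2E: "CS", 0x36: "SS", 0x3E: "DS", 0x64: "FS", 0x65: "GS"}
OTHER_PREFIXES = {0x66: "OPSIZE", 0x67: "ADDRSIZE", 0xF0: "LOCK", 0xF2: "REPNE", 0xF3: "REP"}
# Segments that alias one another in a flat 32-bit model; overriding to them changes nothing.
FLAT_ALIAS_SEGMENTS = {"CS", "DS", "ES", "SS"}

class Finding(NamedTuple):
    offset: int                 # address of the instruction
    prefixes: Tuple[str, ...]   # all legacy prefixes seen, in order
    redundant: Tuple[str, ...]  # segment overrides that are no-ops in flat mode
    body: bytes                 # instruction bytes with the prefixes removed

def split_prefixes(insn: bytes) -> Tuple[Tuple[str, ...], bytes]:
    """Peel legacy prefix bytes off the front of one instruction."""
    names, i = [], 0
    while i < len(insn) and (insn[i] in SEGMENT_OVERRIDES or insn[i] in OTHER_PREFIXES):
        names.append(SEGMENT_OVERRIDES.get(insn[i]) or OTHER_PREFIXES[insn[i]])
        i += 1
    return tuple(names), insn[i:]

def audit(base: int, insns: List[bytes]) -> List[Finding]:
    """Return one Finding per instruction, tracking the address as we go."""
    out, addr = [], base
    for insn in insns:
        names, body = split_prefixes(insn)
        redundant = tuple(n for n in names if n in FLAT_ALIAS_SEGMENTS)
        out.append(Finding(addr, names, redundant, body))
        addr += len(insn)
    return out

# Constructed encodings matching the IDA listing in the post (assumption: a
# disassembler has already split the byte stream into instructions).
LISTING = [
    bytes.fromhex("368b7508"),        # ss: mov esi, [ebp+8]
    bytes.fromhex("368b7d0c"),        # ss: mov edi, [ebp+0Ch]
    bytes.fromhex("368b4d10"),        # ss: mov ecx, [ebp+10h]
    bytes.fromhex("33c0"), bytes.fromhex("33db"), bytes.fromhex("33d2"),  # xor eax/ebx/edx
    bytes.fromhex("3e8a06"),          # ds: mov al, [esi]   (@@loop)
    bytes.fromhex("3e8a1f"),          # ds: mov bl, [edi]
    bytes.fromhex("648b1518000000"),  # fs: mov edx, [18h]  -> meaningful, not flagged
]

if __name__ == "__main__":
    for f in audit(0x4083F0, LISTING):
        print(f"{f.offset:08X} prefixes={f.prefixes} redundant={f.redundant} body={f.body.hex()}")
```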
I'm not even a newbie at file unpacking. I don't know any of that debugging and disassembling stuff. I just like playing around with exes and trying to make them unpackable. I'm just really, really bored.
#10  07-19-2005, 10:03 PM  orangutang (Member; Join Date: May 2005; Posts: 20)
By the way, how long did it take you to unpack this?