Reverse Engineering Team Board

Reverse Engineering Team Board (http://www.reteam.org/board/index.php)
-   File Unpacking (http://www.reteam.org/board/forumdisplay.php?f=27)
-   -   Please help with unpacking (http://www.reteam.org/board/showthread.php?t=229)

Core 04-26-2005 05:08 AM

Hi, first of all I want to say that I am a newbie; I've only made 2 cracks so far, but now I'm dealing with a packed exe, and I have tried everything to unpack it. This is the link: http://censored/ . I have tried OllyDBG to find the OEP, but the application does not run to the end because I get an access violation. I have also tried SoftIce, but when I launch the app it detects that SoftIce is running and does not work. I have also tried all the unpackers, but it seems that the application is not packed with any exe compressor; maybe they have their own algorithm for packing. What I noticed when I looked at the properties of the file is that it looks like a RAR archive with SFX, so I tried to unrar it, but it says that a volume is missing and it could not be extracted. The exe runs by itself, so how could 1 volume be missing? Then I tested the archive and it said that it's an old format RAR 1.5 archive and could not be extracted... I have also tried to attach to the process, but with almost every app I've tried the answer is that it could not attach to the process. If I start SoftIce when the app is running, the computer crashes. I don't really know what else to do; if somebody with more experience wants to help, I would gladly give more details...

THX.

sna 04-27-2005 09:30 AM

Hello.

Well first of all please don't post links back to the software you're working on. There is really no need to identify it and some people might be offended by the idea that their code is under scrutiny. I edited out the link you provided and we'll leave it at that.

I nevertheless had a quick look at the application and confirmed that the file is protected by a new and little-known protection system. Which one is obvious if you know where to look and it is because of this that I'm going to suggest that you do not waste any more time on this. I'm afraid the protection used here is much too complicated for you to deal with, being at the stage you are.

Instead, I'm going to suggest that you learn about the Portable Executable (PE) format while you also read up on debugging and anti-debugging. Grab the PE specification from MSDN and be sure to check out Matt Pietrek's MSDN Magazine columns from early 2002.

Regards, sna

Core 05-03-2005 02:19 AM

THX sna for the info. But if it is possible, can you send me an email or PM with the name of the protection system? Maybe there is some unpacker for this packing type that I could search for, or, if I'm not asking too much and at the risk of making an enemy of you, could you unpack this file or send me some good indications? So I've read about PE, but that magazine I couldn't find.

THX again for the info, and I'll wait for your PM or email...
morecorecode@yahoo.com


sna 05-04-2005 03:56 AM

Hello.

Microsoft Portable Executable and Common Object File Format Specification

An In-Depth Look into the Win32 Portable Executable File Format, Part 1
An In-Depth Look into the Win32 Portable Executable File Format, Part 2

Look at the section headers.
Regards, sna

Core 06-02-2005 05:48 AM


Ok, so I resolved unpacking this using an Unprotector&Unpacking program, then I dumped the file, but I have a new section now and the exe is not running: "Procedure entry point NtOpenThread could not be found in Kernel32.dll"... Tried fixing the PE header; I also have the real OEP, but the exe is not working...
If more info is needed I will return with it....

CoDe_InSiDe 06-02-2005 12:07 PM

Hi Core,

Quote:

"Procedure entry point NtOpenThread could not be found in Kernel32.dll"
Sounds to me like the Import Table is messed up :)

Core 06-07-2005 04:04 AM

What tool should I use for fixing the import table?

CoDe_InSiDe 06-07-2005 06:14 AM

Try ImpREC.
Or if that doesn't work, do it manually :D
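
The two replies above point at the section headers and at the import table, and the loader error Core quoted ("NtOpenThread could not be found in Kernel32.dll") is exactly what a mis-rebuilt import table produces. The following is an added example, not code from the thread or from ImpREC: it parses the section headers of a PE32 image, walks the import directory, and reports the two defects a dumped file typically carries, a descriptor whose RVAs no longer fall inside any section, and a function name attributed to the wrong DLL (Nt*/Zw* names are native API exports of ntdll.dll, so an IAT entry asking KERNEL32.dll for NtOpenThread can never resolve). The sample image, the function names (`build_sample_pe`, `analyze`) and the Nt*/Zw* heuristic are my own constructions.

```python
import struct

# Added example (not from the thread). build_sample_pe() constructs a small PE32
# file in memory; analyze() checks its section headers and import table.

IMAGE_ORDINAL_FLAG32 = 0x80000000


def rva_to_offset(sections, rva):
    """Map an RVA to a file offset via the section headers; None if the RVA
    lies in no section (a stale pointer left behind by a bad dump)."""
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rsize"]):
            return s["raw"] + (rva - s["va"])
    return None


def read_cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")


def parse_sections(data):
    """Return (section list, import directory RVA, is_pe32) from the PE headers."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]            # 0x10B = PE32, 0x20B = PE32+
    dirs = opt + (96 if magic == 0x10B else 112)               # first data directory
    imp_rva = struct.unpack_from("<I", data, dirs + 8)[0]      # directory index 1 = imports
    sections = []
    for i in range(nsec):                                      # 40-byte IMAGE_SECTION_HEADERs
        name, vsize, va, rsize, raw = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize,
                         "raw": raw, "rsize": rsize})
    return sections, imp_rva, magic == 0x10B


def analyze(data):
    """Walk the import descriptors and collect per-DLL names plus findings."""
    sections, imp_rva, is_pe32 = parse_sections(data)
    thunk_fmt, ord_flag = ("<I", IMAGE_ORDINAL_FLAG32) if is_pe32 else ("<Q", 1 << 63)
    imports, findings = {}, []
    desc_off = rva_to_offset(sections, imp_rva)
    if desc_off is None:
        findings.append(f"import directory RVA {imp_rva:#x} is not inside any section")
        return {"sections": sections, "imports": imports, "findings": findings}
    idx = 0
    while True:                                                # IMAGE_IMPORT_DESCRIPTOR, 20 bytes
        oft, _ts, _fwd, name_rva, ft = struct.unpack_from("<IIIII", data, desc_off + 20 * idx)
        if oft == 0 and name_rva == 0 and ft == 0:             # all-zero descriptor ends the list
            break
        name_off = rva_to_offset(sections, name_rva)
        thunk_off = rva_to_offset(sections, oft or ft)         # prefer the INT, fall back to the IAT
        if name_off is None or thunk_off is None:
            findings.append(f"import descriptor {idx}: RVA {name_rva:#x} is not inside any section "
                            "(stale pointer; the import table needs rebuilding)")
            idx += 1
            continue
        dll = read_cstr(data, name_off)
        names = imports.setdefault(dll, [])
        while True:
            thunk = struct.unpack_from(thunk_fmt, data, thunk_off)[0]
            if thunk == 0:
                break
            if thunk & ord_flag:                               # import by ordinal
                names.append(f"#{thunk & 0xFFFF}")
            else:
                hn_off = rva_to_offset(sections, thunk)
                if hn_off is None:
                    findings.append(f"{dll}: thunk RVA {thunk:#x} is not inside any section")
                else:
                    func = read_cstr(data, hn_off + 2)         # skip the 2-byte hint
                    names.append(func)
                    # Heuristic (my own): Nt*/Zw* is the native API, exported by ntdll.dll.
                    if dll.lower() != "ntdll.dll" and func[:2] in ("Nt", "Zw"):
                        findings.append(f"{dll}!{func}: Nt*/Zw* names are ntdll.dll exports; "
                                        "the loader cannot resolve this entry")
            thunk_off += struct.calcsize(thunk_fmt)
        idx += 1
    return {"sections": sections, "imports": imports, "findings": findings}


def build_sample_pe():
    """Constructed PE32: .text at RVA 0x1000, .idata at RVA 0x2000 holding an import
    table that names NtOpenThread under KERNEL32.dll and a third, dangling descriptor."""
    hdr = bytearray(0x200)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                                  # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x14C, 2, 0, 0, 0, 0xE0, 0x102)  # IMAGE_FILE_HEADER
    opt = 0x58
    struct.pack_into("<H", hdr, opt, 0x10B)                                  # PE32 magic
    struct.pack_into("<I", hdr, opt + 16, 0x1000)                            # AddressOfEntryPoint
    struct.pack_into("<III", hdr, opt + 28, 0x400000, 0x1000, 0x200)         # ImageBase, alignments
    struct.pack_into("<I", hdr, opt + 92, 16)                                # NumberOfRvaAndSizes
    struct.pack_into("<II", hdr, opt + 96 + 8, 0x2000, 0x50)                 # import directory
    sec = opt + 0xE0
    struct.pack_into("<8sIIIIIIHHI", hdr, sec, b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    struct.pack_into("<8sIIIIIIHHI", hdr, sec + 40, b".idata", 0x200, 0x2000, 0x200, 0x400, 0, 0, 0, 0, 0xC0000040)
    idata = bytearray(0x200)
    def put(off, b): idata[off:off + len(b)] = b
    put(0x00, struct.pack("<IIIII", 0x20A0, 0, 0, 0x2050, 0x20B0))   # KERNEL32.dll descriptor
    put(0x14, struct.pack("<IIIII", 0x20C0, 0, 0, 0x2060, 0x20C8))   # ntdll.dll descriptor
    put(0x28, struct.pack("<IIIII", 0x9000, 0, 0, 0x9000, 0x9000))   # dangling descriptor
    put(0x50, b"KERNEL32.dll\0"); put(0x60, b"ntdll.dll\0")
    put(0x70, b"\0\0NtOpenThread\0"); put(0x80, b"\0\0ExitProcess\0"); put(0x90, b"\0\0NtClose\0")
    put(0xA0, struct.pack("<III", 0x2070, 0x2080, 0)); put(0xB0, struct.pack("<III", 0x2070, 0x2080, 0))
    put(0xC0, struct.pack("<II", 0x2090, 0)); put(0xC8, struct.pack("<II", 0x2090, 0))
    return bytes(hdr) + b"\xC3" + bytes(0x1FF) + bytes(idata)


if __name__ == "__main__":
    report = analyze(build_sample_pe())
    for s in report["sections"]:
        print(f"{s['name']:<8} VA={s['va']:#07x} vsize={s['vsize']:#x} raw={s['raw']:#x} rsize={s['rsize']:#x}")
    for dll, funcs in report["imports"].items():
        print(dll, funcs)
    for f in report["findings"]:
        print("!!", f)
```

Run it against a real dump by replacing `build_sample_pe()` with the file's bytes; every finding is something ImpREC would also show as an unresolved or invalid entry, and the section listing tells you whether the dumped section's raw and virtual ranges actually cover the RVAs the import directory uses.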

z3r0 08-10-2005 12:52 PM

Are you trying to open a 3.x password-protected WinRAR SFX?

