Reverse Engineering RET Homepage RET Members Reverse Engineering Projects Reverse Engineering Papers Reversing Challenges Reverser Tools RET Re-Search Engine Reverse Engineering Forum Reverse Engineering Links

Go Back   Reverse Engineering Team Board > Reverse Engineering Board > File Unpacking
FAQ Members List Calendar Search Today's Posts Mark Forums Read

Reply
 
Thread Tools Display Modes
  #1  
Old 04-05-2018, 06:11 AM
visions_of_eden visions_of_eden is offline
Member
 
Join Date: Nov 2010
Posts: 13
Default Unknown packer

Hi ,

i have an exe that is undoubtedly packed , but i cannot identify what packer was used .

Could anybody help me ?

Here's a link to the exe : https://we.tl/wKhqszWxFn

Thanks in advance .
Reply With Quote
  #2  
Old 04-06-2018, 03:11 PM
user1 user1 is offline
Senior Member
 
Join Date: Jun 2011
Posts: 271
Question

maybe new enigma???
__________________
dongle backup
Reply With Quote
  #3  
Old 04-09-2018, 06:07 AM
visions_of_eden visions_of_eden is offline
Member
 
Join Date: Nov 2010
Posts: 13
Default

Don't know .
I don't have lot of experience with packer .
I'm trying to figure out what it's doing .
Surely has code obfuscation , checksums on code ,check for soft break on used functions from kernel32 (checking INT3 opcode on first function instruction) , hardware break detection (using VEH).

Exe starts with some selft modofy code, then maps kernel32 functions manually resolving them and checking they are not been hooked and for soft Bp presence . Then decrypts real exe and jumps to OEP , but i still have to find a way to stop on OEP and be able to dump unencrypted exe .
Reply With Quote
  #4  
Old 04-11-2018, 08:29 AM
visions_of_eden visions_of_eden is offline
Member
 
Join Date: Nov 2010
Posts: 13
Default

Made some progress. Finally was able to find OEP and dump unencrypted code , but some problems remains .

For example , all calls to external DLLs are made with a proxy at Runtime , so for now i have no way to statically analyze it since when i dump the exe i lose memory map where those calls are made .

Any idea on how to fix it ?
Reply With Quote
  #5  
Old 04-20-2018, 11:58 AM
visions_of_eden visions_of_eden is offline
Member
 
Join Date: Nov 2010
Posts: 13
Default

Made some progress ,

after partially unkpacking the exe i found that the paker used is non standard and comes from some russian forum member called Dr.Golova . Anybody ever headr about it ?

The exe first decrypts itself by doing repeated XORs mixed with crappy code, then jump to the real packer dinamically created , after fixing relocations and imports .
Reply With Quote
Reply


Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump





Powered by vBulletin® Version 3.6.4
Copyright ©2000 - 2018, Jelsoft Enterprises Ltd.