 |
 |
 |
 |
 |
 |
 |
 |
 |
 |
|
|
|
|
|
||||||||||
|
||||||||||||||
|
||||||||||||||
|
#1
04-05-2018, 06:11 AM
|
|||
|
|||
Unknown packer
Hi ,
i have an exe that is undoubtedly packed , but i cannot identify what packer was used . Could anybody help me ? Here's a link to the exe : https://we.tl/wKhqszWxFn Thanks in advance . 
|
|
#3
04-09-2018, 06:07 AM
|
|||
|
|||
|
Don't know .
I don't have lot of experience with packer . I'm trying to figure out what it's doing . Surely has code obfuscation , checksums on code ,check for soft break on used functions from kernel32 (checking INT3 opcode on first function instruction) , hardware break detection (using VEH). Exe starts with some selft modofy code, then maps kernel32 functions manually resolving them and checking they are not been hooked and for soft Bp presence . Then decrypts real exe and jumps to OEP , but i still have to find a way to stop on OEP and be able to dump unencrypted exe .
|
|
#4
04-11-2018, 08:29 AM
|
|||
|
|||
|
Made some progress. Finally was able to find OEP and dump unencrypted code , but some problems remains .
For example , all calls to external DLLs are made with a proxy at Runtime , so for now i have no way to statically analyze it since when i dump the exe i lose memory map where those calls are made . Any idea on how to fix it ?
|
|
#5
04-20-2018, 11:58 AM
|
|||
|
|||
|
Made some progress ,
after partially unkpacking the exe i found that the paker used is non standard and comes from some russian forum member called Dr.Golova . Anybody ever headr about it ? The exe first decrypts itself by doing repeated XORs mixed with crappy code, then jump to the real packer dinamically created , after fixing relocations and imports .
|
|
#6
07-09-2018, 01:08 PM
|
|||
|
|||
|
Memory redirection tool I'm working at...
Quote:
I am working currently on a tool which will redirect allocations to only one memory block being able after to easy save that and add a new section to the PE file.
|
Linear Mode
