#1 - 01-30-2014, 12:58 PM
mindoverflow (Member, Join Date: Aug 2009, Posts: 35)
What packer could this be?

I have this file https://www.dropbox.com/s/l56wjs6ll9lu5f2/SAHEL.exe that I scanned with different PE identifiers, but every one of them detected a different packer (MEW 11 SE v1.2, Morphine, Private EXE Protector), and I think each of them is wrong.

According to what I noticed while debugging: all sections are encrypted, there are dizzying jumps (a jump per expression), and among the anti-debugger techniques a thread is created to check for debuggers permanently (window or process name detection; OllyDbg hiding plugins don't hide it, but I didn't bother to fix that, I simply suspend or terminate the thread and we're done with the anti-debug thing), while IDA/WinDbg isn't detected. I think I'm getting everything in memory, but I can't find the OEP yet, so I can't take a dump.

I would appreciate it if someone could guess the right packer used, or if anyone remembers a packer that creates a thread to check for debuggers even after giving control to the original program.

Thank you
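For readers trying to place the behaviour described above, here is an added illustration (not code from the post, and not taken from the sample binary) of the anti-debug pattern in question: a watchdog thread that keeps polling for debuggers by process name and window name after the packer has handed control to the original program. The debugger name list, the 500 ms poll interval and the "terminate the process on detection" reaction are all assumptions for the example; the Windows build uses the Toolhelp32 process snapshot and FindWindowA, and a POSIX stand-in walks /proc/<pid>/comm so the same code can be compiled and tried on Linux.

```c
/*
 * Added example: a debugger watchdog thread of the kind the post describes.
 * Windows: Toolhelp32 process enumeration + FindWindowA window lookup.
 * POSIX:   scans /proc/<pid>/comm for the same process names (stand-in).
 * Build:   cl watchdog.c          (Windows, compile without UNICODE)
 *          cc -pthread watchdog.c (POSIX)
 */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stdlib.h>

#ifdef _WIN32
#include <windows.h>
#include <tlhelp32.h>
#else
#include <dirent.h>
#include <pthread.h>
#include <time.h>
#include <unistd.h>
#endif

/* Assumed, illustrative list of debugger image / window names (lower-case). */
static const char *DEBUGGER_NAMES[] = {
    "ollydbg", "x32dbg", "x64dbg", "windbg", "idaq", "ida64", "gdb", NULL
};

/* Case-insensitive test: does `name` (an image name or window title) start
 * with one of the known debugger names?  "OLLYDBG.EXE" -> 1, "explorer.exe" -> 0. */
int is_debugger_name(const char *name)
{
    for (const char **p = DEBUGGER_NAMES; *p; ++p) {
        size_t n = strlen(*p), i;
        for (i = 0; i < n; ++i)
            if (tolower((unsigned char)name[i]) != (unsigned char)(*p)[i]) break;
        if (i == n) return 1;
    }
    return 0;
}

/* One watchdog pass: returns 1 if a debugger process (or, on Windows, a
 * debugger window) is visible, 0 otherwise. */
int debugger_present(void)
{
#ifdef _WIN32
    HANDLE snap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (snap != INVALID_HANDLE_VALUE) {
        PROCESSENTRY32 pe;
        pe.dwSize = sizeof(pe);
        if (Process32First(snap, &pe)) {
            do {
                if (is_debugger_name(pe.szExeFile)) { CloseHandle(snap); return 1; }
            } while (Process32Next(snap, &pe));
        }
        CloseHandle(snap);
    }
    /* Window check: OllyDbg registers a window class literally named "OLLYDBG". */
    return FindWindowA("OLLYDBG", NULL) != NULL;
#else
    DIR *d = opendir("/proc");
    struct dirent *e;
    int found = 0;
    if (!d) return 0;
    while (!found && (e = readdir(d)) != NULL) {
        char path[64], comm[256];
        FILE *f;
        if (!isdigit((unsigned char)e->d_name[0])) continue;   /* only <pid> dirs */
        snprintf(path, sizeof path, "/proc/%s/comm", e->d_name);
        if ((f = fopen(path, "r")) == NULL) continue;
        if (fgets(comm, sizeof comm, f) && is_debugger_name(comm)) found = 1;
        fclose(f);
    }
    closedir(d);
    return found;
#endif
}

/* Watchdog body: polls for the life of the process (assumed 500 ms interval),
 * which is why it still fires after the packer jumps to the OEP, and why
 * suspending or terminating this one thread is enough to neutralise it. */
#ifdef _WIN32
static DWORD WINAPI watchdog(LPVOID arg)
{
    (void)arg;
    for (;;) { if (debugger_present()) ExitProcess(1); Sleep(500); }
}
#else
static void *watchdog(void *arg)
{
    struct timespec ts = { 0, 500L * 1000 * 1000 };
    (void)arg;
    for (;;) { if (debugger_present()) _exit(1); nanosleep(&ts, NULL); }
    return NULL;
}
#endif

/* Spawns the detached watchdog thread; returns 1 on success. */
int start_watchdog(void)
{
#ifdef _WIN32
    return CreateThread(NULL, 0, watchdog, NULL, 0, NULL) != NULL;
#else
    pthread_t t;
    return pthread_create(&t, NULL, watchdog, NULL) == 0 && pthread_detach(t) == 0;
#endif
}

int main(void)
{
    if (!start_watchdog()) return 1;
    puts("original program running; the watchdog keeps polling in the background");
    /* ... the "unpacked" program would carry on here ... */
    return 0;
}
```

When you see this in a target, the thread that matters is the one whose start routine loops over a process/window enumeration with a sleep in between; as the post says, suspending that single thread in the debugger defeats the check without touching the rest of the unpacking stub.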