PC Guard
Orthodox
July 24th, 2007, 15:50
here is my tutorial regarding unpacking of PC Guard:
http://www.zshare.net/download/2790110485bf03/
Cheers
Orthodox
JMI
July 24th, 2007, 15:51
Thanks for sharing with our readers!
Regards,
Sab
July 24th, 2007, 21:17
Jesus would be proud. Nice clean tut btw.
LLXX
July 25th, 2007, 01:56
Not bad for a first try, right? I've found that the PDF is best viewed at 133% magnification to preserve the quality of the images, but what did you do to the images in the first place? I advise you next time to not try to stretch or shrink them...
Quote:
So press Shift+F9 and count exceptions. We pressed Shift+F9 13 times and the application starts. So now count 12 exceptions.
I'd like to see you try unpacking malware using that method
Have you tried looking at the actual encryption routine itself? Would be a lot easier (and safer) to decrypt offline instead of during live execution. It looks like a very simple algorithm from the images you've supplied -- push the number of bytes to be transformed, call the function to transform the bytes after/before the call for en/decryption.
Orthodox
July 25th, 2007, 07:07
Haven't done anything to the images; probably it depends on your monitor size and screen resolution.
- To decrypt it offline would take a lot of time, because it's a big piece of code that is decrypted, and there are a lot of calls too, which have different code. Since I'm not playing with malware, for me it's OK.
Cheers
Orthodox
deroko
July 25th, 2007, 07:45
Quote:
Originally Posted by LLXX
I'd like to see you try unpacking malware using that method
That's why you are using a Virtual Machine, right?
naides
July 25th, 2007, 08:39
The new malware detects the fucking VM and refuses to unpack.
deroko
July 25th, 2007, 09:49
Wait a minute, if it is wrapped with one of the public protections, why wouldn't the protection layer run in a VM? As far as I know, only Themida has an option "VM compatibility" or something like that.
LLXX
July 25th, 2007, 22:00
Quote:
Originally Posted by deroko
That's why you are using a Virtual Machine, right?
No, hex editor
http://www.woodmann.com/forum/showthread.php?t=10306
deroko
July 29th, 2007, 12:11
Looks nicer than IDA.