
PC Guard


Orthodox
July 24th, 2007, 15:50
Here is my tutorial regarding unpacking of PC Guard:

http://www.zshare.net/download/2790110485bf03/


Cheers


Orthodox

JMI
July 24th, 2007, 15:51
Thanks for sharing with our readers!

Regards,

Sab
July 24th, 2007, 21:17
Jesus would be proud. Nice clean tut btw.

LLXX
July 25th, 2007, 01:56
Not bad for a first try, right? I've found that the PDF is best viewed at 133% magnification to preserve the quality of the images, but what did you do to the images in the first place? I advise you next time to not try to stretch or shrink them...
Quote:
So press Shift+F9 and count exceptions. We pressed Shift+F9 13 times and the application starts. So now count 12 exceptions.
I'd like to see you try unpacking malware using that method

Have you tried looking at the actual encryption routine itself? It would be a lot easier (and safer) to decrypt offline instead of during live execution. It looks like a very simple algorithm from the images you've supplied -- push the number of bytes to be transformed, call the function to transform the bytes after/before the call for en/decryption.
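The stub layout described in the post above (push the byte count, call the transform routine, and the protected bytes sit right after the call, i.e. at the return address) can be decrypted offline by scanning a dump for those push/call pairs. The script below is an added example, not code from the original post or from PC Guard; the dump it works on is constructed inline, the address of the transform routine (`FN_ADDR`) is made up, and the byte transform itself (a rolling XOR) is an assumption standing in for whatever the real routine does. Once the real routine has been read in the disassembler, `transform` is the only function that needs replacing.

```python
import struct

PUSH_IMM32 = 0x68   # push imm32
CALL_REL32 = 0xE8   # call rel32
FN_ADDR = 0x100     # assumed: where the (dummy) transform routine lives in the constructed dump


def transform(data: bytes, key: int = 0x5A) -> bytes:
    """ASSUMED stand-in for the real byte transform: XOR with a rolling key.
    The key stream does not depend on the data, so the routine is an
    involution and the same call both encrypts and decrypts."""
    out = bytearray()
    k = key
    for b in data:
        out.append(b ^ k)
        k = (k + 0x11) & 0xFF
    return bytes(out)


def find_stubs(image: bytes, fn_addr: int):
    """Scan a flat code dump (offset == address) for `push N ; call fn` pairs
    whose call resolves to fn_addr. Yields (stub_off, N, payload_off), where the
    N protected bytes start right after the call, i.e. at the return address."""
    i = 0
    while i + 10 <= len(image):
        if image[i] == PUSH_IMM32 and image[i + 5] == CALL_REL32:
            count = struct.unpack_from("<I", image, i + 1)[0]
            rel = struct.unpack_from("<i", image, i + 6)[0]
            next_ip = i + 10
            if next_ip + rel == fn_addr and next_ip + count <= len(image):
                yield i, count, next_ip
                i = next_ip + count   # do not look for stubs inside ciphertext
                continue
        i += 1


def decrypt_image(image: bytes, fn_addr: int = FN_ADDR) -> bytes:
    """Return a copy of the dump with every protected block replaced by its
    plaintext, leaving the push/call stubs themselves in place."""
    out = bytearray(image)
    for _, count, off in find_stubs(image, fn_addr):
        out[off:off + count] = transform(image[off:off + count])
    return bytes(out)


def _emit_stub(img: bytearray, body: bytes, fn_addr: int) -> None:
    """Append `push len(body) ; call fn ; transform(body)` to the constructed dump."""
    img += bytes([PUSH_IMM32]) + struct.pack("<I", len(body))
    next_ip = len(img) + 5
    img += bytes([CALL_REL32]) + struct.pack("<i", fn_addr - next_ip)
    img += transform(body)


def build_sample() -> bytes:
    """Constructed dump (not data from the post): two protected blocks of real
    x86 bytes, NOP padding, and a one-byte dummy routine at FN_ADDR."""
    img = bytearray()
    _emit_stub(img, bytes.fromhex("31c0"), FN_ADDR)          # xor eax, eax
    img += b"\x90" * 4
    _emit_stub(img, bytes.fromhex("b801000000c3"), FN_ADDR)  # mov eax, 1 ; ret
    img += b"\x00" * (FN_ADDR - len(img))
    img += b"\xc3"  # stands in for the real transform routine
    return bytes(img)


if __name__ == "__main__":
    dump = build_sample()
    for off, n, payload in find_stubs(dump, FN_ADDR):
        print(f"stub @ {off:#06x}: {n} protected bytes at {payload:#06x}")
    print(decrypt_image(dump)[:32].hex())
```

Scanning skips over each protected block once it has been identified, so ciphertext bytes that happen to look like another push/call pair are not mistaken for a stub; on a real dump the section base would be added to the offsets before comparing against the call target.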

Orthodox
July 25th, 2007, 07:07
I haven't done anything to the images; it probably depends on your monitor size and screen resolution.
- To decrypt it offline would take a lot of time, because it's a big piece of code that is decrypted, and there are a lot of calls too, which have different code; and since I'm not playing with malware, for me it's OK.

Cheers

Orthodox

deroko
July 25th, 2007, 07:45
Quote (Originally Posted by LLXX):
I'd like to see you try unpacking malware using that method


That's why you are using a virtual machine, right?

naides
July 25th, 2007, 08:39
The new malware detects the fucking VM and refuses to unpack.

deroko
July 25th, 2007, 09:49
Wait a minute, if it is wrapped with one of the public protections, why wouldn't the protection layer run in a VM? As far as I know, only Themida has an option "VM compatibility" or something like that.

LLXX
July 25th, 2007, 22:00
Quote (Originally Posted by deroko):
That's why you are using a virtual machine, right?

No, hex editor

http://www.woodmann.com/forum/showthread.php?t=10306

deroko
July 29th, 2007, 12:11
Looks nicer than IDA.