An unknown packer


Hero
December 4th, 2007, 05:45
Hi all
I'm working on an unknown packer. It seems simple, but I think I can't unpack it correctly.
Because of the rules, I can't name the program that I work on, but I give some specifications about it; perhaps you could recognize something similar:
1- If you use HARDCORE scan in PEiD it says the protection is Petite 1.4; normal scan finds nothing.
2- This is the only packer I've seen that says nothing in Olly about the EP. I mean when you open it up in Olly it seems like a normal application and starts without any message about the EP.
3- The only packer I've seen that starts with a JMP instruction....
4- The only packer I've seen that has a huge amount of obfuscated code using JMP and PUSH addr, RET (another way of doing a JMP), which makes tracing the code almost impossible.

Can you identify anything from these details?


In addition, I should say that I was able to make a working semi-unpack of the target.
By semi-unpack, I mean I was able to find something that I think is the OEP, make a working application by dumping it at that OEP and rebuilding the IAT with ImpREC; the problem is that the main program body is still connected to that packer's code in this semi-unpacked one, and I can't patch this semi-unpacked one because of that strange obfuscated code.
It really seems like a 2-layer protection to me; perhaps Petite is only a small part of it, or I'm doing the unpacking incorrectly.

Has anybody seen anything similar to this?

Regards

evaluator
December 4th, 2007, 07:08
noo..
if it's a crackme, point to where it is..

Hero
December 4th, 2007, 09:55
Sorry, it's a commercial program, so I can't name it...
But it is a Visual Studio plugin to detect memory leaks; perhaps you could find it yourself...

evaluator
December 4th, 2007, 15:58
nah, forget it.
don't know Visual Studio

Hero
December 4th, 2007, 23:57
Quote:
[Originally Posted by evaluator;70735]nah, forget it.
don't know Visual Studio


There is a standalone application for that purpose in its folder too, in addition to that Visual Studio plugin.

Regards

evaluator
December 5th, 2007, 09:03
letz say so:
if you trust in, we become herroeZ of WWCL, then letz unpuck it!

btw, why we are going to umnpuking it??

Hero
December 8th, 2007, 09:36
Hi
You know, I personally use DevPartner, in which detecting memory leaks is a small part, and I don't need this tool.
But this program's protection made me mad, and I wanna learn how I can reverse a program in situations like this, where I don't have any tool for backtracking and heuristic tracing from a specific place in the code (the PUSH addr-RET technique makes you lose the call stack, and there is a huge amount of spaghetti code that I can't trace in a proper way).

Regards

evaluator
December 8th, 2007, 17:47
this looks like ExeCryptor, but Code & RData are not encrypted.
so maybe not much work will be required from you?
try tracing for the OEP.

Hero
December 8th, 2007, 23:17
Quote:
[Originally Posted by evaluator;70808]this looks like ExeCryptor, but Code & RData are not encrypted.
so maybe not much work will be required from you?
try tracing for the OEP.


The RCs are encrypted (you will notice if you check it with a resource viewer).
It was easy to find something that I believe is the OEP and make a working dump (the program unpacked this way was around 100k bigger than the original one).
But the main problem is how I can separate the original code from its protector code; they are even connected in the dumped application (perhaps I didn't find the OEP correctly).
This is the way I used for finding the OEP:
1- Opened the protected exe in a tool to see resources and selected the RVA of an encrypted resource, for example 44AD10 (a string-table resource).
2- Set a hardware breakpoint on write at this address and ran to reach it.
3- Removed this hardware breakpoint and set another hardware breakpoint on execution on a RET command that is 8 commands below the place where the debugger stopped, and ran the program to there.
4- Used F7 on the RET; you will be on a JMP; another F7 and you will be on a "PUSH 60" command that I BELIEVE is the OEP.
What do you think about this OEP? Is it correct?
And if you dump the program and rebuild the IAT with ImpREC (no invalid entries at all) you will get a working dump, but still connected to the protector....
Dunno how to separate them...

Regards

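A small static helper for following the JMP / PUSH addr, RET trampolines discussed in this thread, so the landing point of an obfuscated chain can be read off without single-stepping through it. This is an added example, not code from the thread or from the protected program; the sample bytes and the base address 0x401000 are constructed.

```python
import struct

# Unconditional transfers that the obfuscation described in the thread chains
# together: JMP short (EB rel8), JMP near (E9 rel32) and PUSH imm32 ; RET
# (68 imm32 C3), which is a JMP in disguise.
def follow_transfers(code, base, start, max_hops=64):
    """Statically follow a trampoline chain starting at VA `start`.
    code: raw bytes of a code section, base: VA of code[0].
    Returns (landing_va, hops); hops is a list of (va, kind, target_va) and
    landing_va is the first instruction that is not a bare transfer."""
    hops, seen, va = [], set(), start
    while len(hops) < max_hops:
        off = va - base
        if not 0 <= off < len(code):
            raise ValueError(f"VA {va:#x} lies outside the buffer")
        if va in seen:                      # self-looping trampoline
            hops.append((va, "LOOP", va))
            return va, hops
        seen.add(va)
        op = code[off]
        if op == 0xEB and off + 2 <= len(code):
            target = va + 2 + struct.unpack_from("<b", code, off + 1)[0]
            kind = "JMP SHORT"
        elif op == 0xE9 and off + 5 <= len(code):
            target = va + 5 + struct.unpack_from("<i", code, off + 1)[0]
            kind = "JMP"
        elif op == 0x68 and off + 6 <= len(code) and code[off + 5] == 0xC3:
            target = struct.unpack_from("<I", code, off + 1)[0]
            kind = "PUSH/RET"
        else:
            return va, hops                 # a real instruction: stop here
        hops.append((va, kind, target))
        va = target
    return va, hops

# Constructed sample section (not from the protected program), base VA 0x401000.
BASE = 0x401000
SAMPLE = bytearray(b"\xCC" * 0x40)               # INT3 filler between islands
SAMPLE[0x00:0x05] = b"\xE9\x1B\x00\x00\x00"      # 401000: JMP 401020
SAMPLE[0x20:0x26] = b"\x68\x10\x10\x40\x00\xC3"  # 401020: PUSH 401010 ; RET
SAMPLE[0x10:0x12] = b"\xEB\x1E"                  # 401010: JMP SHORT 401030
SAMPLE[0x30] = 0x60                              # 401030: PUSHAD, the landing point

if __name__ == "__main__":
    landing, hops = follow_transfers(bytes(SAMPLE), BASE, BASE)
    for va, kind, target in hops:
        print(f"{va:08X}  {kind:<9} -> {target:08X}")
    print(f"lands at {landing:08X}, opcode {SAMPLE[landing - BASE]:02X}")
```

Run against a dumped section, the same function reports where each trampoline chain really lands, which is the address to inspect when deciding whether a candidate such as the PUSHAD above is the OEP.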
evaluator
December 9th, 2007, 04:36
now check what the connection does; if nothing, remove it.. and so on..

Hero
December 9th, 2007, 09:31
I found out that the functions that handle some messages are implemented in other sections, not the .text one.
The code that shows the trial messages is in those sections too...

Regards