Xenocode unpack


squalito
June 29th, 2008, 10:15
Hello,

I'm looking for some information about Xenocode: how it works, what solutions exist to unpack it, etc.

In fact, what I've found is that Xenocode packs the exe and the dll. Then at runtime it unpacks them in memory (surely with the virtual machine as well).

I've been able to unpack the exe and the dll, but I've done this in a bad way I think (I looked for MZ in the memory map).

Also the obfuscation is well done, and I had a lot of problems finding my way.
Finally I've been able to create a keygen, but once more I've done this in a long and bad way.

So do you have some information on how we could unpack Xenocode?

PS: The LibX tool doesn't work with the last Xenocode version, and I don't want to use an unpacker but rather find a good/general way to unpack Xenocode.

The idea behind this is to rip the Xenocode functions, and maybe create an unpacker.

So all information that could put me on the right way is welcome.

Thanks in advance

JMI
June 29th, 2008, 12:22
The FIRST thing you should have done, because you haven't said that you have already done so, is actually READ the FAQ!

It will tell you that we expect new posters on these Forums to do certain things BEFORE they post here and that they actually tell us "what they have done" to attempt to solve THEIR problem, BEFORE they ask for help.

That's WHY the BIG RED LETTERS are at the top of all the Forums.

What you appear to have failed to do, besides actually READ the FAQ, is to do some searching, here and on the net, for the possible answers to YOUR question and then tell US what you have actually done to try to actually help yourself.

For example, did you put some rather "obvious" search criteria in YOUR favorite search engine and read what you found?? If you did, how would we know that you have done so, or what you may have actually done to try to solve "your" problem??

Using: xenocode unpacking

I got 491 hits.

Using: xenocode keygenning

I got 87 hits.

Have YOU read any of these??? If you have not, go do that first. If you have, how would we know that you have searched for information on your own???

Regards,

squalito
June 30th, 2008, 04:38
Hello,

I've read the FAQ and I always read the post-it before posting. I have also done a search on this forum, and as on all others (in general) there are only tools like the LibX one (Xenocode solutions).

I've also searched the net about Xenocode unpacking and found a good tut made by rongchaua.
In fact if you "google" xenocode unpack you won't find so much information. Of course there are the LibX tools and, as I said, the rongchaua tut.

I just think the rongchaua tut is not a generic solution for Xenocode.

What I'm looking for is to know if some of you have already "played" with Xenocode, and if so what APIs it uses.
What I found myself is that Xenocode hooks these ntdll APIs: ZwCreateFile, ZwMapViewOfSection, ZwCreateKey.

I used the rongchaua tut to unpack this Xenocode, but I think the best would be to:
1- Rip the crypt/decompress routines of Xenocode and create a little tool
or
2- Hook these APIs, ZwReadFile and ZwMapViewOfSection, to find the protected mapped file and be able to dump it

So here are my ideas. The question is, has somebody already tried this? Do you think I am on the right way?

I don't want to hurt anybody, and if my questions don't belong here, do not hesitate to delete this post; please excuse me for this.

Thanks in advance
sQuaLito
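Editor's added example, not part of any post in this thread and not Xenocode's or LibX's code: the first post locates in-memory images by searching the memory map for "MZ", and the poster calls that a bad way. The usual memory-forensics refinement (the same check pe-sieve/Volatility-style tools apply when carving PE images out of a process dump) is to treat every "MZ" as a candidate only and validate it by following e_lfanew to a "PE\0\0" signature, checking the optional-header magic, and reading SizeOfImage so the dump covers the whole image rather than a guessed length. The buffer below is constructed for the example (one stray "MZ" string plus two minimal headers); the offset and header sizes are the documented Win32 PE layout.

```python
import struct

IMAGE_NT_SIGNATURE = 0x00004550      # "PE\0\0"
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
DOS_HEADER_SIZE = 0x40               # e_lfanew lives at offset 0x3C
FILE_HEADER_SIZE = 20
SIZEOF_IMAGE_OFFSET = 56             # same offset in PE32 and PE32+ optional headers


def parse_pe_at(buf, off):
    """Validate a candidate PE image at buf[off:].

    Returns (offset, magic, size_of_image, num_sections) or None when the
    "MZ" at off is not the start of a consistent DOS/NT header pair.
    """
    if off + DOS_HEADER_SIZE > len(buf) or buf[off:off + 2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", buf, off + 0x3C)[0]
    # A real image keeps the NT headers just past the DOS stub; a stray "MZ"
    # in data almost never points at a plausible e_lfanew.
    if e_lfanew < DOS_HEADER_SIZE or e_lfanew > 0x1000:
        return None
    nt = off + e_lfanew
    if nt + 4 + FILE_HEADER_SIZE > len(buf):
        return None
    if struct.unpack_from("<I", buf, nt)[0] != IMAGE_NT_SIGNATURE:
        return None
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, num_sections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", buf, nt + 4)
    opt = nt + 4 + FILE_HEADER_SIZE
    if opt_size < SIZEOF_IMAGE_OFFSET + 4 or opt + opt_size > len(buf):
        return None
    magic = struct.unpack_from("<H", buf, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        return None
    size_of_image = struct.unpack_from("<I", buf, opt + SIZEOF_IMAGE_OFFSET)[0]
    return (off, magic, size_of_image, num_sections)


def find_pe_images(buf):
    """Scan a memory-region buffer: every "MZ" is a candidate, only validated ones are kept."""
    hits, pos = [], buf.find(b"MZ")
    while pos != -1:
        info = parse_pe_at(buf, pos)
        if info is not None:
            hits.append(info)
        pos = buf.find(b"MZ", pos + 1)
    return hits


def build_min_pe(size_of_image, num_sections, pe32plus=False):
    """Constructed test data: a minimal DOS header + NT headers with no stub and no sections."""
    dos = bytearray(DOS_HEADER_SIZE)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, DOS_HEADER_SIZE)       # e_lfanew directly after DOS header
    opt = bytearray(0xF0 if pe32plus else 0xE0)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<I", opt, SIZEOF_IMAGE_OFFSET, size_of_image)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, num_sections, 0, 0, 0, len(opt), 0x102)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt)


# Constructed sample "memory region": padding, a decoy "MZ" string, then two real headers.
SAMPLE = (b"\x00" * 0x100
          + b"MZ is not a header here" + b"\x00" * 0x80
          + build_min_pe(0x5000, 3)
          + b"\x00" * 0x200
          + build_min_pe(0x12000, 5, pe32plus=True)
          + b"\x00" * 0x100)


if __name__ == "__main__":
    candidates = SAMPLE.count(b"MZ")
    for off, magic, size, nsec in find_pe_images(SAMPLE):
        kind = "PE32+" if magic == PE32PLUS_MAGIC else "PE32"
        print(f"image at 0x{off:x}: {kind}, SizeOfImage=0x{size:x}, {nsec} sections")
    print(f"{candidates} 'MZ' candidates, {len(find_pe_images(SAMPLE))} validated")
```

On a live process the same function runs over each committed region returned by the memory map; SizeOfImage then tells the dumper how many bytes to copy for each validated header, which is what a raw "MZ" search cannot provide.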

JMI
June 30th, 2008, 10:29
You are not "hurting" anyone with your post, but your second post contains the kind of information which you should have included in your first post and then you would not have heard from me about following the directions of the FAQ.

Regards,

squalito
June 30th, 2008, 10:43
Quote (originally posted by JMI):
You are not "hurting" anyone with your post, but your second post contains the kind of information which you should have included in your first post and then you would not have heard from me about following the directions of the FAQ.

Regards,

No problem then, and I promise next time I'll explain everything from the first post.

JMI
June 30th, 2008, 10:49
And welcome aboard the Forums.

Regards,