What is this target Packed/Encrypted with?


xOptiMus
December 20th, 2000, 13:51
Hi all

Have just disassembled a target (ispeed.exe) in w32dasm and have noticed that it can only disassemble about a dozen or so lines. I realise that it must be packed/encrypted because there is no code. I have tested the file with several file analyzers including file sniffer, but have failed to identify the packer. As a last resort I have copied the first few lines from w32dasm and pasted them here in the hope that someone will be able to identify the packer by looking at the object data - there are some weird entries there, such as BSS and kdata.

Incidentally, this target (beta version) was taken from January's issue cover disc of Dot Net mag. The latest version, which can be downloaded from http://www.hms.com/apps/issetup.exe, gives a slightly different sections listing in W32Dasm, but it still cannot be disassembled! I've been told that it is a modified version of Asprotect ver 1.1.
+Teshp, I hope you and your eagerly awaited new iat rebuilder can solve this one!

Disassembly of File: iSpeed.EXE
Code Offset = 00000000, Code Size = 00000000
Data Offset = 00055000, Data Size = 00002C00

Number of Objects = 0010 (dec), Imagebase = 00400000h

Object01: CODE RVA: 00001000 Offset: 00000400 Size: 00054C00 Flags: C0000040
Object02: DATA RVA: 000E8000 Offset: 00055000 Size: 00002C00 Flags: C0000040
Object03: BSS RVA: 000ED000 Offset: 00057C00 Size: 00000000 Flags: C0000040
Object04: .idata RVA: 000EF000 Offset: 00057C00 Size: 00001000 Flags: C0000040
Object05: .tls RVA: 000F2000 Offset: 00058C00 Size: 00000000 Flags: C0000040
Object06: .rdata RVA: 000F3000 Offset: 00058C00 Size: 00000200 Flags: C0000040
Object07: .reloc RVA: 000F4000 Offset: 00058E00 Size: 00000000 Flags: C0000040
Object08: .rsrc RVA: 00104000 Offset: 00058E00 Size: 0001A600 Flags: C0000040
Object09: .kdata RVA: 00139000 Offset: 00073400 Size: 00002200 Flags: C0000040
Object10: .data RVA: 0013C000 Offset: 00075600 Size: 00000000 Flags: C0000040

Hope someone recognizes the packer from the above code.

Any help greatly appreciated

xOptiMus

CrackZ
December 20th, 2000, 15:24
Hiya,

Well, here goes with a spur-of-the-moment reply. I didn't look at your target, but I'm guessing on 2 counts.

c0000040 section flags and extra 2 sections, one of which is called .data, looks pretty much to me like ASPack. Others with more bandwidth can probably confirm that for you.

Looks like you're in luck too: section names suggest a Borland compiler and, as I recall, early versions of ASPack didn't trash Borland compiled .idata's.

Regards

CrackZ.
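
Added example, not part of either post: a Python sketch that decodes the C0000040 section flags mentioned in the reply, using the W32Dasm listing from the first post. The bit constants are from the PE/COFF specification; the function names and indicator labels are this example's own, and the indicators are triage hints rather than a packer identification.

```python
import re

# Section characteristics bits defined by the PE/COFF specification.
FLAG_BITS = {
    0x00000020: "CNT_CODE",
    0x00000040: "CNT_INITIALIZED_DATA",
    0x20000000: "MEM_EXECUTE",
    0x40000000: "MEM_READ",
    0x80000000: "MEM_WRITE",
}
EXECUTABLE = 0x20000000 | 0x00000020

# W32Dasm section listing copied from the first post in this thread.
LISTING = """\
Object01: CODE RVA: 00001000 Offset: 00000400 Size: 00054C00 Flags: C0000040
Object02: DATA RVA: 000E8000 Offset: 00055000 Size: 00002C00 Flags: C0000040
Object03: BSS RVA: 000ED000 Offset: 00057C00 Size: 00000000 Flags: C0000040
Object04: .idata RVA: 000EF000 Offset: 00057C00 Size: 00001000 Flags: C0000040
Object05: .tls RVA: 000F2000 Offset: 00058C00 Size: 00000000 Flags: C0000040
Object06: .rdata RVA: 000F3000 Offset: 00058C00 Size: 00000200 Flags: C0000040
Object07: .reloc RVA: 000F4000 Offset: 00058E00 Size: 00000000 Flags: C0000040
Object08: .rsrc RVA: 00104000 Offset: 00058E00 Size: 0001A600 Flags: C0000040
Object09: .kdata RVA: 00139000 Offset: 00073400 Size: 00002200 Flags: C0000040
Object10: .data RVA: 0013C000 Offset: 00075600 Size: 00000000 Flags: C0000040
"""

ROW = re.compile(r"Object\d+:\s+(\S+)\s+RVA:\s+([0-9A-Fa-f]+)\s+Offset:\s+([0-9A-Fa-f]+)"
                 r"\s+Size:\s+([0-9A-Fa-f]+)\s+Flags:\s+([0-9A-Fa-f]+)")

def parse_sections(text):
    """Return one dict per 'ObjectNN:' row, with numeric fields parsed as hex."""
    keys = ("rva", "offset", "size", "flags")
    return [dict(name=m.group(1), **{k: int(v, 16) for k, v in zip(keys, m.groups()[1:])})
            for m in ROW.finditer(text)]

def decode_flags(flags):
    """Names of the known characteristics bits set in a flags value."""
    return [name for bit, name in FLAG_BITS.items() if flags & bit]

def packer_indicators(sections):
    """Section-table oddities worth a closer look (labels are this example's own)."""
    found = []
    if len(sections) > 1 and len({s["flags"] for s in sections}) == 1:
        found.append("uniform-flags")          # every section carries identical flags
    if not any(s["flags"] & EXECUTABLE for s in sections):
        found.append("no-executable-section")  # nothing marked as code or executable
    if sections and all(s["flags"] & 0x80000000 for s in sections):
        found.append("all-writable")           # every section writable at run time
    return found
```

For this listing, `decode_flags` shows that C0000040 means initialized data that is readable and writable, with no code or execute bit on any section, including the one named CODE.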