
Unpacking Xenocode App


General1337
January 1st, 2010, 20:43
Hey everyone,
I've been trying to unpack an app that uses Xenocode. One of the problems I've faced is the fact that I couldn't figure out it was using Xenocode at all until I asked a friend to help out. His answer to how he got it: "Talent". If anyone could help me out on determining how he knew this app was using Xenocode, that would be great. I've tried using regular scanning tools like PEiD, but nothing.

Next is to unpack the app using Xenocode. The method I was trying to use is to go in and follow a tut by (ronchong, I think his name was). I also looked around for other methods but couldn't find anything.
Again, asking my friend, he simply pasted some code and told me to "use it", which I messed around with until it actually was able to unpack.
Has this method been used before as in a usual method or something unheard of?
You can view the code at:
http://allofthem.pastebin.com/m1953fd8d


If it wasn't for getting this info from him, I would have been debugging a packed app.
Any help would be great.
Thanks!

Iwarez
January 2nd, 2010, 07:55
The source you posted doesn't unpack anything. As far as I could see it just copies files from one location to another. The reason that works is that Xenocode creates a virtual environment in which the real files are present. The DLL just copies it from the virtual world to the real world.

General1337
January 2nd, 2010, 14:10
Ah, I understand. Thanks

Is there a way to actually view which DLLs are present, or how he determined it was Xenocode in the first place? For example, in the source code he already knows which DLLs there are and takes it out from there. He somehow determined that they were being used. This could be shown while debugging, but I'm not entirely sure.
Thanks!

Iwarez
January 2nd, 2010, 17:24
I think if you use the FindFirstFile call with *.* you end up with a complete list of files, which you can write to a text file or so. I have no experience with Xenocode, just guessing here. As it is a virtual file system, you should be able to use normal API calls to search for files.

onupday
February 4th, 2010, 00:02
nice code

chessgod101
February 18th, 2010, 19:40
Quote (originally posted by General1337):
If anyone could help me out on determining how he knew this app was using Xenocode that would be great. I've tried using regular scanning tools like PEiD but nothing.

There is only one true way to determine if a file is virtualized with Xenocode. Tools such as Exe Info and PEiD will not detect the packer. To determine if it is using Xenocode, open the executable in OllyDbg. Keep it paused and search for all referenced text strings. Scroll down the list. If it is Xenocode software, you will see this line: "There has been an error starting this virtual appliance. Error code:". Following this reference you will find the line "Xenocode Virtual Appliance Runtime". Now you know for certain that it is a Xenocode application.
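The same check chessgod101 does by hand in OllyDbg can be scripted for triage. This is an added example, not code from the thread: it scans a file's raw bytes for the two marker strings the post names. It looks for each marker both as ASCII and as UTF-16LE, on the assumption (not stated in the thread) that the runtime may store the text as wide characters, as Windows binaries often do.

```python
"""Triage helper: look for the Xenocode runtime strings quoted in the thread
inside a file's raw bytes. Added example, not the thread's own code."""
import sys

# The two strings chessgod101 says appear in OllyDbg's referenced-strings list.
MARKERS = (
    "There has been an error starting this virtual appliance. Error code:",
    "Xenocode Virtual Appliance Runtime",
)


def find_markers(data: bytes) -> dict:
    """Return {marker: encoding_found_or_None} for each marker string.

    Each marker is searched as narrow (ASCII) and wide (UTF-16LE) text, since
    the thread does not say which form OllyDbg showed (assumption).
    """
    hits = {}
    for text in MARKERS:
        found = None
        for enc in ("ascii", "utf-16-le"):
            if text.encode(enc) in data:
                found = enc
                break
        hits[text] = found
    return hits


def looks_like_xenocode(data: bytes) -> bool:
    """True only when both markers are present, matching the post's criterion."""
    return all(find_markers(data).values())


def scan_file(path: str) -> bool:
    with open(path, "rb") as fh:
        return looks_like_xenocode(fh.read())


# Constructed samples (not real Xenocode binaries): a blob embedding the markers
# as wide strings among filler bytes, and a blob without them.
SAMPLE_POSITIVE = (
    b"MZ" + b"\x00" * 64
    + MARKERS[0].encode("utf-16-le") + b"\x00\x00"
    + b"\x90" * 16
    + MARKERS[1].encode("utf-16-le") + b"\x00\x00"
)
SAMPLE_NEGATIVE = b"MZ" + b"\x00" * 64 + b"Some other packer\x00"

if __name__ == "__main__":
    for path in sys.argv[1:]:
        print(f"{path}: {'Xenocode markers found' if scan_file(path) else 'no markers'}")
```

A match on only the first string is not reported as Xenocode, because the post treats the "Xenocode Virtual Appliance Runtime" reference as the confirming find.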