+SplAj - website location ???

Clandestiny
April 23rd, 2001, 20:40
Hi +SplAj,

In my recent searches for some unpacking tuts, I just happened to remember your discompress.com site. Seeking it out, however, I got a 404 Not Found error. Have you changed locations? The URL would be great.

Many Thanks,
Clandestiny

SplAj
April 24th, 2001, 03:56
Hi,

discompress is still in existence, but not on the WWW cos I donated my space for a worthy cause last month.

But now I hope that I get my space back, as I used less than 10 megs and I have a backup on my HD at home...somewhere. It will return soon.

Basically my thoughts on unpacking are to DL ALL the packers and then use them on notepad.exe, then test yourself to manually unpack WITHOUT procdump and icedump (well, use it to hide SI and do screendumps for your files). Just MANUALLY find the OEiP and then use the 'e eip eb fe' loop and dump with PEditor, then rebuild as necessary!
- make notes on each packer's attempts to hide the OEiP and how the APIs are scrambled/hidden/redirected in the IAT/IT.

Then you are well practised for 'shareware' targets.

"I'll be back"

Clandestiny
April 24th, 2001, 17:54
Hi +SplAj,

Thanks for the good advice. This is actually the very first time I've manually attempted to unpack something without ProcDump, but I just had great success with my UPXed Windows calculator. (Yeah, I know...probably the easiest packer around ;P...but I'm quite excited nonetheless.) In your opinion, what should be my next step? i.e. which packers are relatively straightforward for an unpacking newbie like myself? I plan on studying packers in some detail and I would greatly appreciate a little guidance in this direction.

Thanks,
Clandestiny

+SplAj
April 25th, 2001, 03:57
I would try PEcompact on notepad.exe next....

Actually unpacking is rather boring after a while. It is just a hunt for that final POPAD and JMP EAX in almost ALL packed targets. Most use the APlib compression code as well. So there is not much difference actually between them. Just go to www.exetools.com and DL the packers and use them on notepad.exe and that's it. Make notes and look for those 'signature' bytes at the end of unpacking and hand over to the original program........

You should also study the PE structure cos some packers like 'telock' f*ck around with the number of sections. Instead of say 0005 you get FFFF and this upsets PEditor and icedump dumping until you correct it BEFORE dumping. So you should get used to looking at the memory around 40000 for the 'PE' start and understand what the next 50+ bytes mean to the exe; start address, sections, blah blah .......

Also your next step would be to FIND the IAT + IT in the target and understand if it's been f*cked with or not... and nowadays it probably has. So most of the time you have to use a bpm 'itaddress' w to watch the IT being mapped then destroyed. So you have to DUMP this section, then continue to the OEiP then DUMP again (after checking the PE header) and then copy+paste the good IT back. Then there are the redirected API tricks that are fixed with Revirgin }>

Practise makes perfect.....

I found the backup and will upload soon.....
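
As an added example (not code from this thread, from +SplAj's site, or from PEditor/icedump), here is a small Python PE32 header walker that does the pre-dump checks described in +SplAj's two posts above: walk MZ -> e_lfanew -> 'PE' and read the bytes that follow (NumberOfSections, AddressOfEntryPoint, ImageBase, the import directory entry that points at the IT), detect and repair a tampered section count such as FFFF by counting the section table, and model the 'e eip eb fe' trick (JMP $ written at the OEP so the target spins while you dump it, then the two saved bytes and the entry point put back in the dump). The image it walks is constructed in memory for the demo; the section names, the 0xFFFF count and the OEP bytes are assumed values, not taken from telock or notepad.exe.

```python
"""Added example (not from the thread): PE32 header walker for pre-dump checks.
The image below is CONSTRUCTED for the demo (RVA == offset, as in a memory
dump); it is not a real notepad.exe or real packer output."""
import struct

IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\0\0"
IMAGE_DIRECTORY_ENTRY_IMPORT = 1
MAX_SECTIONS = 96          # the Windows loader refuses images with more
SECTION_HEADER_SIZE = 40
JMP_SELF = b"\xEB\xFE"     # what 'e eip eb fe' writes in SoftICE


def build_sample_image(number_of_sections_field, sections, oep_rva, oep_code):
    """Constructed PE32 image. NumberOfSections is written verbatim so a
    tampered value (e.g. 0xFFFF) can be simulated."""
    e_lfanew = 0x80
    image = bytearray(0x4000)
    image[0:2] = IMAGE_DOS_SIGNATURE
    struct.pack_into("<I", image, 0x3C, e_lfanew)
    image[e_lfanew:e_lfanew + 4] = IMAGE_NT_SIGNATURE
    coff = e_lfanew + 4
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    struct.pack_into("<HHIIIHH", image, coff, 0x14C, number_of_sections_field, 0, 0, 0, 0xE0, 0x102)
    opt = coff + 20
    struct.pack_into("<H", image, opt, 0x10B)          # PE32 magic
    struct.pack_into("<I", image, opt + 16, 0x3800)    # AddressOfEntryPoint -> packer stub, not OEP
    struct.pack_into("<I", image, opt + 28, 0x400000)  # ImageBase
    struct.pack_into("<I", image, opt + 32, 0x1000)    # SectionAlignment
    struct.pack_into("<I", image, opt + 36, 0x200)     # FileAlignment
    struct.pack_into("<I", image, opt + 92, 16)        # NumberOfRvaAndSizes
    struct.pack_into("<II", image, opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT, 0x3000, 0x80)
    table = opt + 0xE0
    for i, (name, va, size) in enumerate(sections):
        struct.pack_into("<8sIIIIIIHHI", image, table + i * SECTION_HEADER_SIZE,
                         name, size, va, size, va, 0, 0, 0, 0, 0xE0000020)
    image[oep_rva:oep_rva + len(oep_code)] = oep_code
    return bytes(image)


def parse_headers(image):
    """MZ -> e_lfanew -> 'PE' -> COFF -> optional header: the 50+ bytes you
    read in the memory window before trusting a dump."""
    if image[:2] != IMAGE_DOS_SIGNATURE:
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != IMAGE_NT_SIGNATURE:
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    _, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20
    if struct.unpack_from("<H", image, opt)[0] != 0x10B:
        raise ValueError("only PE32 handled here")
    imp_rva, imp_size = 0, 0
    if struct.unpack_from("<I", image, opt + 92)[0] > IMAGE_DIRECTORY_ENTRY_IMPORT:
        imp_rva, imp_size = struct.unpack_from("<II", image, opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT)
    return {"coff_off": coff, "optional_header_off": opt, "section_table_off": opt + opt_size,
            "number_of_sections": nsect,
            "entry_point_rva": struct.unpack_from("<I", image, opt + 16)[0],
            "image_base": struct.unpack_from("<I", image, opt + 28)[0],
            "import_rva": imp_rva, "import_size": imp_size}


def count_section_headers(image, section_table_off):
    """Count headers actually present (stop at the first all-zero header);
    this is what NumberOfSections should say."""
    count = 0
    for i in range(MAX_SECTIONS):
        off = section_table_off + i * SECTION_HEADER_SIZE
        if off + SECTION_HEADER_SIZE > len(image) or image[off:off + SECTION_HEADER_SIZE] == bytes(SECTION_HEADER_SIZE):
            break
        count += 1
    return count


def repair_section_count(image):
    """Return (image, old, new); rewrite NumberOfSections when it disagrees
    with the section table (telock's FFFF trick). Do this BEFORE dumping."""
    hdr = parse_headers(image)
    old, new = hdr["number_of_sections"], count_section_headers(image, hdr["section_table_off"])
    fixed = bytearray(image)
    struct.pack_into("<H", fixed, hdr["coff_off"] + 2, new)
    return bytes(fixed), old, new


def park_at_oep(image, oep_rva):
    """'e eip eb fe': overwrite two bytes at the OEP with JMP $ so the target
    spins there while you dump. Returns (patched image, saved bytes)."""
    saved, patched = bytes(image[oep_rva:oep_rva + 2]), bytearray(image)
    patched[oep_rva:oep_rva + 2] = JMP_SELF
    return bytes(patched), saved


def fix_dump(dump, oep_rva, saved):
    """Put the saved bytes back and point AddressOfEntryPoint at the OEP,
    the edit you would otherwise make in PEditor after dumping."""
    fixed = bytearray(dump)
    fixed[oep_rva:oep_rva + 2] = saved
    struct.pack_into("<I", fixed, parse_headers(dump)["optional_header_off"] + 16, oep_rva)
    return bytes(fixed)


# Constructed demo target: three sections, section count spoofed to 0xFFFF.
SAMPLE_OEP, SAMPLE_OEP_CODE = 0x1000, b"\x55\x8B\xEC\x6A\xFF"   # push ebp; mov ebp,esp; push -1
SAMPLE = build_sample_image(0xFFFF, [(b".text", 0x1000, 0x1000), (b".rdata", 0x2000, 0x1000),
                                     (b".idata", 0x3000, 0x1000)], SAMPLE_OEP, SAMPLE_OEP_CODE)

if __name__ == "__main__":
    fixed, old, new = repair_section_count(SAMPLE)
    parked, saved = park_at_oep(fixed, SAMPLE_OEP)
    print(f"sections {old:#06x} -> {new}, IT at RVA {parse_headers(fixed)['import_rva']:#x}, "
          f"dump OK: {fix_dump(parked, SAMPLE_OEP, saved)[SAMPLE_OEP:SAMPLE_OEP + 5] == SAMPLE_OEP_CODE}")
```

Run stand-alone it prints the repaired section count, the import directory RVA (where the IT lives, the thing to dump before the packer destroys it) and confirms that the JMP $ bytes were put back. The walk stops at PE32; a PE32+ header has a different optional-header layout and is deliberately rejected rather than misread.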

SplAj
April 25th, 2001, 08:06
Ok it's up .... try the telock tut .....and

OMG IT IS ALL SO NAFF, so old and dated......but still I have some good ideas to put in there...... I have a lot of work to do to bring it into 2001!

CYA

mini me

Muad'Dib
April 25th, 2001, 11:17
Hey +SplAj...I would like to have the archive of the site to put on my site (http://muaddib.immortaldescendants.org) because I recently decided the purpose of my site should be an archive of the best cracking sites...if you could mail it to me I would appreciate it! Thanks.

JMI
April 25th, 2001, 15:59
Could you post a URL for the restored website please. Google can't find Discompress or discompress.com. Thanx.

SplAj
April 26th, 2001, 04:04
Hi.....but it's not a 'crack' site, just a 'prep' site, like a school, for newbies, and the idea I had was just to concentrate on unpacking MANUALLY using as few 'tools' as possible but to MAXIMISE the brain! - the best tool available with a little training.

From my own experience trying to follow some unpacking tuts it was all rather confusing ....I thought that a centralised place for unpacking info was needed ...so www.discompress.com was born.

I borrowed the name from some unpacking tut in translated French

If I could help a few new RCE on the right path then I am happy :-D

I want to update it soon. I should have a bit of time in the vacation period again to update it and bring in some up-to-date tuts using Revirgin and the new features in icedump and PEditor 1.7 etc etc.

You know the problem is it is really hard to put down some HTML explaining it. Someone once complained about the quality of tuts. He was right, the focus is usually on the lines of "do this, do that, voila, bob's yer uncle, tac tac , aren't i clever dude" :-(

To make a proper tut complete with the real scenario and a comprehensive follow-through is labor intensive :-( cos newbies take a tut VERBATIM and then apply it to the next target, which has usually evolved! - because of the tut! and the newbie gets frustrated cos he can't find memory location 167:4512AD in the new target!.......ASprotect and ASpack are prime examples of this evolution cycle.

let me update it before I package it up for you.

+SplAj

Clandestiny
April 26th, 2001, 08:59
+SplAj,

Thanks man for uploading the site. Your newbie tuts are actually quite good (some of the better ones I've seen so far). For the most part, I try not to follow tuts as a "recipe book" but more as a reference applied to different but similar targets. IMO, it's more interesting that way.

Regards,
Clandestiny

+SplAj
April 26th, 2001, 09:18
Clandestiny, thats the way...

The brain beats all protections NOT a tut......

So did you like my te!lock 0.71 tut? I ran through it again myself and it is pretty comprehensive. Should make you think about what you are trying to achieve!

te!lock .80 is the latest and I did some notes a few weeks ago on theEgoiste's new tricks and will write a new tut 'soon' - his section renaming spoof is a nice touch.

+SplAj

Clandestiny
April 27th, 2001, 20:59
Quote:
+SplAj (04-25-2001 23:18):
So did you like my te!lock 0.71 tut? I ran through it again myself and it is pretty comprehensive. Should make you think about what you are trying to achieve!
+SplAj

Hi again +SplAj,

Heh, I knew there was a reason the te!lock tut was under the "advanced" section !!!

I'm currently giving it a go (and learning a lot in the process). I reread the PE docs and the suggested import rebuilding tut with a fair degree of comprehension, but I'm finding that applying the theory is a whole different ballgame. Following the steps in the tut is no problem...BUT understanding the rationale behind each one of them is a bit more challenging, being as I'm the newest newbie to manual unpacking. At the risk of asking a lame question, one thing that is puzzling me is the debugger detection. After setting a bpx on LoadLibraryA, I'm in the loop at 004C4E8. Here it was my first impulse to set a bpx directly after the jump so as to get myself out of the loop and continue single-step tracing through the code. Alas, shortly thereafter, I'm thrown out w/ an ExitProcess() and a "Debugger Detected" MessageBox. What exactly is the procedure to escape from this detection portion of code? In contrast, in your tut you go on to set some additional bpm's which avoid this problem ??? ...but like I said, my first impulse is to first single-step through this unfamiliar code. Likely there is some simplistic solution for this, but it has me stumped. Of course I have IceDump loaded (version 6.3) with "/protect on". Needless to say, I have a few additional ?'s, but I'd like to clear up this debugger detection issue and snoop around in te-lock's code a little more before asking them.

Definitely I have a LOT yet to learn about unpacking!!!

Cheers,
Clandestiny

PS. You know you've opened up a can of worms getting me to look at te-lock ... ??'s * infinity

Clandestiny
April 28th, 2001, 12:08
Scratch that last debugger detection problem I mentioned... After tracing a little more carefully I was able to bypass the "Debugger Detected" check. The SMC confused the issue a bit for me at first since I'm not used to tracing code that changes right before my very eyes. Needless to say, after single-step tracing for quite some time, excepting a few carefully set bpx's to speed my way through the loops, I have concluded that tracing the entire unpacking routine is not the way to go. This was my approach for UPX and PECompact, and though it was admittedly not the most efficient method it was not unfeasible, since it allowed me to get familiar with the feel of packer code minus SMC. With te-lock though, I'm quickly concluding that a more efficient use of the bpx and bpm (as you illustrated in your tut) is a better approach.

Stumbling onwards through the codewoods...

Clandestiny