Help needed to unpack and disassemble file
Mogsey
October 7th, 2001, 13:44
Can anybody please help me to unpack and disassemble a file? I have tried all the file analysis tools to try and detect what type of security system it is using and none of them can recognise it. Is it possible that the original programmer has created their own security system? I have tried opening the file using IDA Pro 4.0 but it only opens a small sample of code and the rest comes up unexplored.
Any help will be most appreciated, as I have spent nearly 2 weeks trying to crack the file and got nowhere.
Thanks
Mogsey
Unregistered
October 7th, 2001, 13:50
Which file? URL?
donMAMAvomito
October 7th, 2001, 14:07
greetings
exactly..which target are you talking about..
give the url..so that i may be able to further this..
best regards
donMAMAvomito
Mogsey
October 7th, 2001, 14:23
It's an .exe file; if it would help I can email it to you.
Thanks
donMAMAvomito
October 7th, 2001, 22:41
greetings
first: is this application downloadable from the net? if so I will obtain a copy for myself and unpack it..it will save you the trouble of mailing it to me...
also..is it a DOS or a Win32 app...
here are some tips for you to try your hands once more...
first..assuming it's a VC++/BC++ app..(no VB/Delphi please..)
* try Symbol Loader of NuMega..if proggy does not break at start with [invalid] values (change the .code section characteristics to make it break..I will not explain this in detail..Fravia's essays should make it clear)
* ok now do a bpx getversion and press F5..
* proggy will hopefully break..look at the code window and see that the name is the same as that of the proggy; if so you have arrived at the start section..go back a few lines to something like this
xxxx: push ebp
      mov ebp,esp
      ..
      ..
      ..
note down the value of (xxxx); this is the OEP (original entry point)..if the code window shows a DLL or anything else keep pressing F5...
* ok now clear all breakpoints (bc *) and load the exe once more using Symbol Loader..set bpx xxxx (you noted it down)..
press F5..the proggy will break..assemble jmp eip at current eip..remember to note down the original bytes that get overwritten..
* do a procdump/icedump/adump whatever...
* change the PE entry point to the noted (xxxx) and replace the overwritten bytes using a hex editor..
* exe is now unpacked and ready to run..
this is a very general technique and must be adapted...like for example...screwed up IATs..or even VB or Delphi appz..for that matter even encrypted sections that are decrypted at runtime...
CRC checks...
just use your brain...
keep me posted...
best regards
donMAMAvomito
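The last two steps of the procedure above (repoint the PE entry point at the noted OEP and put back the bytes the jmp eip overwrote) as an added example; this is not code from the thread or its posters. It is a small Python PE32 header walker run against a constructed minimal image, and the section lookup also shows where the current entry point lives, which is a quick first check when deciding whether a file is packed at all.

```python
import struct

# Constructed minimal PE32 image used only as sample input (not a real program).
def build_sample_pe(entry_rva, text_bytes):
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                 # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)                                               # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                               # Magic = PE32
    struct.pack_into("<I", opt, 16, entry_rva)                          # AddressOfEntryPoint
    # One section, .text: VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    sec = b".text".ljust(8, b"\0") + struct.pack("<IIII", 0x1000, 0x1000, 0x200, 0x200) + b"\0" * 16
    return (dos + coff + bytes(opt) + sec).ljust(0x200, b"\0") + text_bytes.ljust(0x200, b"\0")

def parse_pe(data):
    """Return (file offset of the optional header, [(name, va, vsize, rawptr, rawsize), ...])."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt = e_lfanew + 24                                   # optional header follows the COFF header
    first_sec = opt + struct.unpack_from("<H", data, e_lfanew + 20)[0]
    sections = []
    for off in range(first_sec, first_sec + 40 * nsec, 40):
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append((name, va, vsize, rawptr, rawsize))
    return opt, sections

def section_of(rva, sections):
    for sec in sections:
        if sec[1] <= rva < sec[1] + max(sec[2], sec[4]):
            return sec
    raise ValueError("RVA 0x%x is not backed by any section" % rva)

def entry_point(data):
    """(AddressOfEntryPoint, name of the section holding it); a stub outside the code section hints at a packer."""
    opt, sections = parse_pe(data)
    ep = struct.unpack_from("<I", data, opt + 16)[0]
    return ep, section_of(ep, sections)[0]

def restore_oep(data, oep_rva, saved_bytes):
    """Point AddressOfEntryPoint at the noted OEP and put back the bytes the temporary jmp eip (EB FE) overwrote."""
    out = bytearray(data)
    opt, sections = parse_pe(out)
    struct.pack_into("<I", out, opt + 16, oep_rva)
    sec = section_of(oep_rva, sections)
    off = sec[3] + (oep_rva - sec[1])                     # RVA -> file offset via the section table
    out[off:off + len(saved_bytes)] = saved_bytes
    return bytes(out)

# Constructed dump: stub entry at RVA 0x1100; OEP 0x1000 still holds the jmp eip written over "push ebp; mov ebp,esp".
SAMPLE_DUMP = build_sample_pe(0x1100, b"\xEB\xFE\xEC\xC3")
FIXED = restore_oep(SAMPLE_DUMP, 0x1000, b"\x55\x8B")   # the two bytes noted before the jmp eip was assembled
```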
Mogsey
October 8th, 2001, 05:03
Thank you for the informative reply. I will give it a try and let you know the results.
Thanks
Mogsey