
Remove Anti-Disassembling-Tricks


Mefeus
May 28th, 2002, 15:10
Well I was walking around over all the posts here (and of course used the "search"-Button) to get all infos about this.

My problem was:
Some *.exe was able to crash my W32dasm893, when I tried to open them.

Questions:
Is Imhotep the right (and only) tool to remove all the known anti-disassembling tricks?
What is the last version? (mine is 1.7.0.8)
Where to get a newer one, if exists?

Does Imhotep remove all the known anti-debugging-tricks from a file which is protected like SD2?

Thanx for any help!

CoDe_InSiDe
May 28th, 2002, 15:36
Hi Mefeus,

Does Imhotep remove Anti-stuff ?
I thought it only removed Obfuscation code hmm...

Cya...

CoDe_InSiDe

Mefeus
May 28th, 2002, 15:55
This is the problem with all kinds of boards:
Don't search for the topics - even find the good ones.

But yes, I have seen posts, where they talked about anti-disassembling and promised on Imhotep - it isn't only some kinda cosmetics for your lovely PE-File.

Cirkutz told me:
400000 JMP 401000

401000 JMP 400000
Such infinite jumps are one of the bastards.

What else?

crUsAdEr
May 28th, 2002, 17:25
Hi mefeus,

Have you tried using IDA??? it should work...

Also, to make W32dasm disassemble correctly, you have to patch those jumps I guess... usually, each prog uses the same method of obfuscation, hence you can try to code a simple file scanner to nop out those jmps... but IDA is THE tool to use man :>>

good luck
crUsAdEr

foxthree
May 28th, 2002, 18:20
Alternatively, you can also use MOW. It is supposed to be a superb obfuscator remover! Alas, I don't have a copy that I can upload here.

Signed,
-- FoxThree

MTB
May 30th, 2002, 03:07
The latest version of IDA, version 4.17, will get rid of most of the crap put in. W32dasm will not work on most of this stuff unless you patch all those jumps; I always miss one or two, which screws stuff up. FYI, IDA is very powerful in this regard; however, it is so SLOW, start it overnight on any good size exe (>10Mb). I had one example that took +24 hours on an 800 MHz AMD machine running 98SE.

MTB

Mefeus
May 30th, 2002, 09:13
Well I have seen IDA once upon a time and it does not look embracing to me, that's why I'm still using W32dasm as first (and from the beginning of course) - maybe I have to give IDA a second chance.
MOW is dug in my archive here, don't need a link to this, I will try it on the weekend, maybe it's surprising.

Thanx all, hope it worx!

JMI
June 2nd, 2002, 17:02
Mefeus:

If you review this thread you will find some directions to information on anti-disassembler tricks contained in the AntiCrack Archive.

http://www.woodmann.net/forum/showthread.php?threadid=3239


Regards.

Mefeus
June 3rd, 2002, 12:19
Thanx JMI, why the hell didn't I find it???

Maybe there IS something wrong with this mysterious "Search"-Button?


JMI
June 3rd, 2002, 17:46
Mefeus:

The reason that a search would not have "discovered" my post with the references to the anti-disassembler materials is that it was posted after you asked the question here. The search button is good, but has not yet developed the capability to predict what will be posted in the future.

Regards.

Mefeus
June 5th, 2002, 09:33
ANTI-WDASM trick
        mov     eax, edx
        jmp     loc_1
        db      0Fh             ; junk byte, never executed: a linear sweep takes
                                ; it as the first byte of a two-byte 0F xx opcode
loc_1:  inc     eax
        jmp     loc_2
        db      85h             ; junk byte, never executed: swallowed as the
                                ; opcode of a "test r/m32, r32"
loc_2:  call    sub_1

But I guess this will only give shit out in the disassembled output; it may not even make Wdasm crash suddenly when opening a file!
There must be a corruption in the PE-Header (some kinda killing-flag-combination or impossible segment-size).

Is it possible to insert a section with a negative size?
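The snippet above, as an added example that is not from the post or from any tool named in this thread: a toy decoder, constructed here, that disassembles those bytes both ways. A linear sweep (how W32Dasm walks code) swallows each junk byte as an opcode and mis-decodes everything behind it, while recursive descent (what IDA does) follows the jmps and reports the 0Fh and 85h bytes as data. The byte offsets, the rel8 encoding of the jumps and the location of sub_1 are my assumptions.

```python
# Toy x86-32 decoder: only the opcodes in the posted snippet plus the ones a linear
# sweep mis-reads its junk bytes into. Not a general disassembler.
REG = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
MNEM = {0x89: "mov", 0x01: "add", 0x85: "test"}          # "op r/m32, r32" forms
# Constructed bytes for the snippet (offsets assumed by me; sub_1 assumed at 0x1E):
#  0: 89 D0 mov eax,edx  2: EB 01 jmp loc_1  4: 0F db 0Fh  5: 40 inc eax
#  6: EB 01 jmp loc_2    8: 85 db 85h        9: E8 10 00 00 00 call sub_1
CODE = bytes.fromhex("89D0EB010F40EB0185E810000000")

def rel(code, i, size):
    return int.from_bytes(code[i:i + size], "little", signed=True)

def modrm(code, i):
    """ModR/M at code[i] -> (reg, r/m text, bytes used). SIB/disp32-only not needed."""
    mod, reg, rm = code[i] >> 6, (code[i] >> 3) & 7, code[i] & 7
    if mod == 3: return reg, REG[rm], 1
    n = {0: 1, 1: 2, 2: 5}[mod]
    disp = rel(code, i + 1, n - 1) if n > 1 else 0
    return reg, f"[{REG[rm]}+0x{disp & 0xffffffff:x}]" if disp else f"[{REG[rm]}]", n

def decode(code, i):
    """One instruction at offset i -> (text, length, branch target or None, is_jmp)."""
    op = code[i]
    if op in MNEM:
        r, rm, n = modrm(code, i + 1)
        return f"{MNEM[op]} {rm}, {REG[r]}", 1 + n, None, False
    if op == 0x40: return "inc eax", 1, None, False
    if op in (0xEB, 0xE8):                                 # jmp rel8 / call rel32
        size = 1 if op == 0xEB else 4
        t = i + 1 + size + rel(code, i + 1, size)
        return f"{'jmp' if op == 0xEB else 'call'} 0x{t:x}", 1 + size, t, op == 0xEB
    if op == 0x0F and code[i + 1:i + 2] == b"\x40":        # cmovo r32, r/m32
        r, rm, n = modrm(code, i + 2)
        return f"cmovo {REG[r]}, {rm}", 2 + n, None, False
    return f"db {op:02X}h", 1, None, False

def linear_sweep(code):
    """W32Dasm-style: decode every byte in order, never following branches."""
    out, i = [], 0
    while i < len(code):
        text, n, _, _ = decode(code, i); out.append((i, text)); i += n
    return out

def recursive_descent(code, entry=0):
    """IDA-style: follow control flow; bytes never reached are reported as data."""
    seen, work = {}, [entry]
    while work:
        i = work.pop()
        if i in seen or not 0 <= i < len(code): continue
        text, n, target, is_jmp = decode(code, i)
        seen[i] = (text, n)
        work += [t for t in (target, None if is_jmp else i + n) if t is not None]
    covered = {i + k for i, (_, n) in seen.items() for k in range(n)}
    return [(i, seen[i][0] if i in seen else f"db {code[i]:02X}h")
            for i in range(len(code)) if i in seen or i not in covered]
```

Running both over CODE shows the sweep turning "0F 40 EB" into "cmovo ebp, ebx" and "01 85 E8 10 00 00" into "add [ebp+0x10e8], eax", so the inc, the second jmp and the call all vanish; the descent listing matches the source.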