help on unpacking


klika
December 10th, 2002, 18:56
Hi, I'm a beginner and have a question about unpacking this program. The program won't load if SoftICE is loaded, and
when I load the program first and then SoftICE, Windows reboots. W32dsm89 also crashes; I can load it with IDA
and OllyDbg. PEiD reports that the file is Win32 PE File - GUI, pe-scan reports that no packer is found, but when I load
it into OllyDbg it reports "Compressed code? Quick statistical test of module TREK reports that its code section is
either compressed, encrypted or contains large amount of embedded data." Here is the beginning of the program, so can
you please take a look and point me in the right direction.


00412000 > $ E8 17190000 CALL TREK.0041391C
00412005 . 40 INC EAX
00412006 . F2:6F REPNE OUTS DX,DWORD PTR ES:[EDI] ; I/O command
00412008 . C3 RETN
00412009 A8 DB A8
0041200A AF DB AF
0041200B 05 DB 05
0041200C 99 DB 99
0041200D 07 DB 07
0041200E 5D DB 5D ; CHAR ']'
0041200F FF DB FF
00412010 18 DB 18
00412011 84 DB 84




0041391C $ F8 CLC
0041391D . 73 01 JNB SHORT TREK.00413920
0041391F A9 DB A9
00413920 . 60 PUSHAD
00413921 . 836C24 20 05 SUB DWORD PTR SS:[ESP+20],5
00413926 . F9 STC
00413927 . 72 06 JB SHORT TREK.0041392F
00413929 . 54 PUSH ESP
0041392A 2B DB 2B ; CHAR '+'
0041392B A2 DB A2
0041392C 5C DB 5C ; CHAR '\'
0041392D AF DB AF
0041392E D2 DB D2
0041392F . 8B5424 20 MOV EDX,DWORD PTR SS:[ESP+20]
00413933 . C1CF 20 ROR EDI,20 ; Shift constant out of range 1..31
00413936 . C602 D2 MOV BYTE PTR DS:[EDX],0D2
00413939 . C742 01 6EAF67>MOV DWORD PTR DS:[EDX+1],7367AF6E
00413940 . BF 1C190000 MOV EDI,191C
00413945 . BB 4292666F MOV EBX,6F669242
0041394A > C00A 0F ROR BYTE PTR DS:[EDX],0F
0041394D . C102 CC ROL DWORD PTR DS:[EDX],0CC ; Shift constant out of range 1..31
00413950 . 87C0 XCHG EAX,EAX
00413952 . 66:8102 15EF ADD WORD PTR DS:[EDX],0EF15
00413957 . C1C6 20 ROL ESI,20 ; Shift constant out of range 1..31
0041395A . 66:C102 10 ROL WORD PTR DS:[EDX],10
0041395E . 8002 8D ADD BYTE PTR DS:[EDX],8D
00413961 . 8032 A2 XOR BYTE PTR DS:[EDX],0A2
00413964 . EB 00 JMP SHORT TREK.00413966
00413966 > 802A 09 SUB BYTE PTR DS:[EDX],9
00413969 . 87D2 XCHG EDX,EDX
0041396B . 311A XOR DWORD PTR DS:[EDX],EBX
0041396D . 66:812A 3FEC SUB WORD PTR DS:[EDX],0EC3F
00413972 . 8102 02155647 ADD DWORD PTR DS:[EDX],47561502
00413978 . F8 CLC
00413979 . 73 02 JNB SHORT TREK.0041397D
0041397B . 40 INC EAX
0041397C 89 DB 89
0041397D . C10A BE ROR DWORD PTR DS:[EDX],0BE ; Shift constant out of range 1..31
00413980 . EB 01 JMP SHORT TREK.00413983
00413982 ? 08F9 OR CL,BH
00413984 . 72 04 JB SHORT TREK.0041398A
00413986 15 DB 15
00413987 32 DB 32 ; CHAR '2'
00413988 . 95 XCHG EAX,EBP
00413989 . 3F AAS
0041398A . 83C2 04 ADD EDX,4
0041398D . C1CB 77 ROR EBX,77 ; Shift constant out of range 1..31
00413990 . C1C6 20 ROL ESI,20 ; Shift constant out of range 1..31
00413993 . 83EF 04 SUB EDI,4
00413996 .^0F85 AEFFFFFF JNZ TREK.0041394A
0041399C . 61 POPAD
0041399D . C3 RETN
Program starts to loop in this part.




Also, when I attach to the process I can't see the part of the program in which I want to change a few jumps (when the program is in the main menu); that part becomes
visible only when I click on the button which starts that part of the program, so I can't patch it. Strings in that part are
not visible when the program is in the main menu. Is that some sort of realtime encryption/decryption? Here is that part when the program
is in the main menu, and after that is the listing which becomes visible when I click on the button that starts that part of the program.

00B9C5EF C7 ??? ; Unknown command
00B9C5F0 B8 81D64D42 MOV EAX,424DD681
00B9C5F5 7C 03 JL SHORT 00B9C5FA
00B9C5F7 092D 06122820 OR DWORD PTR DS:[20281206],EBP
00B9C5FD 2118 AND DWORD PTR DS:[EAX],EBX
00B9C5FF 21A2 BC554BE5 AND DWORD PTR DS:[EDX+E54B55BC],ESP
00B9C605 96 XCHG EAX,ESI
00B9C606 57 PUSH EDI
00B9C607 4A DEC EDX
00B9C608 90 NOP

when the button is clicked:

00B9C5EB 8B95 78FBFFFF MOV EDX,DWORD PTR SS:[EBP-488]
00B9C5F1 B8 F0CBB900 MOV EAX,0B9CBF0
00B9C5F6 E8 6D8BF4FF CALL 00AE5168
00B9C5FB 85C0 TEST EAX,EAX
00B9C5FD 74 16 JE SHORT 00B9C615
00B9C5FF B9 00CCB900 MOV ECX,0B9CC00
00B9C604 B2 01 MOV DL,1
00B9C606 A1 FC69B900 MOV EAX,DWORD PTR DS:[B969FC]
00B9C60B E8 000FF5FF CALL 00AED510
00B9C610 E8 E77EF4FF CALL 00AE44FC
00B9C615 8D95 74FBFFFF LEA EDX,DWORD PTR SS:[EBP-48C]
00B9C61B 8BC3 MOV EAX,EBX
00B9C61D 8B08 MOV ECX,DWORD PTR DS:[EAX]
00B9C61F FF51 1C CALL DWORD PTR DS:[ECX+1C]
00B9C622 8B95 74FBFFFF MOV EDX,DWORD PTR SS:[EBP-48C]
00B9C628 B8 30CCB900 MOV EAX,0B9CC30
00B9C62D E8 368BF4FF CALL 00AE5168
00B9C632 85C0 TEST EAX,EAX
00B9C634 0F85 A9000000 JNZ 00B9C6E3
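
The loop at 0041394A..00413996 in the first listing can be emulated statically instead of being stepped through in a debugger that the target refuses to run under. The Python below is an added example written for this thread; it is not klika's code and nothing in it comes from the program itself beyond the constants visible in the listing. It reproduces, in order, every instruction that touches [EDX], applies the per-iteration ROR EBX,77 key schedule, and first overwrites the five bytes at 00412000 the way the stub does (MOV BYTE PTR [EDX],0D2 / MOV DWORD PTR [EDX+1],7367AF6E), since EDX = return address - 5 points back at the CALL. It assumes the x86 rule that rotate counts are masked to 5 bits and then reduced modulo the operand width, which is why OllyDbg flags 0CC, 0BE and 77 as out of range while the instructions still execute as ROL 12, ROR 30 and ROR 23. The region is 0x191C bytes, i.e. exactly 00412000 up to the decryptor at 0041391C. The function names (`decrypt_region`, `unpack_region`, `pack_region`) are this example's own, and `encrypt_dword`/`pack_region` exist only to build constructed test data.

```python
"""Static emulation of the decryption stub at 0041391C (added example, not from the post).

Operates on the 0x191C-byte region that starts at the CALL at 00412000; the
stub computes EDX = (return address) - 5, so that CALL is the first dword.
All constants come from the posted listing; the function names are ours.
"""
import struct

MASK32 = 0xFFFFFFFF
REGION_LEN = 0x191C                          # MOV EDI,191C; SUB EDI,4 per dword
INITIAL_KEY = 0x6F669242                     # MOV EBX,6F669242
STUB_PREFIX = bytes.fromhex("D26EAF6773")    # MOV BYTE [EDX],D2 / MOV DWORD [EDX+1],7367AF6E


def rol(value, count, bits):
    """x86 ROL: the count is masked to 5 bits, then reduced modulo the operand width."""
    count = (count & 0x1F) % bits
    mask = (1 << bits) - 1
    value &= mask
    if count == 0:
        return value
    return ((value << count) | (value >> (bits - count))) & mask


def ror(value, count, bits):
    """x86 ROR with the same count semantics as rol()."""
    count = (count & 0x1F) % bits
    return rol(value, bits - count, bits) if count else value & ((1 << bits) - 1)


def _low(d, bits, new):
    """Replace the low `bits` of dword d with `new` (byte/word ops only touch [EDX])."""
    mask = (1 << bits) - 1
    return (d & ~mask) | (new & mask)


def decrypt_dword(d, key):
    """One pass of the loop body 0041394A..0041397D over the dword at [EDX]."""
    d = _low(d, 8, ror(d & 0xFF, 0x0F, 8))          # ROR BYTE PTR [EDX],0F   (count 7)
    d = rol(d, 0xCC, 32)                             # ROL DWORD PTR [EDX],0CC (count 12)
    d = _low(d, 16, (d & 0xFFFF) + 0xEF15)           # ADD WORD PTR [EDX],0EF15
    d = _low(d, 16, rol(d & 0xFFFF, 0x10, 16))       # ROL WORD PTR [EDX],10   (16 mod 16 = 0)
    d = _low(d, 8, (d & 0xFF) + 0x8D)                # ADD BYTE PTR [EDX],8D
    d ^= 0xA2                                        # XOR BYTE PTR [EDX],0A2
    d = _low(d, 8, (d & 0xFF) - 9)                   # SUB BYTE PTR [EDX],9
    d ^= key                                         # XOR DWORD PTR [EDX],EBX
    d = _low(d, 16, (d & 0xFFFF) - 0xEC3F)           # SUB WORD PTR [EDX],0EC3F
    d = (d + 0x47561502) & MASK32                    # ADD DWORD PTR [EDX],47561502
    return ror(d, 0xBE, 32)                          # ROR DWORD PTR [EDX],0BE (count 30)


def encrypt_dword(d, key):
    """Exact inverse of decrypt_dword; used only to build constructed test images."""
    d = rol(d, 0xBE, 32)
    d = (d - 0x47561502) & MASK32
    d = _low(d, 16, (d & 0xFFFF) + 0xEC3F)
    d ^= key
    d = _low(d, 8, (d & 0xFF) + 9)
    d ^= 0xA2
    d = _low(d, 8, (d & 0xFF) - 0x8D)
    d = _low(d, 16, ror(d & 0xFFFF, 0x10, 16))
    d = _low(d, 16, (d & 0xFFFF) - 0xEF15)
    d = ror(d, 0xCC, 32)
    return _low(d, 8, rol(d & 0xFF, 0x0F, 8))


def _walk(region, key, step):
    """Apply `step` to every little-endian dword, rotating the key as the stub does."""
    if len(region) % 4:
        raise ValueError("region length must be a multiple of 4 (SUB EDI,4 / JNZ)")
    buf = bytearray(region)
    for off in range(0, len(buf), 4):
        (d,) = struct.unpack_from("<I", buf, off)
        struct.pack_into("<I", buf, off, step(d, key))
        key = ror(key, 0x77, 32)                     # ROR EBX,77 (count 23) each iteration
    return bytes(buf)


def decrypt_region(region, key=INITIAL_KEY):
    """The loop alone, starting from the given EBX."""
    return _walk(region, key, decrypt_dword)


def pack_region(plain, key=INITIAL_KEY):
    """Inverse of decrypt_region (constructs test images; not part of the target)."""
    return _walk(plain, key, encrypt_dword)


def unpack_region(region, key=INITIAL_KEY):
    """What the stub actually does: overwrite its own CALL bytes, then run the loop."""
    patched = STUB_PREFIX + bytes(region[len(STUB_PREFIX):])
    return decrypt_region(patched, key)


if __name__ == "__main__":
    import sys
    # Usage: python unpack_trek.py <file> <file offset that maps to 00412000>
    path, offset = sys.argv[1], int(sys.argv[2], 0)
    with open(path, "rb") as fh:
        fh.seek(offset)
        data = fh.read(REGION_LEN)
    sys.stdout.buffer.write(unpack_region(data))
```

Feed it the 0x191C bytes that the section table maps to 00412000 and load the output as a binary blob in IDA at that address; the result is what the process would hold after RETN at 0041399D. The second listing (code at 00B9C5xx that only appears once the button is clicked) lies outside this region, so it is a separate runtime layer that this loop does not decode.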

crUsAdEr
December 11th, 2002, 01:42
Hi klika,

For this kind of program using obfuscation, your best bet is to use IDA to disassemble it... then you can disassemble and study it properly.. it has a nice IDC script feature which allows you to modify the disassembly, remove garbage code etc...

What target is that? Looks like a crackme to me?

cheers
crUsAdEr