Pyrae
July 31st, 2003, 19:39
Quote:
However, before I continue, I'm just wondering if anyone else has messed with Thinstall before? Are all the juicy parts of the code remote executed, or downloaded? Or perhaps is it a simple data transfer? If someone else already knows they are remote executed for sure, then it'll be pointless wasting time on this and I'll go find something else to play with
The critical parts (packing routines) are certainly not executed remotely as there's only very little traffic during the execution.
What I noticed at a quick glance I took at this target some time ago was that the dumped main exe has grown about 20kb after executing the protected functions. So it seems like this code has been transferred for usage. Maybe checking the network traffic with an appropriate tool while debugging might lead somewhere.
I know that nobody on this board releases his/her stuff, but be aware that there might be some info (e.g. your IP) transferred and "integrated" into your dump that could make it possible to identify you.
regards,
Pyrae