Is this packer new??
Zilot
August 18th, 2003, 11:22
I don't know if this packer is old.
PeId can't recognize it. I never dealt with it before. I posted it because there is some attempt to avoid OEP finding by stack overloading via an infinite calling loop.
Then it generates some kind of exception.
I found the OEP, but the earlier methods for it failed. After that everything was easy;
if one wants to try for himself, here is the info:
EventHelix.com/EventStudio
This should be an event charter, but it is almost useless compared to the competition.
Tola
August 18th, 2003, 11:49
Click the 'buy' button and see what happens.
Shoob
August 18th, 2003, 12:47
Looks like a Vbox clone. OEP is 432E54 as you know, so what's actually your problem? Set a breakpoint on the 2 crypted thunks (first kernel32, second user32.dll) in Olly and follow them (go into jmp eax); they are stored there uncrypted. Or set a breakpoint where the APIs (stored in dwords) get moved to eax; that's much easier. I have attached the IAT so you can compare.
Not anymore you haven't...
Anyone interested in the IAT, PM me....
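The "follow the crypted thunk into jmp eax" step above is easy to do by hand in Olly for two thunks, but the same walk can be scripted for a whole IAT. The following is an added example, not code from this thread or from any unpacking tool; it assumes one common stub shape (mov eax,[slot] / xor eax,key / jmp eax, or a plain jmp dword ptr [slot]) and runs over a constructed memory image whose addresses and "API" values are made up for the example.

```python
"""Statically follow obfuscated import thunks to recover the real API address.

Added example, not code from the thread. Assumed stub layouts (real packers vary):
    A1 imm32      mov eax, [slot]        load the obfuscated API pointer
    35 imm32      xor eax, key           decode it (05/2D = add/sub also handled)
    FF E0         jmp eax                tail-jump to the real API
    FF 25 imm32   jmp dword ptr [slot]   un-obfuscated thunk, read slot directly
"""
import struct

# Constructed memory image; every address/value below is invented for the example.
BASE = 0x401000
API_KERNEL32 = 0x7C801234      # stands in for a kernel32 export
API_USER32 = 0x77D45678        # stands in for a user32 export
XOR_KEY = 0xDEADBEEF
SLOT_A = BASE + 0x100          # dword holding API_KERNEL32 ^ XOR_KEY
SLOT_B = BASE + 0x104          # dword holding API_USER32 in the clear
STUB_A = BASE                  # crypted thunk: mov eax,[SLOT_A]; xor eax,KEY; jmp eax
STUB_B = BASE + 0x20           # plain thunk:   jmp dword ptr [SLOT_B]
STUB_C = BASE + 0x40           # unsupported stub (int3); the resolver must give up

def build_memory() -> bytearray:
    mem = bytearray(0x200)
    def put(addr, data):
        mem[addr - BASE:addr - BASE + len(data)] = data
    put(STUB_A, b"\xA1" + struct.pack("<I", SLOT_A)
               + b"\x35" + struct.pack("<I", XOR_KEY) + b"\xFF\xE0")
    put(STUB_B, b"\xFF\x25" + struct.pack("<I", SLOT_B))
    put(STUB_C, b"\xCC")
    put(SLOT_A, struct.pack("<I", API_KERNEL32 ^ XOR_KEY))
    put(SLOT_B, struct.pack("<I", API_USER32))
    return mem

def read_u8(mem, addr):
    off = addr - BASE
    if not 0 <= off < len(mem):
        raise ValueError(f"read outside image: {addr:#x}")
    return mem[off]

def read_u32(mem, addr):
    off = addr - BASE
    if not 0 <= off <= len(mem) - 4:
        raise ValueError(f"read outside image: {addr:#x}")
    return struct.unpack_from("<I", mem, off)[0]

def follow_thunk(mem, addr, max_insns=16):
    """Walk the stub at addr, emulating only the eax-based instructions a thunk
    uses. Returns (api_address, trace); api_address is None if the stub uses
    an opcode we do not model, so a human has to look at it in the debugger."""
    eax = None
    pc = addr
    trace = []
    for _ in range(max_insns):
        op = read_u8(mem, pc)
        if op == 0xA1:                                   # mov eax, [imm32]
            slot = read_u32(mem, pc + 1)
            eax = read_u32(mem, slot)
            trace.append(f"{pc:#x}: mov eax,[{slot:#x}] -> eax={eax:#x}")
            pc += 5
        elif op in (0x35, 0x05, 0x2D):                   # xor/add/sub eax, imm32
            if eax is None:
                trace.append(f"{pc:#x}: arithmetic on eax before it was loaded")
                return None, trace
            imm = read_u32(mem, pc + 1)
            if op == 0x35:
                eax ^= imm
                trace.append(f"{pc:#x}: xor eax,{imm:#x} -> eax={eax:#x}")
            elif op == 0x05:
                eax = (eax + imm) & 0xFFFFFFFF
                trace.append(f"{pc:#x}: add eax,{imm:#x} -> eax={eax:#x}")
            else:
                eax = (eax - imm) & 0xFFFFFFFF
                trace.append(f"{pc:#x}: sub eax,{imm:#x} -> eax={eax:#x}")
            pc += 5
        elif op == 0xFF and read_u8(mem, pc + 1) == 0xE0:  # jmp eax
            trace.append(f"{pc:#x}: jmp eax -> {eax:#x}" if eax is not None
                         else f"{pc:#x}: jmp eax with eax unknown")
            return eax, trace
        elif op == 0xFF and read_u8(mem, pc + 1) == 0x25:  # jmp dword ptr [imm32]
            slot = read_u32(mem, pc + 2)
            target = read_u32(mem, slot)
            trace.append(f"{pc:#x}: jmp dword ptr [{slot:#x}] -> {target:#x}")
            return target, trace
        else:
            trace.append(f"{pc:#x}: unsupported opcode {op:#04x}, stopping")
            return None, trace
    trace.append("instruction limit hit without reaching a jump")
    return None, trace

def rebuild_iat(mem, thunks):
    """Map each thunk address to the real API address it ends up jumping to."""
    return {t: follow_thunk(mem, t)[0] for t in thunks}

if __name__ == "__main__":
    image = build_memory()
    for thunk in (STUB_A, STUB_B, STUB_C):
        api, trace = follow_thunk(image, thunk)
        print(f"thunk {thunk:#x} -> {api:#x}" if api is not None else f"thunk {thunk:#x} -> unresolved")
        for line in trace:
            print("   ", line)
```

The resolved addresses are what you would then feed to the IAT rebuilder (matching them against the export tables of the loaded DLLs); any thunk that comes back as None is one to step through by hand, which is the "go into jmp eax" part of the advice above.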
Zilot
August 19th, 2003, 03:59
I have no problem, I just wanted to know what this is. Your OEP is good.
Quote:
Set a breakpoint on the 2 crypted thunks (first kernel32, second user32.dll) in Olly and follow them (go into jmp eax); they are stored there uncrypted. Or set a breakpoint where the APIs (stored in dwords) get moved to eax; that's much easier.
Have you ever tried to use the TrapFlag option in ImpRec? Look into that in the future!
Shoob
August 19th, 2003, 10:35
No, because my OS crashed when I used it.
Zilot
August 19th, 2003, 11:23
What is your OS? And which version of ImpRec do you use?
I tried to identify this packer with the new PeId 0.9, but it failed to do it. This must be something really tough; maybe we should write to the PeId makers to introduce them to our newly discovered packer. Or maybe they considered this packer too stupid to put into the database. I don't think so.
Zilot
August 19th, 2003, 11:28
Esther !?
Is this your work ------> "Not anymore you haven't..." and this ------> "PM me"?
dELTA
August 19th, 2003, 13:41
I removed the iat, and Shoob added the "pm me" when he saw that it was deleted.
Esther cannot edit other people's posts, since he's not a moderator.
dELTA
hobferret
August 19th, 2003, 14:52
Hi all
Zilot, you state: "I tried to identify this packer with the new PeId 0.9, but it failed to do it. This must be something really tough; maybe we should write to the PeId makers to introduce them to our newly discovered packer. Or maybe they considered this packer too stupid to put into the database. I don't think so."
You don't think so, eh?
Well, I D/L'd this prog and it took only 5 mins to remove the encryption.
IMHO it is pretty useless; let's just wait and see what the "old boys" think of this protection!
/hobferret
seven
August 20th, 2003, 04:05
I think this progge is packed.
With what, I don't know.