thegeek
December 12th, 2003, 08:56
Hi, first of all I would just like to say that I am forever grateful to the creators and admins of this forum.
Now, to my problem. Lately I've been playing around with some unpacking, and I must confess that I am still very much inexperienced at this great art.
I would however like to learn, and thus I have been playing around with some really simple packers, like UPX. Just recently I came across an app packed with ExeStealth 2.73, and I was initially at a complete loss as to how to approach it.
After some research (google) I managed to discover that the packer is more or less a complete rip of yoda's crypter.
With this information I proceeded to attempt unpacking, aided by a great howto by CoDe_InSiDe.
It is however for v1.1 of yoda's crypter, and I suspect that ExeStealth is based on 1.2.
In the howto the following code is mentioned:
Code:
xor al, al                  ; al = 00
lea edi, [ebp+00401C84]     ; Point edi to the beginning of the Decryption Routine.
mov ecx, 0000063E           ; Move 0000063E into ecx.
stosb                       ; And remove...
loop 0040D69E               ; ...1598 (63E) bytes (he could also use "repz stosb").
lea edi, [ebp+004022DE]     ; Point edi to the end of the Decryption Routine.
mov ecx, 000002E8           ; Move 000002E8 into ecx.
stosb                       ; And remove...
loop 0040D6AC               ; ...744 (2E8) bytes (he could also use "repz stosb").
popad                       ; Pop all registers back.
mov eax, FFFFFFFF           ; Move FFFFFFFF (it'll be the OEP) into eax.
push eax                    ; Push eax onto the stack.
jmp 0040D6B9                ; Jump to 0040D6B9 (skip the junk byte).
                            ; Junk byte (87).
ret                         ; And go to the OEP.
I have successfully located this code, and hopefully bypassed all the checks that are located earlier in the code.
However, in my target the code in question is different:
Code:
0048C7C7 32C0 XOR AL,AL
0048C7C9 8DBD B6274000 LEA EDI,DWORD PTR SS:[EBP+4027B6]
0048C7CF B9 35070000 MOV ECX,735
0048C7D4 AA STOS BYTE PTR ES:[EDI]
0048C7D5 ^E2 FD LOOPD SHORT winupdat.0048C7D4
0048C7D7 8DBD 482F4000 LEA EDI,DWORD PTR SS:[EBP+402F48]
0048C7DD B9 90050000 MOV ECX,590
0048C7E2 AA STOS BYTE PTR ES:[EDI]
0048C7E3 ^E2 FD LOOPD SHORT winupdat.0048C7E2
0048C7E5 61 POPAD
0048C7E6 50 PUSH EAX
0048C7E7 33C0 XOR EAX,EAX
0048C7E9 64:FF30 PUSH DWORD PTR FS:[EAX]
0048C7EC 64:8920 MOV DWORD PTR FS:[EAX],ESP
0048C7EF EB 01 JMP SHORT winupdat.0048C7F2
0048C7F1 8700 XCHG DWORD PTR DS:[EAX],EAX
As you can see there is no ret, and the code is a bit different.
I have tried inserting a ret, but the memory address is clearly just filled with junk.
What have I done wrong? Is this just some attempt to divert me?
I can monitor the memory area where I know the file will be unpacked, and then break there, but the code that writes it is seemingly unconnected to this part of the app.
Please, help a noob.

The howto I have been following is MUP_Yoda's_Crypter_v1.1.zip.
A simple search on google will immediately locate a place to download it.
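As an added worked example (not part of thegeek's post, and not code from CoDe_InSiDe's howto or from ExeStealth itself), here is a small Python script that parses the OllyDbg listing quoted above from its raw bytes and recovers what that stretch of the stub does: the two ranges the STOS/LOOPD pairs zero (EBP+4027B6 for 735h bytes and EBP+402F48 for 590h bytes), where each short branch really lands (computed from the rel8 byte rather than trusted from the disassembler's text), the single junk byte 87h that the JMP SHORT steps over, and the PUSH EAX / XOR EAX,EAX / PUSH FS:[EAX] / MOV FS:[EAX],ESP sequence, which is how a new SEH registration record is pushed with the value POPAD left in EAX as its handler. The relocation delta held in EBP is not known from the post, so the script takes it as a parameter and assumes 0; the listing text is copied from the post, and the instruction-pattern matching is the script's own heuristic, not anything the packer documents.

```python
"""Recover the wipe ranges, branch targets and SEH frame from an OllyDbg listing."""
from __future__ import annotations
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Listing lines copied from the forum post (address, raw bytes, disassembly).
LISTING = """\
0048C7C7 32C0 XOR AL,AL
0048C7C9 8DBD B6274000 LEA EDI,DWORD PTR SS:[EBP+4027B6]
0048C7CF B9 35070000 MOV ECX,735
0048C7D4 AA STOS BYTE PTR ES:[EDI]
0048C7D5 ^E2 FD LOOPD SHORT winupdat.0048C7D4
0048C7D7 8DBD 482F4000 LEA EDI,DWORD PTR SS:[EBP+402F48]
0048C7DD B9 90050000 MOV ECX,590
0048C7E2 AA STOS BYTE PTR ES:[EDI]
0048C7E3 ^E2 FD LOOPD SHORT winupdat.0048C7E2
0048C7E5 61 POPAD
0048C7E6 50 PUSH EAX
0048C7E7 33C0 XOR EAX,EAX
0048C7E9 64:FF30 PUSH DWORD PTR FS:[EAX]
0048C7EC 64:8920 MOV DWORD PTR FS:[EAX],ESP
0048C7EF EB 01 JMP SHORT winupdat.0048C7F2
0048C7F1 8700 XCHG DWORD PTR DS:[EAX],EAX
"""

@dataclass
class Insn:
    addr: int
    raw: bytes
    asm: str

    @property
    def end(self) -> int:          # address of the next instruction
        return self.addr + len(self.raw)

_HEX = re.compile(r"^[0-9A-F]+$")

def parse_listing(text: str) -> List[Insn]:
    """Split each OllyDbg line into address, opcode bytes and mnemonic text.
    OllyDbg marks backward branches with '^' and separates prefix bytes with
    ':' (64:FF30); both are stripped. Byte tokens are consumed until the first
    token that is not even-length hex (heuristic; fine for this listing)."""
    insns = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        raw, i = bytearray(), 1
        while i < len(parts):
            tok = parts[i].lstrip("^").replace(":", "")
            if not (_HEX.match(tok) and len(tok) % 2 == 0):
                break
            raw += bytes.fromhex(tok)
            i += 1
        insns.append(Insn(int(parts[0], 16), bytes(raw), " ".join(parts[i:])))
    return insns

def rel8_target(insn: Insn) -> int:
    """Target of a 2-byte LOOP (E2 rel8) or JMP SHORT (EB rel8): next EIP + rel8."""
    assert len(insn.raw) == 2 and insn.raw[0] in (0xE2, 0xEB)
    return insn.end + int.from_bytes(insn.raw[1:2], "little", signed=True)

def wipe_ranges(insns: List[Insn], ebp: int = 0) -> List[Tuple[int, int]]:
    """(start, length) of every region zeroed by LEA EDI,[EBP+x] / MOV ECX,n /
    STOSB / LOOPD-back-to-STOSB. LOOPD runs the one-byte store ECX times, so the
    region is exactly n bytes. ebp is the stub's relocation delta; the post does
    not give it, so 0 is assumed (image loaded at its expected base)."""
    found = []
    for i in range(len(insns) - 3):
        lea, mov, stos, loop = insns[i:i + 4]
        if not (lea.raw[:2] == b"\x8d\xbd" and len(lea.raw) == 6
                and mov.raw[:1] == b"\xb9" and len(mov.raw) == 5
                and stos.raw == b"\xaa" and loop.raw[:1] == b"\xe2"):
            continue
        if rel8_target(loop) != stos.addr:   # not a tight fill loop
            continue
        disp = int.from_bytes(lea.raw[2:6], "little")
        count = int.from_bytes(mov.raw[1:5], "little")
        found.append((ebp + disp, count))
    return found

def short_jump_skips(insns: List[Insn]) -> List[Tuple[int, int, bytes]]:
    """For each JMP SHORT: (jump addr, real target, bytes it steps over).
    A target inside a listed instruction means the disassembler was fed junk."""
    bytemap = {insn.addr + k: b for insn in insns for k, b in enumerate(insn.raw)}
    out = []
    for insn in insns:
        if insn.raw[:1] == b"\xeb":
            target = rel8_target(insn)
            skipped = bytes(bytemap[a] for a in range(insn.end, target) if a in bytemap)
            out.append((insn.addr, target, skipped))
    return out

def seh_frame_install(insns: List[Insn]) -> Optional[int]:
    """Address of PUSH EAX / XOR EAX,EAX / PUSH FS:[EAX] / MOV FS:[EAX],ESP.
    That pushes {prev fs:[0], handler=EAX} and links it at fs:[0], so any
    exception raised afterwards is dispatched to the address EAX held."""
    pattern = (b"\x50", b"\x33\xc0", b"\x64\xff\x30", b"\x64\x89\x20")
    for i in range(len(insns) - len(pattern) + 1):
        if all(insns[i + k].raw == p for k, p in enumerate(pattern)):
            return insns[i].addr
    return None

if __name__ == "__main__":
    insns = parse_listing(LISTING)
    for start, n in wipe_ranges(insns):
        print(f"zeroes {n:#x} ({n}) bytes at EBP+{start:08X}")
    for at, target, skipped in short_jump_skips(insns):
        print(f"JMP SHORT at {at:08X} lands at {target:08X}, skipping {skipped.hex()}")
    print(f"SEH frame installed at {seh_frame_install(insns):08X}")
```

Run it as-is to see the three findings; pass the EBP value read from the debugger to wipe_ranges to turn the displacements into the absolute ranges that will be zeroed, which is also where a memory breakpoint on writes would fire.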
