unknown packer


chlankboot
January 12th, 2004, 12:46
hi,
I have successfully reversed a packed program using SoftICE Driver Suite 2.6 under XP (it seems that this version is undetectable; I tried on another machine under Win98 and SoftICE v4: the program simply exits without any message).
The problem is not about the reversing itself. My question is this: does anyone know the packer used in this file? I have searched for about a month over the net (file analyzers, unpackers, ...) without any result.
Note that in the exe file I found the string "exestealth" (may be fake), but in the sections I found .upx00, .upx01, ..., coban2k (which is the guy who made an unpacker for UPX; is it to fool the unpacker???).
I also don't think the packing routine was made by the developers, since the program was coded in lazy VB.
I forgot to tell you that PEiD says: ASPack / ASProtect x.xx -> Alexey Solodovnikov, and there I'm really lost...
Thank you for your replies.

Zilot
January 12th, 2004, 13:15
Hmmm.... Maybe you unpacked Xtreme Protector!!!

Woodmann
January 12th, 2004, 19:39
Howdy,

Tell us how you unpacked it.
Maybe some code snippet to explain what you did.

Woodmann

doug
January 12th, 2004, 22:04
Quote:

using sice driver suite 2.6 under xp (seems that this version is undetectable


Could you expand on this? What makes it different from any other version before and after?

chlankboot
January 13th, 2004, 02:53
Quote:
[Originally Posted by Woodmann]Howdy,

Tell us how you unpacked it.
Maybe some code snippet to explain what you did.

Woodmann


I did not actually unpack it. All I did was dump it with ProcDump, set a bpx on callprocaddress and then step through the execution until I found the OEP (popad, jmp xxx). After that I changed the EP in the dumped file and disassembled it with IDA; this enabled me to analyse the code and find where I could apply the patch. Finally I used the +dza patcher to patch the file (adding a new section to the original exe).
Note that I am still learning the PE format and trying to find out what this patcher did exactly.
The unpacker unpacks a great part of its own code at runtime; that's why debugging was a little bit difficult and that's why a loader doesn't work (timing).
If you want I can mail you the IDB file.
Thanks.

chlankboot
January 13th, 2004, 03:07
Quote:
[Originally Posted by doug]Could you expand on this? What makes it different from any other version before and after?


All I know are simple observations (I have 2 machines, at home and in the office): under Win98 and SoftICE v4 (home) the program simply quits without any message, and even ProcDump crashes when trying to dump the file; under XP and SIDS 2.7 it runs (the program) perfectly and it is possible to debug it like any other program.
This is not the only case; I have seen this with many other programs that (I suppose) have routines to detect a debugger. A common example is a_c_r_o_b_a_t (writer), which behaves exactly the same.
I can't explain it, so it would be cool if anyone could explain to us what is supposed to happen and what the difference between the versions is.

chlankboot
January 13th, 2004, 08:08
Quote:
[Originally Posted by Zilot]Hmmm.... Maybe you unpacked Xtreme protector !!!

Sorry guy, it is not Xtreme Protector!
I downloaded the trial version and packed a VB exe with it; the differences are:

Xtreme Protector does not corrupt the original import table (imports are visible in the packed file)
it replaces the original .text section with a CODE section
it adds an XPROT section


As you can see, there are no .upx0, .upx1 and coban2k sections in the packed file.
(And I did not unpack it) not yet.

Zilot
January 13th, 2004, 08:59
Quote:
[Originally Posted by chlankboot]sorry guy it is not Xtreme protector!


Really!!!!!??????

evaluator
January 13th, 2004, 09:14
Well, if you see:
POPAD, JMP xxx

then you have unpacked UPX.
If the section names are different, they were probably changed.

That's all, folks.


**
Zilot, you use the wrong method with newbies.
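
The two header-level steps this thread keeps coming back to, reading the section table for packer-style names (evaluator's point that UPX0/UPX1 may simply be renamed, chlankboot's .upx0/.upx1/coban2k and XPROT/CODE observations) and rewriting the entry point of a dump to the OEP found behind the popad/jmp tail, as an added Python example. It is not code from this thread, from ProcDump, PEiD or the +dza patcher. The PE it parses is a constructed header-only PE32 sample (no real code); the section names, the image base and the OEP value 0x4012C0 are assumptions chosen to mirror the thread's description, and the name-to-packer table is a hint list built from what the posts report, not a signature database.

```python
import struct

# Section names the thread associates with packers. Hints only: as evaluator
# says, names are trivially renamed. Table is an assumption from the posts.
PACKER_SECTION_HINTS = {
    "upx0": "UPX-style section (unpacked image is written here)",
    "upx1": "UPX-style section (packed data and decompression stub)",
    "xprot": "Xtreme Protector (section added in chlankboot's trial test)",
    "code": "CODE replacing .text, seen in the Xtreme Protector test (weak hint)",
    "coban2k": "unpacker author's tag used as a section name (renamed section)",
}


def parse_pe(data):
    """Parse DOS/COFF/optional headers and the section table of a PE file
    (file layout, as a dumper writes it). Returns a dict; raises on junk."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    coff = e_lfanew + 4
    _machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                      # PE32: ImageBase is a DWORD at +28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:                    # PE32+: ImageBase is a QWORD at +24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    sections = []
    for i in range(nsec):                   # 40-byte IMAGE_SECTION_HEADERs
        off = opt + opt_size + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("latin-1")
        vsize, vaddr, rsize, rptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append({"name": name, "vsize": vsize, "vaddr": vaddr,
                         "rsize": rsize, "rptr": rptr})
    return {"image_base": image_base, "sections": sections,
            "entry_offset": opt + 16,       # AddressOfEntryPoint lives at +16
            "entry": struct.unpack_from("<I", data, opt + 16)[0]}


def section_for_rva(pe, rva):
    """Return the section containing an RVA, or None if it is outside all."""
    for s in pe["sections"]:
        if s["vaddr"] <= rva < s["vaddr"] + max(s["vsize"], s["rsize"]):
            return s
    return None


def packer_hints(pe):
    """List (section name, hint) pairs for names found in the hint table."""
    return [(s["name"], PACKER_SECTION_HINTS[s["name"].lower().lstrip(".")])
            for s in pe["sections"]
            if s["name"].lower().lstrip(".") in PACKER_SECTION_HINTS]


def set_entry_point(data, oep, is_va=True):
    """Rewrite AddressOfEntryPoint of a dump to the OEP seen in the debugger.
    A VA (as SoftICE shows it) is converted to an RVA via ImageBase, and the
    RVA must fall inside some section, otherwise the dump was taken wrong."""
    pe = parse_pe(data)
    rva = oep - pe["image_base"] if is_va else oep
    if rva < 0 or section_for_rva(pe, rva) is None:
        raise ValueError("OEP RVA 0x%x lies outside every section" % rva)
    patched = bytearray(data)
    struct.pack_into("<I", patched, pe["entry_offset"], rva)
    return bytes(patched)


def build_sample_pe(section_specs, entry_rva, image_base=0x400000):
    """Constructed header-only PE32 for demonstration; carries no code."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_specs), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)
    struct.pack_into("<I", opt, 28, image_base)
    secs = b"".join(struct.pack("<8sIIIIIIHHI", name.encode("latin-1"),
                                vsize, vaddr, vsize, 0, 0, 0, 0, 0, 0x60000020)
                    for name, vaddr, vsize in section_specs)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + secs


if __name__ == "__main__":
    # Constructed sample: UPX-style sections plus a renamed last section, with
    # the entry point inside the stub section, as the thread describes.
    sample = build_sample_pe([("UPX0", 0x1000, 0x20000), ("UPX1", 0x21000, 0x8000),
                              ("coban2k", 0x29000, 0x1000)], entry_rva=0x28F00)
    pe = parse_pe(sample)
    print("entry RVA 0x%x in %s" % (pe["entry"], section_for_rva(pe, pe["entry"])["name"]))
    for name, why in packer_hints(pe):
        print("section %-8s -> %s" % (name, why))
    fixed = parse_pe(set_entry_point(sample, 0x4012C0))   # assumed OEP VA
    print("fixed entry RVA 0x%x in %s" % (fixed["entry"],
                                          section_for_rva(fixed, fixed["entry"])["name"]))
```

The entry-point field sits at the same offset in PE32 and PE32+ headers, so only the ImageBase read differs between the two; the in-section check is what catches the usual mistake of typing the post-popad jump target with the wrong base. A dump patched this way still has the packer's import handling to deal with, which the thread does not cover.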

chlankboot
January 13th, 2004, 09:36
Quote:
[Originally Posted by Zilot]Really !!!!!??????

yes

chlankboot
January 13th, 2004, 10:03
evaluator, you are great.

Things became clearer about renaming the last section (coban2k).

But as far as I know, the (popad, jmp xxx) is common to most packers/protectors such as ASProtect, not only UPX; don't you think so?

lownoise
January 13th, 2004, 11:04
Maybe the exe file you've got was originally packed with UPX and ExeStealth, but ExeStealth has been removed with the unpacker coban2k created.
Google for ExeStealth unpacker.

Zilot
January 13th, 2004, 11:18
Quote:
Zilot, you use wrong method with newbies.


Man!!!
Just a little joke; can't you take it as a joke?

esther
January 13th, 2004, 11:44
I see nobody laughing

Zilot
January 13th, 2004, 12:49
So if anybody does, must he write it down?

+SplAj
January 13th, 2004, 13:13
google at your service :-

http://www.cobans.net/unstealth.php


evaluator
January 13th, 2004, 13:16
don't fight.

JMI
January 14th, 2004, 01:26
I was enjoying the joking Zilot, and of course esther can't "see" anyone laughing because this is a written medium, not a video one. If you listen veerrrryyyy carefully, you will, occasionally, hear someone laughing.

You will "usually" hear that sound when +Spla/\ makes one of his offerings, because they usually include some very witty and/or humorous comments or transformation of language. Quite unlike our Musician friend, who speaks an entirely "personal" dialect of English, that we all need source code to understand fully.

Regards,

esther
January 17th, 2004, 12:04
coz Peter Sellers died long ago

chlankboot
January 19th, 2004, 05:33
First, I would like to thank all of you; your posts have been very helpful.

It is ASPROTECT, and some garbage has been added to the packed file to fool newbies (like me). How did I find it out? Listen:
(jove.prohosting.com/~predat0r/aspr_mem.doc) an old doc, but precious.

(reteam.org/essay.viewer?type=essay&short='e'&id=51) an excellent essay about unpacking the last version of ASPROTECT (1.23) by AndreaGeddon (a must read); my program behaves exactly the same!

To confirm it, I simply tried to pack the packed file with ASPROTECT, and guess what, it recognizes itself.


Thank you again.