Softice: Hide and Seek


dipeshrestha
January 21st, 2004, 02:07
Hi all,

Manual unpacking is quite interesting. But aspr is one of the best. While tracing the packed code with the softice, the opcodes just change while tracing. Like

xxxx:345677 JMP 345679
xxxx:345681 POP ESI

if the code looks like this, where does this jump take me? they r hiding their code from softice. how can we tackle such a problem?


Dipesh
Still Newbie

chlankboot
January 21st, 2004, 05:10
this appears in the entry point (right?), try 2 change eip to 345679.

doug
January 21st, 2004, 11:49
Quote:

While tracing the packed code with the softice the opcodes just change while tracing


they appear to be changing, they are not, the obfuscation tricks like that have been discussed many many times before.
type CODE ON in sice, the code is always the same.

xxxx:345677 JMP 345679
xxxx:345681 POP ESI

hum.. is pop esi directly after the jmp? (didn't know of a 0xA jump opcode)
You posted so little information, that I'm not even sure what your problem is.

Do as chlankboot said, or just trace into (f8), you'll realize what's happening.

Quote:

Dipesh
Still Newbie

then use the newbie section

naides
January 21st, 2004, 14:58
Quote:
[Originally Posted by dipeshrestha]Hi all,

Manual unpacking is quite interesting. But aspr is one of the best. While tracing the packed code with the softice, the opcodes just change while tracing. Like

xxxx:345677 JMP 345679
xxxx:345681 POP ESI

if the code looks like this, where does this jump take me? they r hiding their code from softice. how can we tackle such a problem?


Dipesh
Still Newbie



As doug said below it is typical obfuscated code. The trick here is that the instruction xxxx:345677 JMP 345679 jumps to the middle of some instruction, so it changes the assembler reading frame, meaning the next instruction it will execute is NOT POP ESI but whatever instruction happens to be at position xxxx:345679. When you trace it with F8 or F10, you see the code window of Sice automagically change to the new instruction frame.

Read here.
hxxp://www.cs.arizona.edu/solar/papers/CCS2003.pdf
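The reading-frame trick naides describes can be made concrete with a toy disassembler. The following is an added example, not code from the thread or from any tool named in it: the byte sequence is constructed (a short JMP that lands one byte past a junk 0xE8, the opcode of CALL rel32), the base address 0x401000 is arbitrary, and the decoder knows only the handful of opcodes the example needs. Disassembling front to back (what a linear disassembler does) shows a bogus CALL that swallows the real instructions, while following control flow from the entry point (what single-stepping in SoftICE effectively does) shows the POP ESI that actually executes.

```python
import struct

# Constructed bytes (not taken from the thread). The 0xE8 at offset 2 is never
# executed; it exists only so that a linear sweep decodes it as a 5-byte CALL
# and consumes the real code that follows it.
BASE = 0x401000  # arbitrary base address for the example
CODE = bytes.fromhex(
    "EB01"        # 0x401000: jmp +1  -> 0x401003
    "E8"          # 0x401002: junk byte, opcode of CALL rel32 (skipped at run time)
    "5E"          # 0x401003: pop esi (the first instruction really executed)
    "90"          # 0x401004: nop
    "B801000000"  # 0x401005: mov eax, 1
    "C3"          # 0x40100a: ret
)


def decode_one(code, base, addr):
    """Decode one instruction from the small opcode subset this toy supports.

    Returns (text, length, successors), where successors are the addresses
    control can flow to next (empty for ret). This is not a general x86 decoder;
    anything it does not model is emitted as a data byte.
    """
    off = addr - base
    avail = len(code) - off
    op = code[off]
    if op == 0xEB and avail >= 2:              # jmp rel8
        rel = struct.unpack_from("<b", code, off + 1)[0]
        target = addr + 2 + rel
        return f"jmp 0x{target:x}", 2, [target]
    if op == 0xE8 and avail >= 5:              # call rel32
        rel = struct.unpack_from("<i", code, off + 1)[0]
        target = addr + 5 + rel
        # The callee is assumed to return, so only the fall-through is followed.
        return f"call 0x{target:x}", 5, [addr + 5]
    if op == 0x5E:
        return "pop esi", 1, [addr + 1]
    if op == 0x90:
        return "nop", 1, [addr + 1]
    if op == 0xB8 and avail >= 5:              # mov eax, imm32
        imm = struct.unpack_from("<I", code, off + 1)[0]
        return f"mov eax, 0x{imm:x}", 5, [addr + 5]
    if op == 0xC3:
        return "ret", 1, []
    return f"db 0x{op:02x}", 1, [addr + 1]     # not modelled: treat as data


def linear_sweep(code, base):
    """Disassemble front to back, the way a naive linear disassembler does."""
    out, addr, end = [], base, base + len(code)
    while addr < end:
        text, length, _ = decode_one(code, base, addr)
        out.append((addr, text))
        addr += length
    return out


def follow_flow(code, base, entry):
    """Disassemble by following control flow from the entry point, which is
    what the debugger shows when you single-step through the jump."""
    out, seen, work, end = [], set(), [entry], base + len(code)
    while work:
        addr = work.pop()
        if addr in seen or not base <= addr < end:
            continue
        seen.add(addr)
        text, length, succ = decode_one(code, base, addr)
        out.append((addr, text))
        work.extend(succ)
    return sorted(out)


def hidden_by_linear(code, base, entry):
    """Addresses that really execute but never appear in the linear listing."""
    linear = {addr for addr, _ in linear_sweep(code, base)}
    flow = {addr for addr, _ in follow_flow(code, base, entry)}
    return flow - linear


if __name__ == "__main__":
    print("linear sweep:")
    for addr, text in linear_sweep(CODE, BASE):
        print(f"  {addr:08x}  {text}")
    print("following control flow:")
    for addr, text in follow_flow(CODE, BASE, BASE):
        print(f"  {addr:08x}  {text}")
    print("hidden from linear sweep:", [hex(a) for a in sorted(hidden_by_linear(CODE, BASE, BASE))])
```

The linear listing never contains address 0x401003 at all: the junk 0xE8 claims the four bytes after it as a displacement, so POP ESI, NOP and the start of MOV disappear into a meaningless CALL. Following the jump instead lands in the middle of that "CALL" and decodes the code the program really runs. This is why the SoftICE code window appears to rewrite itself when you step over the JMP, and why "CODE ON" shows the raw bytes have not changed.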

JMI
January 21st, 2004, 22:23
dipeshrestha:

You may also try entering "obfuscation" in the search window at the top of the Forums and you will find a number of threads, going back over the last two years, discussing this issue here.

Regards,

Kayaker
January 21st, 2004, 22:42
Simply stated, it is sagacious to eschew obfuscation.
- Norman Augustine

JMI
January 21st, 2004, 22:43
And if you will enter "code obfuscation" in your favorite search engine, you will find many, many articles and discussions about the obfuscation issue for a great many languages.

Regards,

dipeshrestha
January 22nd, 2004, 00:15
thank you all for giving me idea about code obfuscation. will be learning about it now...

thank you
dipesh

chlankboot
January 22nd, 2004, 05:23
most packers/encrypters use obfuscation, so that it is not possible for disassemblers to do their job correctly (even IDA shows invalid instructions (in red) due to the linear treatment it uses to disassemble the file).
if the obfuscated code appears in the beginning u can trace with ice till u reach the real beginning of code, note the address and change the entry point of your program to that address.
doing so u can disassemble a great part of the file until the next obfuscated block, trace it with ice again, find out the exit address, patch the file so that u bypass or nop it. i know this seems to be so theoretical but it works, sometimes u have to correct CRC ...
finally u'll be able 2 disassemble the file and analyse the effective code.
hope this will help.

still newbie toooo

dipeshrestha
February 3rd, 2004, 02:08
Dear All,

i have just got a new tool 'TRACEDUMP' which removes code obfuscation. it is a really nice program that removes code obfuscation and works in conjunction with softice.

But still learning to work with it.

naides
February 3rd, 2004, 07:43
Quote:
[Originally Posted by dipeshrestha]Dear All,

i have just got a new tool 'TRACEDUMP' which removes code obfuscation. it is a really nice program that removes code obfuscation and works in conjunction with softice.

But still learning to work with it.



Is that Kayaker's TraceDump?

In that case you are in trouble because I have exclusive rights for Advertisement and marketing, see here: http://www.woodmann.com/forum/showthread.php?t=5201&highlight=Tracedump



So that is the real use for Kker tool! that is remarkable.