View Full Version : Identifying Protection


xollox
May 3rd, 2004, 00:23
I've been lurking in this forum for a while, and I've come across a problem that I need some help with.

I have a program that I'd like to do some "work" with, but I am unable to identify what protection is used. It's a publicly available beta demo of a game that I'd like to write some hacks for.

PE-Scan reports "no recognised packer/encryptor found" and PEiD reports "Nothing found *"

When I try to open it in OllyDbg, it says that it's packed or encrypted and when loaded it shows code that is clearly packed/or encrypted.

Since I'm a newbie in the field, I don't know where to go from here. Any help would be appreciated.

nikolatesla20
May 3rd, 2004, 09:27
A good start is to load the program into LordPE or PEditor and take a look at the sections. How many are there and what are their names, etc.? This can usually strongly point towards the protection used.

If you can post this info without giving away the name of the target (DONT TELL US THE TARGET) then do so and maybe one of us might recognize it.

-nt20

dELTA
May 3rd, 2004, 10:09
Also, I guess the authors of programs like PEiD are always interested in samples of unknown packers, and if you're lucky you might be able to get the information you want from them at the same time. Try to find out as much as possible yourself first though, to make it easier for them.

xollox
May 3rd, 2004, 21:57
Thanks for the tips, guys.

Here is what LordPE told me:
.CODE
.rsrc
.idata
.ext
XPROT
.vmtext
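The section-table check nikolatesla20 describes, and the list xollox posted in reply, can be scripted. The following is an added example and not code from anyone in this thread: it parses the PE section headers itself (DOS header, PE signature, COFF header, 40-byte section entries) and reports each section's name, sizes and flags together with a few triage heuristics (a known packer section name, a high-entropy executable section, a section with no data on disk, a writable-and-executable section). The sample image it builds is constructed inline so the script runs offline; only the six section names come from the thread, everything else about it (sizes, flags, contents) is made up for the demonstration, and the name-to-packer table is the author's own short list, not the PEiD database.

```python
import hashlib
import math
import struct

# Section characteristic bits from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Section names commonly left behind by packers/protectors (short, hand-made
# list, not a signature database).  XPROT is the name from the thread; as the
# thread itself shows, a name can be faked, so treat a match as a hint only.
PACKER_SECTION_NAMES = {
    "UPX0": "UPX", "UPX1": "UPX",
    ".aspack": "ASPack", ".adata": "ASPack",
    ".themida": "Themida",
    ".vmp0": "VMProtect", ".vmp1": "VMProtect",
    "XPROT": "Xprotector / Extreme Protector (or something mimicking it)",
}


def shannon_entropy(data):
    """Bits per byte, 0.0 (constant) .. 8.0 (uniform); packed/encrypted data sits near 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe):
    """Walk DOS header -> PE signature -> COFF header -> section table and describe each section."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size                      # section headers follow the optional header
    sections = []
    for i in range(nsections):
        (name, vsize, vaddr, raw_size, raw_ptr,
         _reloc, _line, _nreloc, _nline, chars) = struct.unpack_from("<8sIIIIIIHHI", pe, table + 40 * i)
        raw = pe[raw_ptr:raw_ptr + raw_size] if raw_size else b""
        sections.append({
            "name": name.rstrip(b"\0").decode("latin-1"),
            "virtual_size": vsize, "virtual_address": vaddr,
            "raw_size": raw_size, "raw_ptr": raw_ptr,
            "truncated": len(raw) < raw_size,          # header claims more bytes than the file holds
            "characteristics": chars,
            "entropy": shannon_entropy(raw),
        })
    return sections


def packer_hints(sections):
    """Return (section name, observation) pairs that usually accompany a packer or protector."""
    hints = []
    for s in sections:
        name, chars = s["name"], s["characteristics"]
        if name in PACKER_SECTION_NAMES:
            hints.append((name, "section name associated with " + PACKER_SECTION_NAMES[name]))
        if chars & IMAGE_SCN_MEM_EXECUTE and s["raw_size"] and s["entropy"] > 7.0:
            hints.append((name, "executable section with entropy %.2f (compressed or encrypted code)" % s["entropy"]))
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            hints.append((name, "no data on disk but %#x bytes reserved in memory (unpacking destination?)" % s["virtual_size"]))
        if chars & IMAGE_SCN_MEM_EXECUTE and chars & IMAGE_SCN_MEM_WRITE:
            hints.append((name, "writable and executable (self-modifying or unpacking code)"))
    return hints


def build_sample_pe():
    """Constructed sample: a minimal PE whose section names match xollox's list; nothing else
    about the real target is known or reproduced here."""
    high_entropy = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))  # 2048 pseudo-random bytes
    rx = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
    rw = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
    specs = [  # (name, virtual size, raw bytes on disk, characteristics)
        (b".CODE", 0x1000, b"\x90\xc3" * 256, rx),
        (b".rsrc", 0x200, b"\x00" * 0x200, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
        (b".idata", 0x200, b"\x00" * 0x200, rw),
        (b".ext", 0x200, b"\x00" * 0x200, rw),
        (b"XPROT", 0x1000, high_entropy, rx | IMAGE_SCN_MEM_WRITE),
        (b".vmtext", 0x2000, b"", rx | IMAGE_SCN_MEM_WRITE),   # exists only once unpacked in memory
    ]
    file_align, first_raw, vaddr = 0x200, 0x400, 0x1000
    section_table, raw_blob = b"", b""
    for name, vsize, raw, chars in specs:
        raw_ptr = first_raw + len(raw_blob) if raw else 0
        section_table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, vaddr,
                                     len(raw), raw_ptr, 0, 0, 0, 0, chars)
        raw_blob += raw.ljust(-(-len(raw) // file_align) * file_align, b"\0")
        vaddr += max(vsize, 0x1000)                    # crude 0x1000 section alignment
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew at offset 0x3C
    coff = struct.pack("<HHIIIHH", 0x14C, len(specs), 0, 0, 0, 224, 0x102)
    optional = struct.pack("<H", 0x10B) + b"\0" * 222   # PE32 magic, rest zeroed
    headers = dos + b"PE\0\0" + coff + optional + section_table
    return headers.ljust(first_raw, b"\0") + raw_blob


if __name__ == "__main__":
    sections = parse_sections(build_sample_pe())
    for s in sections:
        print("%-8s vsize=%#06x raw=%#06x @%#06x flags=%08x entropy=%.2f%s" % (
            s["name"], s["virtual_size"], s["raw_size"], s["raw_ptr"],
            s["characteristics"], s["entropy"], " TRUNCATED" if s["truncated"] else ""))
    for name, why in packer_hints(sections):
        print("hint: %s: %s" % (name, why))
```

Replacing `build_sample_pe()` with `open(path, "rb").read()` turns this into a first look at a real file; the output answers exactly the questions asked above (how many sections, their names) plus the two things a signature scanner does not show: where the high-entropy data lives and which section is empty on disk but large in memory.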

Harding
May 4th, 2004, 05:06
Quote:
[Originally Posted by xollox]Thanks for the tips, guys.

Here is what LordPE told me:
.CODE
.rsrc
.idata
.ext
XPROT
.vmtext


I might be wrong here, but I think it's Xprotector (Extreme Protector).

/Harding

Alorent
May 4th, 2004, 06:27
It looks like Extreme Protector... but maybe it's not. I thought that Extreme put all the sections in one or 2, not so many as I can see in your program. Maybe the section names have been manipulated manually.

As Delta proposed, PEiD could solve your problem.

esther
May 4th, 2004, 11:44
Get the latest PeID out there

UrgeOverKill
May 4th, 2004, 19:54
I do believe that the latest ver out there is 0.92....

xollox
May 7th, 2004, 03:28
Quote:
[Originally Posted by UrgeOverKill]I do believe that the latest ver out there is 0.92....


I double-checked that I had the latest version (released May 4) and copied all the userdb info out of the forums that I could find, and still nothing.

dev_zero
May 7th, 2004, 05:54
What about file analyzer XL....

SiNTAX
May 12th, 2004, 07:23
Quote:
[Originally Posted by xollox].... a publically available beta demo of a game that I'd like to write some hacks for.


I hope hacks != cheats.

dELTA
May 12th, 2004, 16:05
Why? As long as it isn't a networked multiplayer game I really can't see any harm in it?

SysCall
May 12th, 2004, 16:49
Are you xollox from MPC forums (bf1942/bfv)?

If so ... nice to meet ya here ... I used to visit the boards/forums under different aliases.

Quote:
I hope hacks != cheats.


Hehe .. of course cheats
Lots of multiplayer stuff for quite some time now ... leaving Punkbuster in dust (it aint a challenge in its current state, really) ...

Lots of ppl have learned how to build their own private hacks now ... my personal estimate by visiting EA (pb enabled) servers that at least 5-10% cheat .. but well

xollox
May 13th, 2004, 02:51
Quote:
[Originally Posted by SysCall]Are you xollox from MPC forums (bf1942/bfv)?

The same (:

Quote:
[Originally Posted by SiNTAX]I hope hacks != cheats.

To be honest, it does equal cheats. Over the past few months I've become less and less interested in actually playing games and more interested in reversing them, seeing how they work, making modifications, etc. For a while I probably spent 20+ hours/week reversing and 3 or 4 hours every other week playing. My online play time is severely limited by my bandwidth (56k) for the time being. Luckily I have friends nearby with broadband...

Quote:
[Originally Posted by dev_zero]What about file analyzer XL....

I tried both File Inspector XL and File Analyzer. (I googled "file analyzer XL" and couldn't find anything by that name...) Both report the packer as "ASPack 1.02b or 1.08.03". Is this a potential misreport, or do these older analyzers pick up something that PEiD doesn't?

Quote:
[Originally Posted by dELTA]Also, I guess the authors of programs like PEiD are always interested in samples of unknown packers, and if you're lucky you might be able to get the information you want from them at the same time. Try to find out as much as possible yourself first though, to make it easier for them.

Should I try to contact the authors and let them know about the program? I looked over the PEiD website and can't find any sort of reporting method...

SiNTAX
May 13th, 2004, 03:48
Quote:
[Originally Posted by xollox]
To be honest, it does equal cheats. Over the past few months I've become less and less interested in actually playing games and more interested in reversing them, seeing how they work, making modifications, etc. For a while I probably spent 20+ hours/week reversing and 3 or 4 hours every other week playing. My online play time is severely limited by my bandwidth (56k) for the time being. Luckily I have friends nearby with broadband...


Tssk.. that puts you in my bad book I'm afraid (not that anybody cares about that).. but some people still have ethics.. and spoiling other people's fun/day isn't something I enjoy...

dELTA
May 13th, 2004, 11:41
Quote:
Should I try to contact the authors and let them know about the program? I looked over the PEiD website and can't find any sort of reporting method...

Yeah, I'm sure they'll appreciate it, just ask in their forum (http://peidforums.has.it), maybe giving them a link to the file in question too.

doug
May 13th, 2004, 17:15
It's just a lame in-house packer that tries to mimic xprotector by adding an 'XPROT' section.

xollox
May 14th, 2004, 00:58
Quote:
[Originally Posted by doug]It's just a lame in-house packer that tries to mimic xprotector by adding an 'XPROT' section.

Do you know what program I am talking about or are you just guessing?

doug
May 14th, 2004, 19:03
I'm not guessing.

xollox
May 15th, 2004, 02:13
Quote:
[Originally Posted by doug]I'm not guessing

Do you have any hints as to how to go about unpacking the program? Generic unpackers didn't seem to do the trick (although I'm not really experienced with unpacking at all, so I could be using them incorrectly).

doug
May 15th, 2004, 09:03
Quote:
[Originally Posted by xollox]Do you have any hints as to how to go about unpacking the program? Generic unpackers didn't seem to do the trick (although I'm not really experienced with unpacking at all, so I could be using them incorrectly)


Other than following manual unpacking steps, nope, sorry.

You could:
Dump it at runtime to get an idea of what you're facing, and what you have to rebuild/fix.
Use tools such as ImpRec to rebuild as many imports as it can. (Or do it by hand, and you'll learn much more.)
Post a specific question if you are _really_ stuck at some point. ("How to unpack X" or "How to unpack X using Y" isn't considered specific.)

Besides, if what you want to do is find cheats buried in the game or write a trainer, you don't need a 100% working rebuilt exe.. you just want a fairly clean/readable disassembly.

xollox
May 15th, 2004, 12:41
Alright, I guess I have my work laid out for me. Thanks for the help and info guys, I'll report back if I have any specific questions.

Baron Gede
May 25th, 2004, 03:27
Use a technique of injection.... for work...
/CreateRemoteThread.../