Code Charge (Unpacking)


sharon
July 3rd, 2001, 13:28
Hello everyone,

target: www.codecharge.com
written in VB6
anti-SoftICE tricks + packing

1- Anti-SoftICE can be bypassed using FrogsICE or any other method.

2- Most of the unpacking tutorials I have followed instruct you to change the .text section from C0000040 to E0000020.
The problem is that there is no .text section indicated;
nevertheless, I assumed that the first section (no name) is the text section, changed it, and it worked.

3- How do I find the OEP? All the techniques I found in tutorials are for common packers.
What can really give me a clue for the OEP?

thanks for all your efforts
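
The "change C0000040 to E0000020" step from point 2, as an added example that is not part of the thread: a minimal PE section-table parser that decodes the characteristics flags, shows that the edit clears INITIALIZED_DATA and sets CODE and EXECUTE, and applies it to the first section of a constructed PE32 skeleton (the unnamed first section mirrors what sharon describes; the image, its addresses and sizes are made up here and are not the CodeCharge binary).

```python
# Added example (not from the thread): a minimal PE section-table parser that
# shows what "changing the section from C0000040 to E0000020" actually does.
# The image below is constructed in this script; it is not the CodeCharge binary.
import struct

# Section characteristic bits from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
FLAG_NAMES = [
    (IMAGE_SCN_CNT_CODE, "CODE"),
    (IMAGE_SCN_CNT_INITIALIZED_DATA, "INITIALIZED_DATA"),
    (IMAGE_SCN_MEM_EXECUTE, "EXECUTE"),
    (IMAGE_SCN_MEM_READ, "READ"),
    (IMAGE_SCN_MEM_WRITE, "WRITE"),
]

# IMAGE_SECTION_HEADER: Name[8], VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics (40 bytes).
SECTION_FMT = "<8sIIIIIIHHI"
SECTION_SIZE = struct.calcsize(SECTION_FMT)
CHARACTERISTICS_OFFSET = 36  # offset of the Characteristics field inside a header


def parse_sections(image):
    """Walk the section table and return one dict per section header."""
    e_lfanew, = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    num_sections, = struct.unpack_from("<H", image, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", image, e_lfanew + 20)
    table = e_lfanew + 4 + 20 + opt_size  # signature + COFF header + optional header
    sections = []
    for i in range(num_sections):
        off = table + i * SECTION_SIZE
        f = struct.unpack_from(SECTION_FMT, image, off)
        sections.append({
            "index": i,
            "name": f[0].rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": f[1],
            "virtual_address": f[2],
            "characteristics": f[9],
            "header_offset": off,
        })
    return sections


def describe(characteristics):
    """Human-readable flag list, e.g. 0xC0000040 -> 'INITIALIZED_DATA|READ|WRITE'."""
    return "|".join(name for bit, name in FLAG_NAMES if characteristics & bit)


def make_code_section(characteristics):
    """The edit the tutorials describe: mark the section as executable code.
    0xC0000040 (data, RW) becomes 0xE0000020 (code, RWX)."""
    return ((characteristics & ~IMAGE_SCN_CNT_INITIALIZED_DATA)
            | IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE)


def patch_characteristics(image, section, new_value):
    """Return a copy of the image with one section's Characteristics rewritten."""
    buf = bytearray(image)
    struct.pack_into("<I", buf, section["header_offset"] + CHARACTERISTICS_OFFSET, new_value)
    return bytes(buf)


def build_sample_image():
    """Constructed PE32 skeleton: an unnamed first section marked as data (as in
    the thread) followed by a .rsrc section. Not a real executable."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    optional = b"\x0b\x01" + b"\0" * 222            # PE32 magic + zeroed fields (224 bytes)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, len(optional), 0x010F)
    sec0 = struct.pack(SECTION_FMT, b"", 0x7F000, 0x1000, 0x7F000, 0x400,
                       0, 0, 0, 0, 0xC0000040)
    sec1 = struct.pack(SECTION_FMT, b".rsrc", 0x1000, 0x80000, 0x1000, 0x7F400,
                       0, 0, 0, 0, 0x40000040)
    return bytes(dos) + b"PE\0\0" + coff + optional + sec0 + sec1


def fix_first_section(image):
    """Apply sharon's assumption: treat the first (unnamed) section as .text."""
    first = parse_sections(image)[0]
    return patch_characteristics(image, first, make_code_section(first["characteristics"]))


if __name__ == "__main__":
    img = build_sample_image()
    for s in parse_sections(img):
        print(f"{s['index']} {s['name'] or '<unnamed>':10} VA={s['virtual_address']:#08x} "
              f"{s['characteristics']:#010x} {describe(s['characteristics'])}")
    fixed = fix_first_section(img)
    print("after:", f"{parse_sections(fixed)[0]['characteristics']:#010x}")
```

Run against a dumped file instead of the constructed image by reading it into `img`; the parser only needs the DOS header, the PE signature and the section table, so a dump with a broken import table still parses.
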

qferret
July 3rd, 2001, 20:13
How did you unpack it?

If you unpacked manually, the EIP when you dumped should be the OEP.

If you used ProcDump or another tool, it should have been taken care of automagically ;-)

sharon
July 4th, 2001, 05:14
I appreciate your answer, but I guess my question was not very clear.
My question is: how do you find the right spot to unpack?

Thanks again

bobik
July 4th, 2001, 08:22
Find my "small essay from newbie" about VB dumping in this forum.
Date: beginning of June.

Quote:
sharon (07-04-2001 03:14):
I appreciate your answer, but I guess my question was not very clear.
My question is: how do you find the right spot to unpack?

Thanks again

noname
July 6th, 2001, 10:34
Quote:
sharon (07-04-2001 03:14):
I appreciate your answer, but I guess my question was not very clear.
My question is: how do you find the right spot to unpack?

Thanks again


Hi Sharon,
it's difficult to tell you which one is correct because different packers have different
ways to find the OEP.
The best way is to find a packer, pack Notepad or a VB program,
unpack it and explore the unpacking routines.
Hope this helps

noname

qferret
July 6th, 2001, 18:37
I actually suck at unpacking, but I believe most (I know of at least a few, hehe) packers use a pushad opcode to store the info in the registers for later use..... then a popad right before the popad ends to restore the registers to their former state. So if your unpacking routine is sitting at cs:470000+ (purely a hypothetical #), and you find a jmp eax (again hypothetical) to, say, cs:412ef0 (you guessed it), with a popad a line or 3 before it.... the address jumped to is probably the OEP.

Hope that helps..... & if it's way off base, someone feel free to slap me with a large trout ;-)

Kayaker
July 6th, 2001, 21:52
Hi Sharon,

Why don't you try Icedump's /Tracex command? I've never used it on a VB app, but it works great on packers in general.

/TRACEX <low EIP> [<high EIP>]

So if your .text section is from 401000 to 480000 you would set

/TRACEX 401000 480000

in SoftICE wherever you want to start tracing, press F5, go get a drink because it may take a while, and SI should break in program code. In the command window will be a log with a cs:eip value: the last instruction address executed in packing code. You can then use the 'u' unassemble command on that address to see what the code looks like. If it looks like it was the jump to the OEP, you can dump it right there.

/Tracex will break any time there's a jump/call to the code range you specified, but this may not necessarily be the OEP: some packers (like ASProtect) jump into program code a few times before the actual jump to the OEP. If it looks like the code returns quickly to packing code, you can trace back there and set another /Tracex command the same as the first, and it will break on the next jump to program code.

TRW has a built-in feature that I think could be used in a similar fashion: PNEWSEC (go until you run into a new section in the PE image).

Hope this helps,

Kayaker
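
The /TRACEX behaviour Kayaker describes, as an added example that is not part of the thread: a model of "break on every jump/call into the range", run over a constructed list of executed EIP values rather than a live SoftICE session. It records, for each entry into the range, the last packer-code address before it (the cs:eip value SoftICE logs) and whether execution went back to the packer afterwards, which is the ASProtect-style caveat from the post. All addresses and the trace itself are made up for illustration.

```python
# Added example (not from the thread): a model of what /TRACEX does, run over a
# constructed list of executed EIP values instead of a live SoftICE session.
# Addresses and the trace itself are made up for illustration.

def find_range_entries(trace, low, high):
    """Report every transition from outside into [low, high), the way /TRACEX
    breaks on each jump/call into the range you give it."""
    entries = []
    prev_inside = False
    for i, eip in enumerate(trace):
        inside = low <= eip < high
        if inside and not prev_inside:
            # how long execution stays inside before going back out
            j = i
            while j < len(trace) and low <= trace[j] < high:
                j += 1
            entries.append({
                "trace_index": i,
                "entry_eip": eip,
                "from_eip": trace[i - 1] if i > 0 else None,  # last packer-code address
                "instructions_in_range": j - i,
                "returns_to_packer": j < len(trace),
            })
        prev_inside = inside
    return entries


def likely_oep(entries):
    """Kayaker's caveat: the first entry that never comes back to packer code."""
    for e in entries:
        if not e["returns_to_packer"]:
            return e["entry_eip"]
    return None


def sample_trace():
    # Constructed: the stub runs at 0x4A0000.. (outside the 401000-480000 code
    # range), briefly calls into program code, returns, then makes the real
    # jump to the OEP and stays there.
    stub = [0x4A0000 + 4 * k for k in range(6)]
    probe = [0x401050, 0x401052, 0x401055]          # short excursion, ASProtect-style
    stub2 = [0x4A0018 + 4 * k for k in range(4)]
    program = [0x401230 + 2 * k for k in range(8)]  # execution settles here
    return stub + probe + stub2 + program


if __name__ == "__main__":
    entries = find_range_entries(sample_trace(), 0x401000, 0x480000)
    for e in entries:
        print(f"break: cs:eip={e['from_eip']:#08x} -> {e['entry_eip']:#08x} "
              f"({e['instructions_in_range']} instr in range, "
              f"returns_to_packer={e['returns_to_packer']})")
    print(f"likely OEP: {likely_oep(entries):#08x}")
```

The first break lands on the short excursion and would be a wrong dump point; the second is the one to unassemble, exactly the "set another /Tracex and let it break again" step from the post.
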