LLXX
October 1st, 2006, 22:59
I've been working on this thing for a few hours and asking here is probably one of the last things I'd do. Anyway...
It somehow detected my SoftICE, even though I'd already hidden it and never had any detections by other programs in the past. The message is similar to Asprotect's, though the file looks nothing like it.
PEiD latest version (0.94) couldn't identify it.
OllyDBG couldn't stop it from running on load when set to break on the module entrypoint; it sort of worked when set to break at the system entrypoint. I was able to trace through it a bit (and NOP *many* Int3s scattered throughout the somewhat obfuscated code), but OllyDBG behaved strangely - sometimes F7 would make it jump somewhere into the kernel (once again, it's as hidden as I could make it).
I was able to dump it while it was running with LordPE, but the dump is next-to-useless with a missing import table and an unknown OEP. The only thing I could tell from inspection was that it was written in VB and that the resources section is placed before all the other sections.
ImpRec says "can't open process" - I'm a bit confused by this, as LordPE apparently had no problem dumping it. This is definitely a packer and not a cryptor, as the dump is ~400KB whereas the original was 260KB. Inspecting the original I can see bits of recognisable text, so the compression algorithm is probably LZ-based.
The entrypoint of this packer looks like nothing I've seen before:
Code:
00467581: E8F7FEFFFF call 00046747D
00467586: 05044A0000 add eax,000004A04
0046758B: FFE0 jmp eax
0046758D: E8EBFEFFFF call 00046747D
00467592: 055E240000 add eax,00000245E
00467597: FFE0 jmp eax
00467599: E804000000 call 0004675A2
0046759E: FFFF ??? edi
004675A0: FFFF ??? edi
004675A2: 5E pop esi
004675A3: C3 retn
004675A4: 00 add bh,bh
...and the bottom of the above listing is the last byte in the file.
Any suggestions as to how to approach this? At the moment it seems all I can do is dump it, everything else fails.
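The entry stub in the listing is two copies of the same computed-jump pattern: `call 46747D; add eax, imm32; jmp eax`. The real destination depends on what the callee leaves in EAX, which the post does not show, so the useful first step is to decode the pattern mechanically and then plug in the EAX value read from the debugger right after the call returns. The script below is an added example and not the poster's or any tool's code; the stub bytes are the ones from the listing (reassembled at VA 0x00467581), and the `resolve_target` helper and the EAX value fed to it are assumptions for illustration, not facts about this packer.

```python
import struct
from typing import List, NamedTuple

# The entry stub bytes exactly as they appear in the posted listing,
# reassembled as one buffer starting at VA 0x00467581.
STUB_VA = 0x00467581
STUB_BYTES = bytes.fromhex(
    "E8F7FEFFFF" "05044A0000" "FFE0"   # call 46747D; add eax,4A04; jmp eax
    "E8EBFEFFFF" "055E240000" "FFE0"   # call 46747D; add eax,245E; jmp eax
    "E804000000" "FFFF" "FFFF" "5E" "C3" "00"  # call 4675A2; ??; pop esi; retn
)


class Stub(NamedTuple):
    va: int            # VA of the CALL instruction
    call_target: int   # absolute target of the E8 rel32
    delta: int         # imm32 added to EAX before JMP EAX


def find_stubs(code: bytes, base_va: int) -> List[Stub]:
    """Scan a code buffer for 'call rel32; add eax, imm32; jmp eax' triplets.

    Encoding checked: E8 <rel32> 05 <imm32> FF E0 (12 bytes). The CALL target
    is computed relative to the end of the CALL, as the CPU does.
    """
    found: List[Stub] = []
    i = 0
    while i + 12 <= len(code):
        if (code[i] == 0xE8 and code[i + 5] == 0x05
                and code[i + 10:i + 12] == b"\xff\xe0"):
            rel = struct.unpack_from("<i", code, i + 1)[0]
            imm = struct.unpack_from("<I", code, i + 6)[0]
            va = base_va + i
            found.append(Stub(va, (va + 5 + rel) & 0xFFFFFFFF, imm))
            i += 12
        else:
            i += 1
    return found


def resolve_target(stub: Stub, eax_after_call: int) -> int:
    """Where JMP EAX lands for a given EAX value observed after the CALL.

    The EAX value must come from a debugger breakpoint on the ADD; this
    function only does the arithmetic and assumes nothing about the callee.
    """
    return (eax_after_call + stub.delta) & 0xFFFFFFFF


def describe(code: bytes, base_va: int) -> List[str]:
    """Human-readable summary of every stub found in the buffer."""
    return [
        f"{s.va:08X}: call {s.call_target:08X}; add eax,{s.delta:X}; jmp eax"
        for s in find_stubs(code, base_va)
    ]


if __name__ == "__main__":
    for line in describe(STUB_BYTES, STUB_VA):
        print(line)
    first = find_stubs(STUB_BYTES, STUB_VA)[0]
    # Hypothetical EAX value, purely to show the arithmetic: NOT observed.
    print(f"if EAX were 0x00400000, first jmp would land at "
          f"{resolve_target(first, 0x00400000):08X}")
```

Both CALLs resolve to 00046747D, so whatever that routine returns in EAX decides where the packer really begins; a hardware breakpoint on the `add eax` at 00467586 (rather than a software Int3, given how many of those the code already contains) is the cheapest way to read it. Note that the decoded jump is only a candidate until the value is actually observed, since the callee could return something different on each call.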