NFO v1.0

Manual Unpacking Tutorial... Manual UnPacking (MUP) of NFO v1.0
Source Code... None.
Some Info about the Packer/Encrypter and Author... Author: Bart
Homepage: None.
Email: cryogen@free.net.pl
Size of Packer/Encrypter: 6.50 KB
The Packer/Encrypter itself is Packed/Encrypted with UPX v0.99.
Author Words about the Packer/Encrypter... NFO is a very simple executable encryptor.
Features... Import Table handling.
Resources support.
Relocation wiping.
Anti API debug.
Anti-W32dasm.
Structured Exception Handling (SEH).
Cannot be loaded using Loader.exe from SoftICE.
Multilayer encryption support.
Special stuff the Decryption Routine uses... It uses several Structured Exception Handlers (SEH).
It clears the DRx Registers to prevent Breakpoints (And maybe more than just Breakpoints?).
It calls the function _PageModifyPermissions (Dunno what this does exactly ;).
It also Redirects the IAT.
The best API to Break on... The best API to break on for the beginning: _PageModifyPermissions
The best API to break on for the end: GetProcAddress+1

A little note here: if you break on _PageModifyPermissions, chances are you will need to Trace a lot (Or press F12 a lot ;), so you can also Break on LoadLibraryA+1.
Recognition of this Packer/Encrypter... Check if all the Section names are "NFO".
Recognition Bytes... 60 9C 8D 50 12 2B C9 B1 1E 8A
OEP Jump... mov eax, OEP
jmp eax

or

push cs
push eax
retf

or

push eax
ret
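
The two recognition checks above (all Section names are "NFO", plus the Recognition Bytes) can be scripted for triage. This is an added example, not code from the original page or from the packer's author. It assumes the Recognition Bytes sit at the entry point, which the page does not state; parse_pe, looks_like_nfo and build_sample are hypothetical names, and build_sample only makes a constructed test image.

```python
import struct

SIG = bytes.fromhex("609C8D50122BC9B11E8A")  # recognition bytes listed on the page

def parse_pe(data):
    """Return (entry_rva, [(name, vaddr, vsize, raw_ptr, raw_size), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]        # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsec, opt_size = struct.unpack_from("<H12xH", data, pe + 6)
    entry = struct.unpack_from("<I", data, pe + 40)[0]  # AddressOfEntryPoint
    table = pe + 24 + opt_size                          # first section header
    secs = []
    for i in range(nsec):
        name, vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        secs.append((name.rstrip(b"\0").decode("latin-1"), vaddr, vsize, rptr, rsize))
    return entry, secs

def looks_like_nfo(data):
    """Apply both recognition checks from the page to a PE image."""
    entry, secs = parse_pe(data)
    result = {"sections_all_nfo": bool(secs) and all(s[0] == "NFO" for s in secs),
              "signature_at_entry": False}
    for _, vaddr, vsize, rptr, rsize in secs:
        # Assumption: the recognition bytes are the first bytes at the entry point.
        if vaddr <= entry < vaddr + max(vsize, rsize):
            off = rptr + (entry - vaddr)                # entry RVA -> file offset
            result["signature_at_entry"] = data[off:off + len(SIG)] == SIG
            break
    return result

def build_sample(names, stub):
    """Constructed test image: headers, one 0x200-byte section per name, stub at entry."""
    pe, opt_size = 0x40, 0xE0
    img = bytearray(0x200 * (1 + len(names)))
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, pe)
    img[pe:pe + 4] = b"PE\0\0"
    struct.pack_into("<HH12xH", img, pe + 4, 0x14C, len(names), opt_size)
    struct.pack_into("<I", img, pe + 40, 0x1000)        # entry = start of first section
    for i, name in enumerate(names):
        struct.pack_into("<8sIIII", img, pe + 24 + opt_size + 40 * i, name.encode(),
                         0x1000, 0x1000 * (i + 1), 0x200, 0x200 * (i + 1))
    img[0x200:0x200 + len(stub)] = stub
    return bytes(img)

if __name__ == "__main__":
    print(looks_like_nfo(build_sample(["NFO", "NFO", "NFO"], SIG)))
```

Reporting the two checks separately matters because section names are trivial to rename, so a file that matches only one of them still deserves a closer look.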


If you can add any kind of information for this page (Like Homepage/Email of the Author) then send me an Email.

Don't trust the Outside, trust the InSiDe !!!

CoDe_InSiDe