Unpack me
orangutang
07-08-2005, 10:49 PM
Can anyone successfully unpack this?
orangutang
07-11-2005, 07:11 PM
If anyone figures it out, please tell me what programs you used to unpack it.
0x517A5D
07-18-2005, 10:37 PM
So I unpacked it and all, but it doesn't do anything!
It deletes itself if it detects a debugger, I guess, and merely exits immediately otherwise.
Is that what it's supposed to do?
The only interesting thing in the EXE, aside from the self-deleting batchfile, is the string "ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ!!!!!!!!!!!!!!!!!!!!!!!:)".
Is that a message or just a VB artifact?
It was an interesting weekend project.
Tools:
IDA Pro (legally registered)
SoftIce (legally registered)
Custom debugger using Win32 Debug API.
Peditor v1.7
Vim
GCC
517A5D out.
orangutang
07-19-2005, 01:04 AM
Wow you're good. I know the program does nothing so I just wanted someone to unpack it successfully, nothing else.
orangutang
07-19-2005, 01:07 AM
Actually, I just ran the unpacked version and it exits because of the CRC check. Can anyone figure that out?
0x517A5D
07-19-2005, 02:09 AM
Originally posted by orangutang@Jul 18 2005, 10:07 PM
Actually, I just ran the unpacked version and it exits because of the CRC check. Can anyone figure that out?
Darnit, I must have missed something. Oh well, the program text is decrypted and the imports work. I don't intend to devote more time to it.
BTW, was this commercial protection or your own homebrew?
517A5D out.
orangutang
07-19-2005, 03:39 PM
It was both. I used a "commercial" protector and then I edited it a little to make it a little harder to unpack and added some of my own stuff.
0x517A5D
07-19-2005, 09:06 PM
Originally posted by orangutang@Jul 19 2005, 12:39 PM
It was both. I used a "commercial" protector and then I edited it a little to make it a little harder to unpack and added some of my own stuff.
I figured it must be commercial since there was a lot of code that was never called. For example, there are several routines that deal with Thread Local Storage, which this program didn't have.
But I thought it was pretty easy for a commercial product. There were some interesting tricks, but not nearly enough of them. Mostly it was a couple layers of weak crypto.
And then there was this stuff:
seg006:004083F0                     db      36h
seg006:004083F0 018                 mov     esi, [ebp+arg_0]
seg006:004083F4                     db      36h
seg006:004083F4 018                 mov     edi, [ebp+arg_4]
seg006:004083F8                     db      36h
seg006:004083F8 018                 mov     ecx, [ebp+arg_8]
seg006:004083FC 018                 xor     eax, eax
seg006:004083FE 018                 xor     ebx, ebx
seg006:00408400 018                 xor     edx, edx
seg006:00408402
seg006:00408402     @@loop:
seg006:00408402                     db      3Eh
seg006:00408402 018                 mov     al, [esi]
seg006:00408405                     db      3Eh
seg006:00408405 018                 mov     bl, [edi]
Those db 36h's are SS: overrides, and the db 3Eh's are DS: overrides. Neither is useful in Win32 code. It looked to me like someone forgot to set his assembler's ASSUMEs. That strikes me as a newbie error that should have been caught somewhere in the development process. It doesn't even really serve as obfuscation.
517A5D out.
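The point 0x517A5D makes above can be checked mechanically: a segment-override prefix is a no-op when it names the segment the CPU would have picked anyway (SS for an EBP/ESP base, DS for everything else), and under Win32's flat memory model even a "real" CS/DS/ES/SS override changes nothing, since those selectors all have base 0; only FS and GS, which point at the TEB, ever alter which address is read. The decoder below is an added example and is not code from the thread or from any tool mentioned in it. It handles only the `mov r32/r8, [mem]` forms (opcodes 8Bh/8Ah with 32-bit ModRM addressing) that appear in the listing; the byte string it runs over is constructed by hand from that listing plus one `mov edx, fs:[30h]` added as a contrast.

```python
"""Added example: classify x86-32 segment-override prefixes in front of
'mov reg, [mem]' as no-op, flat-model-irrelevant, or meaningful."""

SEG_PREFIX = {0x26: "ES", 0x2E: "CS", 0x36: "SS", 0x3E: "DS", 0x64: "FS", 0x65: "GS"}
REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
REG8 = ["al", "cl", "dl", "bl", "ah", "ch", "dh", "bh"]


def decode_mov_load(code, pos=0):
    """Decode one 'mov reg, [mem]' (8Ah/8Bh) at code[pos].

    Only the ModRM/SIB base register matters for the default-segment
    question, so the SIB index/scale are decoded but not printed.
    """
    i = pos
    prefix = None
    if code[i] in SEG_PREFIX:
        prefix = SEG_PREFIX[code[i]]
        i += 1
    opcode = code[i]
    if opcode not in (0x8A, 0x8B):
        raise ValueError("unsupported opcode 0x%02X" % opcode)
    modrm = code[i + 1]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if mod == 3:
        raise ValueError("register form, no memory operand")
    i += 2

    base = None
    if rm == 4:                                 # SIB byte follows
        sib = code[i]
        i += 1
        if not (mod == 0 and (sib & 7) == 5):   # base=101 with mod=0 means "no base, disp32"
            base = REG32[sib & 7]
    elif not (mod == 0 and rm == 5):            # mod=0, rm=5 is a bare disp32
        base = REG32[rm]

    disp = 0
    if mod == 1:
        disp = int.from_bytes(code[i:i + 1], "little", signed=True)
        i += 1
    elif mod == 2 or base is None:
        disp = int.from_bytes(code[i:i + 4], "little", signed=True)
        i += 4

    # IA-32 rule: default segment is SS for an EBP/ESP base, DS otherwise.
    default_seg = "SS" if base in ("ebp", "esp") else "DS"
    effective_seg = (prefix or default_seg).lower()
    dest = (REG32 if opcode == 0x8B else REG8)[reg]
    if base is None:
        operand = "[%s:%#x]" % (effective_seg, disp & 0xFFFFFFFF)
    elif disp:
        operand = "[%s:%s%+#x]" % (effective_seg, base, disp)
    else:
        operand = "[%s:%s]" % (effective_seg, base)
    return {
        "text": "mov %s, %s" % (dest, operand),
        "prefix": prefix,
        "default_seg": default_seg,
        # Prefix names the segment the CPU would use anyway: pure encoding noise.
        "prefix_is_noop": prefix is not None and prefix == default_seg,
        # Win32 user mode: CS/DS/ES/SS all have base 0, so only FS/GS (TEB) overrides
        # can change which linear address is read.
        "matters_in_win32": prefix in ("FS", "GS"),
        "length": i - pos,
    }


def scan(code):
    """Decode consecutive 'mov reg, [mem]' instructions and return their records."""
    out, pos = [], 0
    while pos < len(code):
        rec = decode_mov_load(code, pos)
        out.append(rec)
        pos += rec["length"]
    return out


# Constructed sample: the listing's prologue and loop loads, plus an FS read as contrast.
SAMPLE = bytes.fromhex(
    "368B7508" "368B7D0C" "368B4D10"   # ss: mov esi/edi/ecx, [ebp+8/0Ch/10h]
    "3E8A06" "3E8A1F"                  # ds: mov al,[esi] ; ds: mov bl,[edi]
    "648B1530000000"                   # mov edx, fs:[30h] (PEB pointer), added contrast
)

if __name__ == "__main__":
    for r in scan(SAMPLE):
        if r["prefix_is_noop"]:
            verdict = "no-op: names the default segment"
        elif r["matters_in_win32"]:
            verdict = "meaningful: FS/GS has a non-zero base"
        else:
            verdict = "no effect under the flat Win32 model"
        print("%-24s prefix=%-4s default=%s  %s" % (r["text"], r["prefix"], r["default_seg"], verdict))
```

Run as a script it prints one line per instruction; the three `36h` loads and the two `3Eh` loads come out as no-ops, and the `fs:[30h]` read is the only override that actually changes the address, which is the shape one expects from a forgotten ASSUME rather than from deliberate obfuscation.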
orangutang
07-19-2005, 10:03 PM
I'm not even a newbie at file unpacking. I don't know any of that debugging and disassembling stuff. I just like playing around with exes and trying to make them unpackable. I'm just really, really bored.
orangutang
07-19-2005, 10:03 PM
By the way, how long did it take you to unpack this?
0x517A5D
07-20-2005, 11:08 PM
Originally posted by orangutang@Jul 19 2005, 07:03 PM
By the way, how long did it take you to unpack this?
Oh, I suppose I spent six or seven hours on it, spread over two and a half days.
517A5D out.
orangutang
07-23-2005, 09:59 PM
What are Vim and GCC and where do I get them?
Devine9
07-26-2005, 12:09 AM
Vim is a text editor, and GCC is a compiler. Look up DJGPP for Windows if you want the Win32 clone of GCC. They are both Unix tools, so if you don't have Unix, I wouldn't bother. UltraEdit/VC++/MASM work fine.
-DR
orangutang
07-28-2005, 10:14 PM
Can anyone unpack this one? Just unpack it, nothing else. It should be really easy, but tell me how long it takes you.