Unknown packer (header BoG_ *90.0&!!)
arctus
11-08-2003, 08:15 AM
Hi there,
I came across an application packed with a packer unknown to me.
In the file's header, I found:
BoG_ *90.0&!!
Does anybody know anything about this packer and if there's an unpacker available? The application also checks for runtime debuggers present and won't run if so.
Thank you for your replies!
Arctus, SI
there's a brilliant little tool called PEiD which you can download here:
http://www.mesa-sys.com/~snaker/peid/
later versions will tell you that the signature you posted is typical for:
SafeDisc/SafeCast -> Macrovision
cheers! sna
arctus
11-10-2003, 01:39 PM
Hi,
yes, it's SAFEDISC encryption. I discovered this today when I tried to crack it. Here's what I have found.
The file is encrypted and when run, 3 other files are created (extracted) in the wintemp dir. I dumped the processes with PDump32 and got:
- the original application executable
- ~dexxxx.tmp which is the SAFEDISC routine/module
- 2 other SAFEDISC files
Well, I said to myself, let's start cracking this SAFEDISC routine, when I discovered something I had not seen before. The code was actually changing at runtime when I followed it with softICE (had to use FrogsICE to hide softICE first!). There were JUMP instructions to addresses which did not correlate to any command. The command between the addresses had split up and new commands/instructions were created at runtime.
Is this some sort of mutation protection algorithm?
Can this file be dumped to its static form?
Anyway, I would be very thankful for any advice about how to crack the SAFEDISC protection.
Thank you,
arctus, SI