📚 OpenRCE is preserved as a read-only archive. Launched at RECon Montreal in 2005. Registration and posting are disabled.

Fake Ninja (Brainstorms - General forum)

Topic created on: October 15, 2007 14:14 CDT by bodzcount.

Does anybody have experience with fake ninja? I can't find any information about it :(

  jms     October 15, 2007 16:18.11 CDT
Are you looking for an unpacker, is that what you mean?

  nezumi     October 15, 2007 16:31.53 CDT
What's ninja? PENinja? Why is it fake?

  jms     October 15, 2007 16:48.59 CDT
If I recall correctly, it's a packer.

  nezumi     October 15, 2007 17:14.07 CDT
Yes, actually it's a packer: http://www.exetools.com/files/protectors/win/peninja.zip and I can't unpack this s... well, this stuff, since it doesn't work at all. See, I wrote the following code:

#include <stdio.h>

/* minimal test program to pack with PENinja */
int main(void)
{
   printf("hello,world!\n");
   return 0;
}

compiled it with MS VC 6.0, packed it with peninja, ran the exe and got an exception. Does anybody have a correctly packed file to analyze?

  sovietskicpu     October 15, 2007 17:38.39 CDT
PeNinja is an old packer, Mr Kris Kaspersky hehe... it ain't targeted at Win2k++, just Win9x only. Try to run it under VMware or similar, or else try to correct the _exception_ by yourself hehe..

  nezumi     October 15, 2007 17:44.19 CDT
Any program that uses OS-specific methods _must_ check the OS version.

  bodzcount     October 15, 2007 17:59.18 CDT
I used RDG and it told me that my target is crypted with fake ninja 2.0 :)
Maybe RDG is not correct...

PS: the actual name is "fake ninja" according to RDG

  sovietskicpu     October 15, 2007 18:18.51 CDT
What do you mean, Kris? It is just a packer, not commercial software; it is not expected that the packer author will check for the OS version.

  sovietskicpu     October 15, 2007 18:22.58 CDT
> bodzcount: PS: the actual name is "fake ninja" according to RDG

hehe, better to say RDG is a fake PEiD-like tool hehe...
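
A worked illustration of what a PEiD/RDG-style identification actually rests on, added here as an example and not part of the original thread or of either tool: the scanner walks the PE headers to the entry point and compares the bytes there against a table of signatures with wildcards, so a short or generic signature will "identify" anything whose stub happens to start the same way. Everything in the block is constructed: the signature table is invented for illustration (it is not the real PEiD or RDG database and says nothing about what PENinja or "fake ninja" really looks like), and the helpers build_pe, entry_point_bytes and identify are hypothetical names; the test files are built in memory rather than read from disk.

```python
"""Entry-point signature matching in the PEiD/RDG style (added example, constructed data)."""
import struct

# Constructed signature table, NOT the real PEiD/RDG database: each entry is the
# byte pattern expected at the entry point, "??" being a one-byte wildcard.
# The names are hypothetical and say nothing about what PENinja really looks like.
SIGNATURES = [
    ("Hypothetical packer A stub", "60 E8 00 00 00 00 5D 81 ED"),  # pushad; call $+5; pop ebp; sub ebp,imm32
    ("Generic pushad/call stub",   "60 E8 ?? ?? ?? ??"),           # fits many delta-offset stubs
    ("MSVC-style prologue",        "55 8B EC"),                    # push ebp; mov ebp,esp (plain compiled code)
]


def parse_sig(sig):
    """'60 E8 ?? ??' -> [0x60, 0xE8, None, None]; None is a wildcard byte."""
    return [None if tok == "??" else int(tok, 16) for tok in sig.split()]


def build_pe(ep_code, code_rva=0x1000, file_align=0x200):
    """Build a minimal PE32 image in memory whose single .text section starts with ep_code.
    Only the fields a signature scanner reads are filled in; the image is not meant to run."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                         # e_lfanew: PE header follows DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)  # i386, 1 section, PE32 optional header
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                           # Magic: PE32
    struct.pack_into("<I", opt, 16, code_rva)                       # AddressOfEntryPoint = start of .text
    struct.pack_into("<I", opt, 28, 0x400000)                       # ImageBase
    struct.pack_into("<I", opt, 32, 0x1000)                         # SectionAlignment
    struct.pack_into("<I", opt, 36, file_align)                     # FileAlignment
    raw_size = -(-len(ep_code) // file_align) * file_align          # round up to file alignment
    sec = struct.pack("<8sIIIIIIHHI", b".text", len(ep_code), code_rva, raw_size,
                      file_align, 0, 0, 0, 0, 0x60000020)           # raw data starts at file_align
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec).ljust(file_align, b"\0")
    return headers + ep_code.ljust(raw_size, b"\0")


def entry_point_bytes(data, n=16):
    """Walk the PE headers, map AddressOfEntryPoint (an RVA) to a file offset, return n bytes."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    coff = e_lfanew + 4
    nsec = struct.unpack_from("<H", data, coff + 2)[0]              # NumberOfSections
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]         # SizeOfOptionalHeader
    opt = coff + 20
    ep_rva = struct.unpack_from("<I", data, opt + 16)[0]            # AddressOfEntryPoint
    sec_table = opt + opt_size
    for i in range(nsec):
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", data, sec_table + 40 * i + 8)
        if vaddr <= ep_rva < vaddr + max(vsize, rawsize):
            off = rawptr + (ep_rva - vaddr)
            return bytes(data[off:off + n])
    raise ValueError("entry point is not inside any section (packed or corrupted header?)")


def identify(data):
    """Return every signature that matches the entry point, most specific (longest) first.
    A tool that prints only one name hides how generic the winning pattern was."""
    ep = entry_point_bytes(data)
    hits = []
    for name, sig in SIGNATURES:
        pat = parse_sig(sig)
        if len(ep) >= len(pat) and all(p is None or p == b for p, b in zip(pat, ep)):
            hits.append((len(pat), name))
    return [name for _, name in sorted(hits, key=lambda h: -h[0])]


if __name__ == "__main__":
    # Constructed stubs: a full delta-offset stub, a plain compiler prologue, and a stub
    # that only the generic pattern fits.
    for label, code in [
        ("delta-offset stub", bytes.fromhex("60E8000000005D81ED00104000C3")),
        ("MSVC hello world",  bytes.fromhex("558BEC83EC40")),
        ("other pushad stub", bytes.fromhex("60E8050000005D")),
    ]:
        pe = build_pe(code)
        print(f"{label:18s} EP={entry_point_bytes(pe, 8).hex()} -> {identify(pe)}")
```

The practical check this suggests: when a scanner reports a name like "fake ninja 2.0", dump the bytes at AddressOfEntryPoint yourself and see how many (and how specific) the matching patterns are; the first sample above is claimed by both the specific and the generic signature, and a tool that stops at its first table entry would report whichever happened to be listed first.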

  nezumi     October 15, 2007 18:31.16 CDT
sovietskicpu
Even a virus must be correct if it wants to survive.

  sovietskicpu     October 15, 2007 19:27.38 CDT
Hey Mister Kris, I just unpacked it right now, how can I send it to you?

It is coded with MASM btw.

  anonymouse     October 16, 2007 12:58.11 CDT
IIRC peninja itself is packed with itself (not sure, but it is packed, and I assume any self-respecting author would use his own product on himself first).

Anyway, the EP for peninja itself is here:

00401581  PUSH 0                                   ; /pModule = NULL
00401583  CALL peninja.004016F3                    ; \GetModuleHandleA
00401588  MOV DWORD PTR DS:[404018],EAX
0040158D  PUSH 0                                   ; /lParam = NULL
0040158F  PUSH peninja.004015AE                    ; |DlgProc = peninja.004015AE
00401594  PUSH 0                                   ; |hOwner = NULL
00401596  PUSH 3E2                                 ; |pTemplate = 3E2
0040159B  PUSH DWORD PTR DS:[404018]               ; |hInst = NULL
004015A1  CALL peninja.0040171D                    ; \DialogBoxParamA
004015A6  PUSH 0                                   ; /ExitCode = 0
004015A8  CALL peninja.004016FF                    ; \ExitProcess
004015AD  RETN

and it probably crashes here:

00401407  |.  0FB758 0C        |MOVZX EBX,WORD PTR DS:[EAX+C]

I didn't check much, but I had a crash when I tried to pack, so I loaded peninja itself and tried to see where it crashes.
