

Packer Name: Teraphy
Packer Author: unknown
Classification: Crypter
Analysis By: quig
Last Updated: April 30 2005

Allocation: VirtualAlloc() + PE Header
Anti-Debug: no
Anti-Disassembly: no
Section Name: .teraphy
Sample: N/A
Notes
The sections are munged first and decoded in place.
A memory buffer is then allocated and the demunged values are decoded into it.
The decoded opcodes are transferred from the buffer back to the section.
The IAT is restored.
All registers are restored and execution hops to the OEP.

Note: large blocks of the exe could not be modified, or the decrypt routine errors out.
An idb is available for this one only (the sample could not be sanitized).

The idb has had the actual code sections removed; just the packer stub remains.

Transfer Command
0044307F   8B85 95334000    MOV EAX,DWORD PTR SS:[EBP+403395]
00443085   8B9D 9A334000    MOV EBX,DWORD PTR SS:[EBP+40339A]
0044308B   03C3             ADD EAX,EBX
...
00443093   FFE0             JMP EAX   --------------- OEP
Entry Point Signature
00443000 > 53               PUSH EBX
00443001   51               PUSH ECX
00443002   52               PUSH EDX
00443003   56               PUSH ESI
00443004   57               PUSH EDI
00443005   55               PUSH EBP
00443006   E8 00000000      CALL $+5    
0044300B   5D               POP EBP                    ;ebp=eip
0044300C   8BD5             MOV EDX,EBP
0044300E   81ED A2304000    SUB EBP,4030A2
00443014   2B95 91334000    SUB EDX,DWORD PTR SS:[EBP+403391]
0044301A   81EA 0B000000    SUB EDX,0B
00443020   8995 9A334000    MOV DWORD PTR SS:[EBP+40339A],EDX
00443026   80BD 99334000 00 CMP BYTE PTR SS:[EBP+403399],0
0044302D   74 50            JE SHORT 0044307F                        
0044302F   E8 02010000      CALL 00443136        ----Load ptrs to Virtual Alloc/Free
00443034   8BFD             MOV EDI,EBP
         decryptNextSection:
00443036   8D9D 9A334000    LEA EBX,DWORD PTR SS:[EBP+40339A]
0044303C   8B1B             MOV EBX,DWORD PTR DS:[EBX]
0044303E   8D87 9E334000    LEA EAX,DWORD PTR DS:[EDI+40339E]
00443044   8B00             MOV EAX,DWORD PTR DS:[EAX]
00443046   03D8             ADD EBX,EAX
00443048   8D8F A2334000    LEA ECX,DWORD PTR DS:[EDI+4033A2]
0044304E   8B09             MOV ECX,DWORD PTR DS:[ECX]
00443050   66:8B85 8F334000 MOV AX,WORD PTR SS:[EBP+40338F]
00443057   8003 10          ADD BYTE PTR DS:[EBX],10         ----
0044305A   3003             XOR BYTE PTR DS:[EBX],AL            |
0044305C   3023             XOR BYTE PTR DS:[EBX],AH            |
0044305E   8003 AA          ADD BYTE PTR DS:[EBX],0AA           +--Demunge sect
00443061   66:C1C0 03       ROL AX,3                            |
00443065   86E0             XCHG AL,AH                          |
00443067   43               INC EBX                             |
00443068  ^E2 ED            LOOPD SHORT 00443057             ----    
0044306A   E8 FF000000      CALL 0044316E  ;decrypt section to mem copyback to sect  
0044306F   83C7 08          ADD EDI,8
00443072   FE8D 99334000    DEC BYTE PTR SS:[EBP+403399]
00443078  ^75 BC            JNZ SHORT 00443036  ----decryptNextSection
0044307A   E8 16000000      CALL 00443095       --- restore IAT Stuff
0044307F   8B85 95334000    MOV EAX,DWORD PTR SS:[EBP+403395] ;OEP offset
00443085   8B9D 9A334000    MOV EBX,DWORD PTR SS:[EBP+40339A] ;400000
0044308B   03C3             ADD EAX,EBX
0044308D   5D               POP EBP
0044308E   5F               POP EDI
0044308F   5E               POP ESI
00443090   5A               POP EDX
00443091   59               POP ECX
00443092   5B               POP EBX
00443093   FFE0             JMP EAX   ---------------jmp OEP 
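As an added worked example (not code from the original analysis or from the packer itself), the demunge loop at 00443057-00443068 and the per-section outer loop around it, modelled in Python. The 16-bit key word (AX, loaded from [EBP+40338F]) and the (RVA, size) records walked by EDI are treated as inputs, since the sample is not available; the inverse routine is included only so the model can be round-trip checked.

```python
# Added example, not code from the original analysis: a Python model of the
# Teraphy stub's demunge loop (00443057-00443068) and its per-section outer loop.
# The 16-bit key (AX, loaded from [EBP+40338F]) and the (RVA, size) records are
# treated as inputs here; in the stub they live in its own data area.

def rol16(v: int, n: int) -> int:
    """ROL on a 16-bit register (ROL AX,n)."""
    n %= 16
    return ((v << n) | (v >> (16 - n))) & 0xFFFF

def next_key(ax: int) -> int:
    """Per-byte key schedule: ROL AX,3 then XCHG AL,AH."""
    ax = rol16(ax, 3)
    return ((ax & 0xFF) << 8) | (ax >> 8)

def teraphy_demunge(data: bytes, key: int) -> bytes:
    """The LOOPD body, one byte per iteration; ECX = section size, AX = key."""
    out = bytearray(data)
    ax = key & 0xFFFF
    for i in range(len(out)):
        al, ah = ax & 0xFF, ax >> 8
        b = (out[i] + 0x10) & 0xFF   # ADD BYTE PTR [EBX],10
        b ^= al                      # XOR BYTE PTR [EBX],AL
        b ^= ah                      # XOR BYTE PTR [EBX],AH
        out[i] = (b + 0xAA) & 0xFF   # ADD BYTE PTR [EBX],0AA
        ax = next_key(ax)            # ROL AX,3 ; XCHG AL,AH
    return bytes(out)

def teraphy_munge(data: bytes, key: int) -> bytes:
    """Exact inverse of the loop (what the packer applied); used to round-trip
    the model, since the real sample is not available."""
    out = bytearray(data)
    ax = key & 0xFFFF
    for i in range(len(out)):
        al, ah = ax & 0xFF, ax >> 8
        b = (out[i] - 0xAA) & 0xFF
        out[i] = ((b ^ ah ^ al) - 0x10) & 0xFF
        ax = next_key(ax)
    return bytes(out)

def demunge_sections(image: bytearray, records, key: int) -> bytearray:
    """Outer loop 00443036-00443078: one (rva, size) record per section, EDI
    stepping 8 bytes per record; each section is decoded in place and AX is
    reloaded from the same key word for every section."""
    for rva, size in records:
        image[rva:rva + size] = teraphy_demunge(bytes(image[rva:rva + size]), key)
    return image
```

Because the two XORs share one register, the per-byte transform is really ADD 0x10, XOR (AL ^ AH), ADD 0xAA, which is why the key schedule rather than the byte operations carries all of the variation.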
Known Unpackers
