Packer Name:      PEX
Packer Author:    bart
Classification:   Compressor
Analysis By:      quig
Last Updated:     June 15 2005

Allocation:       PE Header
Anti-Debug:       no
Anti-Disassembly: yes
Section Name:     blank * 4
Sample:           N/A
Notes
Very cool packer: opcode/asm tricks from head to toe, and lots of different ones.

The zip contains an IDB of all major portions as well as memdumps of the allocated and
patched regions of memory. Disassemble them yourself too, for practice.

Took about 6 hrs to get all the way through.

Transfer Command
(this block is patched back into main memory at EP+1)

00409001   FF15 81934000    CALL VirtualFree
00409007   E8 01000000      CALL 0040900D
0040900C   E9               db E9
0040900D   83C4 04          ADD ESP,4
00409010   2BC0             SUB EAX,EAX
00409012   64:8F00          POP DWORD PTR FS:[EAX]
00409015   83C4 0C          ADD ESP,0C
00409018   E8 01000000      CALL 0040901E
0040901D   C7               db C7
0040901E   58               POP EAX
0040901F   61               POPAD
00409020   E8 15000000      CALL 0040903A      ; goto ret address+1
00409025   E8               db E8
00409026   E8 0F000000      CALL 0040903A      ; goto ret address+1
0040902B   9A               db 9A
0040902C   E8 09000000      CALL 0040903A      ; goto ret address+1
00409031   E9               db E9
00409032   68 47104000      PUSH 401047        ; OEP-1 (fake return address)
00409037   EB 01            JMP SHORT 0040903A
00409039   C7               db C7
0040903A   58               POP EAX            ; 1st=409025, 2nd=40902B, 3rd=409031, 4th=401047
0040903B   40               INC EAX
0040903C   50               PUSH EAX
0040903D   C3               RETN
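To see why the db bytes never execute and where the stub finally lands, here is an added Python example (not part of quig's analysis and not code from the PEX packer) that models only the seven instruction forms used by the stub above and follows control flow through the bytes from 00409020 to 0040903D. The byte string is assembled from the listing; the emulator, its register model and the function names are my own assumptions and handle nothing beyond this stub.

```python
# Minimal emulator for the PEX transfer stub: CALL rel32, JMP rel8, PUSH imm32,
# POP EAX, INC EAX, PUSH EAX and RETN are the only opcodes it understands.
# It records which addresses actually execute, so the junk "db" bytes that a
# linear disassembler trips over can be shown to lie outside the real path.

# Bytes constructed from the disassembly listing, 00409020..0040903D.
STUB_BASE = 0x409020
STUB_BYTES = bytes.fromhex(
    "E815000000"      # 409020 CALL 40903A
    "E8"              # 409025 junk byte (never executed)
    "E80F000000"      # 409026 CALL 40903A
    "9A"              # 40902B junk byte
    "E809000000"      # 40902C CALL 40903A
    "E9"              # 409031 junk byte
    "6847104000"      # 409032 PUSH 401047 (OEP-1)
    "EB01"            # 409037 JMP SHORT 40903A
    "C7"              # 409039 junk byte
    "58"              # 40903A POP EAX
    "40"              # 40903B INC EAX
    "50"              # 40903C PUSH EAX
    "C3"              # 40903D RETN
)


def trace_stub(code, base, max_steps=100):
    """Follow control flow from `base` until EIP leaves the stub.

    Returns (exit_address, executed) where `executed` is the ordered list of
    instruction addresses that were actually run.
    """
    eip, eax, stack, executed = base, 0, [], []
    end = base + len(code)
    for _ in range(max_steps):
        if not base <= eip < end:
            return eip, executed            # control transferred out of the stub
        executed.append(eip)
        off = eip - base
        op = code[off]
        if op == 0xE8:                      # CALL rel32: push return address, jump
            rel = int.from_bytes(code[off + 1:off + 5], "little", signed=True)
            stack.append(eip + 5)
            eip = eip + 5 + rel
        elif op == 0xEB:                    # JMP rel8
            rel = int.from_bytes(code[off + 1:off + 2], "little", signed=True)
            eip = eip + 2 + rel
        elif op == 0x68:                    # PUSH imm32
            stack.append(int.from_bytes(code[off + 1:off + 5], "little"))
            eip += 5
        elif op == 0x58:                    # POP EAX
            eax = stack.pop()
            eip += 1
        elif op == 0x40:                    # INC EAX (return address + 1 skips the junk byte)
            eax = (eax + 1) & 0xFFFFFFFF
            eip += 1
        elif op == 0x50:                    # PUSH EAX
            stack.append(eax)
            eip += 1
        elif op == 0xC3:                    # RETN: pop the (adjusted) address into EIP
            eip = stack.pop()
        else:
            raise ValueError(f"unhandled opcode {op:02X} at {eip:08X}")
    raise RuntimeError("stub did not exit within max_steps")


def find_oep(code=STUB_BYTES, base=STUB_BASE):
    """Address the stub's final RETN lands on; for this stub that is the OEP."""
    exit_addr, _ = trace_stub(code, base)
    return exit_addr


def junk_bytes_skipped(code=STUB_BYTES, base=STUB_BASE):
    """True if none of the db bytes in the listing were ever executed."""
    _, executed = trace_stub(code, base)
    return all(a not in executed for a in (0x409025, 0x40902B, 0x409031, 0x409039))


if __name__ == "__main__":
    oep, path = trace_stub(STUB_BYTES, STUB_BASE)
    print("executed:", " ".join(f"{a:08X}" for a in path))
    print(f"stub exits to {oep:08X}")
```

Each CALL pushes the address of the junk byte that follows it; POP/INC/PUSH/RETN turns that into "return address + 1", so execution resumes at the next real instruction while a linear sweep decodes the junk byte as the start of a bogus instruction. The last round uses the pushed 401047 instead of a return address, which is why the stub exits at 401048.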
Entry Point Signature
00409000 > E9 F5000000      JMP 004090FA
00409005   0D 0AC4C4C4      OR EAX,C4C4C40A
0040900A   C4C4             LES EAX,ESP
0040900C   C4C4             LES EAX,ESP
0040900E   C4C4             LES EAX,ESP
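An added Python example (not part of the original page or of any PEX tooling) showing how a scanner might use the entry point signature above together with the blank section names from the table: it reads the PE32 headers, maps the AddressOfEntryPoint RVA to a file offset, and compares the entry bytes against the signature with the JMP displacement wildcarded, since that displacement depends on the packed file's layout. The minimal PE image it builds and checks is constructed here as a stand-in and is not a PEX sample; the function names are my own assumptions.

```python
import struct

# Entry point signature taken from the listing above; the five-byte JMP keeps
# its opcode but the rel32 displacement is wildcarded ("??").
PEX_EP_SIGNATURE = "E9 ?? ?? ?? ?? 0D 0A C4 C4 C4 C4 C4 C4 C4 C4 C4"


def parse_signature(sig):
    """'E9 ?? 0D' -> [0xE9, None, 0x0D]; None matches any byte."""
    return [None if tok == "??" else int(tok, 16) for tok in sig.split()]


def match_signature(data, sig):
    pattern = parse_signature(sig)
    if len(data) < len(pattern):
        return False
    return all(p is None or p == b for p, b in zip(pattern, data))


def parse_pe(image):
    """Return (entry_rva, sections) for a PE32 image.

    sections is a list of (name, virtual_address, raw_size, raw_pointer).
    """
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    size_opt = struct.unpack_from("<H", image, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", image, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    entry_rva = struct.unpack_from("<I", image, opt + 16)[0]
    sections = []
    table = opt + size_opt
    for i in range(num_sections):
        off = table + i * 40
        name = image[off:off + 8]
        _vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", image, off + 8)
        sections.append((name, vaddr, rawsize, rawptr))
    return entry_rva, sections


def rva_to_offset(rva, sections):
    for _name, vaddr, rawsize, rawptr in sections:
        if vaddr <= rva < vaddr + rawsize:
            return rawptr + (rva - vaddr)
    raise ValueError("RVA not backed by file data")


def looks_like_pex(image):
    """Check the two static indicators this page records for PEX."""
    entry_rva, sections = parse_pe(image)
    ep_off = rva_to_offset(entry_rva, sections)
    ep_bytes = image[ep_off:ep_off + 16]
    return {
        "entry_rva": entry_rva,
        "entry_signature": match_signature(ep_bytes, PEX_EP_SIGNATURE),
        "blank_section_names": all(name.strip(b"\0 ") == b"" for name, *_ in sections),
    }


def build_sample_image():
    """Constructed minimal PE32 (not a real PEX sample): one blank-named section
    mapped at RVA 0x9000 whose first bytes are the entry point bytes above."""
    ep_bytes = bytes.fromhex("E9F5000000" + "0D0A" + "C4" * 9)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic
    struct.pack_into("<I", opt, 16, 0x9000)                  # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                # ImageBase -> EP at 00409000
    # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
    # relocation/line-number fields, Characteristics (code|exec|read)
    section = struct.pack("<8sIIIIIIHHI", b"\0" * 8, 0x1000, 0x9000, 0x200,
                          0x200, 0, 0, 0, 0, 0xE0000020)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + section).ljust(0x200, b"\0")
    return headers + ep_bytes.ljust(0x200, b"\0")


if __name__ == "__main__":
    print(looks_like_pex(build_sample_image()))
```

Both indicators are cheap to check and cheap for a packer author to change, so treat a hit as a reason to look at the entry point in a debugger rather than as proof on its own.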
Known Unpackers
// PeX 0.99 OEP Finder
// by FEUERRADER [AHTeam]
// http://ahteam.org

/*
    IMPORTANT NOTE: before using this script, CHECK the following option -
     Menu -> Options -> Debugging options -> Exceptions -> INT3 breaks
    The script will not work if you do not do that!
*/

var s

eob Break               // on breakpoint, continue at Break
eoe exp1                // on exception, continue at exp1
mov s, eip              // s = entry point
add s, 01               // EP+1: the transfer block is patched back here
bphws s, "x"            // hardware breakpoint on execute at EP+1
run

exp1:
esto                    // pass the exception to the debuggee and keep running

Break:
eob Break2
bphwc s                 // clear the EP+1 breakpoint
findop eip, #EB01#      // locate the JMP SHORT in the transfer stub
bphws $RESULT, "x"      // break on it
run

Break2:
bphwc $RESULT
sto                     // JMP SHORT
sto                     // POP EAX
sto                     // INC EAX
sto                     // PUSH EAX
sto                     // RETN, lands at the OEP
cmt eip, "OEP"
ret
