

Packer Name:      PEX
Packer Author:    bart
Classification:   Compressor
Analysis By:      quig
Last Updated:     June 15 2005

Allocation:       PE Header
Anti-Debug:       no
Anti-Disassembly: yes
Section Name:     blank * 4
Sample:           N/A
Notes
Very cool packer: head-to-toe opcode/asm tricks, and lots of different ones.

The zip contains an IDB of all major portions as well as memory dumps of the allocated and
patched regions of memory. Disassemble them yourself too, for practice.

Took about 6 hrs to get all the way through.

Transfer Command
(this block is patched back in main memory at EP+1)

00409001   FF15 81934000    CALL VirtualFree
00409007   E8 01000000      CALL 0040900D
0040900C   E9               db E9
0040900D   83C4 04          ADD ESP,4
00409010   2BC0             SUB EAX,EAX
00409012   64:8F00          POP DWORD PTR FS:[EAX]
00409015   83C4 0C          ADD ESP,0C
00409018   E8 01000000      CALL 0040901E
0040901D   C7               db C7
0040901E   58               POP EAX
0040901F   61               POPAD
00409020   E8 15000000      CALL 0040903A      ; goto ret address+1
00409025   E8               db E8
00409026   E8 0F000000      CALL 0040903A      ; goto ret address+1
0040902B   9A               db 9A
0040902C   E8 09000000      CALL 0040903A      ; goto ret address+1
00409031   E9               db E9
00409032   68 47104000      PUSH 401047        ; OEP-1 (fake ret address)
00409037   EB 01            JMP SHORT 0040903A
00409039   C7               db C7
0040903A   58               POP EAX            ; 1st=409025, 2nd=40902B, 3rd=409031, 4th=401047
0040903B   40               INC EAX
0040903C   50               PUSH EAX
0040903D   C3               RETN
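As an added example (not part of quig's analysis or of the packer itself), here is a minimal Python emulator for just the seven opcodes the transfer block above uses. The byte image is transcribed from the listing; running it shows the four addresses the CALL / POP EAX / INC EAX / PUSH EAX / RETN chain "returns" to, ending at the OEP 401048, and confirms that the four db bytes are never executed, which is why a linear-sweep disassembler misdecodes this block while a debugger steps through it cleanly.

```python
# Added example (not from the original analysis): emulate the seven opcodes the PEX transfer block uses; bytes transcribed from the listing above.
BASE = 0x409020
CODE = bytes.fromhex(
    "E815000000"  # 409020 CALL 40903A
    "E8"          # 409025 db E8 (junk)
    "E80F000000"  # 409026 CALL 40903A
    "9A"          # 40902B db 9A (junk)
    "E809000000"  # 40902C CALL 40903A
    "E9"          # 409031 db E9 (junk)
    "6847104000"  # 409032 PUSH 401047 (OEP-1, fake return address)
    "EB01"        # 409037 JMP SHORT 40903A
    "C7"          # 409039 db C7 (junk)
    "58"          # 40903A POP EAX
    "40"          # 40903B INC EAX
    "50"          # 40903C PUSH EAX
    "C3"          # 40903D RETN
)
LENGTH = {0xE8: 5, 0xEB: 2, 0x68: 5, 0x58: 1, 0x40: 1, 0x50: 1, 0xC3: 1}

def trace(mem: bytes = CODE, base: int = BASE) -> tuple[set[int], list[int]]:
    """Run from the first byte until control leaves the block. Returns (addresses of
    every byte actually executed, RETN targets in order); the last target is the OEP."""
    eip, eax, stack, covered, rets = base, 0, [], set(), []
    def imm(a, n, s): return int.from_bytes(mem[a - base:a - base + n], "little", signed=s)
    while base <= eip < base + len(mem):
        op = mem[eip - base]
        covered.update(range(eip, eip + LENGTH[op]))  # KeyError if an unexpected opcode runs
        if op == 0xE8:                        # CALL rel32: push return address, jump
            stack.append(eip + 5); eip = (eip + 5 + imm(eip + 1, 4, True)) & 0xFFFFFFFF
        elif op == 0xEB:                      # JMP SHORT rel8
            eip += 2 + imm(eip + 1, 1, True)
        elif op == 0x68:                      # PUSH imm32
            stack.append(imm(eip + 1, 4, False)); eip += 5
        elif op == 0x58:                      # POP EAX: take the return address off the stack
            eax = stack.pop(); eip += 1
        elif op == 0x40:                      # INC EAX: step over the junk byte after the CALL
            eax = (eax + 1) & 0xFFFFFFFF; eip += 1
        elif op == 0x50:                      # PUSH EAX
            stack.append(eax); eip += 1
        else:                                 # RETN: "return" to the adjusted address
            eip = stack.pop(); rets.append(eip)
    return covered, rets

def junk_bytes(mem: bytes = CODE, base: int = BASE) -> list[int]:
    """Bytes no executed instruction touches: the db entries a linear sweep misdecodes."""
    covered, _ = trace(mem, base)
    return [a for a in range(base, base + len(mem)) if a not in covered]

if __name__ == "__main__":
    print([hex(r) for r in trace()[1]], [hex(a) for a in junk_bytes()])
```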
Entry Point Signature
00409000 > E9 F5000000      JMP 004090FA
00409005   0D 0AC4C4C4      OR EAX,C4C4C40A
0040900A   C4C4             LES EAX,ESP
0040900C   C4C4             LES EAX,ESP
0040900E   C4C4             LES EAX,ESP
Known Unpackers
// PeX 0.99 OEP Finder
// by FEUERRADER [AHTeam]
// http://ahteam.org

/*
    IMPORTANT NOTE: before using this script, CHECK the following option -
     Menu -> Options -> Debugging options -> Exceptions -> INT3 breaks
    The script will not work if you do not do that!!!!
*/

var s

eob Break 
eoe exp1
mov s, eip
add s, 01
bphws s, "x"
run

exp1:
esto

Break:
eob Break2 
bphwc s
findop eip, #EB01#
bphws $RESULT, "x"
run

Break2:
bphwc $RESULT
sto
sto
sto
sto
sto
cmt eip, "OEP"
ret
