

Packer Name:       FSG 1.33
Packer Author:     dulek
Classification:    Compressor
Analysis By:       quig
Last Updated:      June 15 2005

Allocation:        PE Header (sect 1)
Anti-Debug:        yes
Anti-Disassembly:  yes
Section Name:      [blank]
Sample:            N/A
Notes
IAT built at runtime, all DLLs explicitly loaded with calls to LoadLibrary().

The stub is essentially straight-line logic with a few built-in helper functions that it calls out to and then returns from into the main stub.

The JE to the OEP stands out because of its target address range (see the listing below: it jumps to 0040126C while the stub itself lives around 00405Fxx), and it sits close to the end of the stub.

Offsets should line up with the sample.

Transfer Command
The JE sits in the middle of the loop that resolves imports and stores each result with STOS: DEC BYTE PTR DS:[ESI] is followed directly by JE, so when the byte at [ESI] counts down to zero the stub leaves the loop and jumps to the OEP at 0040126C.

00405FAA   79 05            JNS SHORT length2.00405FB1
00405FAC   46               INC ESI
00405FAD   AD               LODS DWORD PTR DS:[ESI]
00405FAE   50               PUSH EAX
00405FAF   EB 09            JMP SHORT length2.00405FBA
00405FB1   FE0E             DEC BYTE PTR DS:[ESI]
00405FB3  -0F84 B3B2FFFF    JE length2.0040126C     -----OEP-------
00405FB9   56               PUSH ESI
00405FBA   55               PUSH EBP
00405FBB   FF53 04          CALL DWORD PTR DS:[EBX+4]
00405FBE   AB               STOS DWORD PTR ES:[EDI]
00405FBF  ^EB E0            JMP SHORT length2.00405FA1
00405FC1   33C9             XOR ECX,ECX
00405FC3   41               INC ECX
00405FC4   FF13             CALL DWORD PTR DS:[EBX]
00405FC6   13C9             ADC ECX,ECX
00405FC8   FF13             CALL DWORD PTR DS:[EBX]
00405FCA  ^72 F8            JB SHORT length2.00405FC4
00405FCC   C3               RETN
00405FCD   02D2             ADD DL,DL
00405FCF   75 05            JNZ SHORT length2.00405FD6
00405FD1   8A16             MOV DL,BYTE PTR DS:[ESI]
00405FD3   46               INC ESI
00405FD4   12D2             ADC DL,DL
00405FD6   C3               RETN
00405FD7   FF5F 00          CALL FAR FWORD PTR DS:[EDI]       
00405FDA   0000             ADD BYTE PTR DS:[EAX],AL
00405FDC   0000             ADD BYTE PTR DS:[EAX],AL
00405FDE   0000             ADD BYTE PTR DS:[EAX],AL
00405FE0   0000             ADD BYTE PTR DS:[EAX],AL
00405FE2   005401 00        ADD BYTE PTR DS:[ECX+EAX],DL
00405FE6   00FF             ADD BH,BH
00405FE8   5F               POP EDI
00405FE9   0000             ADD BYTE PTR DS:[EAX],AL
00405FEB   0000             ADD BYTE PTR DS:[EAX],AL
00405FED   0000             ADD BYTE PTR DS:[EAX],AL
00405FEF   0000             ADD BYTE PTR DS:[EAX],AL
00405FF1   0000             ADD BYTE PTR DS:[EAX],AL
00405FF3   0000             ADD BYTE PTR DS:[EAX],AL
00405FF5   0000             ADD BYTE PTR DS:[EAX],AL
00405FF7   0000             ADD BYTE PTR DS:[EAX],AL
00405FF9   0000             ADD BYTE PTR DS:[EAX],AL
00405FFB   0000             ADD BYTE PTR DS:[EAX],AL
Entry Point Signature
BE [4Bytes]      MOV ESI,Address
AD               LODS DWORD PTR DS:[ESI]
93               XCHG EAX,EBX
AD               LODS DWORD PTR DS:[ESI]
97               XCHG EAX,EDI
AD               LODS DWORD PTR DS:[ESI]
56               PUSH ESI
96               XCHG EAX,ESI
B2 80            MOV DL,80
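As an added example (not part of the original entry and not loveboom's script), the following Python pulls the two static checks on this page together: it matches the entry point signature with the MOV ESI immediate wildcarded, and it locates the DEC BYTE PTR DS:[ESI] / JE rel32 pair in the stub listing to compute the JE target, i.e. the OEP, from the rel32 without running anything. It also checks that the JE lies inside the loop closed by the backward JMP SHORT, and reproduces the OEP-finder script's "return address minus 0xB" arithmetic. The stub bytes are transcribed from the listing above (base 00405FAA); the entry point bytes are constructed, and the MOV ESI operand in them is an arbitrary placeholder because the page does not give the sample's real value.

```python
import struct

# Entry point signature from the page. None marks a wildcard byte: the
# four bytes are the imm32 operand of MOV ESI,imm32.
FSG133_EP_SIG = [0xBE, None, None, None, None,
                 0xAD, 0x93, 0xAD, 0x97, 0xAD, 0x56, 0x96, 0xB2, 0x80]

# Constructed entry point bytes: signature with an arbitrary placeholder
# operand (0x11223344 is NOT the sample's value, which the page omits).
EP_BYTES = b"\xBE" + struct.pack("<I", 0x11223344) + \
           bytes([0xAD, 0x93, 0xAD, 0x97, 0xAD, 0x56, 0x96, 0xB2, 0x80])

# Stub bytes transcribed from the listing, 00405FAA..00405FD6.
STUB_BASE = 0x405FAA
STUB = bytes.fromhex(
    "7905" "46" "AD" "50" "EB09"            # JNS / INC ESI / LODS / PUSH EAX / JMP
    "FE0E" "0F84B3B2FFFF"                   # DEC BYTE PTR [ESI] / JE 0040126C
    "56" "55" "FF5304" "AB" "EBE0"          # PUSH ESI / PUSH EBP / CALL [EBX+4] / STOS / JMP 00405FA1
    "33C9" "41" "FF13" "13C9" "FF13" "72F8" "C3"
    "02D2" "7505" "8A16" "46" "12D2" "C3"
)


def match_signature(code: bytes, sig) -> bool:
    """True if `code` starts with `sig`; None entries match any byte."""
    if len(code) < len(sig):
        return False
    return all(s is None or s == b for s, b in zip(sig, code))


def mov_esi_operand(code: bytes) -> int:
    """Return the little-endian imm32 of the leading MOV ESI,imm32 (BE xx xx xx xx)."""
    if code[:1] != b"\xBE":
        raise ValueError("code does not start with MOV ESI,imm32")
    return struct.unpack_from("<I", code, 1)[0]


def find_oep_transfer(stub: bytes, base: int):
    """Locate 'DEC BYTE PTR [ESI]; JE rel32' (FE 0E 0F 84 rel32) in the stub.

    Returns (address_of_je, je_target). The target is the address of the
    instruction after the 6-byte JE plus the signed rel32.
    """
    off = stub.find(b"\xFE\x0E\x0F\x84")
    if off < 0:
        return None
    je_off = off + 2
    rel32 = struct.unpack_from("<i", stub, je_off + 2)[0]
    je_addr = base + je_off
    return je_addr, je_addr + 6 + rel32


def loop_bounds(stub: bytes, base: int, je_addr: int):
    """Heuristic: scan forward from the JE for the first backward JMP SHORT
    (EB rel8 with rel8 < 0) and return (loop_start, loop_end). This is a
    linear byte scan, not a disassembler, which is adequate for this stub."""
    off = je_addr - base + 6
    while off + 1 < len(stub):
        if stub[off] == 0xEB:
            rel8 = struct.unpack_from("<b", stub, off + 1)[0]
            if rel8 < 0:
                end = base + off + 2
                return end + rel8, end
        off += 1
    return None


def je_address_from_return(ret_addr: int) -> int:
    """What the OEP-finder script computes with 'sub addr,B': the return
    address after CALL DWORD PTR DS:[EBX+4] minus JE(6)+PUSH(1)+PUSH(1)+CALL(3)."""
    return ret_addr - 0xB


if __name__ == "__main__":
    print("entry point matches FSG 1.33 signature:",
          match_signature(EP_BYTES, FSG133_EP_SIG))
    print("MOV ESI operand: %08X" % mov_esi_operand(EP_BYTES))
    je_addr, oep = find_oep_transfer(STUB, STUB_BASE)
    start, end = loop_bounds(STUB, STUB_BASE, je_addr)
    print("JE at %08X -> OEP %08X, inside loop [%08X, %08X): %s"
          % (je_addr, oep, start, end, start <= je_addr < end))
```

Running it against the transcribed bytes reports the JE at 00405FB3 with target 0040126C, inside the loop 00405FA1..00405FC1, which is exactly what the listing shows; on a real sample you would read the stub from the file instead of the embedded constant.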
Known Unpackers
/*
//////////////////////////////////////////////////
	FSG 1.33 OEP Finder v0.2
	Author:	loveboom
	Email : bmd2chen@tom.com
	OS    : Win2kADV sp2,OllyDbg 1.1b,OllyScript v0.62
	Date  : 2004-4-2
	Config: N/A
	Note  : If you have one or more questions,
		please email me, thank you!
//////////////////////////////////////////////////
*/

// addr  : address of the JE that transfers control to the OEP
// addr1 : eip after stepping over that JE, minus the JE's length
var addr
var addr1

// Break on the stub's first call to LoadLibraryA.
gpa "LoadLibraryA","kernel32.dll"
bp $RESULT
run

lbl1:
  bc $RESULT
  // Return to the stub, then break on its first GetProcAddress call.
  rtu
  gpa "GetProcAddress","kernel32.dll"
  bp $RESULT
  eob lbl2
  run

lbl2:
  bc $RESULT
  eob lbl3
  // Return to the instruction after CALL DWORD PTR DS:[EBX+4].
  rtu

lbl3:
  // The JE to the OEP lies 0xB bytes before that return address:
  // JE rel32 (6) + PUSH ESI (1) + PUSH EBP (1) + CALL [EBX+4] (3).
  mov addr,eip
  sub addr,B
  bp addr
  eob lbl4
  run

lbl4:
  // Step over the JE. If it was not taken, eip == addr + 6 (JE is
  // 6 bytes) and we keep looping; if it was taken, eip is the OEP.
  sto
  mov addr1,eip
  sub addr1,6
  cmp addr1,addr
  jne lblend

loop:
  run
  jmp lbl4

lblend:
  bc addr
  cmt eip,"OEP found, please dump it!"
  msg "Script by loveboom[DFCG],Thank you for using my Script!"
  ret
