Exetools

Exetools (https://forum.exetools.com/index.php)
-   General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)
-   -   Unknown Packer (https://forum.exetools.com/showthread.php?t=7005)

deephousederek 03-02-2005 08:51

Unknown Packer
 
Hi There,

I've come across what seems to be an unknown packer. At first glance I thought that it was Asprotect, some version, however PEiD can't identify it ?

Any help on identifying the packer, and help on unpacking, greatly appreciated :p

Here's the link to the software....

http://laundry-online.com/tmp/ProForm7.exe

I've managed to debug it using Ollydbg with the HideDebugger plugin, however, I don't even know where to begin to try and identify the packer....

Thanking One & All.....

D....

ilyacr 03-02-2005 14:47

1 Attachment(s)
deephousederek
Most likely this is Asprotect. Much of the code looks like Asprotect.
00A0E295 BA 70E5A000 MOV EDX,0A0E570 ; ASCII ".key"
00A0E29A 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
00A0E29D E8 3EE9FFFF CALL 00A0CBE0
00A0E2A2 84C0 TEST AL,AL
00A0E2A4 74 17 JE SHORT 00A0E2BD
00A0E2A6 B9 80E5A000 MOV ECX,0A0E580 ; ASCII "regfile"
Such code is often found in Asprotect.

Here is the unpacked file. It must work.

V0ldemAr 03-02-2005 18:48

It seems to be ASPack 2.11

hosiminh 03-02-2005 19:14

ilyacr:

Instead of giving the unpacked file it would be better to tell how to do it, otherwise nobody will learn anything. I see you played with IIDKing in sections. Could you please explain a little about this step ?


deephousederek:

Go to: Options -> Debugging options -> Exceptions , untick everything .

Load the file and run the target. You will stop at the exception "Illegal instruction".
Press "shift+F9" to pass the exception. Damn , now comes another exception. Repeat the previous step (shift+F9) until you pass all exceptions. This is the last one (if you press shift+F9 once again , the target runs)

00A8053D 8DC0 LEA EAX,EAX ; Illegal use of register
00A8053F EB 01 JMP SHORT 00A80542

Now go to "Memory map" , Section : code and put "memory bp on access"

Pass the final exception and due to the memory bp you will land at the OEP (at 005005D8) .

deephousederek 03-03-2005 00:25

Thanks People....
 
Hi There,

Thanks ilyacr for the unpacked file, thanks to hosiminh for explaining how to do it 9-)

Just one extra little question however, how come PEiD doesn't identify it as ASPack v2.11 ? Has the author done something else to disguise the packer ?

Just wondering why PEiD failed to identify the packer ? Is this a new version of ASPack ? Or has the author done something else to the executable to hide the packer details ?

I've done as you've said to find the OEP...

"Pass the final exception and due to the memory bp you will land at the OEP (at 005005D8)"

I've landed here, and used OllyDump to dump the process, however the dumped file doesn't run, any ideas ?

Not too familiar with OllyDump, so maybe there is some option I need to check in order to dump this correctly ?

Thanks....

D...
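On the question of why PEiD did not recognise the packer: PEiD matches fixed byte signatures around the entry point, so a stub it has no signature for (a newer build, or one whose first bytes were altered) simply goes unidentified, while the structural traces of packing in the PE section table remain. The script below is an added example, not code from anyone in this thread. It reads the section headers of a PE image and reports the heuristics an analyst or a triage pipeline would use to flag a packed file regardless of signature: a section whose virtual size far exceeds its raw size (it is filled in at run time), raw data with near-maximal entropy (compressed or encrypted), and section names that well-known packers leave behind. The sample PE is constructed inline and is not a real program; the packer section-name list is an assumption, a short illustrative set rather than a signature database.

```python
"""Packer heuristics over PE section headers (constructed sample, no real binary)."""
import hashlib
import math
import struct

# Section names that well-known packers leave behind. Assumption: a short
# illustrative list for the example, not an exhaustive signature database.
PACKER_SECTION_NAMES = {".aspack", ".adata", "UPX0", "UPX1", ".petite", ".nsp0"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 8.0 for uniformly random data, 0.0 for a constant."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes):
    """Return (name, virtual_size, raw_size, raw_bytes) for every section header."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_opt = struct.unpack_from("<H", pe, coff + 16)[0]  # SizeOfOptionalHeader
    sec_off = coff + 20 + size_opt                          # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(num_sections):
        off = sec_off + 40 * i
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, _va, rsize, rptr = struct.unpack_from("<IIII", pe, off + 8)
        sections.append((name, vsize, rsize, pe[rptr:rptr + rsize]))
    return sections


def packer_findings(pe: bytes):
    """Map section name -> list of heuristic hits (empty list means nothing suspicious)."""
    findings = {}
    for name, vsize, rsize, raw in parse_sections(pe):
        hits = []
        if name in PACKER_SECTION_NAMES:
            hits.append("known packer section name")
        if rsize and shannon_entropy(raw) > 7.0:
            hits.append("high entropy raw data (compressed/encrypted)")
        if vsize > 4 * max(rsize, 1):
            hits.append("virtual size far exceeds raw size (unpacked at run time)")
        findings[name] = hits
    return findings


def build_sample_pe() -> bytes:
    """Constructed PE32 image: a packed-looking .text and a plain .data section."""
    # 4096 deterministic high-entropy bytes stand in for a compressed code section.
    packed = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
    plain = b"\0" * 512
    e_lfanew, size_opt = 0x40, 224                      # PE32 optional header size
    hdr_end = e_lfanew + 4 + 20 + size_opt + 2 * 40      # two section headers
    raw0, raw1 = hdr_end, hdr_end + len(packed)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, size_opt, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (size_opt - 2)

    def sec(name, vsize, va, rsize, rptr):
        return struct.pack("<8sIIIIIIHHI", name, vsize, va, rsize, rptr, 0, 0, 0, 0, 0x60000020)

    headers = (dos + b"PE\0\0" + coff + opt
               + sec(b".text", 0x20000, 0x1000, len(packed), raw0)   # grows 32x at run time
               + sec(b".data", len(plain), 0x30000, len(plain), raw1))
    assert len(headers) == hdr_end
    return headers + packed + plain


if __name__ == "__main__":
    for section, hits in packer_findings(build_sample_pe()).items():
        print(section, hits or "clean")
```

Run stand-alone it flags the constructed .text on both the entropy and the size-mismatch heuristics and reports .data as clean. Pointing `packer_findings` at real bytes read from disk works unchanged, because it only depends on the documented header layout; the thresholds (entropy above 7.0, virtual size more than four times raw) are the example's own choices and worth tuning against a known-good corpus before relying on them for triage.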

ilyacr 03-03-2005 15:23

1 Attachment(s)
Attached is a video article on unpacking. See what I did, and everything will immediately become understandable.

Vepergen 03-04-2005 10:24

It's packed with old AsProtect 1.1 .. :D

Crk 03-04-2005 12:54

1 Attachment(s)
unpacked and cracked! winall working. enjoy :D

taos 03-04-2005 22:12

Quote:

Originally Posted by Crk
unpacked and cracked! winall working. enjoy :D

"sounds very mysterious", too :D and this is not a request forum...

Only a joke... only... ;)

Regards.

deephousederek 03-06-2005 03:57

Hi Crk,

Care to explain how you went about cracking Proform ? I spent a couple of hours attempting to crack it by patching the check for 'Registered' in a number of locations, thought I had it, by patching 3-4 locations, it ended up crashing tho 8-(

I also spotted that it used the TTomEncryption module, however when I put breaks on it using OllyDbg they were never hit ?

The other thing I spotted was that it checked the registry for a number of items....

Thanks....

D....

P.S. How do I get my status upgraded to allow me to download the attachments, my understanding was that once I reached 3 I would be allowed to dl these ? :confused:

JMI 03-06-2005 10:04

You understand the promotion steps by reading this thread:

http://www.exetools.com/forum/showthread.php?t=6206

And you "earn" promotion by following the rules. One of them which you have been ignoring, is that you can't come back every few minutes and start another post. That is what the edit button is for. I have combined several of your posts in this Thread into fewer posts. The other option I had was to delete it altogether, so you have been given a break.

Nearly all your posts were in this thread and they were all about you just asking for help on this one project. That is not a very good way to "earn" the right to download.

Regards,
