Exetools

Exetools (https://forum.exetools.com/index.php)
-   General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)
-   -   Perplexing in determining packers (https://forum.exetools.com/showthread.php?t=13856)

PhreakAccident 11-08-2011 04:15

Perplexing in determining packers
 
Being rather new to unpacking, I find it a bit confusing. I'm trying my hand at unpacking CDMA Workshop 3.7.5 and find the following:

PEiD shows UPolyX 0.3 by delikon *

Another scanner shows Themida 2.x

I'm leaning towards Themida because I see, when tracing the code, the following decrypt routine. The EP is at EC8000; stepping through, I find:

Code:

00EC8046    55              PUSH EBP
00EC8047    89E5            MOV EBP,ESP
00EC8049    50              PUSH EAX
00EC804A    53              PUSH EBX
00EC804B    51              PUSH ECX
00EC804C    56              PUSH ESI
00EC804D    8B75 08         MOV ESI,DWORD PTR SS:[EBP+8]      ; arg1: buffer pointer
00EC8050    8B4D 0C         MOV ECX,DWORD PTR SS:[EBP+C]      ; arg2: size in bytes
00EC8053    C1E9 02         SHR ECX,2                         ; size / 4 = dword count
00EC8056    8B45 10         MOV EAX,DWORD PTR SS:[EBP+10]     ; arg3: XOR key
00EC8059    8B5D 14         MOV EBX,DWORD PTR SS:[EBP+14]     ; arg4: ADD key
00EC805C    85C9            TEST ECX,ECX                      ; loop: dwords left?
00EC805E    74 0A           JE SHORT cdma_wor.00EC806A
00EC8060    3106            XOR DWORD PTR DS:[ESI],EAX
00EC8062    011E            ADD DWORD PTR DS:[ESI],EBX
00EC8064    83C6 04         ADD ESI,4
00EC8067    49              DEC ECX
00EC8068  ^ EB F2           JMP SHORT cdma_wor.00EC805C

Then a few pushes and a RETN that goes to 00AB8000, and if tracing in Olly it crashes.

That's why I would think it's Themida and not UPolyX. But I'm still a noob and figuring things out by trial and error. Any thought as to why PEiD might give a wrong packer? Bad signature database?

I should have mentioned the decrypt routine is between 00EC805C and 00EC8068. Not sure if that's just decrypting the unpack code, or what. I'll report back as I find more out.

dbcch 11-14-2011 10:50

It could be either or neither, but that is obvious ;p. Both have substantial interests in continually updating their code and making their packers hard to identify by classical tools. Good luck in your further study. I would not exclude either based on differences in other samples they produce, as that would be one of the tricks they employ to confuse reversers.

PhreakAccident 11-15-2011 06:59

Much appreciated dbcch. I'm not going to give up. I downloaded the new demo for Themida and encoded an executable I'm familiar with. The result did not trace like my target. I should probably do a Google on the decrypted code. Maybe that will clue me in on why it crashes the debugger. As it is I'm still at a loss. Which is fun, all about the challenge, right?

JeRRy 11-15-2011 11:57

@PhreakAccident

It's 100% WinLicense.

PhreakAccident 11-22-2011 23:28

Quote:

Originally Posted by JeRRy (Post 75861)
@PhreakAccident

It's 100% WinLicense.

Thanks. I'll hit the target over the weekend and report back.

PhreakAccident 11-26-2011 15:43

It does look like a form of WinLicense. I used the demo of the latest one to protect the RegisterMe.exe file from Lena's tutorial. While the first part of the code at EP is different, the decrypt is identical.

Code:

005EB05C    85C9            TEST ECX,ECX
005EB05E    74 0A           JE SHORT Register.005EB06A
005EB060    3106            XOR DWORD PTR DS:[ESI],EAX
005EB062    011E            ADD DWORD PTR DS:[ESI],EBX
005EB064    83C6 04         ADD ESI,4
005EB067    49              DEC ECX
005EB068  ^ EB F2           JMP SHORT Register.005EB05C

The decrypt routine starts at 005EB05C and the decrypted code sits starting at 0051A000. The routine is spot on. Now I just have to work on the manual unpack. Much thanks for the lead!
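The loop quoted in both listings (XOR each dword with EAX, then ADD EBX, for size >> 2 dwords) is simple enough to model directly. The following is an added example, not code from the thread: it mirrors the routine's register semantics in Python so that an identified stub can be checked against a memory dump, and it includes the inverse transform for building known-answer tests. Keys and sample bytes are constructed, not taken from the target.

```python
import struct

MASK32 = 0xFFFFFFFF


def decrypt_block(buf: bytes, size: int, xor_key: int, add_key: int) -> bytes:
    """Model of the loop at 00EC805C / 005EB05C.

    buf     -> ESI  (buffer pointer)
    size    -> ECX  (byte count; SHR ECX,2 turns it into a dword count)
    xor_key -> EAX
    add_key -> EBX
    Each dword is XORed with EAX, then EBX is added with 32-bit wraparound.
    Bytes past the last whole dword are never touched, because the
    remainder of size / 4 is discarded by the shift.
    """
    out = bytearray(buf)
    count = size >> 2  # SHR ECX,2
    for i in range(count):
        off = i * 4
        (d,) = struct.unpack_from("<I", out, off)  # DWORD PTR DS:[ESI]
        d = (d ^ xor_key) & MASK32                 # XOR DWORD PTR [ESI],EAX
        d = (d + add_key) & MASK32                 # ADD DWORD PTR [ESI],EBX
        struct.pack_into("<I", out, off, d)        # write back, ADD ESI,4
    return bytes(out)


def encrypt_block(buf: bytes, size: int, xor_key: int, add_key: int) -> bytes:
    """Inverse of decrypt_block (SUB then XOR), for constructing test data."""
    out = bytearray(buf)
    for i in range(size >> 2):
        off = i * 4
        (d,) = struct.unpack_from("<I", out, off)
        d = (d - add_key) & MASK32
        d = (d ^ xor_key) & MASK32
        struct.pack_into("<I", out, off, d)
    return bytes(out)


if __name__ == "__main__":
    # Constructed sample: 14 bytes, so the last 2 bytes must stay untouched.
    plain = bytes(range(14))
    xor_key, add_key = 0xDEADBEEF, 0x01020304  # constructed keys
    enc = encrypt_block(plain, len(plain), xor_key, add_key)
    assert enc[12:] == plain[12:]
    assert decrypt_block(enc, len(enc), xor_key, add_key) == plain
    print("round trip OK:", enc.hex())
```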

BoB 11-28-2011 02:55

The * in PEiD means the detection comes from the UserDB.TXT.
The UPolyX sig is probably rubbish; check it in AddSig v2 :)

Have fun!
BoB

PhreakAccident 11-29-2011 07:27

Quote:

Originally Posted by BoB (Post 76078)
The * in PEiD means the detection comes from the UserDB.TXT.
The UPolyX sig is probably rubbish; check it in AddSig v2 :)

Have fun!
BoB

I will at that, Bob. Thank you for the pointer on the asterisk, good to know. I spotted the decrypt routine with Lena's tutorial help, so I'm going slow at this just so I can get it right. I don't want to be a script kiddie if I can help it!

Cheers!
Phreak
