Exetools

Exetools (https://forum.exetools.com/index.php)
-   General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)
-   -   code is not ok (https://forum.exetools.com/showthread.php?t=8574)

abccc 12-05-2005 01:54

code is not ok
 
Hi All

I've been trying to unpack an application that was packed with Armadillo, and everything went ok except one thing. This is what I did:

bp on CreateThread, ctrl+f9 + f7, I should return to code and then look for call ecx or call edi.

And what really happened: when I returned to code I found this

00F01A61 8B DB 8B
00F01A62 4D DB 4D ; CHAR 'M'
00F01A63 08 DB 08
00F01A64 81 DB 81
00F01A65 E1 DB E1
00F01A66 FF DB FF
00F01A67 00 DB 00
00F01A68 00 DB 00
00F01A69 00 DB 00
00F01A6A 85 DB 85
00F01A6B C9 DB C9
00F01A6C 74 DB 74 ; CHAR 't'
00F01A6D 06 DB 06
00F01A6E FF DB FF
00F01A6F 15 DB 15
00F01A70 . A490F200 DD <&KERNEL32.FreeConsole>
00F01A74 C6 DB C6
00F01A75 85 DB 85
00F01A76 28 DB 28 ; CHAR '('
00F01A77 FF DB FF
00F01A78 FF DB FF


And I tried to analyze it with ctrl+A, but it was already analyzed.


When I removed the analysis I got this

00F01A61 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8]
00F01A64 81E1 FF000000 AND ECX,0FF
00F01A6A 85C9 TEST ECX,ECX
00F01A6C 74 06 JE SHORT SuperUti.00F01A74
00F01A6E FF15 A490F200 CALL NEAR DWORD PTR DS:[<&KERNEL32.FreeConso>; kernel32.FreeConsole
00F01A74 C685 28FFFFFF 00 MOV BYTE PTR SS:[EBP-D8],0
00F01A7B C745 FC 00000000 MOV DWORD PTR SS:[EBP-4],0
00F01A82 8D95 E8F5FFFF LEA EDX,DWORD PTR SS:[EBP-A18]
00F01A88 8995 E4F5FFFF MOV DWORD PTR SS:[EBP-A1C],EDX
00F01A8E 60 PUSHAD
00F01A8F 33C0 XOR EAX,EAX
00F01A91 75 02 JNZ SHORT SuperUti.00F01A95
00F01A93 EB 15 JMP SHORT SuperUti.00F01AAA
00F01A95 EB 33 JMP SHORT SuperUti.00F01ACA
00F01A97 C075 18 7A SAL BYTE PTR SS:[EBP+18],7A ; Shift constant out of range 1..31
00F01A9B 0C 70 OR AL,70
00F01A9D 0E PUSH CS
00F01A9E EB 0D JMP SHORT SuperUti.00F01AAD
00F01AA0 E8 720E79F1 CALL F2692917
00F01AA5 FF15 00790974 CALL NEAR DWORD PTR DS:[74097900]
00F01AAB F0:EB 87 LOCK JMP SHORT SuperUti.00F01A35 ; LOCK prefix is not allowed


I'm stuck, don't know how to continue....

Any help will be appreciated.
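An added note and example (not part of the thread): the pair at 00F01A8F/00F01A91 in the listing above is an opaque predicate. XOR EAX,EAX always sets ZF, so the JNZ can never be taken; the bytes at 00F01A95 are junk and the live path is the JMP SHORT at 00F01A93 to 00F01AAA. This Python scan, written for this page and not a general disassembler, matches that pattern in a byte buffer (sample bytes copied from the listing) and reports which successor is live and which is dead, the check an analyst does before trusting the disassembler's flow.

```python
from dataclasses import dataclass
from typing import List

# Opcodes matched by this minimal (hypothetical) pattern scanner
XOR_EAX_EAX = (b"\x33\xc0", b"\x31\xc0")   # both encodings of XOR EAX,EAX
JZ_SHORT, JNZ_SHORT, JMP_SHORT = 0x74, 0x75, 0xEB

@dataclass
class OpaquePredicate:
    xor_addr: int       # address of XOR EAX,EAX (sets ZF=1 unconditionally)
    jcc_addr: int       # address of the JZ/JNZ that tests that fixed ZF
    always_taken: bool  # JZ after the xor is always taken, JNZ never is
    live: int           # the only successor control can reach (one short JMP resolved)
    dead: int           # the successor the jcc can never reach: junk bytes

def _rel8(code: bytes, i: int) -> int:
    """Signed 8-bit displacement of a short jump whose rel8 byte is code[i]."""
    return int.from_bytes(code[i:i + 1], "little", signed=True)

def find_opaque_predicates(code: bytes, base: int) -> List[OpaquePredicate]:
    """Scan code (loaded at base) for XOR EAX,EAX followed by a short JZ/JNZ."""
    found: List[OpaquePredicate] = []
    i = 0
    while i + 3 < len(code):
        if code[i:i + 2] in XOR_EAX_EAX and code[i + 2] in (JZ_SHORT, JNZ_SHORT):
            jcc = i + 2
            after = base + jcc + 2                   # fall-through address
            target = after + _rel8(code, jcc + 1)    # address if the jcc is taken
            taken = code[jcc] == JZ_SHORT
            live, dead = (target, after) if taken else (after, target)
            # The live path often starts with a short JMP to the real code; follow it once.
            off = live - base
            if 0 <= off < len(code) - 1 and code[off] == JMP_SHORT:
                live = live + 2 + _rel8(code, off + 1)
            found.append(OpaquePredicate(base + i, base + jcc, taken, live, dead))
            i = jcc + 2
        else:
            i += 1
    return found

# Constructed sample: the bytes shown in the listing at 00F01A8E..00F01A96
SAMPLE = bytes.fromhex("60 33C0 7502 EB15 EB33")
SAMPLE_BASE = 0x00F01A8E

if __name__ == "__main__":
    for p in find_opaque_predicates(SAMPLE, SAMPLE_BASE):
        kind = "always taken" if p.always_taken else "never taken"
        print(f"{p.xor_addr:08X}: XOR EAX,EAX; jcc at {p.jcc_addr:08X} is {kind}; "
              f"live path -> {p.live:08X}, dead bytes at {p.dead:08X}")
```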

MaRKuS-DJM 12-05-2005 04:03

I remember I cracked an old version of Super Utilities; it had CopyMem II. It's not arma standard.

Jay 12-05-2005 04:54

O/T: it brought a smile to my face. I seem to recall unpacking that too (reasonably sure it's the same app): run it, quit, and it deleted the unpacked version and copied a backup of the original from the Windows folder into the install folder.

MaRKuS-DJM 12-05-2005 06:30

Hehe, yeah, now I remember that too.
Either you can copy the file to the Windows dir and overwrite the old one, or patch the extra check. Also the shell extension had a check.

abccc 12-05-2005 23:04

Ok ....

Can anybody summarize the steps to unpack that ..... :confused:

abccc 12-08-2005 20:59

MaRKuS-DJM or somebody..... can I have some tips? :)

hosiminh 12-08-2005 21:47

What is the unpackme name/version/link to DL/approx. size?
Armadillo uses code obfuscation...
