Exetools  

Go Back   Exetools > General > General Discussion

Notices

Reply
 
Thread Tools Display Modes
  #1  
Old 11-08-2011, 04:15
PhreakAccident
 
Posts: n/a
Perplexing in determining packers

Being rather new to unpacking, I find it a bit confusing. I'm trying my hand at unpacking CDMA Workshop 3.7.5 and find the following:

PEiD shows UPolyX 0.3 by delikon *

Another scanner shows Themida 2.x

I'm leaning towards Themida because I see, when tracing the code, the following decrypt routine. EP at EC8000 stepping through I find:

Code:
00EC8046    55              PUSH EBP
00EC8047    89E5            MOV EBP,ESP
00EC8049    50              PUSH EAX
00EC804A    53              PUSH EBX
00EC804B    51              PUSH ECX
00EC804C    56              PUSH ESI
00EC804D    8B75 08         MOV ESI,DWORD PTR SS:[EBP+8]
00EC8050    8B4D 0C         MOV ECX,DWORD PTR SS:[EBP+C]
00EC8053    C1E9 02         SHR ECX,2
00EC8056    8B45 10         MOV EAX,DWORD PTR SS:[EBP+10]
00EC8059    8B5D 14         MOV EBX,DWORD PTR SS:[EBP+14]
00EC805C    85C9            TEST ECX,ECX
00EC805E    74 0A           JE SHORT cdma_wor.00EC806A
00EC8060    3106            XOR DWORD PTR DS:[ESI],EAX
00EC8062    011E            ADD DWORD PTR DS:[ESI],EBX
00EC8064    83C6 04         ADD ESI,4
00EC8067    49              DEC ECX
00EC8068  ^ EB F2           JMP SHORT cdma_wor.00EC805C
Then a few pushes and a RETN that goes to 00AB8000, and if tracing in Olly it crashes.

That's why I would think it Themida and not UPolyX. But I'm still a noob and figuring things out by trial and error. Any thought as to why PEiD might give a wrong packer? Bad signature database?

I should have mentioned the decrypt routine is between 00EC805C and 00EC8068. Not sure if that's just decrypting the unpack code, or what. I'll report back as I find more out.
Reply With Quote
  #2  
Old 11-14-2011, 10:50
dbcch
 
Posts: n/a
It could be either or neither, but that is obvious ;p. Both have substantial interests in continually updating their code and making their packers hard to identify by classical tools. Good luck in your further study. I would not exclude either based on differences in other samples they produce, as that would be one of the tricks they employ to confuse reversers.
Reply With Quote
  #3  
Old 11-15-2011, 06:59
PhreakAccident
 
Posts: n/a
Much appreciated dbcch. I'm not going to give up. I downloaded the new demo for Themida and encoded an executable I'm familiar with. The result did not trace like my target. I should probably do a Google on the decrypted code. Maybe that will clue me in on why it crashes the debugger. As it is I'm still at a loss. Which is fun, all about the challenge, right?
Reply With Quote
  #4  
Old 11-15-2011, 11:57
JeRRy's Avatar
JeRRy JeRRy is offline
VIP
 
Join Date: Oct 2010
Posts: 121
Rept. Given: 89
Rept. Rcvd 205 Times in 72 Posts
Thanks Given: 14
Thanks Rcvd at 26 Times in 12 Posts
JeRRy Reputation: 200-299 JeRRy Reputation: 200-299 JeRRy Reputation: 200-299
@PhreakAccident

Its 100% WinLicense.
Reply With Quote
  #5  
Old 11-22-2011, 23:28
PhreakAccident
 
Posts: n/a
Quote:
Originally Posted by JeRRy View Post
@PhreakAccident

Its 100% WinLicense.
Thanks. I'll hit the target over the weekend and report back.
Reply With Quote
  #6  
Old 11-26-2011, 15:43
PhreakAccident
 
Posts: n/a
It does look like a form of WinLicense. I used the demo of the latest one to protect the RegisterMe.exe file from Lena's tutorial. While the first part of the code at EP is different, the decrypt is identical.

Code:
005EB05C     85C9               TEST ECX,ECX
005EB05E     74 0A              JE SHORT Register.005EB06A
005EB060     3106               XOR DWORD PTR DS:[ESI],EAX
005EB062     011E               ADD DWORD PTR DS:[ESI],EBX
005EB064     83C6 04           ADD ESI,4
005EB067     49                  DEC ECX
005EB068   ^ EB F2             JMP SHORT Register.005EB05C
The decrypt routine starts at 005EB05C and the decrypted code sits starting at 0051A000. The routine is spot on. Now I just have to work on the manual unpack. Much thanks for the lead!
Reply With Quote
  #7  
Old 11-28-2011, 02:55
BoB's Avatar
BoB BoB is offline
Lo*eXeTools*rd
 
Join Date: Jun 2009
Location: England
Posts: 85
Rept. Given: 88
Rept. Rcvd 56 Times in 24 Posts
Thanks Given: 2
Thanks Rcvd at 2 Times in 2 Posts
BoB Reputation: 56
The * in PEiD means the detection comes from the UserDB.TXT ..
The UPolyX sig is probably rubbish, check it in AddSig v2

Have fun!
BoB
Reply With Quote
  #8  
Old 11-29-2011, 07:27
PhreakAccident
 
Posts: n/a
Quote:
Originally Posted by BoB View Post
The * in PEiD means the detection comes from the UserDB.TXT ..
The UPolyX sig is probably rubbish, check it in AddSig v2

Have fun!
BoB
I will at that Bob. Thank you for the pointer on the asterisk, good to know. I spotted the decrypt routine with Lena's tutorial help, so I'm going slow at this just so I can get it right. I don't want to be a script kiddie if I can help it!

Cheers!
Phreak
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
MAC OSX Packers omidgl General Discussion 1 06-21-2011 05:39
determining packer version on packed exe rix General Discussion 10 10-15-2003 18:59
Packers SLIM SLIM General Discussion 9 12-02-2002 23:54


All times are GMT +8. The time now is 16:48.


Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX, chessgod101
( 1998 - 2024 )