#1
Perplexing in determining packers
Being rather new to unpacking, I find it a bit confusing. I'm trying my hand at unpacking CDMA Workshop 3.7.5 and find the following:
PEiD shows UPolyX 0.3 by delikon *. Another scanner shows Themida 2.x. I'm leaning towards Themida because I see, when tracing the code, the following decrypt routine. EP at EC8000; stepping through, I find:
Code:
00EC8046 55          PUSH EBP
00EC8047 89E5        MOV EBP,ESP
00EC8049 50          PUSH EAX
00EC804A 53          PUSH EBX
00EC804B 51          PUSH ECX
00EC804C 56          PUSH ESI
00EC804D 8B75 08     MOV ESI,DWORD PTR SS:[EBP+8]
00EC8050 8B4D 0C     MOV ECX,DWORD PTR SS:[EBP+C]
00EC8053 C1E9 02     SHR ECX,2
00EC8056 8B45 10     MOV EAX,DWORD PTR SS:[EBP+10]
00EC8059 8B5D 14     MOV EBX,DWORD PTR SS:[EBP+14]
00EC805C 85C9        TEST ECX,ECX
00EC805E 74 0A       JE SHORT cdma_wor.00EC806A
00EC8060 3106        XOR DWORD PTR DS:[ESI],EAX
00EC8062 011E        ADD DWORD PTR DS:[ESI],EBX
00EC8064 83C6 04     ADD ESI,4
00EC8067 49          DEC ECX
00EC8068 ^ EB F2     JMP SHORT cdma_wor.00EC805C
That's why I would think it Themida and not UPolyX. But I'm still a noob and figuring things out by trial and error. Any thoughts as to why PEiD might give a wrong packer? Bad signature database?
I should have mentioned the decrypt routine is between 00EC805C and 00EC8068. Not sure if that's just decrypting the unpack code, or what. I'll report back as I find more out.
#2
It could be either or neither, but that is obvious ;p. Both have substantial interests in continually updating their code and making their packers hard to identify by classical tools. Good luck in your further study. I would not exclude either based on differences in other samples they produce, as that would be one of the tricks they employ to confuse reversers.
#3
Much appreciated dbcch. I'm not going to give up. I downloaded the new demo for Themida and encoded an executable I'm familiar with. The result did not trace like my target. I should probably do a Google on the decrypted code. Maybe that will clue me in on why it crashes the debugger. As it is I'm still at a loss. Which is fun, all about the challenge, right?
#4
@PhreakAccident
It's 100% WinLicense.
#5
Thanks. I'll hit the target over the weekend and report back.
#6
It does look like a form of WinLicense. I used the demo of the latest one to protect the RegisterMe.exe file from Lena's tutorial. While the first part of the code at EP is different, the decrypt is identical.
Code:
005EB05C 85C9        TEST ECX,ECX
005EB05E 74 0A       JE SHORT Register.005EB06A
005EB060 3106        XOR DWORD PTR DS:[ESI],EAX
005EB062 011E        ADD DWORD PTR DS:[ESI],EBX
005EB064 83C6 04     ADD ESI,4
005EB067 49          DEC ECX
005EB068 ^ EB F2     JMP SHORT Register.005EB05C
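The decrypt loop quoted in posts #1 and #6 (00EC805C-00EC8068 / 005EB05C-005EB068), written out in Python as an added example; it is not code from the thread or from any packer. The argument-to-register mapping (ESI = buffer, ECX = size, EAX = XOR key, EBX = add key) is read off the MOVs at 00EC804D-00EC8059 in post #1; the key values and sample data below are constructed, and the inverse routine is added only so the transform can be checked by round trip.

```python
import struct

MASK32 = 0xFFFFFFFF


def decrypt_xor_add(buf: bytes, size: int, key_xor: int, key_add: int) -> bytes:
    """Reproduce the loop at 00EC805C-00EC8068 from the thread.

    Register mapping taken from the argument loads in post #1:
      ESI = buf, ECX = size, EAX = key_xor, EBX = key_add.
    ECX is shifted right by 2 first, so the loop walks whole dwords and
    leaves any trailing 1-3 bytes untouched, exactly as the disassembly does.
    """
    out = bytearray(buf)
    count = size >> 2                         # SHR ECX,2
    for i in range(count):                    # TEST ECX,ECX / JE / DEC ECX / JMP
        off = i * 4                           # ADD ESI,4 per iteration
        (dword,) = struct.unpack_from("<I", out, off)
        dword ^= key_xor                      # XOR DWORD PTR DS:[ESI],EAX
        dword = (dword + key_add) & MASK32    # ADD DWORD PTR DS:[ESI],EBX (32-bit wrap)
        struct.pack_into("<I", out, off, dword)
    return bytes(out)


def encrypt_xor_add(buf: bytes, size: int, key_xor: int, key_add: int) -> bytes:
    """Inverse of decrypt_xor_add (subtract EBX, then XOR EAX).

    Not on the page; constructed here so the decrypt routine can be verified
    by round-tripping sample data through both directions.
    """
    out = bytearray(buf)
    for off in range(0, (size >> 2) * 4, 4):
        (dword,) = struct.unpack_from("<I", out, off)
        dword = ((dword - key_add) & MASK32) ^ key_xor
        struct.pack_into("<I", out, off, dword)
    return bytes(out)


if __name__ == "__main__":
    # Constructed sample: 14 bytes = 3 full dwords plus 2 bytes the loop skips.
    plain = b"Hello, packer!"
    enc = encrypt_xor_add(plain, len(plain), 0xDEADBEEF, 0x01020304)
    print(enc.hex(), decrypt_xor_add(enc, len(enc), 0xDEADBEEF, 0x01020304))
```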
#7
The * in PEiD means the detection comes from the UserDB.TXT.
The UPolyX sig is probably rubbish; check it in AddSig v2. Have fun!
BoB
#8
Cheers! Phreak