#1
code is not ok
Hi All
I've been trying to unpack an application that was packed with Armadillo and everything went OK except one thing. This is what I did: bp on CreateThread, Ctrl+F9 + F7. I should return to code and then look for call ecx or call edi. And what really happened when I returned to code, I found this:

00F01A61   8B             DB 8B
00F01A62   4D             DB 4D                 ; CHAR 'M'
00F01A63   08             DB 08
00F01A64   81             DB 81
00F01A65   E1             DB E1
00F01A66   FF             DB FF
00F01A67   00             DB 00
00F01A68   00             DB 00
00F01A69   00             DB 00
00F01A6A   85             DB 85
00F01A6B   C9             DB C9
00F01A6C   74             DB 74                 ; CHAR 't'
00F01A6D   06             DB 06
00F01A6E   FF             DB FF
00F01A6F   15             DB 15
00F01A70 . A490F200       DD <&KERNEL32.FreeConsole>
00F01A74   C6             DB C6
00F01A75   85             DB 85
00F01A76   28             DB 28                 ; CHAR '('
00F01A77   FF             DB FF
00F01A78   FF             DB FF

and tried to analyze it with Ctrl+A, but it was already analyzed. When I remove the analysis I get this:

00F01A61   8B4D 08            MOV ECX,DWORD PTR SS:[EBP+8]
00F01A64   81E1 FF000000      AND ECX,0FF
00F01A6A   85C9               TEST ECX,ECX
00F01A6C   74 06              JE SHORT SuperUti.00F01A74
00F01A6E   FF15 A490F200      CALL NEAR DWORD PTR DS:[<&KERNEL32.FreeConso>   ; kernel32.FreeConsole
00F01A74   C685 28FFFFFF 00   MOV BYTE PTR SS:[EBP-D8],0
00F01A7B   C745 FC 00000000   MOV DWORD PTR SS:[EBP-4],0
00F01A82   8D95 E8F5FFFF      LEA EDX,DWORD PTR SS:[EBP-A18]
00F01A88   8995 E4F5FFFF      MOV DWORD PTR SS:[EBP-A1C],EDX
00F01A8E   60                 PUSHAD
00F01A8F   33C0               XOR EAX,EAX
00F01A91   75 02              JNZ SHORT SuperUti.00F01A95
00F01A93   EB 15              JMP SHORT SuperUti.00F01AAA
00F01A95   EB 33              JMP SHORT SuperUti.00F01ACA
00F01A97   C075 18 7A         SAL BYTE PTR SS:[EBP+18],7A                      ; Shift constant out of range 1..31
00F01A9B   0C 70              OR AL,70
00F01A9D   0E                 PUSH CS
00F01A9E   EB 0D              JMP SHORT SuperUti.00F01AAD
00F01AA0   E8 720E79F1        CALL F2692917
00F01AA5   FF15 00790974      CALL NEAR DWORD PTR DS:[74097900]
00F01AAB   F0:EB 87           LOCK JMP SHORT SuperUti.00F01A35                 ; LOCK prefix is not allowed

I'm stuck, don't know how to continue.... any help will be appreciated
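An added illustration, not from the poster or the thread: the Python below walks the bytes copied from the listing above (from 00F01A8E on) the way the CPU would. XOR EAX,EAX always sets ZF, so the JNZ at 00F01A91 is never taken and the JMP at 00F01A93 is, landing at 00F01AAA, an address that OllyDbg's linear sweep only ever showed as the inside of the bogus CALL at 00F01AA5. That is why everything listed from 00F01A95 onward reads as nonsense: the analyser decoded junk bytes linearly, not the path that executes. The opcode model and the set of listed instruction starts are constructed from the post's listing only.

```python
# Added illustration, not from the post: a toy walker over the bytes copied from the
# listing above (from 00F01A8E). Models only PUSHAD, XOR EAX,EAX and rel8 jumps.
BASE = 0x00F01A8E
CODE = bytes.fromhex(
    "60"        # 00F01A8E PUSHAD
    "33C0"      # 00F01A8F XOR EAX,EAX  -> ZF=1 unconditionally
    "7502"      # 00F01A91 JNZ +2       -> never taken after XOR EAX,EAX
    "EB15"      # 00F01A93 JMP +15      -> the branch that really executes
    "EB33C075187A0C700EEB0DE8720E79F1"   # 00F01A95.. bytes the linear sweep decoded as junk
    "FF1500790974F0EB87"                 # 00F01AA5.. ditto
)
# Instruction start addresses exactly as OllyDbg's linear sweep listed them.
LINEAR_STARTS = {BASE + off for off in
                 (0x00, 0x01, 0x03, 0x05, 0x07, 0x09, 0x0D, 0x0F, 0x10, 0x12, 0x17, 0x1D)}

def follow_flow(code, base, linear_starts, max_steps=32):
    """Walk the bytes the way the CPU would and stop at the first instruction
    start the linear listing never showed. Returns (trace, stop_address)."""
    pc, zf, trace = base, None, []
    for _ in range(max_steps):
        if pc not in linear_starts:          # landed inside a "decoded" junk instruction
            break
        off = pc - base; op = code[off]
        if op == 0x60:                       # PUSHAD: flags untouched
            trace.append((pc, "PUSHAD")); pc += 1
        elif op == 0x33 and code[off + 1] == 0xC0:   # XOR EAX,EAX -> ZF=1
            zf = True
            trace.append((pc, "XOR EAX,EAX")); pc += 2
        elif op in (0x74, 0x75, 0xEB):       # JE / JNZ / JMP SHORT rel8
            rel = int.from_bytes(code[off + 1:off + 2], "little", signed=True)
            target = pc + 2 + rel
            if op != 0xEB and zf is None:    # flags unknown: cannot decide statically
                break
            taken = op == 0xEB or (zf if op == 0x74 else not zf)
            name = {0x74: "JE", 0x75: "JNZ", 0xEB: "JMP"}[op]
            trace.append((pc, f"{name} SHORT {target:08X} ({'taken' if taken else 'not taken'})"))
            pc = target if taken else pc + 2
        else:                                # anything else is outside this toy model
            break
    return trace, pc

def lies_inside_linear_instruction(addr, linear_starts):
    """True when addr is strictly inside an instruction the linear sweep reported."""
    starts = sorted(linear_starts)
    return any(a < addr < b for a, b in zip(starts, starts[1:]))
if __name__ == "__main__":
    trace, stop = follow_flow(CODE, BASE, LINEAR_STARTS)
    print("\n".join(f"{a:08X}  {t}" for a, t in trace))
    print(f"real flow resumes at {stop:08X}; mid-instruction in the listing: "
          f"{lies_inside_linear_instruction(stop, LINEAR_STARTS)}")
```

Running it prints the four instructions that really execute and reports 00F01AAA as the point where the listing's instruction boundaries and the real ones diverge.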
#2
I remember I cracked an old version of Super Utilities, it had CopyMem II. It's not Arma standard.
#3
O/T: it brought a smile to my face. I seem to recall unpacking that too (reasonably sure it's the same app): run it, quit, and it deleted the unpacked version and copied a backup of the original from the Windows folder into the install folder.
#4
Hehe, yeah, now I remember that too.
Either you can copy the file to the Windows dir and overwrite the old one, or patch the extra check. Also the shell extension had a check.
#5
OK....
Can anybody summarize the steps to unpack that?.....
#6
MaRKuS-DJM or somebody..... can I have some tips?
#7
What is the unpackme name/version/link to DL/approx. size?
Armadillo uses code obfuscation...