EXETOOLS FORUM  

01-27-2002, 10:08
shellkiller
Another BUG in LTR and how to Unpack iLUCRYPT correctly

There is another BUG in LTR. It was found when tracing iLUCRYPT v4.015. iLUCRYPT v4.015 uses an INVALID opcode byte 0FFh to fuck some tracers. The trick is like this:
CS:XXXX FF DB FF
FFE2 JMP DX (DX will point to YYYY)
CS:YYYY 662FC706????????ZZZZZZZZ
MOV DWORD PTR CS:[????????],ZZZZZZZZ
But LTR interprets it into:
CS:XXXX FFFF INVALID
E266 LOOP ????
This will send the tracing into an INVALID loop, so you have to exit LTR. If you want to unpack a program packed by iLUCRYPT, I recommend you use DG 0.05 instead.

In 4.015 and 4.019, first use DG XXXX.??? to load it, run it directly and see where exception 6 occurs. DG will exit there and tell you all the registers at that time. Then load it using the command line DG -e XXXX.???, press Ctrl+G to get the IP, then press F4 to reach there. When you encounter PUSH 200 POPF, that will be the end of iLUCRYPT; then it will push the address onto the stack and then exit. (4.019, 4.015 will jump to the address directly.)

iLUCRYPT 4.016-4.018 can be unpacked by LTR directly. First you should run it directly, pressing ESC to switch to LTR frequently. If the event window shows that INT 5 occurred, then be careful. Trace until you reach the jump statement or push XXXX statement, then press F8, and you will reach the OEP.
Always Your Best Friend: ShellKiller
All times are GMT +8.