Another BUG in LTR and how to Unpack iLUCRYPT correctly
There is another BUG in LTR. It was found when tracing iLUCRYPT v4.015. iLUCRYPT v4.015 uses an INVALID opcode byte 0FFh to fuck some tracers. The trick is like this:

    CS:XXXX   FF                          DB FF
              FFE2                        JMP DX        (DX will point to YYYY)
    CS:YYYY   662FC706????????ZZZZZZZZ    MOV DWORD PTR CS:[????????],ZZZZZZZZ

But LTR interprets it as:

    CS:XXXX   FFFF                        INVALID
              E266                        LOOP ????

This will cause the tracing to go into an INVALID loop, so you have to exit LTR.

If you want to unpack a program packed by iLUCRYPT, I recommend you use DG 0.05 instead. For 4.015 and 4.019: first, use DG XXXX.??? to load it, run it directly and see where exception 6 occurs. DG will exit there and tell you all the registers at that time. Then load it using the command line DG -e XXXX.???, press Ctrl+G to get the IP, then press F4 to reach there. When you come to PUSH 200 / POPF, that will be the end of iLUCRYPT; then it will push the address onto the stack and exit. (That is for 4.019; 4.015 will jump to the address directly.)

iLUCRYPT 4.016-4.018 can be unpacked by LTR directly. First you should run it directly, pressing ESC to switch to LTR frequently. If the event window shows that INT 5 occurred, be careful. Trace until you reach the jump statement or the PUSH XXXX statement, then press F8, and you will reach the OEP.

Always Your Best Friend: ShellKiller
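The two readings of that byte stream, as an added example that is not part of ShellKiller's post and is not LTR's or iLUCRYPT's code: a small 16-bit x86 decoder run two ways over a constructed copy of the bytes in the listing. Offsets XXXX=0100h and YYYY=0103h (the MOV directly follows the JMP, which is why LTR sees E2 66), the displacement 1234h and the immediate DEADBEEFh are values chosen for this example, and the CS override is encoded as 2E. The one behaviour the post does not spell out, how the packer's INT 6 handler resumes, is an assumption here: the handler returns one byte past the faulting FF, which is what makes the following FF E2 = JMP DX execute. The CPU-side trace and the LTR-side straight-line decode then diverge exactly as the post describes.

```python
"""Added example (not from the post, LTR, or iLUCRYPT): how treating FF FF as a
2-byte instruction instead of a 1-byte #UD desynchronises a tracer.

Constructed segment image, laid out as the post's listing implies:
  XXXX:   FF FF                      FF /7 is undefined -> #UD (exception 6)
  XXXX+1: FF E2                      JMP DX            (DX = YYYY)
  YYYY:   66 2E C7 06 dddd iiiiiiii  MOV DWORD PTR CS:[dddd],iiiiiiii
Assumption: the packer's INT 6 handler resumes one byte past the faulting FF.
"""

REG16 = ["AX", "CX", "DX", "BX", "SP", "BP", "SI", "DI"]

XXXX, YYYY = 0x0100, 0x0103                      # constructed offsets
IMAGE = bytearray(0x200)                         # constructed code segment
IMAGE[XXXX:XXXX + 3] = bytes.fromhex("FFFFE2")   # FF ; FF E2 = JMP DX
IMAGE[YYYY:YYYY + 10] = (bytes.fromhex("662EC706")               # MOV DWORD PTR CS:[...],...
                         + (0x1234).to_bytes(2, "little")        # disp16 (chosen here)
                         + (0xDEADBEEF).to_bytes(4, "little"))   # imm32 (chosen here)


class UndefinedOpcode(Exception):
    """Where a real CPU raises #UD (exception 6)."""


def decode_one(code, ip):
    """Decode one 16-bit-mode instruction at code[ip]; return (length, text).

    Only the encodings in the post's listing are modelled; anything else is
    reported as a DB so a caller can still advance.
    """
    pos, opsize32, seg = ip, False, ""
    while code[pos] in (0x66, 0x2E):             # operand-size / CS prefixes
        opsize32 |= code[pos] == 0x66
        seg = "CS:" if code[pos] == 0x2E else seg
        pos += 1
    op = code[pos]
    if op == 0xFF:                               # group 5 (INC/DEC/CALL/JMP/PUSH)
        modrm = code[pos + 1]
        mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
        if reg == 7:                             # FF /7 is not defined on any x86
            raise UndefinedOpcode(ip)
        if reg == 4 and mod == 3:                # JMP r16
            return pos + 2 - ip, f"JMP {REG16[rm]}"
        return pos + 2 - ip, "FF group-5 form not modelled"
    if op == 0xE2:                               # LOOP rel8
        rel = code[pos + 1] - (256 if code[pos + 1] >= 0x80 else 0)
        return pos + 2 - ip, f"LOOP {(pos + 2 + rel) & 0xFFFF:04X}"
    if op == 0xC7 and code[pos + 1] == 0x06:     # MOV [disp16], imm16/imm32
        immlen = 4 if opsize32 else 2
        disp = int.from_bytes(code[pos + 2:pos + 4], "little")
        imm = int.from_bytes(code[pos + 4:pos + 4 + immlen], "little")
        width = "DWORD" if opsize32 else "WORD"
        return pos + 4 + immlen - ip, f"MOV {width} PTR {seg}[{disp:04X}],{imm:0{2 * immlen}X}"
    return pos + 1 - ip, f"DB {op:02X}"


def trace_cpu(code, ip, dx, ud_skip=1, max_steps=8):
    """What really executes: #UD at XXXX, the (assumed) handler resumes ud_skip
    bytes later, JMP DX lands on the MOV. Returns [(offset, text), ...]."""
    out = []
    for _ in range(max_steps):
        try:
            length, text = decode_one(code, ip)
        except UndefinedOpcode:
            out.append((ip, "#UD -> INT 6 handler"))
            ip += ud_skip
            continue
        out.append((ip, text))
        if text == "JMP DX":
            ip = dx
        elif text.startswith("MOV"):
            break                                # end of the fragment in the post
        else:
            ip += length
    return out


def trace_linear_like_ltr(code, ip, n=3):
    """LTR's reading per the post: FF FF swallowed as a 2-byte INVALID, then
    straight-line decoding continues from XXXX+2, so E2 66 reads as LOOP and
    everything after it is decoded from the wrong boundary."""
    out = []
    for _ in range(n):
        try:
            length, text = decode_one(code, ip)
        except UndefinedOpcode:
            length, text = 2, "INVALID (FF FF)"
        out.append((ip, text))
        ip += length
    return out


if __name__ == "__main__":
    for label, trace in (("CPU", trace_cpu(IMAGE, XXXX, dx=YYYY)),
                         ("LTR", trace_linear_like_ltr(IMAGE, XXXX))):
        for off, text in trace:
            print(f"{label} CS:{off:04X}  {text}")
```

The CPU-side trace never sees a LOOP at all: the undefined encoding faults at XXXX, the handler resumes at XXXX+1, and JMP DX lands on the DWORD MOV at YYYY. The straight-line decode starts every later instruction one byte late, so the same bytes come out as LOOP followed by a WORD MOV with a truncated immediate, which is the kind of output that tells you the tracer, not the target, has lost sync.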