Exetools  
  #1  
Old 05-08-2005, 10:55
xixiaolou
Unpack, Packer or Compiler?

I have been thinking for a long time about how we can unpack/unprotect apps.
Normally, we unpack with an unpacker, a debugger and so on. That means it is packer-dependent: with a packer update, we have to update our unpacker.
What I think about is a compiler-dependent unpacker: if we can develop a tool to unpack apps packed by different packers/protectors, as long as they were compiled with the same compiler. An app is VC6++ compiled; it may be packed with aspack or upx, or protected with aspr and so on. We have a tool to unpack it because of its VC6++ compiler, ignoring its packer. As a native Win32 GUI program, its compiler is mostly VC6++, Delphi, BCB, VB or asm. I found that compilers/frameworks such as MFC, Delphi and VB have their own unique structure in the compiled EXE/DLL file. It is combined with function modules.

2 years ago, an OEP finding tool in the Woodmann forum used compiler-dependent technology. DeDe, a Delphi disassembler, uses the same technique; MFC structure recognition is also OK.

Although more and more protectors use pre-dips tech, I didn't find any dealing with the function module pointer ---- the skeleton of the function modules. So I think it may be workable to do a compiler-dependent unpacker.
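As an added illustration of the compiler-dependent idea in this post (example code written for this page, not something from the thread or any tool named in it): a small scanner that looks for compiler-specific entry-point prologues in a dumped memory image and reports OEP candidates, ignoring which packer produced the stub in front of them. The byte patterns are the commonly published PEiD-style entry signatures for MSVC 6, Delphi and VB, reproduced from memory and treated as assumptions; the sample dump is constructed.

```python
import re

# PEiD-style entry-point signatures, "??" = wildcard byte.
# Assumed patterns (well-known, but not taken from the thread):
#   MSVC 6 : push ebp; mov ebp,esp; push -1; push X; push Y; mov eax,fs:[0]; push eax; mov fs:[0],esp
#   Delphi : push ebp; mov ebp,esp; add esp,-10h; mov eax,offset; call Sysinit
#   VB 5/6 : push offset VBHeader; call ThunRTMain; padding
SIGNATURES = {
    "MSVC 6 (CRT startup)": "55 8B EC 6A FF 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 64 A1 00 00 00 00 50 64 89 25 00 00 00 00",
    "Delphi": "55 8B EC 83 C4 F0 B8 ?? ?? ?? ?? E8 ?? ?? ?? ??",
    "Visual Basic 5/6 (ThunRTMain)": "68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 00 00 00 00",
}


def compile_signature(sig: str) -> "re.Pattern[bytes]":
    """Turn a space-separated hex signature with ?? wildcards into a bytes regex."""
    parts = []
    for tok in sig.split():
        if tok == "??":
            parts.append(b".")                       # any single byte (DOTALL below)
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


def find_oep_candidates(dump: bytes, base: int = 0):
    """Scan a memory dump for compiler prologues; return sorted (address, compiler) pairs.

    `base` is the virtual address of dump[0], so reported addresses are VAs.
    """
    hits = []
    for name, sig in SIGNATURES.items():
        for m in compile_signature(sig).finditer(dump):
            hits.append((base + m.start(), name))
    return sorted(hits)


def build_sample_dump() -> bytes:
    """Constructed dump: 0x40 bytes of filler standing in for a packer stub,
    then a Delphi-style prologue (push ebp / mov ebp,esp / add esp,-10h /
    mov eax,0x4021A0 / call rel32), then zero padding."""
    filler = b"\x90" * 0x40
    delphi_entry = bytes.fromhex("558BEC83C4F0B8A0214000E8C3F4FFFF")
    return filler + delphi_entry + b"\x00" * 16


if __name__ == "__main__":
    for addr, compiler in find_oep_candidates(build_sample_dump(), base=0x400000):
        print(f"OEP candidate at 0x{addr:08X}: {compiler}")
```

Running it reports the single Delphi candidate at 0x400040; a real dump would be checked the same way after the packer stub has finished decrypting, which is exactly the step the later replies point out is no longer that simple.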
  #2  
Old 05-13-2005, 17:02
ET240
Yeah, I got your point... and there are a lot of uncompiler unpackers etc... in the world now...
  #3  
Old 05-15-2005, 05:40
nikola
You can check SCU by Cristoph Gabler. I think he included the source for it. He wrote it for starters and expected someone to like the idea and continue the project, but as far as I see, there was no one that did so. Good luck.
  #4  
Old 05-15-2005, 18:39
Vepergen
Xixiaolou, I think it's not so easy as it seems, because today's packers use a lot of tricks like crypted/stolen OEP bytes, crypted sections, decrypting in memory on the fly, redirected/scrambled IAT and other shit, so I will be glad if there is a working unpacker for one of these tricky packers. Coding a universal one is almost impossible today. In my opinion it was possible to code when unpacking was about finding the OEP (not obfuscated, crypted etc.) and fixing the IAT (not redirected/scrambled/destroyed), but not today.
  #5  
Old 05-18-2005, 08:34
firstrose
Well, I know what you mean, but it's very hard today.

There was such an unpacker named UPC that could unpack nearly everything for apps generated by Borland's compilers under DOS.

It works depending on the facts that there will be a far jump to reach the OEP of the original app, and that there is a pattern for their initial code.

Under Windows, more and more techniques have been developed to obfuscate the edge between the shell and the nut. There is a little code that can camouflage any app into a "VC++ compiled" app...