#1
Unpack, Packer or Compiler?
I have been thinking for a long time about how we can unpack/unprotect apps.
Normally, we unpack with an unpacker, a debugger and so on. That means it is packer-dependent: with a packer update, we have to update our unpacker. What I am thinking about is a compiler-dependent unpacker: if we could develop a tool to unpack apps packed by different packers/protectors, as long as they are compiled with the same compiler. If an app is compiled with VC6++, it may be packed with ASPack or UPX, or protected with aspr and so on, but we would have a tool to unpack it because of its VC6++ compiler, avoiding its packer. For a native Win32 GUI program, the compiler is mostly VC6++, Delphi, BCB, VB or asm. I found that compilers such as MFC, Delphi and VB have their own unique structure in the compiled EXE/DLL file. It is combined from function modules. Two years ago, an OEP-finding tool on the woodmann forum used compiler-dependent technology. DeDe, a Delphi disassembler, uses the same technique, and MFC structure recognition also works. Although more and more protectors use pre-dips tech, I haven't found any dealing with the function module pointers ---- the skeleton of the function modules. So I think it may be workable to do a compiler-dependent unpacker.
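The compiler-signature idea in post #1 (recognising a known CRT/RTL entry stub instead of the packer), as an added example that is not from this thread: a Python scanner that sweeps a memory dump for typical VC6 and Delphi entry prologues and reports them as OEP candidates. The two signatures and the sample buffer are constructed assumptions for illustration, not an exhaustive signature set.

```python
import re

# Entry-stub byte patterns for two common Win32 compilers, written as regexes
# over raw bytes. A '.' is one wildcard byte (immediates differ per binary).
# These two signatures are this example's own assumption of a typical CRT/RTL
# startup prologue; a real scanner would carry a much larger signature set.
COMPILER_SIGNATURES = {
    # VC6 CRT startup: push ebp / mov ebp,esp / push -1 / push imm32 /
    # push imm32 / mov eax,fs:[0]  (the SEH frame set-up of mainCRTStartup)
    "VC6": rb"\x55\x8B\xEC\x6A\xFF\x68....\x68....\x64\xA1\x00\x00\x00\x00",
    # Delphi RTL start: push ebp / mov ebp,esp / add esp,imm8 / mov eax,imm32 /
    # call rel32  (the call into the unit initialisation code)
    "Delphi": rb"\x55\x8B\xEC\x83\xC4.\xB8....\xE8....",
}


def find_oep_candidates(image: bytes):
    """Scan a dumped image for compiler entry stubs.

    Returns a sorted list of (offset, compiler) pairs; each offset is a
    candidate original entry point, independent of whatever packer wrapped it.
    """
    hits = []
    for name, sig in COMPILER_SIGNATURES.items():
        for m in re.finditer(sig, image, re.DOTALL):
            hits.append((m.start(), name))
    return sorted(hits)


def guess_compiler(image: bytes):
    """Name the compiler of the first stub found, or None if nothing matched."""
    hits = find_oep_candidates(image)
    return hits[0][1] if hits else None


# Constructed sample "dump": NOP padding around a VC6-style stub and a
# Delphi-style stub; the immediates are arbitrary values, not real addresses.
VC6_STUB = (b"\x55\x8B\xEC\x6A\xFF\x68\x10\x20\x40\x00\x68\x30\x21\x40\x00"
            b"\x64\xA1\x00\x00\x00\x00")
DELPHI_STUB = b"\x55\x8B\xEC\x83\xC4\xF0\xB8\x00\x30\x40\x00\xE8\x10\x00\x00\x00"
SAMPLE_DUMP = b"\x90" * 16 + VC6_STUB + b"\x90" * 8 + DELPHI_STUB + b"\x90" * 4

if __name__ == "__main__":
    for offset, compiler in find_oep_candidates(SAMPLE_DUMP):
        print(f"OEP candidate at offset 0x{offset:X}: {compiler} entry stub")
```

On a real dump the offsets would be translated to RVAs and checked against the section table before trusting them, since a wildcard pattern this short can also match data.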
#2
Yeah, I got your point... and there are lots of uncompilers, unpackers etc. in the world now...
#3
You can check SCU by Cristoph Gabler. I think he included the source for it. He wrote it for starters and expected someone to like the idea and continue the project, but as far as I see, there was no one who did so. Good luck
#4
Xixiaolou, I think it's not as easy as it seems. Because today packers use a lot of tricks like encrypted/stolen OEP bytes, encrypted sections, decrypting in memory on the fly, redirected/scrambled IAT and other shit, so I would be glad if there were a working unpacker for one of these tricky packers. Coding a universal one is almost impossible today. In my opinion it was possible to code when unpacking was about finding the OEP (not obfuscated, encrypted, etc.) and fixing the IAT (not redirected/scrambled/destroyed), but not today.
#5
Well, I know what you mean, but it's very hard today.
There was an unpacker named UPC that could unpack nearly everything for apps generated by Borland's compiler under DOS. It worked based on the facts that there would be a far jump to reach the OEP of the original app, and that there was a pattern for their initial code. Under Windows, more and more techniques have been developed to obfuscate the edge between the shell and the nut. There is a little code that can camouflage any app into a "VC++ compiled" app...