Posted by hosiminh on 02-17-2005, 21:46
Unknown packer trouble

All my efforts to unpack this baby have failed.

PeID 0.93 says for file "FunnyCreatures.exe": NeoLite vx.x

There is no need to run the installer.
Unpack "fcreatures.exe" with WinRAR (function "extract to").

hxxp://astatix.advanta.org/download/fcreatures.exe (859 kb)

When OllyDbg stopped at Exception C000001E (INVALID LOCK SEQUENCE) (I have everything ticked under Debugging options -> Exceptions), I put a memory breakpoint on access, and I landed here:

0044B8F2 . 66:C1C2 03 ROL DX,3 ; HERE
0044B8F6 . 53 PUSH EBX ; FunnyCre.00502183
0044B8F7 . 68 59529514 PUSH 14955259
0044B8FC . 5B POP EBX ; FunnyCre.00500401
0044B8FD . 81C3 E23D611A ADD EBX,1A613DE2
0044B903 .- E9 75D00B00 JMP FunnyCre.0050897D
0044B908 . 2BCE SUB ECX,ESI ; FunnyCre.00511B18

Checking my log showed that there are a lot of INT3 exceptions.

This unknown protector is checking for CC (bpx, bp) and hardware breakpoints.

I downloaded NeoLite v2, which seems to be the newest version of this packer (hxxp://nmgmt.cs.nchu.edu.tw/nmTool/NEOLTE20.EXE), but this one is piss easy to unpack.

Last edited by hosiminh; 02-17-2005 at 21:48.