Exetools  

  #8  
Old 12-10-2004, 07:32
nikita@work
 
Quote:
Originally Posted by Jay
throw us a quick tut together then will you.
It will be really short.
Go to the end of the packed stream and look for code like this:
Code:
pop edx
pushad
mov ebx, PackedStreamSize
mov esi, offset PackedStream
lea edi, RawDataOffset
Just rip the decompress function (or use lzo1x from Oberhummer's UCL) and the postfilter (only if relocs are present). To decrypt the imports you will need the RC4 key from the protector runtime context. And near the key there are the original OEP address, ImageBase, IAT address, etc.

P.S. There is an original PE header at the end of the unpacked stream. So, as I said before, it looks like a UPX-based product ;)

Last edited by nikita@work; 12-10-2004 at 07:44.
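
The P.S. above says the original PE header sits at the end of the unpacked stream. As an added example (not part of the original post), this Python code scans an already-unpacked buffer backwards for a plausible PE32 header and reads ImageBase and the entry point from it. The function names and the sample buffer are constructed for illustration, and a 32-bit x86 image is assumed.

```python
import struct

PE_SIG = b"PE\x00\x00"
MACHINE_I386 = 0x014C   # IMAGE_FILE_MACHINE_I386
PE32_MAGIC = 0x010B     # IMAGE_NT_OPTIONAL_HDR32_MAGIC

def parse_pe32_header(buf, pos):
    """Validate a candidate 'PE\\0\\0' at pos; return key fields or None."""
    if pos + 56 > len(buf):               # signature + COFF (20) + 32 bytes of optional header
        return None
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", buf, pos + 4)
    (magic,) = struct.unpack_from("<H", buf, pos + 24)
    if machine != MACHINE_I386 or magic != PE32_MAGIC:
        return None                       # bytes that merely look like the signature
    if not 0 < nsections <= 96 or opt_size < 32:
        return None
    (entry_rva,) = struct.unpack_from("<I", buf, pos + 24 + 16)   # AddressOfEntryPoint
    (image_base,) = struct.unpack_from("<I", buf, pos + 24 + 28)  # ImageBase
    return {"offset": pos, "sections": nsections,
            "image_base": image_base, "oep": image_base + entry_rva}

def find_trailing_pe_header(buf):
    """Search from the end of buf for the last header that passes validation."""
    pos = buf.rfind(PE_SIG)
    while pos != -1:
        hdr = parse_pe32_header(buf, pos)
        if hdr is not None:
            return hdr
        pos = buf.rfind(PE_SIG, 0, pos + len(PE_SIG) - 1)  # next candidate further left
    return None

def build_sample():
    """Constructed test buffer: filler, a valid PE32 header, then a decoy signature."""
    coff = struct.pack("<HHIIIHH", MACHINE_I386, 3, 0, 0, 0, 0xE0, 0x010F)
    opt = struct.pack("<HBB7I", PE32_MAGIC, 6, 0,
                      0x1000, 0x1000, 0,        # SizeOfCode / init / uninit data
                      0x1234, 0x1000, 0x2000,   # entry RVA, BaseOfCode, BaseOfData
                      0x00400000)               # ImageBase
    decoy = PE_SIG + b"\xff" * 60               # right signature, wrong Machine field
    return b"\x90" * 64 + PE_SIG + coff + opt + decoy

if __name__ == "__main__":
    hdr = find_trailing_pe_header(build_sample())
    print({k: hex(v) for k, v in hdr.items()})
```

Checking the Machine and optional-header magic, not just the four signature bytes, keeps stray `PE\0\0` sequences in decompressed data from being mistaken for the header.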
All times are GMT +8.