#1
An Unknown Packer!
A few days ago, one of my friends gave me the download address of DiskInternals Uneraser 2.3 as an unpacking target.
Shit... OllyDbg never stops at the OEP and a lot of exceptions occur. Its packer checks the CRC, and... amazingly, it detects a modified OllyDbg and closes it easily. PEiD says the exe file is packed with UPX, but it's obvious that it is wrong! Some time ago, I found that SDProtector checks the ClassID of the OllyDbg main window, I mean the CPU ClassID. Here is part of the ClassID list which SDProtector searches for: ACPU, ACPUASM, ACPUDUMP, ACPUSTACK, ACPUINFO, ACPUREG, TCPU, TCPUASM, TCPUDUMP, TCPUSTACK, TCPUINFO, TCPUREG. So after patching OllyDbg to hide its caption and change its exe name, I patched it to change ...CPU... to ...CCC... . This trick defeated SDProtector (I know the effective debugger detection of SD is based on ZwQueryInformationProcess), but this time... I couldn't find the ClassID list of this unknown packer. Its crack-tools detection engine is active at runtime (like SD) and immediately detects OllyDbg when it's started. I think it detects other ClassIDs of OllyDbg, but which of them? Are there any suggestions? Here is the download link: hxxp://www.diskinternals.com/download/Uneraser_Setup.zip
Best Regards.