|
 |
 |
Can't figure out those files are packed
|
 |
 |
 |
 |
| Author |
Message |
screwt-k
Newbie
Joined: 30 Apr 2009
Posts: 5
|
 |
|
Hi there, i'm trying to unpack those files:
| Your download link: |
| Code: |
| http://91.121.105.150/l2walker.rar |
|
But PEid can't find out wich tool has been use to pack it. :s :s
How can i find it?
thx. |
|
|
 Date Posted:Thu Apr 30, 2009 6:05 pmThanks: 0Thanked 0 Times In 0 Posts
|
| Author |
Message |
Office Jesus
Special Member
Joined: 22 Nov 2008
Posts: 110
Location: Cubicle at Heaven, Inc.
|
| |
|
Code and hide your links. 
Anyways, here are the Quick Unpack results:
| Code: |
Quick self analyze... unknown
PESniffer EP Scan: ASProtect v1.23 RC1
PEiD scanning... ASProtect v1.33 - 2.1 Registered -> Alexey Solodovnikov * |
I hope this helps you some. |
_________________
|
|
Date Posted:Thu Apr 30, 2009 10:00 pmThanks: 6Thanked 26 Times In 16 Posts
|
| Author |
Message |
cozofdeath
Special Member
Joined: 09 Dec 2007
Posts: 379
Location: Classified
|
| |
|
| I believe it's v2.1 or higher. You can find this out for yourself by downloading some of the newer pe scanners like protect id, rdg, exeinfo, or fastscanner. VolX's scripts can unpack it fine. |
_________________
|
|
Date Posted:Fri May 01, 2009 12:03 amThanks: 23Thanked 130 Times In 66 Posts
|
| Author |
Message |
pseudonym
Special Member
Joined: 20 Feb 2008
Posts: 101
|
| |
|
| last time I saw l2walker, couple of months back there was also l2walker.dll I think protected with vmprotect. |
|
|
Date Posted:Fri May 01, 2009 12:11 amThanks: 9Thanked 3 Times In 3 Posts
|
| Author |
Message |
screwt-k
Newbie
Joined: 30 Apr 2009
Posts: 5
|
| |
|
All rights guys,thanks to you, i've benn able to unpack the .exe with this tool:
| Your download link: |
| Code: |
| http://www.woodmann.com/collaborative/tools/index.php/GUnPacker |
|
here is the olly text string search result, as you can see, there is many errors about adress violations :s :s
| Your download link: |
| Code: |
| http://pastebay.com/12972 |
|
But that's not realy helpfull. I have to unpack the dll now.
Unfortunatly the tool i found can't unpack it.
Thanks again. |
|
|
Date Posted:Fri May 01, 2009 8:41 amThanks: 0Thanked 0 Times In 0 Posts
|
| Author |
Message |
cozofdeath
Special Member
Joined: 09 Dec 2007
Posts: 379
Location: Classified
|
| |
|
| Yeah I believe that's a generic unpacker. Just open the file in Olly and run the script I said above. It will work. It is specifically for asprotect. |
_________________
|
|
Date Posted:Fri May 01, 2009 10:08 amThanks: 23Thanked 130 Times In 66 Posts
|
| Author |
Message |
screwt-k
Newbie
Joined: 30 Apr 2009
Posts: 5
|
| |
|
The script runs well on the exe but a pop up shows up when i run on the dll:
| Your download link: |
| Code: |
| this is pobably not packed with asprotect |
|
|
|
|
Date Posted:Fri May 01, 2009 10:21 amThanks: 0Thanked 0 Times In 0 Posts
|
| Author |
Message |
x86master
Newbie
Joined: 01 May 2009
Posts: 1
|
| |
|
| What about Themida ? I heard about it, but it's not sure anyway... |
|
|
Date Posted:Fri May 01, 2009 12:20 pmThanks: 0Thanked 0 Times In 0 Posts
|
| Author |
Message |
screwt-k
Newbie
Joined: 30 Apr 2009
Posts: 5
|
| |
|
i found which tool have been used to pack the dll:
| Your download link: |
|
VMProtect v.1.6x (demo) 2003-2008 PolyTech - www.vmprotect.ru
|
with:
| Your download link: |
|
exeinfo
|
but is there a way to unp4ck it? |
|
|
Date Posted:Mon May 04, 2009 6:38 amThanks: 0Thanked 0 Times In 0 Posts
|
| Author |
Message |
LCF-AT
Special Member
Joined: 17 Jan 2008
Posts: 205
Location: Chateau-Saint-Martin
|
| |
|
Hi,
yes there is a way how you can unpack this dll but it`s not so easy like the other VM protected app´s.This dll works a bit like RLPack´s VM code.
| Your download link: |
| Code: |
1007231D PUSH 0C <-- OEP of dll
1007231F PUSH 100F4FB8
10072324 CALL 10072FFC
10072329 XOR EAX,EAX
1007232B INC EAX
1007232C MOV DWORD PTR SS:[EBP-1C],EAX
1007232F MOV ESI,DWORD PTR SS:[EBP+C]
10072332 XOR EDI,EDI
10072334 CMP ESI,EDI |
|
You can get all APIs and move addresses from the 101A7000 section always at the last ret xx in [ESP].
| Your download link: |
| Code: |
100721BF PUSH EDI <-- wrong
100721C0 CALL 105DAB8F
100721C5 TEST EAX,EAX
105A4962 MOV WORD PTR SS:[ESP+C],0F
105A4969 XCHG DWORD PTR SS:[ESP+38],EDI
105A496D PUSH ESI
105A496E PUSH DWORD PTR SS:[ESP+3C] <-- API
105A4972 RETN 40
Stack
0012F8F8 77E5C657 kernel32.GetVersionExA
Fixed
100721BF CALL DWORD PTR DS:[address] ; kernel32.GetVersionExA
100721C5 TEST EAX,EAX |
|
Problem is that for every VM call & API will used a own routine so that you have to trace by every such call.Thats a lot and thats a problem.So then if you have enough time then you can try to fix all by hand or script etc.
PS: It´s no UnpackMe,just as info for you so I have seen you have post it as UnpackMe on a other board.You should remove it there or you will removed there.Just as info for screwt.
greetz |
|
|
Date Posted:Mon May 04, 2009 4:45 pmThanks: 0Thanked 44 Times In 29 Posts
|
| Author |
Message |
screwt-k
Newbie
Joined: 30 Apr 2009
Posts: 5
|
| |
|
hi, do you want me to remove the topic on the other forum?
Ok, i m going deeper in this,
now i can see a module called "L2Walk_1" every function is in clear text but how can i create a clear dll from that.
Thx again. |
|
|
Date Posted:Tue May 05, 2009 6:42 amThanks: 0Thanked 0 Times In 0 Posts
|
Astalavista Forum Index :: Unpacking :: Can't figure out those files are packed
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
|
|
