Flag: Tornado!
Hurricane!
|
|
PEX |
bart |
Compressor |
quig |
June 15 2005 |
|
PE Header |
no |
yes |
blank * 4 |
N/A
|
|
Very cool packer: head-to-toe opcode/asm tricks, and lots of different ones. The zip contains IDA databases (.idb) of all major portions as well as memory dumps of the allocated and patched regions of memory — disassemble them yourself for practice. It took about 6 hours to get all the way through.
|
(this block patched back in main memory at EP+1)
; OllyDbg listing, 32-bit Windows x86. This is the stub PeX writes back over
; the entry-point bytes (00409001 onward) and then executes. It combines:
;   1. CALL-next / junk byte: each CALL pushes a return address that points at a
;      garbage opcode; the POP/INC/PUSH/RETN gadget at 0040903A hops over it.
;   2. SEH unhook: POP DWORD PTR FS:[EAX] with EAX = 0 writes the saved previous
;      handler back into FS:[0], removing the packer's own handler.
;   3. Fake return address OEP-1 (00401047) fed through the same gadget, so the
;      final RETN lands on OEP = 00401048.
00409001 FF15 81934000 CALL VirtualFree        ; CALL DWORD PTR [00409381] (IAT slot); frees a region set up earlier (its args are not in this listing)
00409007 E8 01000000 CALL 0040900D            ; pushes 0040900C as return address and lands on 0040900D ...
0040900C E9 db E9                             ; ... skipping this junk byte (a linear sweep would decode E9 as a 5-byte JMP and desync)
0040900D 83C4 04 ADD ESP,4                    ; discard the pushed return address
00409010 2BC0 SUB EAX,EAX                     ; EAX = 0 (same effect as XOR EAX,EAX, less common idiom)
00409012 64:8F00 POP DWORD PTR FS:[EAX]       ; FS:[0] = dword on stack -> reinstate the previous SEH record (unhooks the packer's handler)
00409015 83C4 0C ADD ESP,0C                   ; drop three more dwords of the SEH setup (their contents are not visible here)
00409018 E8 01000000 CALL 0040901E            ; same CALL-next trick: pushes 0040901D and skips the junk byte
0040901D C7 db C7                             ; junk (C7 decodes as MOV r/m,imm and would swallow the POP below)
0040901E 58 POP EAX                           ; discard the return address
0040901F 61 POPAD                             ; restore all general registers from the stack (the matching PUSHAD is not in this listing)
00409020 E8 15000000 CALL 0040903A ;goto ret address+1   ; pushes 00409025 -> gadget returns to 00409026
00409025 E8 db E8                             ; junk byte skipped by the INC EAX in the gadget
00409026 E8 0F000000 CALL 0040903A ;goto ret address+1   ; pushes 0040902B -> gadget returns to 0040902C
0040902B 9A db 9A                             ; junk (9A = far CALL, would consume 7 bytes on a linear sweep)
0040902C E8 09000000 CALL 0040903A ;goto ret address+1   ; pushes 00409031 -> gadget returns to 00409032
00409031 E9 db E9                             ; junk
00409032 68 47104000 PUSH 401047 ---------OEP-1 (fake ret address)   ; gadget will INC this to 00401048 = OEP
00409037 EB 01 JMP SHORT 0040903A             ; the EB 01 the OEP-finder script searches for
00409039 C7 db C7                             ; junk
; Shared gadget: take the address on top of stack, add 1, return to it.
0040903A 58 POP EAX 1st=409025, 2nd=40902B, 3rd=409031, 4th=401047   ; EAX = pushed address
0040903B 40 INC EAX                           ; skip the junk byte / turn OEP-1 into OEP
0040903C 50 PUSH EAX
0040903D C3 RETN |
|
; Packer entry point as first seen, before the stub above is written back at EP+1.
00409000 > E9 F5000000 JMP 004090FA           ; EP: jump into the unpacking code; bytes 00409001-00409004 are this JMP's displacement
00409005 0D 0AC4C4C4 OR EAX,C4C4C40A          ; not real code: 0D 0A C4 C4 ... looks like filler the disassembler decodes as instructions
0040900A C4C4 LES EAX,ESP                     ; this whole region (from 00409001) is later overwritten by the patched stub
0040900C C4C4 LES EAX,ESP
0040900E C4C4 LES EAX,ESP |
|
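// PeX 0.99 OEP Finder
// by FEUERRADER [AHTeam]
// http://ahteam.org
/*
IMPORTANT NOTE: before using this script, CHECK the following option:
Menu -> Options -> Debugging options -> Exceptions -> INT3 breaks
The script will not work if that option is not set.

How it works (see the listing above):
  1. Set a hardware execute breakpoint on EP+1. PeX later writes its stub
     back into memory at EP+1 and executes from there.
  2. Any exception raised on the way is passed to the target (esto).
  3. In the patched stub, locate the JMP SHORT +1 (EB 01) that precedes the
     POP EAX / INC EAX / PUSH EAX / RETN gadget, break there, single-step
     those five instructions, and EIP is the OEP.
*/
var s
eob Break            // breakpoint hits go to Break
eoe exp1             // exceptions go to exp1
mov s, eip
add s, 01            // EP+1: where the packer writes its stub back
bphws s, "x"
run
exp1:
esto                 // hand the exception to the debuggee and keep running
Break:
eob Break2
bphwc s
findop eip, #EB01#   // next JMP SHORT +1 at or after the current EIP
cmp $RESULT, 0
je NotFound          // pattern missing: never set a breakpoint on address 0
bphws $RESULT, "x"
run
Break2:
bphwc $RESULT
sto                  // JMP SHORT -> POP EAX
sto                  // POP EAX   -> INC EAX
sto                  // INC EAX   -> PUSH EAX
sto                  // PUSH EAX  -> RETN
sto                  // RETN      -> OEP
cmt eip, "OEP"
ret
NotFound:
msg "EB 01 not found after EP+1 - not PeX 0.99, or the stub was not patched back?"
ret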
|