Cheat Engine Forum Index
The Official Site of Cheat Engine


Help to uncover executable's pack type.

kot1990
Expert Cheater
Reputation: 1

Joined: 06 Sep 2009
Posts: 131
Location: Greece

Posted: Wed Nov 16, 2011 11:59 am    Post subject: Help to uncover executable's pack type.

Sorry for double posting, because the question is similar to the previous one and no one answered. I will be more certain this time and post some more info.

1. The executable's sections are not standard. The sections are
.00000001
.00000002
.00000003
.00000004
.00000005
.00000006
.00000007
and the resource section.

There is no .text section nor .data section.
The entry point is also not the standard 0x00400000.

The import table is not available. I found the loadlibrary calls. They are like

Code:

push     addressOfDll     ; pointer to the DLL name string
call     loadlibrary      ; each DLL is loaded at run time instead of through the import table
push     addressOfDll
call     loadlibrary
............


The whole asm code is cryptic.
It is not even encrypted and is 100% runnable.
Unlike most normal executables, where after every instruction the next byte is the beginning of the following instruction, here there is an irrelevant byte that breaks the normal alignment of the disassembly, and the debugger cannot recognize the real beginning of the instruction to show it correctly. The correct beginning byte of the instruction is defined by the previous instruction, which is just a jump to it, but not always. Sometimes several conditional jumps are used, and one of them is used to jump to the correct beginning of the instruction.

EDIT:
At some point there is some kind of loop instruction. Cheat Engine shows "stopsb". This one loops and clears all the previously executed code and fills it with nops. 90 90 90 blah blah.... but that doesn't really matter because I break before that happens.

I just want to know what type of executable this is or what method has been applied to it, and how I can remove this obfuscation and make a clearer executable.

I don't think that the creators implemented their own type, so this should be a known one; that's why I am asking.
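The post lists exactly the symptoms a static triage script looks for before guessing at a packer: section names a normal linker never emits, an empty import directory (with LoadLibrary calls doing the work at run time), an entry point in an unusual section, and "jump over a junk byte" sequences that desynchronise a linear disassembler. The script below is an added example written for this thread; it is not code from the original post or from Cheat Engine. It hand-parses the PE32 headers with `struct`, reports those findings, and scans the entry-point section for the two jump shapes the post describes: `EB 01` (jmp short +1) and a `74 xx / 75 xx` jz/jnz pair that lands on one target, so the byte between the pair and the target is never executed. The sample image, its numeric section name (the PE name field is 8 bytes, so `.0000001` is used), and the shortlist in `STANDARD_SECTIONS` are all constructed for the example.

```python
import math
import struct

# Constructed shortlist of section names a normal linker emits; anything else is worth a look.
STANDARD_SECTIONS = {".text", ".data", ".rdata", ".bss", ".idata", ".edata",
                     ".rsrc", ".reloc", ".tls", ".pdata", "CODE", "DATA"}

def parse_pe(data):
    """Pull the PE32 header fields that matter for packer triage."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    nsect = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                                       # IMAGE_OPTIONAL_HEADER32
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled in this example")
    entry = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint (RVA)
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    imp_rva, imp_size = struct.unpack_from("<II", data, opt + 104)  # DataDirectory[1] = imports
    sections, pos = [], opt + opt_size
    for _ in range(nsect):                                # IMAGE_SECTION_HEADER, 40 bytes each
        name, vsize, va, rawsz, rawptr = struct.unpack_from("<8sIIII", data, pos)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "raw_ptr": rawptr, "raw_size": rawsz})
        pos += 40
    return {"entry": entry, "image_base": image_base, "import_rva": imp_rva,
            "import_size": imp_size, "sections": sections}

def entropy(buf):
    """Shannon entropy in bits per byte; packed or encrypted code sits near 8."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def find_junk_jumps(code):
    """Flag 'jump over a junk byte' shapes: EB 01 (jmp short +1), and a jz/jnz
    pair (74 xx 75 xx) whose two targets coincide, so one branch is always taken."""
    hits = []
    for i in range(len(code) - 1):
        if code[i] == 0xEB and code[i + 1] == 0x01:
            hits.append((i, "jmp short +1 over a junk byte"))
        elif code[i] == 0x74 and i + 3 < len(code) and code[i + 2] == 0x75:
            t_jz = i + 2 + ((code[i + 1] ^ 0x80) - 0x80)    # rel8 is signed
            t_jnz = i + 4 + ((code[i + 3] ^ 0x80) - 0x80)
            if t_jz == t_jnz:
                hits.append((i, "jz/jnz pair to one target (always-taken branch)"))
    return hits

def triage(data):
    """Return human-readable findings for a PE32 image."""
    pe, out = parse_pe(data), []
    odd = [s["name"] for s in pe["sections"] if s["name"] not in STANDARD_SECTIONS]
    if odd:
        out.append("non-standard section names: " + ", ".join(odd))
    if pe["import_rva"] == 0 or pe["import_size"] == 0:
        out.append("no import directory (imports are resolved at run time)")
    ep = next((s for s in pe["sections"]
               if s["va"] <= pe["entry"] < s["va"] + max(s["vsize"], s["raw_size"])), None)
    if ep is None:
        out.append("entry point lies outside every section")
        return out
    raw = data[ep["raw_ptr"]:ep["raw_ptr"] + ep["raw_size"]]
    out.append("entry point 0x%08X in %s (entropy %.2f)"
               % (pe["image_base"] + pe["entry"], ep["name"], entropy(raw)))
    for off, why in find_junk_jumps(raw):
        out.append("anti-disassembly at RVA 0x%X: %s" % (ep["va"] + off, why))
    return out

# Constructed entry-point code carrying both tricks:
#   mov eax,1 ; jmp +1 ; <E8 junk> ; xor eax,eax ; jz +3 ; jnz +1 ; <E9 junk> ; ret
SAMPLE_CODE = bytes([0xB8, 1, 0, 0, 0, 0xEB, 0x01, 0xE8, 0x31, 0xC0,
                     0x74, 0x03, 0x75, 0x01, 0xE9, 0xC3])

def build_sample_image():
    """Constructed minimal PE32 modelled on the post: numeric section name,
    empty import directory, entry point in the first section."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)              # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x0102)  # i386, two sections
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                            # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)                          # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                        # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)                  # section / file alignment
    struct.pack_into("<II", opt, 56, 0x3000, 0x200)                  # SizeOfImage / SizeOfHeaders
    hdr = struct.pack("<8sIIIIIIHHI", b".0000001", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    hdr += struct.pack("<8sIIIIIIHHI", b".rsrc", 0x200, 0x2000, 0x200, 0x400, 0, 0, 0, 0, 0x40000040)
    headers = (dos + b"PE\0\0" + coff + bytes(opt) + hdr).ljust(0x200, b"\0")
    return headers + SAMPLE_CODE.ljust(0x200, b"\0") + b"RSRC".ljust(0x200, b"\0")

if __name__ == "__main__":
    for line in triage(build_sample_image()):
        print(line)
```

The junk-jump scanner is deliberately a byte-pattern heuristic, not a disassembler: it tells the analyst where a linear sweep will lose sync (in the sample, the `E8` after the `jmp +1` swallows the next four bytes as a call operand), which is the information needed to set the disassembler's origin at the real instruction start. Section entropy separates this case (plain but misaligned code, low entropy) from a compressed or encrypted packer body (entropy near 8).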
GrandPa
Advanced Cheater
Reputation: 3

Joined: 09 Jul 2010
Posts: 87
Location: Italy

Posted: Sat Dec 17, 2011 5:40 pm    Post subject:

I met something similar a little while ago.
In my case the executable was heavily protected too (Olly can load it but can't attach to it; CE can attach but can't load it; wrong settings on my side, perhaps).
I solved my problems using an indirect approach.

I prefer not to add anything more, because I still have to finish my analysis and that program is on my to-do list.
I know my reply is not a real help, and I apologize for it. I'm afraid they are using some sort of protection and they are testing their completed parts before selling their packer/protector (in my opinion, packers are useful, but I hate protectors; I would accept their use only in very limited cases).

PS. For moderators: if my reply broke the rules in any way, please remove it asap.

_________________
CHEATING is a must,
nowadays, if you like
P L A Y I N G