KooroshRZ/Evader

Issue on Unpack

Testcase4 opened this issue · 6 comments

Hi,

I found one issue in PackRoutines-Stub.cpp: retrieveKey. This function is not giving correct output (retrievedSig).
Could you please provide an explanation for this?
I am trying to understand how packers work.

Hi Testcase4,
Thank you for your issue.

What command line arguments do you use for packing?
What are the encryption key size and complexity?

Can you please share the command line input and the output you get from unpacking? Or does it just terminate the program without any output?!

Command Line Arguments

  1. Payload location: E:\Assignment\Evader-master\Evader-master\PackerBuild\bin\Win32\Debug\payload (sample.exe, which opens notepad.exe)
  2. Resultant output: E:\Assignment\Evader-master\Evader-master\PackerBuild\bin\Win32\Debug\output.exe
  3. Built unpack stub and added: E:\Assignment\Evader-master\Evader-master\Packer\UnpackStub.exe

Command Line Argument:
E:\Assignment\Evader-master\Evader-master\PackerBuild\bin\Win32\Debug\payload E:\Assignment\Evader-master\Evader-master\PackerBuild\bin\Win32\Debug\output.exe 1 65 90

Encryption key size is 1.
Chosen payload execution method: 0
I have also shared an email with you. Kindly check and let me know.

Execution method 0 is for RUN-PE.
This technique (RUN-PE) is not working for 64-bit processes at this time; I should fix it in the future.
If your payload is 64-bit, that's the reason :)

Hi Koorosh.

Payload is 32-bit (x86). I am compiling everything in x86 release mode. One small change I added in RUNPE.cpp (backslashes escaped so the string literal holds a valid path):
char CurrentFilePath[1024] = "C:\\Windows\\System32\\notepad.exe";

I got the error below:

"The application was unable to start correctly (0xc0000142).
Click OK to close this application."

This error happens randomly, I should check that out.
But if it happens always maybe there is a problem with the payload.
Send the changes you've made in RunPE.cpp to my email please.

Hi Koorosh,

Please check your mailbox.