hi all very very nice work from rsi and r99 vey great man too
but i can not unpack by this tool uz it giv me debuge detected error and after file run it give me fil curabt after few sec plz hlp me thnx for all

| Сообщение посчитали полезным:

And where a file?

| Сообщение посчитали полезным:

www.4shared.com/dir/4363505/85921014/sharing.html

| Сообщение посчитали полезным:

www.4shared.com/file/27640470/bde9c040/packed.html

| Сообщение посчитали полезным:

www.4shared.com/file/27641750/35257bfe/packed.html

| Сообщение посчитали полезным:

Ramiz
test plz..htt_p://ifolder.ru/3908526

| Сообщение посчитали полезным:

Ramiz,

SarasSoft UFS DCTx 2.0.3.0 - Unpacked - Kioresk http://www.box.net/shared/q9cs78u9y6 (7-Zip, 1,9 MB)

Or just download sniperZ's file and replace «8B 3A 48 00» with «00 00 00 00» at address 24DE3C (64DE3C), because he forgot to clean pointer to GetModuleHandle.

| Сообщение посчитали полезным:

kioresk ?????:
because he forgot to clean pointer to GetModuleHandle.
I have forgotten about it.. thx..

| Сообщение посчитали полезным:

Ramiz

Well and my unpacked file: rapidshare.com/files/65945168/unpacked.rar.html ( log unpacking inside in archive )

| Сообщение посчитали полезным:

thnx and very nice work rsi beta 4 ;) but it is not working in olly execryptor ver it sayes debuger detacted ???
why ???? u can fix that ??
thnx for all sniperZ, kioresk

| Сообщение посчитали полезным:

Ramiz ?????:
but it is not working in olly execryptor
http://hellspawn.nm.ru/works/PhantOm.plugin.1.15.zip
http://exelab.ru/f/action=vthread&forum=1&topic=7529&page= 13

| Сообщение посчитали полезным:

Ramiz,

your file is protected with EXECryptor 2.3.9, so you can use patched OllyDbg (change OllyDbg with something else) with PhantOm plugin. Just play with PhantOm's options if there will be any errors like «Detected clock manipulation» (disable GetProcessTimes) and so on...

What error number is displayed in «[XYZ] Debugger detected…» message? Using that number you can understand why you debugger is detected.

And, by the way, what limitations has this program? It's interesting why last cryptor's section is larger that the whole code section.

| Сообщение посчитали полезным:

and some time it say to me file corrupted and some time trmnate without any error ???
why that ??

| Сообщение посчитали полезным:

kioresk the file u unpacked it man it sayes file currapted i do not know why but i can see the refrance on ur unpacked file but on unpacked file by rsi it is working but i can not see the refrance i hope u can help me on that ;)
thnx

| Сообщение посчитали полезным:

and the error code is 336

| Сообщение посчитали полезным:

this info by EDD.0.50

-[ NtQueryInformationProcess 1]
Status: Nothing!
-[ NtQueryInformationProcess 2]
Status: Nothing!
-[ OpenProcess]
Status: Nothing!
-[ BeingDebugged]
Status: Nothing!
-[ NtGlobalFlag]
Status: Nothing!
-[ ProcessHeaps ]
Status: Nothing! Flag [1]
Status: Nothing! Flag [2]
Status: Nothing! Flag [3]
-[ FileName ]
Status: Nothing!
-[ SetUnhandledExceptionFilter ]
Status: Nothing!
-[ Detect DRx ]
Status: DRx0 = 00000000
Status: DRx1 = 00000000
Status: DRx2 = 00000000
Status: DRx3 = 00000000
-[ Invalid Handle ]
Status: Nothing!
-[ GetTickCount ]
Status: Nothing!
-[ YieldExecution ]
Status: Nothing!
-[ GetVersion ]
Status: Windows XP 05.01.2600
-[ RDTSC ]
Status: Nothing!
Delta: $00010A68
-[ FindWindows ]
Status: Debugger detected!
-[ YieldExecution ]
Status: Nothing!

| Сообщение посчитали полезным:

Ramiz,

strange that i don't have "File corrupted" message. But you can replace «83 7D F8 FF» with «3B C0 90 90» («cmp [ebp-8], –1» with "cmp eax,eax; nop; nop») at address 7F7690 or 75CBAD in my dump and see if it works.

| Сообщение посчитали полезным:

terminat after change the 1st address . and when i change the 2nd adress File Courrupted
i use phantom plugen but i chek only "remove ep break " i hope u can help ;)

| Сообщение посчитали полезным:

the code 336 debuger detected what that mean ??? i want to know what is the pob ??

| Сообщение посчитали полезным:

Hmm, looks strange....

1. when you just run that file (not in debugger) you still see «File corrupted» message?

2. 336 error code belongs to trick with closing invalid handles (CloseHandle/NtClose), if i'm not wrong.

If the program is under debugger, than after calling CloseHandle with invalid handle (i.e. 12345), C0000008 exception is generated (STATUS_INVALID_HANDLE) and code execution goes to Found_Debugger area.

You need to raise «Custom exception handling» flag in PhantOm (and other flags too) to hide OllyDbg from EXECryptor, because there are a lot of other checks in it (half of EXECryptor's code is antidebug/antitrace).

| Сообщение посчитали полезным:

Ramiz ?????:
fter change the 1st address . and when i change the 2nd adress File Courrupted

This is Memory CRC in threads, patched [007C72BE] C1 E0 to EB FE

| Сообщение посчитали полезным:

Ramiz
test on this assembly..htt_p://team-x.ru/guru-exe/Tools/Debuggers/OllyDbg/OllyDbg%2 0v1.10%20Bronco.rar

| Сообщение посчитали полезным:

Ohh... now i've understood. Ramiz changed some code in unpacked file, memory CRC detects changes and displays «File corrupted» message.

Ramiz,

you should told about that, because i thought that you dind't touch anything and it's displaying error.

| Сообщение посчитали полезным:

RSI
kioresk
sniperZ

thnx for all but if there is mithod to patch crc in the unpacked file tell me

| Сообщение посчитали полезным:

Ramiz,

look at RSI's previous message:

«…patch bytes at 7C72BE from C1E0 to EBFE»

| Сообщение посчитали полезным:

Big thanks, RSI for the anti-bp method ;) Works like a charm in any soft I've tested (with a bit of tracing, since memory doesn't look the same in all its aspect - you know, PUSH addr; JMP eC_code; ret =))

| Сообщение посчитали полезным: