Hi, this is not the best first post but a starting.

The target is http://rapidshare.com/files/81773947/bot.rar.html http://rapidshare.com/files/81773947/bot.rar.html

originaly it's packed with themida. it got unpacked+inlined and packed again with execryptor as long as i can trust peid and stuff. props go out to thejhorse for filling this releas up with some nasty stuff and the real props go out to sunbeam for removing all that nasty stuff and cracking it propably+releasing it to all.

this bot is detected but i want to give a try to make it undetected. The problem is that i'm not that good unpacking that hardcore stuff :/ maybe someone got the time and is willing to do this for me. the other problem is that this bot is not going to be updatet anymore :/

so the goal is to provide me a a clean as possible file+runable so that i can go on to try get it undetected.

thx in advance
wali

| Сообщение посчитали полезным:

waliska
deleted by uploader..

| Сообщение посчитали полезным:

hmmm one moment i just up it again....i just bookmarked that damn delete link -_-

5 min...

done...


http://rapidshare.com/files/81773947/bot.rar.html http://rapidshare.com/files/81773947/bot.rar.html



updated also in the first post

| Сообщение посчитали полезным:

GameGuard blacklists certain characteristics of a threat. Even if you get it 100% unpacked, you'd need to test long and hard before getting a good result. I'd advise you find the author and ask for the source. It's faster this way.. I've stripped the freaking backdoor (was sending votes to some dude's msn back-links) and killed the limited amount of run periods. Other than that, you can't do more. EXECryptor is just for show, to see how many will attempt to go at it ;)

| Сообщение посчитали полезным:

ah thx sunbeam for replying.

I don't think that bOYd would release his source for 10.4.


and what do you mean with characteristics of a threat, Signature, Call API, Checksum, PE Header?
the things i wanted to try was to cut off some stuff, crypt or pack with something different the way like you try to hide something for an AV. But i still think that even this won't work because after starting the bot you got 2 threads one with all your patches and and second one with the "original" file.

maybe you got some other tips what i can try to do with it (beside asking for the source) to get it undetected.


thx wali


ps: are you going to continue your DBP tut?

| Сообщение посчитали полезным:

I need some files to continue the tutorial. Such as a valid license DBP kinda works like Armadillo with hardware ID, where, in order to unpack it, you need at least one valid user/key Regarding aimboyd, keep in mind any "threats" (programs) do get decoded in memory at a certain point. GameGuard hooks tons of stuff in kernel mode, thus I doubt there's any means to get un-noticed. I would recommend though the use of crypt markers (see PESpin), which at first, when app runs would not return any results in GG's scan. Later on, when used, might get detected..

| Сообщение посчитали полезным:

valid license for DBP i think? maybe rain from gzn could help you out. but at this moment i don't understand because u probably unpacked it already or am i wrong?


regarding aimboyd, can i use pespin for this althoug its already packed?

| Сообщение посчитали полезным:

hm k tried it but not able to do this with a packed file, as i thought.

would you provide an unpacked file?

| Сообщение посчитали полезным:

Find it posted anywhere, strip Armadillo off it, patch a JE right at the beginning (near OEP) and you will have a "clean" one It was posted in other spots where people complained it worked for only 2 or 3 runs. The Delphi layer serves as a server emulator. I've unpacked DBP, but that doesn't mean it's cracked and runs

| Сообщение посчитали полезным:

SunBeam writes:
Find it posted anywhere, strip Armadillo off it, patch a JE right at the beginning (near OEP) and you will have a "clean" one It was posted in other spots where people complained it worked for only 2 or 3 runs. The Delphi layer serves as a server emulator.

hmpf sry can't follow this for aimboyd or DBP?



SunBeam writes:
I've unpacked DBP, but that doesn't mean it's cracked and runs

I know :P

| Сообщение посчитали полезным:

*bumb*

still actual and the need this file unpacked

| Сообщение посчитали полезным:

waliska,

Unpacked module:

— aimb0Yd 8.0 - Unpacked - Kioresk.7z http://www.box.net/shared/p3knkejkgo (7-Zip, 7,1 MB)

| Сообщение посчитали полезным:

You could've gotten the original Armadilloed one.. Good luck with VM (if any)..

| Сообщение посчитали полезным: