[exelist] GTR and TRAP 1.21
Mr. Garbler, why do you send crypters that can be unpacked (so easily)?
------------------------------------------------------------------------
Free Web-based e-mail groups -- http://www.eGroups.com
How to unpack TRAP 1.21 MainProg with GTR 1.CO latest beta
==========================================================
(This is meant to be a little tutorial on how to use GTR. If
you are interested in another crypter to be unpacked, mail
to hendrix_@...)
Hit these keys:       What they are for:
------------------------------------------------ - - - -
I) Load GTR, set it up and load a program:

  GTR /go             Load GTR. It is resident now and watches everything.
  [ESC]               GTR pops up ANY TIME when you press ESCape.
                      Have a look at the info-window!
  [O]                 Go to the [O]ptions-menu.
  [-]                 Change the "sensitivity" used when trying to detect
                      an unpacked program. Change it to [su0003].
  [B]                 Toggle the [B]reakpoint (turn it on). The default
                      setting is CS:0100 - TRAP-main is a COM-file,
                      so we have to break at CS:0100.
  [X]                 e[X]it the options-menu.
  [C]                 [C]ontinue (go back to DOS).
  PL TRAP.EXE         ProgramLoad means load the program and begin
                      tracing it. GTR will execute the program step by step.
  Unpacked?           Have a look at the current CS-segment. Compare it
                      to the PSP-segment (you find both values in the
                      upper left box). CS = PSP + something. Well, this is
                      not the original segment, but another protection
                      layer.
  [C]                 Continue unpacking.
  Unpacked?           It's still CS = PSP + something and still not what we want...
  [C]                 Continue unpacking.
  Unpacked?           Oh, yeah! It is CS = PSP! The program dump on the left
                      looks anything but unpacked, but let's save this!
II) Save an unpacked program

  [S]                 [S]ave mem: the memory-dumper is activated. It runs
                      in DOS-mode, meaning we have to go back to DOS.
  [C]                 Continue and let the dumper do its work.
  Helper quit         The dumper has finished. We are back at the old
  Unpacked?           program (TRAP.EXE, which turned out to be a COM :)
                      You will find the dump as OUT.COM on your disk.
III) Do silly things like watching TRAP decrypt itself

  You see now the unprotected version of TRAP. But let's
  watch TRAP decrypt itself:
  [O]                 Go Options.
  [T]                 Toggle Tracer: you have to hit a key for each step.
  [D]                 Toggle Disass: we want to see what the current op is.
  [X]                 eXit options.
  [C]                 Continue.
  [anykey]            A keypress will cause GTR to execute the next
                      instruction.
  [STRG] / [CTRL]     This will cause the tracer to "run" while the key
                      is held down.
IV) Set breakpoints to "step over" the decryption-loop

  We don't want to hold down the key the whole time,
  so let's set a breakpoint!
  [ESC]               ESCape stops the tracer.
  [O]                 Yeah, you know it now: the options-menu.
  [A]                 breakpointAddress: it is shown in yellow. Enter
                      "010F"+[enter].
  [-]                 Set the sensitivity to su0000, so it will stop
                      at the breakpoint WITHOUT checking for an unpacked program.
  [D]                 Disass off...
  [T]                 Tracer off...
  [X]                 eXit options.
  [C]                 Continue.
  [F10] / [F11]       Scroll the memory-dump around.
  ...                 Continue / Quit to DOS (means kill the task) / eXit GTR ...
You have the dump of TRAP on your disk as OUT.COM. Execute OUT.COM; it works.
Now take your favorite debugger, and let it decrypt and edit it, then reverse
the decryption and have your own version of TRAP.
Hope you liked it,
Hendrix / UCF
PS: What was new in TRAP? I don't know, you don't know, nobody knows, probably
just the same version as TRAP 1.21?
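Added example (written for this archive page; it is not GTR's or TRAP's code and
does not reproduce either): a small simulation of the two things the tutorial
does with GTR on a DOS COM program. First, the "Unpacked?" stops: with a
breakpoint on offset 0100h, every jump to a new segment's 0100h is reported,
and only the stop where CS == PSP is the original entry point, the others
being protection layers. Second, the dump: a COM file is the raw image at
PSP:0100, so OUT.COM is just those bytes written out. The meaning of the
"sensitivity" value (allow that many more instructions after the breakpoint
and drop the stop if CS changed meanwhile; 0 stops unconditionally) is my
reading of the option, not something the page states. The segment values, the
instruction trace, the layer count, the XOR "decryption" and the image length
passed to the dumper are all constructed for the example.

```python
# Added example, not GTR's or TRAP's code. Simulates a single-step tracer's
# "Unpacked?" stops on a multi-layer DOS COM crypter and the OUT.COM dump.
# All segment values, the trace and the program bytes are constructed.
from dataclasses import dataclass
from typing import List, Tuple

PSP = 0x1234           # constructed: segment where DOS put the PSP and the COM image
COM_ENTRY_IP = 0x0100  # a COM image is loaded at PSP:0100 and starts executing there


@dataclass(frozen=True)
class Step:
    cs: int  # code segment of the instruction being single-stepped
    ip: int  # its offset


def find_candidates(trace: List[Step], sensitivity: int,
                    break_ip: int = COM_ENTRY_IP) -> List[Tuple[int, int]]:
    """Return (trace index, CS) for every point where a tracer with a
    breakpoint on offset `break_ip` would stop and ask "Unpacked?".

    Assumed semantics of "sensitivity" (my reading, not stated on the page):
    after IP reaches break_ip the program gets `sensitivity` more instructions;
    if CS is unchanged by then the stop is reported, otherwise the hit was a
    transient and is dropped. 0 stops at the breakpoint unconditionally.
    The initial entry (step 0, the crypter's own start) is not reported."""
    candidates = []
    armed = None  # trace index of the pending breakpoint hit
    for i, step in enumerate(trace):
        if armed is not None and step.cs != trace[armed].cs:
            armed = None  # execution moved on to another segment: transient
        if armed is None:
            if i == 0 or step.ip != break_ip:
                continue
            armed = i
        if i - armed >= sensitivity:
            candidates.append((armed, step.cs))
            armed = None
    return candidates


def original_entry_point(candidates, psp: int = PSP):
    """The tutorial's check: the real program runs with CS == PSP; every
    stop with CS == PSP + something is just another protection layer."""
    for index, cs in candidates:
        if cs == psp:
            return index
    return None


def dump_com(memory: bytearray, image_len: int, psp: int = PSP) -> bytes:
    """What a memory dumper writes as OUT.COM: the raw bytes at PSP:0100,
    no header. The image length is assumed known (e.g. from the memory block)."""
    start = psp * 16 + COM_ENTRY_IP  # linear address of the image
    return bytes(memory[start:start + image_len])


def run(seg: int, ips) -> List[Step]:
    return [Step(seg, ip) for ip in ips]


L1, L2, STUB = PSP + 0x200, PSP + 0x400, PSP + 0x600  # constructed layer segments
TRACE = (
    run(PSP, range(0x100, 0x10C))    # crypter stub as loaded; unpacks layer 1
    + run(L1, range(0x100, 0x106))   # layer 1 begins at L1:0100
    + run(STUB, [0x100])             # a one-instruction hop into another segment
    + run(L1, range(0x106, 0x10A))   # layer 1 resumes, then unpacks layer 2
    + run(L2, range(0x100, 0x110))   # layer 2 decrypts the original into PSP:0100
    + run(PSP, range(0x100, 0x120))  # original program, back at PSP:0100
)

# Constructed "original" program: mov ah,9 / mov dx,0108h / int 21h / ret / "hi$"
ORIGINAL = bytes([0xB4, 0x09, 0xBA, 0x08, 0x01, 0xCD, 0x21, 0xC3]) + b"hi$"
KEY = 0x5A                 # constructed XOR key standing in for the crypter's scheme
MEMORY = bytearray(0x20000)  # enough conventional memory to hold PSP*16 + 0x100 + image


def load_encoded(memory: bytearray, plaintext: bytes, key: int, psp: int = PSP) -> None:
    """Place the crypted image at PSP:0100, the state DOS loads from disk."""
    start = psp * 16 + COM_ENTRY_IP
    memory[start:start + len(plaintext)] = bytes(b ^ key for b in plaintext)


def decrypt_in_place(memory: bytearray, length: int, key: int, psp: int = PSP) -> None:
    """What the last protection layer has done by the time it jumps to PSP:0100."""
    start = psp * 16 + COM_ENTRY_IP
    for a in range(start, start + length):
        memory[a] ^= key


def unpack(trace, memory, image_len, sensitivity=3):
    """The tutorial's procedure: wait for the stop with CS == PSP, then dump."""
    if original_entry_point(find_candidates(trace, sensitivity)) is None:
        return None
    return dump_com(memory, image_len)


if __name__ == "__main__":
    load_encoded(MEMORY, ORIGINAL, KEY)
    print("stops at su0003:", [(i, hex(cs)) for i, cs in find_candidates(TRACE, 3)])
    print("stops at su0000:", [(i, hex(cs)) for i, cs in find_candidates(TRACE, 0)])
    decrypt_in_place(MEMORY, len(ORIGINAL), KEY)  # the layers have run before the last stop
    out = unpack(TRACE, MEMORY, len(ORIGINAL))
    with open("OUT.COM", "wb") as f:
        f.write(out)
    print("OUT.COM equals the original image:", out == ORIGINAL)
```

With sensitivity 3 the simulation reports three stops, as in the walkthrough:
two at layer segments (PSP + something) and the last one at PSP. With
sensitivity 0 the one-instruction hop into the extra segment is reported
too, which is why the tutorial raises the value while hunting for the
original entry point and sets it back to su0000 only when it wants a plain
address breakpoint. Dumping before the last layer has run would write the
still-encoded bytes, which is what "looks anything but unpacked" warns about.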