Jumpin’ Jack
I ran into an unknown protector a few days ago. The main protection in it is boredom: it jumps around and around hundreds of times, executing junk code a few times in between. It does have some anti-debug and anti-analysis tricks, but the fact that I bypassed all the protections manually in under 15 minutes says a lot about the quality. I reckon it's been done by some poor botherder somewhere who is now being 'sooooo l337'. The main tricks in the protector were:
- A few xor decrypts
- IsDebuggerPresent calls
- CheckRemoteDebuggerPresent calls
- FindWindow calls searching for OllyDbg
- The old CreateFileA trick on \\.\NTICE
- Several timing checks using rdtsc
OllyDbg first refused to debug the file, and when I took a look at the PE header it was quite obvious why :)
The number of directory entries was set to 2B4ADD80h instead of the normal 10. After manually fixing the headers, the file was ready to receive some gentle love and care from OllyDbg.
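The two checks above (the anti-debug API names and the bogus directory-entry count in the PE header) are easy to automate for triage. The script below is an added example, not code from the post or from the protector's author: it parses the DOS and PE headers far enough to read NumberOfRvaAndSizes, flags anything other than the normal 16 (10h), writes a repaired copy of the header, and does a plain substring scan for the indicator strings the post lists. The sample image it builds is a constructed, minimal PE32 header with no code or sections, and the indicator list is my own assumption of what those tricks leave behind in a binary.

```python
import struct

# PE constants from the PE/COFF specification
IMAGE_DOS_SIGNATURE = 0x5A4D      # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550   # "PE\0\0"
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
EXPECTED_DIRECTORY_COUNT = 16     # normal NumberOfRvaAndSizes (10h)

# Indicator strings for the tricks named in the post (assumed list, not exhaustive)
ANTI_DEBUG_INDICATORS = [
    b"IsDebuggerPresent",
    b"CheckRemoteDebuggerPresent",
    b"FindWindowA",
    b"OLLYDBG",
    b"\\\\.\\NTICE",
]


def _directory_count_offset(data: bytes) -> int:
    """Return the file offset of NumberOfRvaAndSizes, validating headers on the way."""
    if len(data) < 0x40 or struct.unpack_from("<H", data, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # need signature (4) + COFF header (20) + optional header magic (2)
    if e_lfanew + 26 > len(data) or struct.unpack_from("<I", data, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("missing or truncated PE signature")
    optional_header = e_lfanew + 4 + 20
    magic = struct.unpack_from("<H", data, optional_header)[0]
    if magic == PE32_MAGIC:
        offset = optional_header + 92
    elif magic == PE32PLUS_MAGIC:
        offset = optional_header + 108   # ImageBase and stack/heap sizes are 8 bytes in PE32+
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    if offset + 4 > len(data):
        raise ValueError("optional header truncated")
    return offset


def number_of_rva_and_sizes(data: bytes) -> int:
    """Read the data directory count from the optional header."""
    return struct.unpack_from("<I", data, _directory_count_offset(data))[0]


def check_directory_count(data: bytes) -> dict:
    """Flag a directory count that differs from the usual 16; packers use this to upset debuggers."""
    count = number_of_rva_and_sizes(data)
    return {"count": count, "suspicious": count != EXPECTED_DIRECTORY_COUNT}


def repair_directory_count(data: bytes) -> bytes:
    """Return a copy of the image with NumberOfRvaAndSizes reset to 16."""
    patched = bytearray(data)
    struct.pack_into("<I", patched, _directory_count_offset(data), EXPECTED_DIRECTORY_COUNT)
    return bytes(patched)


def find_anti_debug_indicators(data: bytes) -> list:
    """Plain substring scan; a packer that builds names at runtime will evade this."""
    return [s.decode() for s in ANTI_DEBUG_INDICATORS if s in data]


def build_sample_pe(num_dirs: int, extra: bytes = b"") -> bytes:
    """Constructed minimal PE32 header (DOS stub + PE signature + COFF + optional header)."""
    dos = bytearray(0x40)
    struct.pack_into("<H", dos, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", dos, 0x3C, 0x40)   # e_lfanew: PE header directly after DOS header
    # signature, Machine (i386), NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader (224 for PE32), Characteristics
    coff = struct.pack("<IHHIIIHH", IMAGE_NT_SIGNATURE, 0x14C, 1, 0, 0, 0, 224, 0x0102)
    optional = bytearray(224)                 # 96 bytes of fields + 16 data directories of 8 bytes
    struct.pack_into("<H", optional, 0, PE32_MAGIC)
    struct.pack_into("<I", optional, 92, num_dirs)
    return bytes(dos) + coff + bytes(optional) + extra


if __name__ == "__main__":
    # Constructed sample with the bogus count from the post and a couple of indicator strings
    sample = build_sample_pe(0x2B4ADD80, extra=b"\x00IsDebuggerPresent\x00\\\\.\\NTICE\x00")
    print(check_directory_count(sample))          # {'count': 726457728, 'suspicious': True}
    print(find_anti_debug_indicators(sample))     # ['IsDebuggerPresent', '\\\\.\\NTICE']
    print(number_of_rva_and_sizes(repair_directory_count(sample)))   # 16
```

The header parser stops at the optional header on purpose: it is enough to reproduce the check that made OllyDbg refuse the file, and keeping it short means it will not itself choke on the other header oddities a packer may add. The string scan is only a first pass; imports resolved by hash or decrypted at runtime will not show up in it.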
If you run into any interesting samples of packers or malware, you can send them in a password-protected zip to samples_at_teamfurry_dot_com
——————————–
Update 11.3.2007:
The packer in question is something called AlexProtector :)