
Need help to unpack RLPacker with antidebug protection

Hi, all

I joined an anti-malware community here in my country (Brazil), which does a job similar to the MIRT from the old CastleCops forum, but dedicated to local threats only (banker trojans).

I need some help to unpack a DLL packed with:

RLPack 1.20 with fake signature (ExeInfoPE) with LZMA engine.

I already tried RLdePacker 1.4, RL!Unpacker and some IDA scripts I've found but with no results.

I attached this DLL to explorer.exe and ran the debugger. I figured out that it calls ntdll_DbgBreakPoint, but I don't have good skills with a debugger.

Can you point me in some direction on how I can learn to unpack it?

Thanks in advance.

Maybe this could help

Maybe this could help you:
http://tuts4you.com/download.php?view.2686

Upload a copy of the trojan

Upload a copy of the trojan and give us the link.

Thanks for the help, guys.

Thanks for the help, guys. :)

@the_mfox: I saw that video tutorial, but it is hard to do! Is there some other easier way? I'm just a beginner. :)

@dannyquist: You can download the trojan from here:

http://vlogseufernando.com.br/videolives.mms?ailtoncorreiapv:07:08:34:4089462266825226522

I'm not sure if it is still online. I uploaded its related files to VT:

installer:
http://www.virustotal.com/file-scan/report.html?id=2c2868ec513639ae4c09db042df62782dc28cc751c32192c996379e37aee03fa-1317954626

DLL:
http://www.virustotal.com/file-scan/report.html?id=d5728c2a6b194fcebd3a67745cc01ab31a7f552440fd43c7c225f6ba5091b88a-1318111704

I really appreciate your help. :)

Here is the file: Sorry,

Here is the file:

Sorry, here it is:

http://www.offensivecomputing.net/?q=ocsearch&ocq=b12a258ce54e06ccd85c1ff8bdfa0d47