
Can you unpack this chunk of code?

Name: Anonymous 2012-08-13 18:20


        public start
start        proc far
        mov    ax, es
        add    ax, 10h
        push    cs
        pop    ds
        assume ds:seg001
        mov    word_1A274, ax
        add    ax, word_1A27C
        mov    es, ax
        assume es:nothing
        mov    cx, word_1A276
        mov    di, cx
        dec    di
        mov    si, di
        std
        rep movsb
        push    ax
        mov    ax, 32h    ; '2'
        push    ax
        retf
start        endp ; sp-analysis failed

; ---------------------------------------------------------------------------
        mov    bx, es
        mov    ax, ds
        dec    ax
        mov    ds, ax
        assume ds:nothing
        mov    es, ax
        assume es:nothing
        mov    di, 0Fh
        mov    cx, 10h
        mov    al, 0FFh
        repe scasb
        inc    di
        mov    si, di
        mov    ax, bx
        dec    ax
        mov    es, ax
        assume es:nothing
        mov    di, 0Fh

loc_1A2C0:                ; CODE XREF: seg001:0094j
        mov    cl, 4
        mov    ax, si
        not    ax
        shr    ax, cl
        jz    short loc_1A2D3
        mov    dx, ds
        sub    dx, ax
        mov    ds, dx
        assume ds:nothing
        or    si, 0FFF0h

loc_1A2D3:                ; CODE XREF: seg001:0058j
        mov    ax, di
        not    ax
        shr    ax, cl
        jz    short loc_1A2E4
        mov    dx, es
        sub    dx, ax
        mov    es, dx
        assume es:nothing
        or    di, 0FFF0h

loc_1A2E4:                ; CODE XREF: seg001:0069j
        lodsb
        mov    dl, al
        dec    si
        lodsw
        mov    cx, ax
        inc    si
        mov    al, dl
        and    al, 0FEh
        cmp    al, 0B0h ; '∞'
        jnz    short loc_1A2FA
        lodsb
        rep stosb
        jmp    short loc_1A300
; ---------------------------------------------------------------------------
        nop

loc_1A2FA:                ; CODE XREF: seg001:0082j
        cmp    al, 0B2h ; '≤'
        jnz    short loc_1A369
        rep movsb

loc_1A300:                ; CODE XREF: seg001:0087j
        mov    al, dl
        test    al, 1
        jz    short loc_1A2C0
        mov    si, 125h
        push    cs
        pop    ds
        assume ds:seg001
        mov    bx, word_1A274
        cld
        xor    dx, dx

loc_1A312:                ; CODE XREF: seg001:00C4j
        lodsw
        mov    cx, ax
        jcxz    short loc_1A32A
        mov    ax, dx
        add    ax, bx
        mov    es, ax
        assume es:nothing

loc_1A31D:                ; CODE XREF: seg001:loc_1A328j
        lodsw
        mov    di, ax
        cmp    di, 0FFFFh
        jz    short loc_1A336
        add    es:[di], bx

loc_1A328:                ; CODE XREF: seg001:00D4j
        loop    loc_1A31D

loc_1A32A:                ; CODE XREF: seg001:00A5j
        cmp    dx, 0F000h
        jz    short loc_1A346
        add    dx, 1000h
        jmp    short loc_1A312
; ---------------------------------------------------------------------------

loc_1A336:                ; CODE XREF: seg001:00B3j
        mov    ax, es
        inc    ax
        mov    es, ax
        assume es:nothing
        sub    di, 10h
        add    es:[di], bx
        dec    ax
        mov    es, ax
        assume es:nothing
        jmp    short loc_1A328
; ---------------------------------------------------------------------------

loc_1A346:                ; CODE XREF: seg001:00BEj
        mov    ax, bx
        mov    di, word ptr byte_1A278
        mov    si, word ptr byte_1A278+2
        add    si, ax
        add    word ptr byte_1A270+2, ax
        sub    ax, 10h
        mov    ds, ax
        assume ds:nothing
        mov    es, ax
        mov    bx, 0
        cli
        mov    ss, si
        assume ss:nothing
        mov    sp, di
        sti
        jmp    dword ptr cs:[bx]
; ---------------------------------------------------------------------------

loc_1A369:                ; CODE XREF: seg001:008Cj
        mov    ah, 40h    ; '@'
        mov    bx, 2
        mov    cx, 16h
        mov    dx, cs
        mov    ds, dx
        assume ds:seg001
        mov    dx, 10Fh
        int    21h        ; DOS -    2+ - WRITE TO FILE WITH    HANDLE
                    ; BX = file handle, CX = number    of bytes to write, DS:DX -> buffer
        mov    ax, 4CFFh
        int    21h        ; DOS -    2+ - QUIT WITH EXIT CODE (EXIT)
                    ; AL = exit code
; ---------------------------------------------------------------------------
        db  50h    ; P
        db  61h    ; a
        db  63h    ; c
        db  6Bh    ; k
        db  65h    ; e
        db  64h    ; d
        db  20h
        db  66h    ; f
        db  69h    ; i
        db  6Ch    ; l
        db  65h    ; e
        db  20h
        db  69h    ; i
        db  73h    ; s
        db  20h
        db  63h    ; c
        db  6Fh    ; o
        db  72h    ; r
        db  72h    ; r
        db  75h    ; u
        db  70h    ; p
        db  74h    ; t
        db    0
        db 0Bh dup(0), 34h, 0, 4, 8Bh, 14h, 8Bh, 24h, 8Bh, 34h
        db 8Bh,    44h, 8Bh, 54h, 8Bh, 64h, 8Bh, 74h, 8Bh,    84h, 8Bh
        db 94h,    8Bh, 0A4h, 8Bh,    0B4h, 8Bh, 0C4h, 8Bh, 0D4h, 8Bh
        db 0E4h, 8Bh, 0F4h, 8Bh, 4, 8Ch, 14h, 8Ch, 24h,    8Ch, 34h
        db 8Ch,    44h, 8Ch, 54h, 8Ch, 64h, 8Ch, 74h, 8Ch,    84h, 8Ch
        db 94h,    8Ch, 0A4h, 8Ch,    0B4h, 8Ch, 0C4h, 8Ch, 0D4h, 8Ch
        db 0E4h, 8Ch, 0F4h, 8Ch, 4, 8Dh, 14h, 8Dh, 24h,    8Dh, 34h
        db 8Dh,    44h, 8Dh, 54h, 8Dh, 64h, 8Dh, 74h, 8Dh,    84h, 8Dh
        db 94h,    8Dh, 0A4h, 8Dh,    0B4h, 8Dh, 0C4h, 8Dh, 0D4h, 8Dh
        db 0E4h, 8Dh, 0F4h, 8Dh, 56h, 0F9h, 4Dh, 0FFh, 0C4h, 0FFh
        db 0C9h, 0FFh, 0B1h, 0,    0F9h, 0, 0FEh, 0, 58h, 1, 11h
        db 5, 16h, 5, 48h, 5, 4Dh, 5, 5Dh, 5, 77h, 5, 7Ch, 5, 7Ch
        db 6, 81h, 6, 4Fh, 7, 54h, 7, 8Ah, 7, 0C5h, 8, 38h, 9
        db 3Dh,    9, 15h,    0Ah, 8Eh, 0Ch, 93h, 0Ch, 0C9h, 0Ch, 0C3h
        db 10h,    0, 12h,    2Ch, 12h, 8Ch, 13h, 5Bh, 1Ah, 4Eh, 1Bh
        db 1Dh,    1Ch, 35h, 1Ch, 3Ah, 1Ch, 0A3h, 1Ch, 0A8h, 1Ch
        db 15h,    1Dh, 59h, 1Dh, 9Bh, 1Dh, 0E2h, 2 dup(1Dh), 1Eh
        db 61h,    1Eh, 0A4h, 1Eh,    0E8h, 1Eh, 0EAh, 21h, 2Ch, 22h
        db 6Dh,    25h, 17h, 26h, 5Eh, 26h, 0E6h, 27h, 0A2h, 29h
        db 0A8h, 29h, 0ABh, 29h, 0B0h, 29h, 0BCh, 29h, 0F1h, 29h
        db 19h,    2Ah, 1Fh, 2Ah, 22h, 2Ah, 27h, 2Ah, 37h,    2Ah, 6Ch
        db 2Ah,    94h, 2Ah, 9Ah, 2Ah, 9Dh, 2Ah, 0A2h, 2Ah, 0A5h
        db 2Ah,    0AAh, 2Ah, 0CCh, 2Ah, 0D2h, 2Ah, 0D5h, 2Ah, 0DAh
        db 2Ah,    0EFh, 2Ah, 7, 2Bh, 1Fh,    2Bh, 25h, 2Bh, 28h, 2Bh
        db 2Dh,    2Bh, 30h, 2Bh, 35h, 2Bh, 58h, 2Bh, 5Eh,    2Bh, 61h
        db 2Bh,    66h, 2Bh, 69h, 2Bh, 6Eh, 2Bh, 91h, 2Bh,    97h, 2Bh
        db 9Ah,    2Bh, 9Fh, 2Bh, 0A2h, 2Bh, 0A7h,    2Bh, 0CAh, 2Bh
        db 0D0h, 2Bh, 0D3h, 2Bh, 0D8h, 2Bh, 0DBh, 2Bh, 0E0h, 2Bh
        db 3, 2Ch, 9, 2Ch, 0Ch,    2Ch, 11h, 2Ch, 38h, 2Ch, 61h, 2Ch
        db 67h,    2Ch, 6Ah, 2Ch, 6Fh, 2Ch, 96h, 2Ch, 0BFh, 2Ch, 0C5h
        db 2Ch,    0C8h, 2Ch, 0CDh, 2Ch, 0F4h, 2Ch, 11h, 2Dh, 16h
        db 2Dh,    45h, 2Dh, 0B3h,    2Fh, 0B9h, 2Fh,    0BCh, 2Fh, 0C1h
        db 2Fh,    0C4h, 2Fh, 0FDh, 2Fh, 3, 30h, 6, 30h, 0Bh, 30h
        db 35h,    30h, 64h, 30h, 93h, 30h, 0C2h, 30h, 0CBh, 30h
        db 8Ah,    31h, 0C6h, 31h,    21h, 32h, 0A7h,    32h, 3Fh, 35h
        db 0EFh, 35h, 6Eh, 36h,    5Eh, 37h, 41h, 38h, 7Ah, 38h, 92h
        db 38h,    7Ch, 3Bh, 0FDh,    3Ch, 36h, 3Dh, 71h, 3Dh, 0A4h
        db 3Dh,    9Fh, 40h, 0D8h,    40h, 10h, 41h, 43h, 41h, 5Eh, 42h
        db 97h,    42h, 0CFh, 42h,    2, 43h,    33h, 5Ah, 79h, 5Ah, 62h
        db 75h,    77h, 8Fh, 0B1h,    8Fh, 0C1h, 90h,    6, 91h,    0Bh, 91h
        db 2Fh,    91h, 5Bh, 91h, 8Ah, 91h, 0A7h, 93h, 7Fh, 9Ch, 0C1h
        db 9Ch,    74h, 9Dh, 98h, 9Dh, 0BAh, 9Dh, 0F8h, 9Eh, 0FDh
        db 9Eh,    67h, 9Fh, 69h, 9Fh, 0B2h, 9Fh, 0D0h, 9Fh, 29h
        db 0A0h, 37h, 0A0h, 32h, 0A1h, 10h dup(0)
        db 6FF01h dup(?)
seg001        ends
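
Added example (mine, not code from the thread, from the poster, or from Microsoft's EXEPACK): a flat-memory Python model of what the listing above does. `exepack_decompress` mirrors the backwards command loop at loc_1A2C0..loc_1A300 (0B0h fill, 0B2h copy, low bit = last command, trailing 0FFh padding skipped by the `repe scasb`) and raises the stub's own "Packed file is corrupt" error for any other command byte; `apply_relocations` mirrors the per-page relocation walk at loc_1A312..loc_1A346, including the 0FFFFh-offset case. Real-mode segment arithmetic and the in-place overlap of packed and unpacked data are not modelled; the function names and the sample stream built by `exepack_encode` are my own constructions.

```python
"""Flat-memory model of the EXEPACK unpacker stub shown in the listing (added example)."""
import struct

# Error string the stub writes with INT 21h/AH=40h before exiting via AH=4Ch (loc_1A369).
CORRUPT_MSG = "Packed file is corrupt"


def exepack_decompress(packed: bytes) -> bytes:
    """Decode an EXEPACK data stream.

    Mirrors loc_1A2C0..loc_1A300: the stream is consumed from its end backwards
    (STD is set), each command is laid out as [payload][len lo][len hi][cmd],
    cmd & 0FEh selects fill (0B0h) or copy (0B2h), and cmd & 1 marks the final
    command. Output is produced back to front, so chunks are reversed at the end.
    """
    # repe scasb with AL=0FFh, CX=10h: skip up to 16 trailing 0xFF padding bytes.
    end = len(packed)
    while end > 0 and len(packed) - end < 16 and packed[end - 1] == 0xFF:
        end -= 1
    chunks = []
    pos = end - 1                        # SI: index of the current command byte
    while True:
        if pos < 2:                      # not even room for a length word
            raise ValueError(CORRUPT_MSG)
        cmd = packed[pos]                                      # lodsb -> DL
        (length,) = struct.unpack_from("<H", packed, pos - 2)  # lodsw -> CX
        pos -= 3                                               # SI now at the payload
        kind = cmd & 0xFE                                      # and al, 0FEh
        if kind == 0xB0:                 # fill: one literal byte repeated CX times (rep stosb)
            if pos < 0:
                raise ValueError(CORRUPT_MSG)
            chunks.append(bytes([packed[pos]]) * length)
            pos -= 1
        elif kind == 0xB2:               # copy: CX bytes taken verbatim (rep movsb)
            start = pos - length + 1
            if start < 0:
                raise ValueError(CORRUPT_MSG)
            chunks.append(packed[start:pos + 1])
            pos = start - 1
        else:                            # any other command byte: jnz loc_1A369
            raise ValueError(CORRUPT_MSG)
        if cmd & 1:                      # test al, 1: last command reached
            return b"".join(reversed(chunks))


def exepack_encode(commands, padding=3) -> bytes:
    """Serialise ("fill", (byte, n)) / ("copy", data) pairs, given in output order,
    into the backwards stream. Constructed test helper only; it does no real compression."""
    out = bytearray()
    for i, (kind, payload) in enumerate(commands):
        last = 1 if i == 0 else 0        # the first chunk of output is decoded last
        if kind == "fill":
            byte, n = payload
            out += bytes([byte]) + struct.pack("<H", n) + bytes([0xB0 | last])
        else:
            out += payload + struct.pack("<H", len(payload)) + bytes([0xB2 | last])
    return bytes(out) + b"\xff" * padding


def apply_relocations(image: bytearray, table: bytes, load_seg: int) -> int:
    """Patch far pointers the way loc_1A312..loc_1A346 does; returns the entry count.

    The table holds 16 groups, one per 4096-paragraph page (DX = 0, 1000h, ..., 0F000h):
    a count word followed by that many offset words. The stub sets ES = load_seg + DX
    and adds the load segment (BX) to the word at ES:offset. Offset 0FFFFh is patched
    through ES+1:0FFEFh (loc_1A336) because a word at offset 0FFFFh would wrap inside
    the segment; in a flat buffer both resolve to the same index, so no branch is needed.
    """
    pos = 0
    patched = 0
    for page in range(0, 0x10000, 0x1000):
        (count,) = struct.unpack_from("<H", table, pos)
        pos += 2
        for _ in range(count):           # jcxz skips an empty page
            (off,) = struct.unpack_from("<H", table, pos)
            pos += 2
            index = (page << 4) + off    # (page + 1) << 4 + 0FFEFh gives the same index
            (val,) = struct.unpack_from("<H", image, index)
            struct.pack_into("<H", image, index, (val + load_seg) & 0xFFFF)
            patched += 1
    return patched


if __name__ == "__main__":
    sample = exepack_encode([("copy", b"MZ"), ("fill", (0x00, 5)), ("copy", b"Hello")])
    print(exepack_decompress(sample))    # constructed input, decodes to b'MZ\x00\x00\x00\x00\x00Hello'
```

The decoder takes only the data stream; in the real file the header words the listing reads (word_1A274, word_1A276, word_1A27C, byte_1A278) tell the stub where that stream sits and how large the unpacked image is, which a flat model does not need.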

Name: Anonymous 2012-08-13 18:25

unpack my anus

Name: Anonymous 2012-08-13 18:26

>>1
Also, why does IDA always show this "sp-analysis failed" even on obvious jumps?

Name: Anonymous 2012-08-13 18:28

>>3
i.e. in

move ax, anus
push ax
retf

the anus isn't being analyzed

Name: Anonymous 2012-08-13 20:26

OP what the fuck are you doing

Name: Anonymous 2012-08-13 20:50

>>5
already did. I just launched the exe in dosbox and dumped its already unpacked copy.

Name: Anonymous 2012-08-13 21:51

I would, but it won't run on my Loongson.

Name: Anonymous 2012-08-13 23:30

>>7
Thanks for this enlightening contribution, faggot.
Even Mac users stopped bragging about their beloved little toys years ago. I think we got it now.

Name: Anonymous 2012-08-14 0:15

>>8
That's because Macs stopped being something to brag about when they started using Intel.

Name: Anonymous 2012-08-14 0:27

>>7
dosbox runs great on mine.

Name: Anonymous 2012-08-14 0:55

>>8 you got badly owned by >>9

Name: Anonymous 2012-08-14 5:25

>>8
Mac users still have the best font rendering around. Linux neckbeards have the worst.

Name: Anonymous 2012-08-14 5:29

>>12
Learn to configure fontconfig. It's a bit of a pain in the anus (XML, no tools) but you can get a decent result.
By the way, even Mac OS X text rendering is shit since it's not gamma-correct. And gamma-correct only looks good with white-on-black text if the resolution is too low.

Name: Cudder !MhMRSATORI!fR8duoqGZdD/iE5 2012-08-14 5:44

Wow. Haven't seen that in a long time.

It's Microsoft EXEPACK. A little Google would've told you and given you a lot more info than anyone would bother to reproduce here.

>>3,4
Use IDA for any length of time beyond the initial "wow, cool!" impression and you'll hit little stupid niggles like this. Its analysis engine was designed with compiler output in mind and doesn't seem to do much more than basic static jumps. Indirect jump analysis is probably a hardcoded scan instead of execution simulation. SMC and tricks with the stack will confuse it greatly.

Maybe this made sense in the 90s when RAM was expensive and CPUs slow, but machines now have enough processing power to do much better. As far as I know the analyser in the latest versions is still single-threaded (they decided to make the debugger multi-threaded, when what really matters is the analysis engine) so getting more cores isn't going to make it analyse faster even though it could, by tracing multiple code paths in parallel.

All of this, along with things like a lack of undo function and being proprietary, meant we abandoned it long ago for our own system. It's client-server, and currently runs on an 8-node cluster but easily scalable to many more. The back-end database is a real database, and it stores architecture definitions and a lot more other info so it can be easily updated and queried. Wanting to find a specific set of instructions/sequences is as easy as a line of SQL. Limitless undo is supported. (http://www.hexblog.com/?p=415 -- why doesn't IDA move to a real database? Requiring something like MySQL or Oracle isn't a great idea, but even just embedding e.g. SQLite would make the product a lot more flexible and easy to use.)

tl;dr: Not satisfied with existing offerings? Make your own and grow it to fit your needs. Ours grew from something much less featureful than IDA but more targeted, to a vastly flexible platform on which to base future work. It used to be a plain desktop application of a few hundred KB, but now it's become an infrastructure.

>>8,9
In the early 90s, I predicted that would happen. Too bad they're not exactly compatible with the standard PC.

Name: Anonymous 2012-08-14 8:21

>>14
Thanks. But I found the easiest way to unpack an exe is to just run it. Also IDA doesn't support assigning SEG offsets for raw binaries, so one has to manually create a fake EXE file with mappings.

Name: Anonymous 2012-08-14 20:23

>>14
Too bad they're not exactly compatible with the standard PC.
I know. It sucks not being able to install a 5.25" floppy drive and 9600 baud ISA modem in my MacBook Air.

Name: Cudder !MhMRSATORI!fR8duoqGZdD/iE5 2012-08-15 6:53

>>15
If you really trust the file, then that would be fine.

>>16
I believe the chipsets they use these days still have an LPC bus so you could do that with a bit of soldering and an LPC-ISA bridge, and the SuperIO will likely have an (unused) FDC. I was more referring to things like lack of BIOS, and more fundamentally, a standard keyboard/mouse controller. The majority of the hardware in Macs now (CPU, chipset and integrated peripherals, RAM) is identical to PCs; the firmware and software are where the big differences show up.

Name: Anonymous 2012-08-15 7:10

>>17
If you really trust the file, then that would be fine.
I doubt a file from 1995 can really crash a modern PC.

Name: Anonymous 2012-08-15 22:37

>>18
It might. Use a virtual machine for your architecture, debugger, memory viewer, thingy ma bob.

Name: Cudder !MhMRSATORI!fR8duoqGZdD/iE5 2012-08-16 4:08

>>18
It might look like it's from '95, but malware writers are quite cunning. E.g. see http://fuuka.warosu.org/jp/thread/S9113696

>>19
Wise advice, but VMs also have their own issues, which is why there is so much effort put into static analysis.

Name: Anonymous 2012-08-16 5:00

can i unpack urs chode

Name: Anonymous 2012-08-16 7:01

3fegrhsuiejao wsdf dubs

Name: Anonymous 2012-08-16 7:16

3FEGRHSUIEJAO MY ANUS

Name: Anonymous 2012-08-16 10:26

>>20
http://fuuka.warosu.org/jp/thread/S9113696
I'm sure this fucker is Jewish. At least in Russia most hackers (and fraudsters in general) are Jewish. So when you again hear news about "Russian hackers", you should know these criminals have nothing to do with ethnic Russians.

A well known one is http://en.wikipedia.org/wiki/Vardan_Kushnir

he spammed the whole Russian internet with his massive botnet, annoying everyone so much that Russians just killed him.

Name: Anonymous 2012-08-16 17:47

>>24
go away

Name: Anonymous 2012-08-16 18:00

>>24
stay here
post more

Name: Anonymous 2012-08-16 18:15

>>25
Shalom!

Name: Anonymous 2012-08-16 23:31

>>27
Gonna be the test to ultimate fitness

Name: Anonymous 2012-08-17 8:08

>>28
It seems Russia isn't the only one with the Jewish cyber-criminals problem. Let's take Kevin Mitnick as a typical example.

http://www.theverge.com/culture/2011/10/20/2502574/ghost-in-the-wires-by-kevin-mitnick
Mitnick’s stepfather was an active member of the radical Jewish Defense League. When Mitnick was eight or ten his stepfather would take him out into the desert near Los Angeles and let him watch while they fired automatic weapons at posters of Hitler.

I.e. Mitnick was educated as a professional Zionist.

Name: Anonymous 2012-08-17 8:15

and here is another famous hacker...
http://en.wikipedia.org/wiki/Kevin_Poulsen

guess his ethnicity!

Name: VIPPER 2012-08-17 8:25

I want to fire automatic weapons at >>20,29.

Name: VIPPER 2012-08-17 8:25

And >>30 too

Name: Anonymous 2012-08-17 8:42

>>31>>32
Shalom!

Name: VIPPER 2012-08-17 13:43

>>33
Way to fail faggot.

Name: Cudder !MhMRSATORI!fR8duoqGZdD/iE5 2012-08-19 2:01

>>14
Another huge bug/drawback in IDA: it doesn't handle Mach-O relocation entries at all. We only figured this out after spending half a day on Friday with a very confused client.

Name: Anonymous 2012-08-19 2:15

>>33
self hating jew detected

Name: VIPPER 2012-08-19 3:47

>>36
I think jews are smarter than this and would put in more effort when posting.
