Discussion on [Release] GlobalDekaron Unpacked Executables within the Dekaron Exploits, Hacks, Bots, Tools & Macros forum part of the Dekaron category.
For those who are using Nebular's ReXIGNation, target the packed dekaron.exe. I'm having problems using the unpacked one with ReXIGNation too, but the packed one works perfectly. Don't get me wrong, the unpacked dekaron.exe works fine, but just not with ReXIGNation.
As I specified in the first post, the No-XIGN 1.2 works just for some people. For most it doesn't (doesn't even work for me). I will fix it later if I get any crazy ideas on how to do it. For now, use the ReXIGNation that Nebular posted. It's working perfectly, as usual.
And for the dekaron.exe unpacking. The LOOPDNE part was just an instruction the debugger assumed it to be. The packer uses obfuscated code (~ random code here and there to distract). The part that is always present is:
Code:
JMP EAX
RETN
Due to the obfuscated bytes before that part you may not see the code as described above. You have to search for:
Code:
FFE0C3 (opcodes) - Search with Ctrl+B in OllyDbg, input only the numbers on the left
The dekaron.exe was updated again. I'm going to post the unpacked dekaron.exe once I get it unpacked properly. They did update the custom packer/protector they're using. The API redirection is slightly harder and the packer seems to check for INT3 breakpoints on some parts of the code, or else they've just disabled the SEH exceptions.