Tuts 4 You

Unpacking

19 files

  1. Private EXE Protector 3.4.0 (Unpacking)

    Full unpacking and devirtualization of Private Exe Protector v3.3. Deals with OEP/import/resource/antidump/... protections and devirtualization.
    This is a good introduction to modern packers, as PEP implements things in a basic and easy to understand way.
    The tutorial includes dumps for every stage of the unpacking process so the reader can follow along. It also includes all scripts and section dumps used during the unpacking as well as the target.
    by deepzero, 2011

    412 downloads

    0 comments

    Submitted

  2. PeSpin x64 1.22 (Unpacking)

    Just another basic x64 unpacking video tutorial, proof of concept for x64_dbg and Scylla.

    211 downloads

    0 comments

    Submitted

  3. PeSpin x64 Pre-Alpha (Unpacking)

    A Shockwave Flash movie tutorial showing a method of unpacking PeSpin x64 Pre-Alpha whilst using CHimpREC to repair the IAT.

    96 downloads

    0 comments

    Submitted

  4. PeSpin x64 1.22 (All Protections)

    One day I wiped my HDD clean and installed Win7 64bit. Then I remembered that there was an x64 version of PESpin and that I always wanted to try it out, so I downloaded the latest version (1.22 as of today) and started to play with it. It was so much fun I thought about making a tutorial about unpacking it, so I sat down and did it.

    In this 20-minute-long video I talked about:
    the debug blocker
    the password protection
    IAT redirection
    restoring the Relocation Directory (on Win7 64bit ASLR is enabled by default, so why not?)
    the nanomites, to which I devoted about a third of the tutorial because I really liked them

    Besides, I wanted to advertise x64_dbg.

    In the package: tutorial, notes/docs, script, tools, sources and unpackmes.

    Enjoy!

    280 downloads

    2 comments

    Submitted

  5. Themida + WinLicense 2.x (Unpacking)

    I want to release a new tutorial about the popular theme Themida - WinLicense. I see there still seem to be some open questions, mostly about whether my older unpack script no longer works and about the unpacked files too, etc. So this time I decided to create a little video series on how to unpack and deal with a newer protected Themida target manually, where my older public script does fail. A friend of mine protected unpackmes for this, and in the tutorial you will see all steps from A-Z to get this unpackme successfully manually unpacked, but this is only one example of how you can do it, of course. The tutorial [videos + text tutorial] is very long and has a run-time of more than three hours, and of course it will be necessary that you also read the text parts I made at the same time if possible; if you are already an advanced user then you will have it easier than a newbie. So I hope that you have enough patience to work through the whole tutorial.

    So I set the main attention on all the things which happen after normal unpacking, since the unpack process is the simplest part and everything that comes after is the most interesting part, including how to deal with all the problems that happen. It's more or less like a live unpack session.

    I also wrote some small, basic little helper scripts which you can also use for other targets to get valuable information if you need it.

    Short summation:
    Unpacking
    Exception analysing
    VM analysing with UV plugin
    AntiDump's find & fixing & redirecting "after fix method"
    Testing on other OS

    My special thanks go to Lostin, who made this unpackme and others + OS tests. (I want to send a thank you to Deathway again for creating this very handy and helpful UV plugin.) So this is all I have to say about the tutorial so far; just watch and read and then try it by yourself. Oh! And by the way, I recorded ten videos and not only one. If something does not work or you have any problems with this tutorial, etc., then ask in the support topic only. Don't send me tons of PMs, OK! Thank you in advance.

    PS: Oh! And before someone again has something to complain about because of my tutorial style [goes too quickly or is bad or whatever], I just want to say, maybe you're right; normally I don't like to create and write tutorials. This is really not my thing, so keep this in your mind.

    1,649 downloads

    1 comment

    Submitted

  6. Enigma Protector 1.90 - 3.xx Alternativ Unpacker v1.1

    Today I release an unpacker script for Enigma Protector. Maybe you know that I created another unpacker script for Enigma in the past which no longer works for protected Enigma files greater than 3.70+, and this is the reason why I wrote a new script, Enigma Alternativ Unpacker 1.0.

    So what is new in this script? This script will unpack your Enigma protected files and dump the used outer virtual machine. This means you do not need to use the DV / Enigma plugin which is used in my other script. Of course the virtual machine will be still virtualized but your unpacked files will work. It is not the best solution but for the moment it is a good "alternativ" and a working solution.

    Features of the script:

    ( 1.) Unpacking of ENIGMA 1.90 - 3.130+
    ( 2.) RegSheme Bypass & HWID Changer
    ( 3.) Enigma CheckUp Killer
    ( 4.) VirtualMemory Dumper 1.90 - 3.x+ & SC Fixer M1
    ( 5.) UIF Tool Necessary Sometimes!
    ( 6.) Enigma Intern Export & VM Scan + Log
    ( 7.) Improved Import Emulation Fixer
    ( 8.) Supports Exe & Dll Files [dll at EP!]

    This new script again covers almost all the protection features of Enigma Protector like my other script but it has been improved and I have added some extra things that you will see when you get to use it.

    I have created four video tutorials for you where you can see what you have to do in some of the different situations you may experience. Be sure that you "watch the videos" before you use the script to prevent some unnecessary questions where you can already find the answers if you watch them and then read my added text files. I also made an UnpackMe set with six different protected files (watch the videos to see how to unpack all of them).

    If something does not work for you or if you get any trouble or have any questions then just post a reply on the topic (linked above) to get an answer.

    1,864 downloads

    0 comments

    Updated

  7. Enigma Protector 1.51 (Unpacking)

    Requirement Software: OllyDBG, ImportREC, LordPE
    Level: Intermediate

    With all Protections:
    Control sum checkup
    File analyzer deception
    Original file size preservation
    Extra resource protection
    Advanced force import protection
    WinApi Redirection
    WinApi emulation
    A file attached to executable
    File Entrypoint obfuscation
    Virtual Machine

    182 downloads

    0 comments

    Submitted

  8. Enigma Protector 1.xx - 3.xx Vol.1 (Unpacking)

    Today I release - finally - the series of unpacking tutorials about manually unpacking The Enigma Protector. I will discuss all protections of Enigma, as fully detailed as possible.

    I have to say thanks to LCF-AT, she helped me a lot with this.
    Introduction ~ 9:28
    Unpacking with patterns ~ 33:03
    Finding patch-places without patterns ~ 19:56
    Dealing with SDK API's & Custom Emulated API's ~ 28:23
    Internal & External VM's (Using Plugin) ~ 5:40
    Enigma's Registration Scheme ~ 15:37
    EN-DE-Cryption ~ 33:21
    Inline patching + Final Words ~ 11:56

    208 downloads

    0 comments

    Submitted

  9. Enigma Protector 4.10 (Unpacking)

    A video tutorial showing a method of unpacking Enigma Protector 4.10.

    622 downloads

    0 comments

    Submitted

  10. Enigma 1.5 (All Protections No Virtual Machine)

    A Shockwave Flash movie tutorial showing a method of unpacking The Enigma Protector 1.5 with all options enabled - except for Virtual Machine protection.

    108 downloads

    0 comments

    Submitted

  11. Enigma 1.6x (Find OEP + IAT Repair)

    Two Shockwave Flash movies showing how to find the OEP and rebuild the IAT of Enigma 1.6x protected files.

    114 downloads

    0 comments

    Submitted

  12. Enigma 1.12 (Unpacking)

    This is a tutorial on how to go about unpacking Enigma Protector 1.12 explaining how to bypass the anti-debugging tricks, stolen bytes and repairing the imports of Enigma's Import Elimination method.

    115 downloads

    0 comments

    Submitted

  13. Enigma 1.xx - 3.xx Virtual Machine Unpacker v1.0

    It is time to release my new unpack script after a long time, and it's also a very large one with more than 7000 lines.

    The title already states it is an unpacker script for Enigma protected files. Again I tried to create a script which can handle almost any version and features, and the handling of this script is again very easy for you. In the best case you only need to fix the dump.

    Note: The script uses four different DLL files which you will find in the tools folder, so don't forget to enter your paths + save the script before you use it the first time. Don't exchange the DLLs with other DLL versions! Just read the text files or watch the first video, and you should take a look at the Olly LOG window to get some info about your file, etc.

    Enigma 1.x - 3.x Virtual Machine Unpacker v1.0
    ****************************************************
    ( 1.) Unpacking of ENIGMA 1.x - 3.x
    ( 2.) Overlay Scan & Dump
    ( 3.) Enigma Version & Extra Data Scan
    ( 4.) Attached File Dumper
    ( 5.) Dumping of Clean & Fixed ENIGMA DLL_Loader
    ( 6.) Read - Log - Labeling of DLL_Loader Exports
    ( 7.) RegSheme Bypass for Old & New Versions
    ( 8.) HWID Changer for Old & New Versions
    ( 9.) Extra File Dumper - VBox
    ( 10.) VirtualMemory Fixer 1.96 - 3.7+
    ( 11.) Stolen Code Fixer
    ( 12.) VM OEP Scan & Move & Adjustment
    ( 13.) Advanced Code Redirector
    ( 14.) IAT Scanner
    ( 15.) Visual Basic API Fixer
    ( 16.) Visual Basic Dll Function Logger
    ( 17.) ENIGMA DLL_Loader SDK API Fixer
    ( 18.) Extra File SDK API Fixer
    ( 19.) TLS CB FIXER
    ( 20.) TLS Pointer Scan & Fixer
    ( 21.) PE Header Size Increase
    ( 22.) Main File Dumper
    ( 23.) GetStartupInfo Patcher
    ( 24.) Special Anti Patcher
    ( 25.) Supports Exe & Dll Files
    ( 26.) Supports Very Easy User Handling
    ****************************************************

    I tested this script with a lot of different files to get them successfully unpacked, and all in all I am satisfied so far. Of course I created some example videos where you can see how to unpack Enigma files and have written some text files with information about the important stuff. Just read the files before you want to use the script.

    If something does not work for you or if you get any trouble or have any questions, then just post a reply on the support topic to get an answer. Let me know if you find any normal Enigma protected files which the script can't handle.

    PS: Before you ask about Enigma unpack trouble, be SURE that you have read all the info files & the script info inside the script!

    333 downloads

    0 comments

    Submitted

  14. NsPack 3.4 - 3.7 (Debugging and Unpacking )

    This document provides instructions on how to unpack NsPack 3.4 and 3.7 using the OllyDbg debugger. The OllyScripts used in this process are included in the appendixes. The custom plug-ins that are used to automate the procedure are provided with the source code. This paper also includes instructions on how to fully restore the import table so the file can be restored to its original state and executed. This is continued further with instructions on how to convert the machine code (assembly language) into a higher level language (in this paper we will use C) so that an analyst can better understand the workings and purpose of the packer.

    Unfortunately, many commercial antivirus vendors have not adequately analyzed the NsPack binary and compression routine. This has led to the unfortunate situation where major anti-malware vendors are misclassifying NsPack (and other PE Packers) as Trojans (figure 3.1). In section 6 we will show through both static analysis and dynamic execution that NsPack is not a Trojan but a simple PE compression utility.

    NsPack remains one of the most common PE Packers with high rates of reported use and discovery. Oberheide, Bailey, & Jahanian (2009) used the Arbor Network’s Arbor Malware Library (AML) to analyze the distribution of PE Packers. The results are displayed in figure 3.2. In these tables we see that NsPack is in the top 10 list for PE Packers used on malware samples stored in the AML database.

    While this paper focuses on NsPack, the general principles are designed to enable the reader to learn how to apply the process to other PE Packers. NsPack 3.x is a simple compressor. It does not support Anti-Debug or Anti-Disassembly features. It uses configurable section names (defaulting to .nsp). In this document we will walk through both the NsPack 3.4 and 3.7 versions.

    126 downloads

    0 comments

    Submitted

  15. ASProtect 1.31 (Fixing the IAT)

    Tutorial explaining the methods involved in rebuilding the IAT of an ASProtect packed and protected target.

    89 downloads

    0 comments

    Submitted

  16. ASProtect 2.11 SKE (Fixing IAT Through Code Injection)

    An example of fixing ASPR 2.11 SKE IAT with code injection.

    70 downloads

    0 comments

    Submitted

  17. ASProtect 2.11 SKE (IAT Rebuilding)

    In this article I'm going to explain the IAT's protection: Emulate standard system function, on a TASM\MASM software.

    60 downloads

    0 comments

    Submitted

  18. ASProtect 2.xx (IAT Rebuilding).rar

    The new ASPR has come onto the scene and some new tricks (based on old ones) have been seen in that packer. The most sophisticated one is IAT destruction and how ASPR resolves the IAT addresses in the exe.

    67 downloads

    0 comments

    Submitted

  19. Lena's UnPackMe #8 (Unpacking)

    A Shockwave Flash movie showing how to unpack Lena's unpackme #8.

    128 downloads

    0 comments

    Updated
