Jump to content
Tuts 4 You

[ Unpackme ] Dotfix Niceprotect 2.7

Matrix

By Matrix
in UnPackMe (.NET)

 Share

Recommended Posts

  • 3 weeks later...
Apakekdah

Apakekdah

Posted
Posted

i've found only few stolen bytes

PUSH EBP
MOV EBP,ESP
PUSH -1
PUSH 402508
PUSH 401CF6
MOV EAX,DWORD PTR FS:[0]
PUSH EAX
MOV DWORD PTR FS:[0],ESP
SUB ESP,68
PUSH EBX
PUSH ESI
PUSH EDI
MOV DWORD PTR SS:[EBP-18],ESP
XOR EBX,EBX
MOV DWORD PTR SS:[EBP-4],EBX
PUSH 2
CALL NEAR DWORD PTR DS:[402198]POP ECXCALL NEAR DWORD PTR DS:[402190]
MOV ECX,DWORD PTR DS:[403174]
MOV DWORD PTR DS:[EAX],ECX
CALL NEAR DWORD PTR DS:[40218C]
MOV ECX,DWORD PTR DS:[403170]
MOV DWORD PTR DS:[EAX],ECX
MOV EAX,DWORD PTR DS:[402188]
XOR EAX, EAX
CMP DWORD PTR DS:[403090],EBX

it's realy hard to restore stolen bytes :(

Link to comment
Share on other sites
pavka

pavka

Posted
Posted

@Apakekdah

It is not necessary to use ImpRec:) It is superfluous work For IAT MSVC type it is not necessary to restore IAT, it is enough to expose correct values IAT RVA in dump

Link to comment
Share on other sites
pavka

pavka

Posted
Posted

@Apakekdah

Make dump on OEP and put IAT RVA ==25E0

004025E0 00002658 <-----IAT RVA

004025E4 00000000

004025E8 00000000

004025EC 00002830

004025F0 00002014

004025F4 000027C0

004025F8 00000000

004025D4 58 26 00 00 X&..

004025E4 00 00 00 00 00 00 00 00 30 28 00 00 14 20 00 00 ........0(.. ..

004025F4 C0 27 00 00 00 00 00 00 00 00 00 00 66 28 00 00 А'..........f(..

00402604 7C 21 00 00 44 26 00 00 00 00 00 00 00 00 00 00 |!..D&..........

00402614 6A 29 00 00 00 20 00 00 08 28 00 00 00 00 00 00 j)... ..(......

00402624 00 00 00 00 FE 29 00 00 C4 21 00 00 00 00 00 00 ....ю)..Д!......

00402634 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................

00402644 2C 29 00 00 38 29 00 00 44 29 00 00 58 29 00 00 ,)..8)..D)..X)..

00402654 00 00 00 00 63 16 00 80 52 0F 00 80 41 04 00 80 ....c.ЂR.ЂA.Ђ

00402664 D0 09 00 80 4F 14 00 80 5C 09 00 80 12 0D 00 80 Р..ЂO.Ђ\..Ђ..Ђ

00402674 B4 14 00 80 B6 14 00 80 A5 0A 00 80 EF 0F 00 80 ґ.Ђ

Link to comment
Share on other sites
  • 2 weeks later...
sdy100

sdy100

Posted
Posted (edited) 
00454C68 > $  55			PUSH EBP
00454C69   .  8BEC		  MOV EBP,ESP
00454C6B   .  83C4 F0	   ADD ESP,-10
00454C6E   .  B8 804A4500   MOV EAX,KeyGen_protected3.0.00454A80
00454C73   .  E8 6C18FBFF   CALL KeyGen_protected3.0.004064E4
00454C78   .  A1 D8604500   MOV EAX,DWORD PTR DS:[4560D8]
00454C7D   .  8B00		  MOV EAX,DWORD PTR DS:[EAX]
00454C7F   .  E8 4CD8FFFF   CALL KeyGen_protected3.0.004524D0
00454C84   .  8B0D BC614500 MOV ECX,DWORD PTR DS:[4561BC]			
00454C8A   .  A1 D8604500   MOV EAX,DWORD PTR DS:[4560D8]
00454C8F   .  8B00		  MOV EAX,DWORD PTR DS:[EAX]
00454C91   .  8B15 543B4500 MOV EDX,DWORD PTR DS:[453B54]			
00454C97   .  E8 4CD8FFFF   CALL KeyGen_protected3.0.004524E8
00454C9C   .  A1 D8604500   MOV EAX,DWORD PTR DS:[4560D8]
00454CA1   .  8B00		  MOV EAX,DWORD PTR DS:[EAX]
00454CA3   .  E8 C0D8FFFF   CALL KeyGen_protected3.0.00452568
00454CA8   .  E8 67F9FAFF   CALL KeyGen_protected3.0.00404614
00454CAD   .  8D40 00	   LEA EAX,DWORD PTR DS:[EAX]

unpacked2.rar

Edited by sdy100
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing
×
×
  • Create New...