Jump to content
Tuts 4 You

[unpackme] Private Exe Protector 2.40.rar

pavka

By pavka
in UnPackMe

 Share

Recommended Posts

Apakekdah

Apakekdah

Posted
Posted

it's very hard... to me :D

  • 2 weeks later...
What

What

Posted
Posted

That big section trick is one of the most annoying tricks I have seen. Not hard to beat, but you pretty much have to deal with it unless you have a computer to handle a 820 mb dump, or whatever it would be. :D

pavka

pavka

Posted
  • Author
Posted

@What

It is not obligatory to do dump all section

What

What

Posted
Posted
@What

It is not obligatory to do dump all section

True, but my computer is not great so I have to do it because I will get some bad lag or a process burner when I load it into a debugger without doing it.

revert

revert

Posted
Posted

It seems to hook some API's as well

Possible hook found in KERNEL32.dll.FindResourceA Rva:0001DCBB 
File:
mov edi,edi
push ebp
mov ebp,esp
push byte 0
push dword [ebp+C]
push dword [ebp+10]
push dword [ebp+8]
call 761ADBDDMemory:
jmp 306E0000
...Possible hook found in KERNEL32.dll.FindResourceExA Rva:0001DBDD 
File:
push byte 20
push dword 761ADC78
call 761A1280
xor edi,edi
mov [ebp-20],edi
mov [ebp-30],edi
mov [ebp-2C],edi
mov [ebp-4],ediMemory:
jmp 306F0000
...
Possible hook found in KERNEL32.dll.FindResourceExW Rva:0001C6E1 
File:
push byte 20
push dword 761AC778
call 761A1280
xor edi,edi
mov [ebp-20],edi
mov [ebp-30],edi
mov [ebp-2C],edi
mov [ebp-4],ediMemory:
jmp 30700000
...
Possible hook found in KERNEL32.dll.FindResourceW Rva:0001F01E 
File:
mov edi,edi
push ebp
mov ebp,esp
push byte 0
push dword [ebp+C]
push dword [ebp+10]
push dword [ebp+8]
call 761AC6E1Memory:
jmp 30710000
...Possible hook found in KERNEL32.dll.LoadResource Rva:0001C26C 
File:
push byte 10
push dword 761AC280
call 761A1280
jmp 761CB7B9
nop 
nop 
nop Memory:
jmp 30720000
...Possible hook found in KERNEL32.dll.SizeofResource Rva:0001E3EC 
File:
push byte 10
push dword 761AE400
call 761A1280
jmp 761CB80A
nop 
nop 
nop Memory:
jmp 30730000
...

Example:

306E0000	pushf 
306E0001	mov [esp],eax
306E0004	mov eax,[esp+8]
306E000B	cmp eax,400000
306E0011	jnz 306E001E
306E0017	pop eax
306E0018	push dword 2DE952E8
306E001D	ret 
306E001E	cmp eax,0
306E0024	jnz 306E0031
306E002A	pop eax
306E002B	push dword 2DE952E8
306E0030	ret 
306E0031	pop eax
306E0032	mov edi,edi
306E0034	push ebp
306E0035	mov ebp,esp
306E0037	pushf 
306E0038	mov dword [esp],761ADCC0
306E003F	ret 
...
Killboy

Killboy

Posted
Posted

Guess that's used for the stolen resources protection.

This one's pretty annoying, found one tutorial that actually dealt with, it was Russian though :-(

revert

revert

Posted
Posted

Thank you pavka.

I'll run them through systran and study them.

Teddy Rogers

Teddy Rogers

Posted
Posted

It looks like a really good paper, it would be nice if someone could translate it in to English...

Comicses.7z

Ted.

  • 3 weeks later...
  • 2 weeks later...
Apakekdah

Apakekdah

Posted
Posted
packed Pep 2.50 all option enabled
this is much harder... my olly close... when try to run it :(
Sonny27

Sonny27

Posted
Posted

Hm, I "studied" the new v2.55 and with HideOD and the standard olly fixes (I think human wrote a topic about that?!) it runs fine in my Olly.

Already found start of OEP I think but complete unpacking seems to be way too hard for me.

greetz

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing
×
×
  • Create New...