Tuts 4 You

[unpackme] Private Exe Protector 2.40.rar


pavka


  • 2 weeks later...

That big section trick is one of the most annoying tricks I have seen. Not hard to beat, but you pretty much have to deal with it unless you have a computer to handle an 820 MB dump, or whatever it would be. :D


@What

It is not obligatory to dump all sections

True, but my computer is not great so I have to do it because I will get some bad lag or a process burner when I load it into a debugger without doing it.


It seems to hook some APIs as well:

Possible hook found in KERNEL32.dll.FindResourceA Rva:0001DCBB
File:
mov edi,edi
push ebp
mov ebp,esp
push byte 0
push dword [ebp+C]
push dword [ebp+10]
push dword [ebp+8]
call 761ADBDD
Memory:
jmp 306E0000
...

Possible hook found in KERNEL32.dll.FindResourceExA Rva:0001DBDD
File:
push byte 20
push dword 761ADC78
call 761A1280
xor edi,edi
mov [ebp-20],edi
mov [ebp-30],edi
mov [ebp-2C],edi
mov [ebp-4],edi
Memory:
jmp 306F0000
...

Possible hook found in KERNEL32.dll.FindResourceExW Rva:0001C6E1
File:
push byte 20
push dword 761AC778
call 761A1280
xor edi,edi
mov [ebp-20],edi
mov [ebp-30],edi
mov [ebp-2C],edi
mov [ebp-4],edi
Memory:
jmp 30700000
...

Possible hook found in KERNEL32.dll.FindResourceW Rva:0001F01E
File:
mov edi,edi
push ebp
mov ebp,esp
push byte 0
push dword [ebp+C]
push dword [ebp+10]
push dword [ebp+8]
call 761AC6E1
Memory:
jmp 30710000
...

Possible hook found in KERNEL32.dll.LoadResource Rva:0001C26C
File:
push byte 10
push dword 761AC280
call 761A1280
jmp 761CB7B9
nop
nop
nop
Memory:
jmp 30720000
...

Possible hook found in KERNEL32.dll.SizeofResource Rva:0001E3EC
File:
push byte 10
push dword 761AE400
call 761A1280
jmp 761CB80A
nop
nop
nop
Memory:
jmp 30730000
...

Example:

306E0000 pushf
306E0001 mov [esp],eax
306E0004 mov eax,[esp+8]
306E000B cmp eax,400000
306E0011 jnz 306E001E
306E0017 pop eax
306E0018 push dword 2DE952E8
306E001D ret
306E001E cmp eax,0
306E0024 jnz 306E0031
306E002A pop eax
306E002B push dword 2DE952E8
306E0030 ret
306E0031 pop eax
306E0032 mov edi,edi
306E0034 push ebp
306E0035 mov ebp,esp
306E0037 pushf
306E0038 mov dword [esp],761ADCC0
306E003F ret
...
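The hook report above is a file-versus-memory diff of each export's prologue, with the in-memory copy replaced by a jmp to an address outside kernel32, and the stub at 306E0000 passes control on with push/ret. The following added example (not from the thread, the scanner used, or the protector) reimplements that check in Python: it compares the two prologues, decodes the redirect, and flags a target that lies outside the module. The kernel32 base 0x76190000 is inferred from the listing (Rva 0001DBDD is called at 761ADBDD); the image size and the function names are assumptions.

```python
import struct
from typing import Optional, Tuple

def decode_redirect(code: bytes, address: int) -> Optional[Tuple[str, int]]:
    """Decode the control transfer at `address`: jmp rel32 (E9) as written
    over the prologue, or push imm32 / ret as the stub uses to leave."""
    if len(code) >= 5 and code[0] == 0xE9:
        rel = struct.unpack_from("<i", code, 1)[0]
        return ("jmp rel32", (address + 5 + rel) & 0xFFFFFFFF)
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:
        return ("push/ret", struct.unpack_from("<I", code, 1)[0])
    return None

def check_export(module_base: int, module_size: int, rva: int,
                 file_prologue: bytes, mem_prologue: bytes) -> Optional[dict]:
    """Compare the on-disk prologue with the in-memory one; report a hook
    (with its decoded target) when they differ, None when they match."""
    n = min(len(file_prologue), len(mem_prologue))
    if file_prologue[:n] == mem_prologue[:n]:
        return None
    address = module_base + rva
    report = {"rva": rva, "address": address, "kind": None,
              "target": None, "target_outside_module": None}
    redirect = decode_redirect(mem_prologue, address)
    if redirect is not None:
        kind, target = redirect
        inside = module_base <= target < module_base + module_size
        report.update(kind=kind, target=target, target_outside_module=not inside)
    return report

# Constructed sample data. The kernel32 base is inferred from the listing
# (FindResourceExA has Rva 0001DBDD and is called at 761ADBDD); the image
# size is a placeholder, not a value from the thread.
KERNEL32_BASE = 0x76190000
KERNEL32_SIZE = 0x000D0000
FINDRESOURCEA_RVA = 0x1DCBB
# mov edi,edi / push ebp / mov ebp,esp, the prologue shown under "File:".
FILE_PROLOGUE = bytes.fromhex("8BFF558BEC")

def jmp_rel32(address: int, target: int) -> bytes:
    """Encode `jmp target` at `address` (5-byte E9 form) for the sample."""
    return b"\xE9" + struct.pack("<i", target - (address + 5))
# In-memory copy as the post shows it: the prologue replaced by jmp 306E0000.
MEM_PROLOGUE = jmp_rel32(KERNEL32_BASE + FINDRESOURCEA_RVA, 0x306E0000)

if __name__ == "__main__":
    print(check_export(KERNEL32_BASE, KERNEL32_SIZE, FINDRESOURCEA_RVA,
                       FILE_PROLOGUE, MEM_PROLOGUE))
```

Running it prints a report for FindResourceA with kind "jmp rel32", target 0x306E0000 and target_outside_module True; passing identical prologues returns None.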

Guess that's used for the stolen resources protection.

This one's pretty annoying; I found one tutorial that actually dealt with it, but it was Russian :-(


  • 3 weeks later...
  • 2 weeks later...

Hm, I "studied" the new v2.55 and with HideOD and the standard olly fixes (I think human wrote a topic about that?!) it runs fine in my Olly.

Already found start of OEP I think but complete unpacking seems to be way too hard for me.

greetz
