lena151 Posted April 27, 2008: Attached is an unpackme from my own protector, Ultra version. Though lARP v2.0 Ultra supports compression, I haven't done so for this UnpackMe. I added quite a lot of features in comparison with the Lite, Standard and Pro versions. It might have become harder to unpack but that's why I coded in a messagebox + exit (warning for debugging or VM), which should be an excellent point of attack. The real stuff doesn't have this messagebox nor exit though (see previous versions). Unpack and tell me about its flaws. I want to explicitly thank my buddy jstorme for providing me with ideas, testing on x64 and for always having kept pushing me over the edge. I would not have continued this as far as I did without you, my friend. Thanks. lena151. Attachment: lARP_2.0_ULTRA_Unpackme.rar
thaton Posted April 27, 2008: XP-sp2. The application failed to initialize properly (0xc000012d). Click on OK to terminate the application.
lena151 (Author) Posted April 27, 2008: I'm on XP-SP2 too and all is fine here ... If your machine has only limited resources, then try this one. See attachment. Please LMK if anyone else still experiences problems. lena151. Edited April 27, 2008 by lena151
tony Posted April 27, 2008: XP-sp2. The application failed to initialize properly (0xc000012d). Click on OK to terminate the application.
quosego Posted April 27, 2008: Works like a charm here.. IAT redirection looks new.. And more stolen code.. Definitely a pain to dump... Nice one. Thnx, quosego. PS: 0040511C . 68 68134100 PUSH 00411368 ; ASCII "blub" A fishy instruction indeed.. Edited April 27, 2008 by quosego
lena151 (Author) Posted April 27, 2008: @tony: how much RAM do you have on your box? lena151.
ahmadmansoor Posted April 27, 2008: This is just for whoever wants to play with this doll :happy: This is a trick to defeat the SnD section (not the SnD Team :whistling:, hehehe, I am joking). Open the target with PETools and edit the V.Size of the SnD section and make it 8000. Then save the changes and run the target and it will run like a charm. Note: without doing this you will see these things:
- in Task Manager >> Performance >> PF usage the target will consume a large PF (page file), and other programs will run very slowly. I don't know if this is a weak point in this protector or not?? I think Lena can answer that.
- when you open it with Olly, Olly will hang.
- if you want to dump it, the size of the dump is over 300 MB (I think).
Lol. Ur best friend Ahmadmansoor. Edited April 27, 2008 by ahmadmansoor
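A triage check for the oversized-section behaviour ahmadmansoor describes, as added example code that is not from the thread, from lARP or from PETools: it parses the section headers of a constructed minimal PE image, flags sections whose VirtualSize dwarfs the bytes on disk (the page-file pressure and 300 MB dump symptom), and rewrites the VirtualSize field the way the PETools edit does. The section name "SnD", the 0x12C00000 virtual size and the 0x8000 replacement value are assumptions.

```python
import struct

SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER: Name[8], VirtualSize, VA, SizeOfRawData, ...

def build_pe(sections):
    """Minimal PE32 header (constructed test data); sections = [(name, VirtualSize, SizeOfRawData)]."""
    dos = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\x00" * 0xDE                     # PE32 magic, rest zeroed
    table = b"".join(struct.pack(SECTION_FMT, n.encode().ljust(8, b"\x00"), vs, 0x1000,
                                 rs, 0x400, 0, 0, 0, 0, 0xE0000020) for n, vs, rs in sections)
    return dos + b"PE\x00\x00" + coff + opt + table

def section_table(data):
    """Return (offset of first section header, NumberOfSections)."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE image")
    nsect = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    return e_lfanew + 24 + opt_size, nsect

def parse_sections(data):
    off, nsect = section_table(data)
    rows = [struct.unpack_from(SECTION_FMT, data, off + 40 * i) for i in range(nsect)]
    return [{"name": f[0].rstrip(b"\x00").decode(), "vsize": f[1], "rsize": f[3]} for f in rows]

def suspicious_sections(data, ratio=16, min_vsize=0x100000):
    """Sections whose VirtualSize dwarfs the bytes on disk: the loader commits the whole
    range (page-file pressure) and any dump balloons to that size, so flag them in triage."""
    return [s["name"] for s in parse_sections(data)
            if s["vsize"] >= min_vsize and s["vsize"] > ratio * max(s["rsize"], 1)]

def set_virtual_size(data, name, new_vsize):
    """Rewrite one section's VirtualSize field (what the PETools edit in the post does)."""
    off, nsect = section_table(data)
    buf = bytearray(data)
    for i in range(nsect):
        here = off + 40 * i
        if bytes(buf[here:here + 8]).rstrip(b"\x00") == name.encode():
            struct.pack_into("<I", buf, here + 8, new_vsize)   # VirtualSize follows Name[8]
            return bytes(buf)
    raise KeyError(name)

# Constructed sample: a ~300 MB virtual "SnD" section backed by only 32 KB on disk
SAMPLE = build_pe([(".text", 0x5000, 0x5000), (".data", 0x2000, 0x1000), ("SnD", 0x12C00000, 0x8000)])
```

A normal .data or .bss section also has VirtualSize above SizeOfRawData, which is why the check requires both a minimum size and a large ratio before flagging.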
quosego Posted April 27, 2008: That one was the least of my worries.. It doesn't even like my hooked dlls.. Kicks them out and runs like a charm.. (which is not positive..) However I've now been able to inject a modded HeapCreate API which breaks nicely near OEP.. Saves me the trouble of figuring out what kind of nasty checks lena has put into it.. (Though this took me a few hours too) API redirs are very nice, though very traceable... Now I need to find an easy way to trace it without coding some elaborate tracer.. If I could only attach Olly properly, then I could let them feel the wrath of my OllyScript.. quosego
ahmadmansoor Posted April 28, 2008, quoting quosego: "That one was the least of my worries.. It doesn't even like my hooked dlls.. Kicks them out and runs like a charm.. (which is not positive..) However I've now been able to inject a modded HeapCreate API which breaks nicely near OEP.. Saves me the trouble of figuring out what kind of nasty checks lena has put into it.. (Though this took me a few hours too) API redirs are very nice, though very traceable... Now I need to find an easy way to trace it without coding some elaborate tracer.. If I could only attach Olly properly, then I could let them feel the wrath of my OllyScript.. quosego"
Ooooo .... I can see pro :cool: work here .... nice. But is there any way to share with me what you have ... (inject a modded HeapCreate API which breaks nicely near OEP)? My problem is at OEP I think. Thanks in adv
Sonny27 Posted April 28, 2008: I suggest you wait until quosego has unpacked this baby himself. Then he can for sure help you. greetz
ahmadmansoor Posted April 28, 2008, quoting Sonny27: "I suggest you wait until quosego has unpacked this baby himself. Then he can for sure help you. greetz"
hehehe my friend ... I think if he shares with me what he has, I will do the same .... maybe we will reach a good point, I think ...... In a previous post on the same subject (Larp) ... some people succeeded in unpacking the target .... but the problem was! nobody shared what he did or how he unpacked it, I don't know why??? (as if it's a nuclear bomb) and not only that, I asked some of those who unpacked the target .... and you will be surprised by the answer >> he says: sorry my friend, I promised Lena not to give any info about unpacking the target ..... (Lena asked them not to share the info ???!!!!! or .....) what the hell? :mad: what's the problem with learning something new .... damn. ur best friend Ahmadmansoor
Loki Posted April 28, 2008: The reason nothing is being publicly shared for now is that this is used to protect a lot of our releases in order to stop lame rippers. If the unpacking method was public knowledge, it would defeat the purpose. quosego managed it before (as I think did jstorme, syk071c and possibly sunbeam... he certainly did some good work on it) but it has now been updated significantly.
quosego Posted April 28, 2008: And again... SnD rulez.. The first to make a working dump of this baby.. Though this is a preliminary dump, the stuff that's left is easy.. Trace APIs etc.. relocating OEP is not much fun... Deriving a virgin dump from this dump will be easy.. Ah well, use it to study API redirs etc.. As these are still intact (just redirected them to a better place).. Might virgin it soon.. However I've unpacked enough for today.. quosego. Edit: Mustn't forget to include comctl.. (note to self: when seeing an IAT scroll up!!!) Done. Attachment: SnDq.rar. Edited April 28, 2008 by quosego
lena151 (Author) Posted April 28, 2008: dump crashes here. Did you sleep last night? lena151. Edited April 28, 2008 by lena151
quosego Posted April 28, 2008: Sorry, forgot a small part of the IAT... It's updated... Rushed it a bit.. Wouldn't want anybody to beat me.. Quoting lena151: "Did you sleep last night?" Yeah I did actually. I just started again this morning and had some fresh ideas.. Which mainly included not using Olly.. :biggrin: quosego. Edited April 28, 2008 by quosego
ahmadmansoor Posted April 28, 2008: Nice work quosego, it works very fine here (win XP sp2) ..... you are a pro. Many thanks to you Loki :cool: for this explanation .... I think it is your right to protect your releases .... I will not say any more words. Edited April 28, 2008 by ahmadmansoor
lena151 (Author) Posted April 28, 2008: Yep! That's it. Now it runs fine. Quoting quosego: "However I've now been able to inject a modded HeapCreate API which breaks nicely near OEP.." Thanks for the info. Will be updated in the next version. Thanks for your work. lena151.
quosego Posted April 28, 2008: Damn, should've never told you that.. Next time I'll use GetVersion.. And no one will know... quosego
Sonny27 Posted April 28, 2008: Is this UnPackMe written in C++? Thought lena was an ASM lady... Or how do you get to OEP in an Assembler program through GetVersion? greetz
quosego Posted April 28, 2008: It's C++. 0040ADBE |. 68 8CF24000 PUSH 0040F28C ; ASCII "Microsoft Visual C++ Runtime Library" quosego
quosego Posted April 28, 2008: Here's the final dump... Pretty much virgin.. Though I've left some stolen jmps in there because they're highly suspicious, as I sincerely doubt they even existed in the original program to begin with.. Ah well, all stolen pushes/calls and actual jmps have been fixed.. SND/OEP and stolen code sections are wiped.. Have fun, quosego. Attachment: Finalvirgin.rar
HVC Posted April 28, 2008, quoting quosego: "Damn, should've never told you that.. Next time I'll use GetVersion.. And no one will know..." and "Here's the final dump... Pretty much virgin.. Though I've left some stolen jmps in there because they're highly suspicious, as I sincerely doubt they even existed in the original program to begin with.. Ah well, all stolen pushes/calls and actual jmps have been fixed.."
Skillful & with a great sense of humor - lethal combination!