Tuts 4 You

[unpackme] Larp V2.0 Ultra


lena151


Attached is an unpackme from my own protector, Ultra version.

Though lARP v2.0 Ultra supports compression, I haven't done so for this UnpackMe.

I added quite a lot of features in comparison with Lite, Standard and Pro versions. It might have become harder to unpack but that's why I coded in a messagebox + exit (warning for debugging or VM), which should be an excellent point of attack. The real stuff doesn't have this messagebox nor exit though ;) (See previous versions).

Unpack and tell me about its flaws.

I want to explicitly thank my buddy jstorme for providing me with ideas, testing on x64 and for always having kept pushing me over the edge. I would not have continued this as far as I did without you my friend. Thanks.

lena151.

lARP_2.0_ULTRA_Unpackme.rar


I'm on XP-SP2 too and all is fine here ...

If your machine has only limited resources, then try this one. See attachment.

Please LMK if anyone else still experiences problems ;)

lena151.


Works like a charm here.. IAT redirection looks new.. ;) And more stolen code.. ;) Definitely a pain to dump...

Nice one, thanks,

quosego

PS:

0040511C . 68 68134100 PUSH 00411368 ; ASCII "blub"

;) A fishy instruction indeed..


ahmadmansoor

This is just for whoever wants to play with this doll :happy: . This is a trick to defeat the SnD section (not the SnD Team :whistling: , hehehe, I am joking :bomb: ).

Open the target with PETools and edit the V.Size of the SnD section and make it 8000. Then save the changes and run the target, and it will run like a charm ...

Note: without doing this you will note these things:

- In Task Manager >> Performance >> PF usage, the target will consume a large PF (page file), and other programs will run very slowly .... I don't know if this is a weak point in this protector or not?? I think Lena can answer that.

- When you open it with Olly, Olly will hang.

- If you want to dump it, the size of the dump is over 300 MB (I think). Lol

Your best friend Ahmadmansoor

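An added example, not code from this thread or from lARP itself: a small Python script that does the edit ahmadmansoor describes doing by hand in PETools (set the VirtualSize of the SnD section), and shows why a huge VirtualSize with little raw data costs memory at run time. The loader maps VirtualSize rounded up to SectionAlignment and zero-fills everything past SizeOfRawData, so the cost lands on commit charge rather than on file size, which is consistent with the page-file usage reported in the post. The minimal PE32 header the script operates on is constructed inline for the demo; reading the post's "8000" as hex 0x8000 (PETools shows sizes in hex) and the 0x10000000 VirtualSize given to the demo section are assumptions.

```python
"""Patch a PE section's VirtualSize and estimate what the loader maps for it."""
import struct

SECTION_HEADER_SIZE = 40
# IMAGE_SECTION_HEADER: Name[8], VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics
SECTION_FMT = "<8sIIIIIIHHI"


def section_table_offset(image: bytes) -> tuple:
    """Return (file offset of the first section header, NumberOfSections)."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE file: no MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: no PE signature")
    coff = e_lfanew + 4  # IMAGE_FILE_HEADER follows the signature
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", image, coff + 16)[0]
    return coff + 20 + size_of_optional, num_sections


def list_sections(image: bytes) -> list:
    """Parse the section table into dicts (name, sizes, and header offset)."""
    first, count = section_table_offset(image)
    sections = []
    for i in range(count):
        off = first + i * SECTION_HEADER_SIZE
        f = struct.unpack_from(SECTION_FMT, image, off)
        sections.append({
            "name": f[0].rstrip(b"\0").decode("latin-1"),
            "virtual_size": f[1],
            "virtual_address": f[2],
            "raw_size": f[3],
            "raw_ptr": f[4],
            "header_offset": off,
        })
    return sections


def set_virtual_size(image: bytes, name: str, new_size: int) -> bytes:
    """Return a copy of image with the named section's VirtualSize replaced.
    Only the 4-byte field at Name+8 changes; raw data is left alone."""
    for sec in list_sections(image):
        if sec["name"] == name:
            buf = bytearray(image)
            struct.pack_into("<I", buf, sec["header_offset"] + 8, new_size)
            return bytes(buf)
    raise KeyError("section %r not found" % name)


def mapped_size(virtual_size: int, section_alignment: int = 0x1000) -> int:
    """Bytes the loader maps for a section: VirtualSize rounded up to
    SectionAlignment. Anything past SizeOfRawData is demand-zero, so a
    big VirtualSize costs memory at run time while the file stays small."""
    return -(-virtual_size // section_alignment) * section_alignment


def build_demo_image() -> bytes:
    """Constructed PE32 header + two-entry section table (no section data).
    Enough for the parser to work on; it is not a loadable executable."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    size_of_optional = 0xE0  # IMAGE_OPTIONAL_HEADER32
    # Machine=i386, NumberOfSections=2, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, size_of_optional, 0x102)
    opt = bytearray(size_of_optional)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    text = struct.pack(SECTION_FMT, b".text", 0x1000, 0x1000, 0x1000, 0x400,
                       0, 0, 0, 0, 0x60000020)
    # Assumed shape of the troublesome section: tiny raw data, huge VirtualSize.
    snd = struct.pack(SECTION_FMT, b"SnD", 0x10000000, 0x2000, 0x200, 0x1400,
                      0, 0, 0, 0, 0xE0000020)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + text + snd


if __name__ == "__main__":
    img = build_demo_image()
    for s in list_sections(img):
        print("%-8s vsize=%#x raw=%#x maps=%#x" % (
            s["name"], s["virtual_size"], s["raw_size"], mapped_size(s["virtual_size"])))
    patched = set_virtual_size(img, "SnD", 0x8000)  # the post's "8000", read as hex
    print("patched SnD VirtualSize:", hex(list_sections(patched)[1]["virtual_size"]))
```

To use it on the real target, read the unpackme's bytes from disk, call set_virtual_size(data, "SnD", 0x8000) and write the result out under a new name; the script only rewrites the four-byte VirtualSize field in the section header, so raw data and everything else in the file are untouched. Whether the protector tolerates the smaller mapping is checked the same way the post does: run the patched file and watch PF usage.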

That one was the least of my worries.. ;)

It doesn't even like my hooked dlls.. Kicks them out and runs like a charm.. (which is not positive..) ;)

However I've now been able to inject a modded HeapCreate API which breaks nicely near OEP.. :miner:

Saves me the trouble of figuring out what kind of nasty checks lena has put into it.. (Though this took me a few hours too)

API redirs are very nice, though very traceable... Now I need to find an easy way to trace it without coding some elaborate tracer.. If I could only attach Olly properly, then I could let them feel the wrath of my OllyScript..

quosego


ahmadmansoor

Ooooo .... I can see a pro :cool: work here .... nice.

But is there any way to share with me what you have :confused: ... (inject a modded HeapCreate API which breaks nicely near OEP)? My problem is in the OEP I think :huh:

Thanks in advance


ahmadmansoor
I suggest you wait until quosego has got this baby unpacked himself. Then he can for sure help you :)

greetz

Hehehe my friend ... I think if he shares with me what he has, I will do the same .... maybe we will reach a good point I think ;) ......

In a previous post on the same subject (Larp) ... some people succeeded in unpacking the target .... but the problem was! nobody shared what he did or how he unpacked it. I don't know why??? :dunno: (as if it's a nuclear bomb)

And not only that, I asked some of those who unpacked the target .... and you will be surprised by the answer >> he says: sorry my friend, I have promised Lena not to give any info about unpacking the target :blink: ..... (Lena asked them not to share the info ???!!!!! or .....)

What the hell? :mad:

What is the problem with learning something new ....

Damn :down:

Your best friend Ahmadmansoor


The reason nothing is being publicly shared for now is that this is used to protect a lot of our releases in order to stop lame rippers.

If the unpacking method was public knowledge, it would defeat the purpose.

quosego managed it before (as I think did jstorme, syk071c and possibly sunbeam... he certainly did some good work on it) but it has now been updated significantly.


And Again... SnD rulez.. ;)

The first to make a working dump of this baby.. ;)

Though this is a preliminary dump, the stuff that's left is easy.. Trace APIs etc.. relocating OEP is not much fun... Deriving a virgin dump from this dump will be easy.. Ah well, use it to study API redirs etc.. As these are still intact (just redirected them to a better place).. Might virgin it soon.. However I've unpacked enough for today..

quosego

Edit: Mustn't forget to include comctl.. (note to self: when seeing an IAT scroll up!!!)

DoneSnDq.rar


Dump crashes here.

Did you sleep last night? :lol::lol:

lena151.


Sorry, forgot a small part of the IAT... ;) It's updated...

Rushed it a bit.. ;) Wouldn't want anybody to beat me.. ;)

Did you sleep last night?

Yeah I did :) actually I just started again this morning and had some fresh ideas.. ;) Which mainly included not using olly.. :biggrin:

quosego


ahmadmansoor

Nice work quosego, it works very fine here (Win XP SP2) ..... you are a pro

Many thanks to you Loki :cool: for this explanation .... I think it is your right to protect your releases ....

I will not say any more words :confused:


Yep! That's it. Now it runs fine.

However I've now been able to inject a modded HeapCreate API which breaks nicely near OEP..

Thanks for the info. Will be updated in next version ;)

Thanks for your work.

lena151.


Is this UnPackMe written in C++ ?

Thought lena was an ASM lady...

Or how do you get to OEP in an Assembler program through GetVersion?

greetz


Here's the final dump...

Pretty much virgin.. Though I've left some stolen jmps in there because they're highly suspicious, as I sincerely doubt they even existed in the original program to begin with.. Ah well all stolen pushes/calls and actual jmps have been fixed..

SND/oep and stolen code sections are wiped..

Have fun,

quosego

Finalvirgin.rar


Damn should've never told you that.. ;)

Next Time I'll use GetVersion.. :):ninja: And no one will know... :D

:worthy::worthy::worthy::worthy::worthy:


Skillful & with a great sense of humor - lethal combination! :ph34r:

