HSN.C3r Posted December 9, 2008 (edited)
Hi all.
Protector option:
Level: Maximum protection
Virtual machine count: 1
Debugger detection: User mode + Kernel mode
Write a tutorial if you unpacked it.
Good luck.
UnPackMe.rar
Edited December 9, 2008 by HSN.C3r

LCF-AT Posted December 12, 2008
Hello, try this.
greetz
UnPackMe_Unpacked.rar

HSN.C3r Posted December 12, 2008 Author (edited)
Good, it works... But the anti-debug is still in the file. When I open it in OllyDbg, it closes OllyDbg. How did you open it in OllyDbg? Could you tell me about bypassing this anti-debug?
Edited December 12, 2008 by HSN.C3r

quosego Posted December 12, 2008
Nah, no antidebug.. It's the export bug in Olly.. quite lame.. Too long export crashes Olly.. You can patch your Olly for this or wipe exports.
q.

HSN.C3r Posted December 12, 2008 Author
How can I fix OllyDbg? Explain more plz.

LCF-AT Posted December 12, 2008
Hello, you can run this unpackMe without problems in Olly if you patch the right places. So at the moment I don

av999 Posted December 15, 2008 (edited)
Generic Unpacker by deroko (GUD) of ARTeam made 90% for unpacking this target.
1-st run of GUD - nothing useful
2-nd run - dump+import
3-rd run (fixed: ebfe to stop GUD at string "Original EntryPoint at.....") - target stopped in first call and [esp]=address for ret ---- it's enough for restoring oep
http://rapidshare.de/files/41144913/UnPacked.zip.html
Edited December 15, 2008 by av999

HSN.C3r Posted December 16, 2008 Author
@ quosego
Many thanks for info.
@ LCF-AT
you can run this unpackMe without problems in Olly if you patch the right places. So at the moment I don

zeger Posted December 19, 2008
http://www.unpack.cn/viewthread.php?tid=30...;extra=page%3D1

c0lo Posted February 19, 2009
I don't understand how to repair IAT in a VMProtect dump, can learn more ...

Sp1d3rZ Posted February 19, 2009
I hope it helps you.
http://vip-file.com/download/3b8847955758/VMProtect-1.7-IAT-Repair.txt.html

c0lo Posted February 19, 2009
Sorry, but can you help me with how to fix the IAT?
My dumped file: http://www.ziddu.com/download/3570325/gzbo...dumped.rar.html

vmp 1.7 iat repair
run the script at oep

vmp code base = va of .vmp0
Memory map, item 23
 Address=0043C000
 Size=00095000 (610304.)
 Owner=gzbotPRO 00400000
 Section=.vmp0
 Contains=code
 Type=Imag 01001002
 Access=R
 Initial access=RWE

vmp code end = va of .vmp1
Memory map, item 25
 Address=004D2000
 Size=000A8000 (688128.)
 Owner=gzbotPRO 00400000
 Section=.vmp1
 Contains=code,exports
 Type=Imag 01001002
 Access=R
 Initial access=RWE

So:
vmp code base = 0043C000
vmp code end = 004D2000

But I have a problem, how can I fix the problem....
Thanks

LCF-AT Posted February 19, 2009
Hi, so the script used * signs, so that's the reason for the error messages. Just change it to something else like this.
jne **** to jne sss
first****: to first:
je first**** to je first
****: to sss:
greetz

c0lo Posted February 19, 2009 (edited)
I don't understand, this is the script:

jne ssss
first:
sti
find eip,#c2#,1
cmp $RESULT,0
je first
bphws eip, "x"
inc isfirst
jmp fix
ssss:

thanks
Edited February 19, 2009 by c0lo

LCF-AT Posted February 19, 2009
I said you have to change the lines which use these signs **** so Olly script can

c0lo Posted February 19, 2009 (edited)
Thanks, I'm noob and understand ..
1) Dumped file, using GUD.
2) Open file in OllyDbg, OEP:
   0040203A g>- E9 A5F50500 JMP gzbotPRO.004615E4
3) Run OdbgScript and load "VMProtect_1.7_IAT_Repair" (fix thanks to LCF-AT learn me)
4) Enter data info:
   vmp code base = 0043C000
   vmp code end = 004D2000
5) And run script....
6) And script finishes in:
   0043C25A 9C PUSHFD
7) Now???
Edited February 19, 2009 by c0lo

LCF-AT Posted February 19, 2009
Hi, the problem is that the script is not working 100% to fix all. I also had this problem on another app, so in this case you need to fix it by hand. Problem are some JMP

c0lo Posted February 20, 2009
Thanks LCF-AT, me now send link in your inbox ..

Nooby Posted February 20, 2009 (edited)
I used the f-word in the script labels, so the labels were replaced with * when you post it on the forum.
If you wanna know further, http://rapidshare.com/files/200116074/1111.swf
It's not that complex so I don't have the interest in doing it all over again with English comments.
vmp_iat2.rar
Edited February 20, 2009 by Nooby

_ak47_ Posted February 20, 2009
Hello guys, does anyone have a tutorial on how to unpack VMProtect translated to English???

c0lo Posted February 20, 2009 (edited)
"Hello guys, does anyone have a tutorial on how to unpack VMProtect translated to English???"
@_ak47_ Me only read tutorial in other language... but in English not...
Thanks Nooby, I am trying to learn more, and understand...
Edited February 20, 2009 by c0lo

FuJ!N Posted June 1, 2010
Hi all friends,
I have a problem with this Protector. When I run this app (VMP 1.7.40 unpack me) normally without Olly, it shows the message "detect debugger":
---------------------------
A debugger has been found running in your system.
Please, unload it from memory and restart your program.
---------------------------
And I re-started my machine but it shows that error message :(
And when running Olly with the Requirement Plug-in or using "OllyDbg - YPOGEiOS" this problem still happened.
Thank you for attention

LCF-AT Posted June 1, 2010
@ FarFar
Use StrongOD-Hide PEB-KernelMode-Normal
Now close Olly.
Olllyxxxx.ini
DriverName=something else here
save.
This setting is enough for this UnpackMe. Close all debuggers and run the target normally with a mouse click. Now if it starts normally then you can start your Olly and run this UnpackMe in your Olly. If you still get the detected message then close your Olly and wait some seconds. Now start Olly again and load your UnpackMe and run. Try this now.
greetz

FuJ!N Posted June 2, 2010
Dear LCF-AT,
thank you very much for helping me, but whenever I run this app or some app packed by Themida or WinLicense, it shows the debugger detect message, I can't run those apps normally. When I re-start my system and never run any debugger, this problem happened.
I think my sys has a virus or trojan and that virus, to protect itself, patches the memory of one of the core files (kernel), it is just my mind. Is it possible?
Thank you for attention
Best Regards for all friends

LCF-AT Posted June 2, 2010
Hi FarFar, so if you still get detected then be sure that you have nothing else running which can detect. Do you know my system setup movie? Watch my VMP tutorial, there you can see how to set up your Olly and how to remove some unknown hooks.
Info: For hiding you can use just StrongOD and with the phantOm plugin just enable the protect DRx option! Try again and tell your result.
greetz