Jump to content
View in the app

A better way to browse. Learn more.
Tuts 4 You

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

[unpackme] DotFix NiceProtect 3.6

HSN.C3r
HSN.C3r
in UnPackMe

Featured Replies

Posted

Hi.

A picture of "Protector options" is added to attached file.

Good Luck.

UnPackMe.rar

what do we do when we get to a sysenter?

7C90EB8D   |.  0F34					SYSENTER

Cool, i still can use my own script to find where the stolen OEP is located.

  • 3 weeks later...

Please, write tutorial.

Signature

[DotFix NiceProtect v3.6 -> * Sign by phpbb3]

signature = 60 BE ?? ?? 40 00 8D BE EB AF FF FF 57 83 CD FF EB 10 90 90 90 90 90 90 8A 06 46 88 07 47 01 DB 75 07 61 50 51 74 05 83 C8 ?? EB 02 31 C0 F9 1B C9 EB

ep_only = false

Edited by ::: - phpbb3 - :::

    • Like 1

    Dumped

    unpackme_dump_.zip

    • 1 month later...

    I'm stuck with this packer... can someone illuminate us with a little tuto? :help

    Greetz

    • 4 weeks later...
    I'm stuck with this packer... can someone illuminate us with a little tuto? :help

    http://forum.tuts4you.com/index.php?showtopic=19091

    Use my 2 scripts to find the vm start and the stolen OEP. After this assemble the OEP somewhere (a code cave would be nice). Use UIF to fix the IAT and make a dump + add the IAT with ImpREC.

    The vm loop starts here:

    00462191			 55				   PUSH EBP

    Script output:

    Command  = MOV EAX,0044FA08
    --------------------Registers before 1st Call
    EAX Value - 0044FA08
    ESP Value - 0012FF5C
    EBP Value - 0012FF70
    --------------------
    CALL	 = PUSH UnPackMe.00406564
    Command  = MOV EAX,DWORD PTR DS:[450DEC]
    Command  = MOV EAX,DWORD PTR DS:[EAX]
    CALL	 = PUSH UnPackMe.0044E2F0
    Command  = MOV ECX,DWORD PTR DS:[450EC0]
    Command  = MOV EAX,DWORD PTR DS:[450DEC]
    Command  = MOV EAX,DWORD PTR DS:[EAX]
    Command  = MOV EDX,DWORD PTR DS:[44F7DC]
    CALL	 = PUSH UnPackMe.0044E308
    Command  = MOV EAX,DWORD PTR DS:[450DEC]
    Command  = MOV EAX,DWORD PTR DS:[EAX]
    CALL	 = PUSH UnPackMe.0044E388
    CALL	 = PUSH UnPackMe.00404108

    Fix it manually:

    PUSH EBP
    MOV EBP, ESP
    SUB ESP, -10
    MOV EAX,0044FA08
    CALL 00406564
    MOV EAX,DWORD PTR DS:[450DEC]
    MOV EAX,DWORD PTR DS:[EAX]
    CALL 0044E2F0
    MOV ECX,DWORD PTR DS:[450EC0]
    MOV EAX,DWORD PTR DS:[450DEC]
    MOV EAX,DWORD PTR DS:[EAX]
    MOV EDX,DWORD PTR DS:[44F7DC]
    CALL 0044E308
    MOV EAX,DWORD PTR DS:[450DEC]
    MOV EAX,DWORD PTR DS:[EAX]
    CALL 0044E388
    CALL 00404108

    You can guess the 1st 3 OEP commands (standard delphi oep) or search them before the VM loop...

    Create an account or sign in to comment

    Go to topic listing

    Configure browser push notifications
    Chrome (Android)
    1. Tap the lock icon next to the address bar.
    2. Tap Permissions → Notifications.
    3. Adjust your preference.
    Chrome (Desktop)
    1. Click the padlock icon in the address bar.
    2. Select Site settings.
    3. Find Notifications and adjust your preference.