Posted December 12, 200816 yr Hi.A picture of "Protector options" is added to attached file.Good Luck.UnPackMe.rar
January 4, 200916 yr Signature[DotFix NiceProtect v3.6 -> * Sign by phpbb3]signature = 60 BE ?? ?? 40 00 8D BE EB AF FF FF 57 83 CD FF EB 10 90 90 90 90 90 90 8A 06 46 88 07 47 01 DB 75 07 61 50 51 74 05 83 C8 ?? EB 02 31 C0 F9 1B C9 EBep_only = false Edited January 4, 200916 yr by ::: - phpbb3 - :::
February 8, 200916 yr I'm stuck with this packer... can someone illuminate us with a little tuto? Greetz
March 2, 200916 yr I'm stuck with this packer... can someone illuminate us with a little tuto? http://forum.tuts4you.com/index.php?showtopic=19091 Use my 2 scripts to find the vm start and the stolen OEP. After this assemble the OEP somewhere (a code cave would be nice). Use UIF to fix the IAT and make a dump + add the IAT with ImpREC. The vm loop starts here: 00462191 55 PUSH EBP Script output: Command = MOV EAX,0044FA08--------------------Registers before 1st CallEAX Value - 0044FA08ESP Value - 0012FF5CEBP Value - 0012FF70--------------------CALL = PUSH UnPackMe.00406564Command = MOV EAX,DWORD PTR DS:[450DEC]Command = MOV EAX,DWORD PTR DS:[EAX]CALL = PUSH UnPackMe.0044E2F0Command = MOV ECX,DWORD PTR DS:[450EC0]Command = MOV EAX,DWORD PTR DS:[450DEC]Command = MOV EAX,DWORD PTR DS:[EAX]Command = MOV EDX,DWORD PTR DS:[44F7DC]CALL = PUSH UnPackMe.0044E308Command = MOV EAX,DWORD PTR DS:[450DEC]Command = MOV EAX,DWORD PTR DS:[EAX]CALL = PUSH UnPackMe.0044E388CALL = PUSH UnPackMe.00404108 Fix it manually: PUSH EBPMOV EBP, ESPSUB ESP, -10MOV EAX,0044FA08CALL 00406564MOV EAX,DWORD PTR DS:[450DEC]MOV EAX,DWORD PTR DS:[EAX]CALL 0044E2F0MOV ECX,DWORD PTR DS:[450EC0]MOV EAX,DWORD PTR DS:[450DEC]MOV EAX,DWORD PTR DS:[EAX]MOV EDX,DWORD PTR DS:[44F7DC]CALL 0044E308MOV EAX,DWORD PTR DS:[450DEC]MOV EAX,DWORD PTR DS:[EAX]CALL 0044E388CALL 00404108 You can guess the 1st 3 OEP commands (standard delphi oep) or search them before the VM loop...
Create an account or sign in to comment