HSN.C3r Posted December 12, 2008

Hi. A picture of "Protector options" is added to the attached file. Good Luck.

UnPackMe.rar

sdy100 Posted December 12, 2008

unpacked

Unpacked_Unpackme.rar

aztecx Posted December 12, 2008

What do we do when we get to a sysenter?

    7C90EB8D |. 0F34 SYSENTER

Loki Posted December 12, 2008

Use SoftICE

Apakekdah Posted December 15, 2008

Cool, I still can use my own script to find where the stolen OEP is located.

BoRoV Posted January 4, 2009

Please write a tutorial.

::: - phpbb3 - ::: Posted January 4, 2009

Signature

    [DotFix NiceProtect v3.6 -> * Sign by phpbb3]
    signature = 60 BE ?? ?? 40 00 8D BE EB AF FF FF 57 83 CD FF EB 10 90 90 90 90 90 90 8A 06 46 88 07 47 01 DB 75 07 61 50 51 74 05 83 C8 ?? EB 02 31 C0 F9 1B C9 EB
    ep_only = false

Edited January 4, 2009 by ::: - phpbb3 - :::

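How a scanner applies a PEiD-style signature like the one posted above, as an added example that is not part of the original thread. The names `parse_entry`, `scan` and `build_sample` are hypothetical, the sample buffer is constructed, and the code assumes the usual userdb semantics: `??` is a one-byte wildcard and `ep_only = false` means the whole file is searched rather than only the entry point.

```python
import re

# Signature entry as posted in the thread (PEiD userdb.txt layout).
USERDB_ENTRY = """\
[DotFix NiceProtect v3.6 -> * Sign by phpbb3]
signature = 60 BE ?? ?? 40 00 8D BE EB AF FF FF 57 83 CD FF EB 10 90 90 90 90 90 90 8A 06 46 88 07 47 01 DB 75 07 61 50 51 74 05 83 C8 ?? EB 02 31 C0 F9 1B C9 EB
ep_only = false
"""

def parse_entry(text):
    """Parse one userdb entry into (name, compiled byte pattern, ep_only)."""
    name = re.search(r"^\[(.+)\]\s*$", text, re.M).group(1)
    tokens = re.search(r"^signature\s*=\s*(.+)$", text, re.M).group(1).split()
    flag = re.search(r"^ep_only\s*=\s*(\w+)", text, re.M).group(1)
    # '??' matches any single byte; every other token is a literal byte.
    parts = [b"." if t == "??" else re.escape(bytes([int(t, 16)])) for t in tokens]
    return name, re.compile(b"".join(parts), re.DOTALL), flag.lower() == "true"

def scan(data, entry, ep_offset=0):
    """Return the file offset of the first match, or None.

    ep_only = true anchors the match at the entry point's file offset
    (ep_offset, supplied by the caller); false searches the whole buffer.
    """
    _name, pattern, ep_only = entry
    m = pattern.match(data, ep_offset) if ep_only else pattern.search(data)
    return m.start() if m else None

def build_sample():
    """Constructed buffer: 0x200 filler bytes, then bytes that fit the signature
    (wildcard positions filled with arbitrary values), then padding."""
    body = bytes.fromhex(
        "60BE00904000 8DBEEBAFFFFF 5783CDFFEB10 909090909090 8A0646880747"
        "01DB75076150 51740583C8FF EB0231C0F91B C9EB")
    return b"\x00" * 0x200 + body + b"\xCC" * 16

ENTRY = parse_entry(USERDB_ENTRY)

if __name__ == "__main__":
    hit = scan(build_sample(), ENTRY)
    print(ENTRY[0], "matched at offset", hex(hit) if hit is not None else None)
```
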
::: - phpbb3 - ::: Posted January 4, 2009

Dumped

unpackme_dump_.zip

WiNeOS Posted February 8, 2009

I'm stuck with this packer... can someone illuminate us with a little tuto?

Greetz

Aguila Posted March 2, 2009

> I'm stuck with this packer... can someone illuminate us with a little tuto?

http://forum.tuts4you.com/index.php?showtopic=19091

Use my 2 scripts to find the vm start and the stolen OEP. After this assemble the OEP somewhere (a code cave would be nice). Use UIF to fix the IAT and make a dump + add the IAT with ImpREC.

The vm loop starts here:

    00462191 55 PUSH EBP

Script output:

    Command = MOV EAX,0044FA08
    --------------------
    Registers before 1st Call
    EAX Value - 0044FA08
    ESP Value - 0012FF5C
    EBP Value - 0012FF70
    --------------------
    CALL = PUSH UnPackMe.00406564
    Command = MOV EAX,DWORD PTR DS:[450DEC]
    Command = MOV EAX,DWORD PTR DS:[EAX]
    CALL = PUSH UnPackMe.0044E2F0
    Command = MOV ECX,DWORD PTR DS:[450EC0]
    Command = MOV EAX,DWORD PTR DS:[450DEC]
    Command = MOV EAX,DWORD PTR DS:[EAX]
    Command = MOV EDX,DWORD PTR DS:[44F7DC]
    CALL = PUSH UnPackMe.0044E308
    Command = MOV EAX,DWORD PTR DS:[450DEC]
    Command = MOV EAX,DWORD PTR DS:[EAX]
    CALL = PUSH UnPackMe.0044E388
    CALL = PUSH UnPackMe.00404108

Fix it manually:

    PUSH EBP
    MOV EBP, ESP
    ADD ESP, -10                      ; prologue reserves stack by adding a negative value
    MOV EAX,0044FA08
    CALL 00406564
    MOV EAX,DWORD PTR DS:[450DEC]
    MOV EAX,DWORD PTR DS:[EAX]
    CALL 0044E2F0
    MOV ECX,DWORD PTR DS:[450EC0]
    MOV EAX,DWORD PTR DS:[450DEC]
    MOV EAX,DWORD PTR DS:[EAX]
    MOV EDX,DWORD PTR DS:[44F7DC]
    CALL 0044E308
    MOV EAX,DWORD PTR DS:[450DEC]
    MOV EAX,DWORD PTR DS:[EAX]
    CALL 0044E388
    CALL 00404108

You can guess the 1st 3 OEP commands (standard delphi oep) or search them before the VM loop...