Tuts 4 You

[unpackme] DotFix NiceProtect 3.6


HSN.C3r


  • 3 weeks later...
::: - phpbb3 - :::

Signature

[DotFix NiceProtect v3.6 -> * Sign by phpbb3]

signature = 60 BE ?? ?? 40 00 8D BE EB AF FF FF 57 83 CD FF EB 10 90 90 90 90 90 90 8A 06 46 88 07 47 01 DB 75 07 61 50 51 74 05 83 C8 ?? EB 02 31 C0 F9 1B C9 EB

ep_only = false

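A minimal matcher for the PEiD-style entry posted above, as an added example that is not part of the original thread: it compiles the signature (with ?? as a one-byte wildcard) into a byte regex and honours ep_only. The sample buffer is constructed, and ep_offset (the entry point's file offset) is an assumed parameter the caller would compute from the PE header.

```python
import re

# Entry copied verbatim from the post above (PEiD userdb.txt layout).
USERDB_ENTRY = """\
[DotFix NiceProtect v3.6 -> * Sign by phpbb3]
signature = 60 BE ?? ?? 40 00 8D BE EB AF FF FF 57 83 CD FF EB 10 90 90 90 90 90 90 8A 06 46 88 07 47 01 DB 75 07 61 50 51 74 05 83 C8 ?? EB 02 31 C0 F9 1B C9 EB
ep_only = false
"""

def parse_entry(text):
    """Parse one entry into (name, compiled byte pattern, ep_only)."""
    name = re.search(r"^\[(.+)\]\s*$", text, re.M).group(1)
    fields = dict(re.findall(r"^(\w+)\s*=\s*(.+?)\s*$", text, re.M))
    parts = []
    for tok in fields["signature"].split():
        if tok == "??":
            parts.append(b".")  # wildcard: any single byte
        elif re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
            parts.append(re.escape(bytes([int(tok, 16)])))
        else:
            raise ValueError(f"unsupported signature token {tok!r}")
    pattern = re.compile(b"".join(parts), re.DOTALL)  # DOTALL: '.' also matches 0x0A
    return name, pattern, fields["ep_only"].lower() == "true"

def scan(data, entry, ep_offset=0):
    """Return the file offsets at which the signature matches.
    ep_only = true checks only at ep_offset; false searches the whole buffer."""
    _name, pattern, ep_only = entry
    if ep_only:
        return [ep_offset] if pattern.match(data, ep_offset) else []
    return [m.start() for m in pattern.finditer(data)]

# Constructed sample buffer (not a real packed file): 32 zero bytes, then the
# signature with every wildcard filled with 0x0A, then 8 zero bytes.
_sig = re.search(r"signature = (.+)", USERDB_ENTRY).group(1)
SAMPLE = bytes(32) + bytes.fromhex(_sig.replace("??", "0A")) + bytes(8)
ENTRY = parse_entry(USERDB_ENTRY)

if __name__ == "__main__":
    print(ENTRY[0], "->", [hex(off) for off in scan(SAMPLE, ENTRY)])
```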

  • 1 month later...
  • 4 weeks later...
I'm stuck with this packer... can someone illuminate us with a little tuto? :help

http://forum.tuts4you.com/index.php?showtopic=19091

Use my 2 scripts to find the VM start and the stolen OEP. After this, assemble the OEP somewhere (a code cave would be nice). Use UIF to fix the IAT and make a dump + add the IAT with ImpREC.

The VM loop starts here:

00462191    55    PUSH EBP

Script output:

Command  = MOV EAX,0044FA08
--------------------Registers before 1st Call
EAX Value - 0044FA08
ESP Value - 0012FF5C
EBP Value - 0012FF70
--------------------
CALL = PUSH UnPackMe.00406564
Command = MOV EAX,DWORD PTR DS:[450DEC]
Command = MOV EAX,DWORD PTR DS:[EAX]
CALL = PUSH UnPackMe.0044E2F0
Command = MOV ECX,DWORD PTR DS:[450EC0]
Command = MOV EAX,DWORD PTR DS:[450DEC]
Command = MOV EAX,DWORD PTR DS:[EAX]
Command = MOV EDX,DWORD PTR DS:[44F7DC]
CALL = PUSH UnPackMe.0044E308
Command = MOV EAX,DWORD PTR DS:[450DEC]
Command = MOV EAX,DWORD PTR DS:[EAX]
CALL = PUSH UnPackMe.0044E388
CALL = PUSH UnPackMe.00404108

Fix it manually:

PUSH EBP
MOV EBP, ESP
ADD ESP,-10                      ; standard Delphi prologue: reserves 0x10 bytes of stack
MOV EAX,0044FA08
CALL 00406564
MOV EAX,DWORD PTR DS:[450DEC]
MOV EAX,DWORD PTR DS:[EAX]
CALL 0044E2F0
MOV ECX,DWORD PTR DS:[450EC0]
MOV EAX,DWORD PTR DS:[450DEC]
MOV EAX,DWORD PTR DS:[EAX]
MOV EDX,DWORD PTR DS:[44F7DC]
CALL 0044E308
MOV EAX,DWORD PTR DS:[450DEC]
MOV EAX,DWORD PTR DS:[EAX]
CALL 0044E388
CALL 00404108

You can guess the 1st 3 OEP commands (standard Delphi OEP) or search for them before the VM loop...
