xuhw Posted January 15, 2009 Posted January 15, 2009 This is VMProtect 1.??? Protection procedures.If you successful UnPack,Tell me methods or give a Tuto.ownload Address:http://www.namipan.com/d/puke.rar/0439de9e...de1369d276e0a00 "此进入http下载页面 "
LCF-AT Posted January 15, 2009 Posted January 15, 2009 Hello xuhw,there are not much to explain.There is also no redirection.Just set BP on GetModuleHandleA and trace over ret 4 and now you can rebuild the OEP bytes.PUSH EBPMOV EBP,ESPADD ESP,-10MOV EAX,4B66A4 // <--Look EBXCALL 00406E80JMP 005348D4Set BP on ret and run.00406E80 PUSH EBX // <-- Call 00406E8000406E81 MOV EBX,EAX00406E83 XOR EAX,EAX00406E85 MOV DWORD PTR DS:[4B70C4],EAX00406E8A PUSH 000406E8C CALL 00406DBC // GMHA00406E91 MOV DWORD PTR DS:[4BB668],EAX // <--EBX holds value of EAX before.Here you are.00406E96 MOV EAX,DWORD PTR DS:[4BB668]00406E9B MOV DWORD PTR DS:[4B70D0],EAX00406EA0 XOR EAX,EAX00406EA2 MOV DWORD PTR DS:[4B70D4],EAX00406EA7 XOR EAX,EAX00406EA9 MOV DWORD PTR DS:[4B70D8],EAX00406EAE CALL 00406E7400406EB3 MOV EDX,4B70CC00406EB8 MOV EAX,EBX00406EBA CALL 004049D400406EBF POP EBX00406EC0 RETN <------ hereTrace over and now you have the back jump address for the JMP above to rebuild your OEP.Thats all here.greetz
xuhw Posted January 15, 2009 Author Posted January 15, 2009 Thanks "LCF-AT "!But I do not quite understand.Please Your file give me ,I Contrast about it to learn!
Teddy Rogers Posted January 15, 2009 Posted January 15, 2009 The [unpackme] tag has been added to your topic title.Please remember to follow and adhere to the topic title format - thankyou![This is an automated reply]
xuhw Posted January 17, 2009 Author Posted January 17, 2009 "LCF-AT ",I used your methods, the success of UnPack file.Another,this is VMProtectV1.70.4 for "VB".
xuhw Posted January 17, 2009 Author Posted January 17, 2009 Another,this is VMProtectV1.70.4 for "VB".vmp_1.704.rar
LCF-AT Posted January 17, 2009 Posted January 17, 2009 Hi,the same here.No redirection.Just break on "ThunRTMain" and rebuild....004011A9 PUSH 4012C0 ; VB5!004011AE CALL 00401122 ; JMP to MSVBVM60.ThunRTMainThats all.greetz
xuhw Posted January 18, 2009 Author Posted January 18, 2009 Good "LCF-AT "!Another ,This is a "DELPHI 7.0" file by vmprotcet 1.704.Continue...DEMO.vmp1.704.rar
thisistest Posted January 18, 2009 Posted January 18, 2009 0012FFBC 00401132 返回到 vmp_1_70.00401132 来自 vmp_1_70.004059190012FFC0 004012C0 vmp_1_70.004012C0
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now