Tuts 4 You

[unpackme] SEH Protector 2.5.0 Unpack ME



Posted (edited)

Hello Everyone

Under SEH Team Proudly Presents

SEH Protector 2.5.0 Unpack ME

Enabled Options :

[+] Debugger Detection

[+] AntiDump Protection

[+] Code Obfuscation

[+] Anti Decompiler Protection

[+] Memory Protection

[+] Added Stolen Byte Tech.

[+] Stolen Byte Tech improved.

[!] Fixed some bugs in the stub that helped crackers unpack it easily.

Mirror :

http://www.ziddu.com/download/5610988/SEHProtector2.5.0_UnpackME.rar.html

Unpack this and write a tutorial ;)

BR ,

Under SEH Team

Edited by GioTiN
Posted

Hello GioTiN,

RS 10-times DL limit reached, so just attach it here on the board for all.

Thanks

Posted

Hello LCF-AT (my friend :D )

Post #1 edited ;)

BR ,

GioTiN - Under SEH Team

Posted

You can download it here:

http://distro.ws/index.php?dir=Upload%2F&search=SEHProtector2.5.0&search_mode=f
Posted (edited)

Ah, I can download it, and done... :) Didn't see any stolen code/bytes though... Runs fine...

You can just hook near the OEP and dump... It's perfectly intact... Or just dump and wipe the Delphi initialization...

Well, you need to realign the file to the virtual location values, but other than that...

http://willhostforfood.com/access.php?fileid=75072

Edited by quosego
ahmadmansoor
Posted

For me it does not work at all... XP SP2... Vista SP1

Posted
For me it does not work at all... XP SP2... Vista SP1

Works very well on XP SP2 ;)

Bye :D

The_SSJ - retired
Posted

Very good quosego :)

A little tut would be very nice, since I had problems hooking the debuggee... :/

Posted

This link does not open for me and my friends:

http://willhostforfood.com/access.php?fileid=75072

We can't trust anyone who says "unpacked" until we see the unpacked file.

BR ,

GioTiN - Under SEH Team

The_SSJ - retired
Posted

Mirror:

http://rapidshare.com/files/256046151/1742459dumped_.rar

It is dumped, I checked myself...

BR

The_SSJ

Posted

Here's a tutorial:

Scroll...

scroll...

scroll...

spot and BP jump to OEP

F9

Dump

Fix imports

Congratulations, you have just unpacked UPX :)

I don't know what you have changed or whether you have changed anything at all; I couldn't spot any obfuscation, stolen bytes or antidebug at all. Then again, I didn't bother looking for it in detail.

Besides that, the app crashes somewhere both packed and unpacked...

Teddy Rogers
Posted

It does not support DEP. It can be unpacked with generic unpackers like PEiD's generic unpacker... :rolleyes:

Ted.

Posted
Scroll...

scroll...

scroll...

spot and BP jump to OEP

F9

Dump

Fix imports

Congratulations, you have just unpacked UPX :)

I don't know what you have changed or whether you have changed anything at all; I couldn't spot any obfuscation, stolen bytes or antidebug at all. Then again, I didn't bother looking for it in detail.

Besides that, the app crashes somewhere both packed and unpacked...

Did you unpack just Loader.exe?

It is packed with UPX, but you should unpack the target process that is run at the end.

The first loader runs the second loader, and the second loader runs the target; the goal is the target. :)

The_SSJ - retired
Posted

Yeah, apparently he unpacked only the UPX layer... :D (this is not meant as an offense at all ;) )

The real deal is to extract the executable displaying that simple messagebox (not the "Loading..." message)

Greets

The_SSJ

Posted

Problem is that on my machine the packed file is not running... I'm quite sure I can unpack it, if it will start.

Posted
Problem is that on my machine the packed file is not running... I'm quite sure I can unpack it, if it will start.

If the program crashed, wait and try again to run it.

I don't know what the problem is... :unsure:

Posted

Doh, classic case of retardation :lol:

I'll take another look in the evening.

I also don't get a loading message. I thought there was something wrong with the mutexes, because sometimes I can break at CreateProcess and sometimes I can't and it just exits.

Posted
sometimes I can break at CreateProcess and sometimes I can't and it just exits

Maybe it's because of my anti-debugs :)

Teddy Rogers
Posted
Yeah, apparently he unpacked only the UPX layer... :D (this is not meant as an offense at all ;) )

The real deal is to extract the executable displaying that simple messagebox (not the "Loading..." message)

I get a DEP error or other times a grey blank box.

I stand corrected about the generic unpacking - it's that same grey blank box afterwards, if that helps to bug-fix anything.

Ted.

Posted

Wait, I'll try on another machine; I hope it will work there.

Posted (edited)
We can't trust anyone who says "unpacked" until we see the unpacked file.

BR ,

GioTiN - Under SEH Team

Well, The_SSJ verified it and uploaded it to RapidShare... Also, you can rest assured that I have unpacked it; I think I have some credits when it comes to unpacking... ;) It's not very hard, once it runs...

The tut is in the previous post...

Edited by quosego
Posted

Thanks, it seems that you didn't try to get the target process by extracting step by step (loader by loader).

Because in this case we have 3 processes: one is the loader (packed with UPX), two is the second loader, which has stolen bytes, and three is the target process.

If you want to extract the second loader with a BP on WriteProcessMemory or ..., you can do it, but the dumped file can't work because it has some bytes stolen. In your way it seems that you didn't do this, but would you mind explaining how you dumped it without trying to get the second loader?

Thanks

Posted

The most important thing is to run the target; then it will not be hard. On my machines it doesn't work at all, but I see that the original exe is a simple Delphi one.

So I think the second loader should be bypassed, since finding the OEP of the real exe is easy.

Posted (edited)
Thanks, it seems that you didn't try to get the target process by extracting step by step (loader by loader).

Because in this case we have 3 processes: one is the loader (packed with UPX), two is the second loader, which has stolen bytes, and three is the target process.

If you want to extract the second loader with a BP on WriteProcessMemory or ..., you can do it, but the dumped file can't work because it has some bytes stolen. In your way it seems that you didn't do this, but would you mind explaining how you dumped it without trying to get the second loader?

Thanks

No, I didn't do this, since I wanted speed, not elegance; what's the use of tracing 2 loaders if I don't need to trace them (speed-wise, that is)... You can do it loader by loader, I suppose; could be more fun... So here's loader2 without stolen bytes (a jump table, and some jumps)...

(It loops on EB FE until corrected, originally...) Since loader2 doesn't have any obfuscation etc., dumping the final file from here is easy. You can also check this to see how loader1 handles loader2, since it's similar.

Loader2 (working):

http://www.sendspace.com/file/fkrov7

The first time I just used a raw dumper which simply dumps everything it can and truncates everything else... LordPE's IntelliDump can do it as well... Realign the file, wipe the initialization, and voila.

q.

Edited by quosego
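The "realign the file to the virtual location values" step mentioned in this post and in quosego's earlier one, shown as an added Python example that is not the poster's tool, LordPE, or any code from the Unpack ME itself. A raw process dump writes each section at its RVA, while the section table still carries the on-disk PointerToRawData/SizeOfRawData from the original file, so a disassembler or loader reading the dump by file offset lands on the wrong bytes. The example builds a constructed PE32 image laid out as in memory (the section names, sizes, RVAs and contents are made up for the demo), then rewrites the section table so every raw pointer equals its RVA and sets FileAlignment to SectionAlignment, which is what the realign step amounts to.

```python
import struct

SECTION_HEADER_SIZE = 40


def _align_up(value, alignment):
    return (value + alignment - 1) // alignment * alignment


def parse_sections(image):
    """Return (pe_offset, [section dicts]) for a PE image or dump."""
    if bytes(image[:2]) != b"MZ":
        raise ValueError("not a PE image: missing MZ")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]
    if bytes(image[pe_off:pe_off + 4]) != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    num_sections = struct.unpack_from("<H", image, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", image, pe_off + 20)[0]
    table_off = pe_off + 24 + opt_size          # section table follows the optional header
    sections = []
    for i in range(num_sections):
        off = table_off + i * SECTION_HEADER_SIZE
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", image, off)
        sections.append({"name": name.rstrip(b"\0").decode(), "vsize": vsize, "va": va,
                         "rawsize": rawsize, "rawptr": rawptr, "offset": off})
    return pe_off, sections


def file_alignment(image):
    """FileAlignment field of the optional header (same offset for PE32 and PE32+)."""
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]
    return struct.unpack_from("<I", image, pe_off + 24 + 36)[0]


def realign_dump(dump):
    """Rewrite the section table of a memory dump so file offsets equal RVAs."""
    dump = bytearray(dump)
    pe_off, sections = parse_sections(dump)
    opt_off = pe_off + 24
    sect_align = struct.unpack_from("<I", dump, opt_off + 32)[0]
    # Raw data now sits at its RVA, so FileAlignment must match SectionAlignment.
    struct.pack_into("<I", dump, opt_off + 36, sect_align)
    for s in sections:
        raw_size = max(0, min(_align_up(s["vsize"], sect_align), len(dump) - s["va"]))
        # SizeOfRawData (+16) and PointerToRawData (+20) inside the section header
        struct.pack_into("<II", dump, s["offset"] + 16, raw_size, s["va"])
    return bytes(dump)


def section_file_bytes(image, name):
    """Read a section the way a disassembler would: through its file pointer."""
    _, sections = parse_sections(image)
    for s in sections:
        if s["name"] == name:
            return bytes(image[s["rawptr"]:s["rawptr"] + s["vsize"]])
    raise KeyError(name)


SAMPLE_TEXT = bytes([0x55, 0x8B, 0xEC]) + b"\x90" * 0xFD   # constructed 0x100-byte code section
SAMPLE_DATA = b"unpacked sample data".ljust(0x80, b"\0")    # constructed data section


def build_sample_dump():
    """Constructed PE32 image as it would sit in memory (SectionAlignment 0x1000)."""
    sect_align, file_align = 0x1000, 0x200
    image = bytearray(0x3000)
    image[0:2] = b"MZ"
    struct.pack_into("<I", image, 0x3C, 0x80)                  # e_lfanew
    pe_off = 0x80
    image[pe_off:pe_off + 4] = b"PE\0\0"
    # COFF header: i386, 2 sections, SizeOfOptionalHeader 0xE0 (PE32), EXECUTABLE|32BIT
    struct.pack_into("<HHIIIHH", image, pe_off + 4, 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    opt = pe_off + 24
    struct.pack_into("<H", image, opt, 0x10B)                   # PE32 magic
    struct.pack_into("<I", image, opt + 16, 0x1000)             # AddressOfEntryPoint
    struct.pack_into("<I", image, opt + 28, 0x400000)           # ImageBase
    struct.pack_into("<II", image, opt + 32, sect_align, file_align)
    struct.pack_into("<I", image, opt + 56, 0x3000)             # SizeOfImage
    struct.pack_into("<I", image, opt + 60, 0x400)              # SizeOfHeaders
    table = opt + 0xE0
    # Headers still carry the on-disk raw pointers (0x400, 0x600): the mismatch a dump inherits.
    struct.pack_into("<8sIIII", image, table, b".text", len(SAMPLE_TEXT), 0x1000, 0x200, 0x400)
    struct.pack_into("<8sIIII", image, table + 40, b".data", len(SAMPLE_DATA), 0x2000, 0x200, 0x600)
    # Section contents live at their RVAs, as in process memory.
    image[0x1000:0x1000 + len(SAMPLE_TEXT)] = SAMPLE_TEXT
    image[0x2000:0x2000 + len(SAMPLE_DATA)] = SAMPLE_DATA
    return bytes(image)


if __name__ == "__main__":
    fixed = realign_dump(build_sample_dump())
    for s in parse_sections(fixed)[1]:
        print(f"{s['name']:8} VA=0x{s['va']:X} raw=0x{s['rawptr']:X} size=0x{s['rawsize']:X}")
```

Before the fix, reading `.text` through its file pointer returns the zero padding at 0x400 rather than the code; afterwards the file offset and RVA coincide, so the dump can be opened as a normal PE. Imports, the entry point and the Delphi initialization the posts mention are separate fixes and are not handled here.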
Posted (edited)

Many thanks, but I have a little question: in the jump handling we have a lot of obfuscated code; how did you get the jump addresses?

Because in loader two I removed some jumps that are handled in the parent process. This means you didn't have the jmp addresses in loader2, and all of the addresses are obfuscated and stored in the first loader. Would you mind explaining how you did that (retrieve the jump addresses)?

thanks again. :)

Edited by Gladiator
