Jump to content
View in the app

A better way to browse. Learn more.
Tuts 4 You

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

[unpackme] SEH Protector 2.5.0 Unpack ME

GioTiN
GioTiN
in UnPackMe

Featured Replies

Posted

Hello Everyone

Under SEH Team Proudly Presents

SEH Protector 2.5.0 Unpack ME

Enabled Options :

[+] Debugger Detection

[+] AntiDump Protection

[+] Code Obfuscation

[+] Anti Decompiler Protection

[+] Memory Protection

[+] Added Stolen Byte Tech.

[+] Stolen Byte Tech improved.

[!] Fixed Some bugs on Stub that helps crackers to Unpack it easily.

Mirror :

http://www.ziddu.com/download/5610988/SEHProtector2.5.0_UnpackME.rar.html

Unpack this and write a tutorial ;)

BR ,

Under SEH Team

Edited by GioTiN

Hello GioTiN,

RS 10 times DL limit reached so just attach it here on board for all.

Thanks

  • Author

Hello LCF-AT (my friend :D )

post #1 Edited ;)

BR ,

GioTiN - Under SEH Team

You can download it here:

http://distro.ws/index.php?dir=Upload%2F&search=SEHProtector2.5.0&search_mode=f

Ah, can download it, and done.. :) Didn't see any stolen code/byte though.. Runs fine..

Can just hook near oep and dump.. It's perfectly intact.. Or just dump and wipe delphi initialization..

Well you need to realign the file to the virtual locations values but other than that..

http://willhostforfood.com/access.php?fileid=75072

Edited by quosego

for me not work at all ..XP SP2 ... vista sp1

  • Author
for me not work at all ..XP SP2 ... vista sp1

work very good in XP Sp2 ;)

Bye :D

Very good quosego :)

A little tut would be very nice, since I had problems hooking the debuggee...:/

  • Author

this link not open for me and my friends

http://willhostforfood.com/access.php?fileid=75072

we can't trust to any people that say Unpacked untill we see Unpacked file

BR ,

GioTiN - Under SEH Team

Mirror:

http://rapidshare.com/files/256046151/1742459dumped_.rar

It is dumped, I checked myself...

BR

The_SSJ

Here's a tutorial:

Scroll...

scroll...

scroll...

spot and BP jump to OEP

F9

Dump

Fix imports

Congratulations, you have just unpacked UPX :)

I don't know what you have changed or whether you have changed anything at all, I couldn't spot any obfuscation, stolen bytes or antidebug at all. Then again, I didnt bother looking for it in detail.

Besides that, the app crashes somewhere both packed and unpacked...

It does not support DEP. It can be unpacked with generic unpackers like PEID's generic unpacker... :rolleyes:

Ted.

Scroll...

scroll...

scroll...

spot and BP jump to OEP

F9

Dump

Fix imports

Congratulations, you have just unpacked UPX smile.gif

I don't know what you have changed or whether you have changed anything at all, I couldn't spot any obfuscation, stolen bytes or antidebug at all. Then again, I didnt bother looking for it in detail.

Besides that, the app crashes somewhere both packed and unpacked...

did you unpacked just Loader.exe ?

it packed with UPX but you should unpack target process that was run at end.

the first loader , run secode loader and second loader runs target , the goal is target. :)

Yeah, apparently he unpacked only UPX layer... :D (this is not meant as offense at all ;) )

The real deal is to extract the executable displaying that simple messagebox (not the "Loading..." message)

Greets

The_SSJ

Problem is that on my machine the packed file is not running... I'm quite sure i can unpack it, if it will start.

Problem is that on my machine the packed file is not running... I'm quite sure i can unpack it, if it will start.

if program crashed , wait and try again to run it.

i don't know what is the problem ... :unsure:

Doh, classic case of retardation :lol:

I'll take another look in the evening.

I also don't get a loading message. I thought there's something wrong with the mutexes because sometimes I can break at CreateProcess and sometimes I cant and it just exits.

sometimes I can break at CreateProcess and sometimes I cant and it just exits

Maybe it's because of My AntiDebugs :)

Yeah, apparently he unpacked only UPX layer... :D (this is not meant as offense at all ;) )

The real deal is to extract the executable displaying that simple messagebox (not the "Loading..." message)

I get a DEP error or other times a grey blank box.

I stand corrected about the generic unpacking - its that same grey blank box afterwards if that helps to bug fix anything.

Ted.

Wait, i try on another machine, i hope there it will work.

we can't trust to any people that say Unpacked untill we see Unpacked file

BR ,

GioTiN - Under SEH Team

Well The_SSJ verified it and uploaded it to rapidshare.. Also you can rest assured that I have unpacked it, I think I have some credits if it comes to unpacking... ;) It's not very hard, once it runs..

Tut is in the previous post..

Edited by quosego

thanks , it's seems that you didn't try to get target process by extracting step by step ( loader by loader ).

because in this case we have 3 process , one is loader ( packed with UPX ) two is second loader and have stolen bytes and three is the target process.

if you want to extract second loader with BP on WriteProcessMemory or ... you can do it , but the dumped file can't work , because it has some bytes stolen , in you'r way seems that you didn't this , but would you mind explain how you dump it , without trying to get second loader ?

Thanks

The most important is to run the target, then it will be not hard. On my machines it doesn't work at all, but i see that the original exe is a simple delphi one.

So i think the second loader should be bypassed since find oep of real exe is easy.

thanks , it's seems that you didn't try to get target process by extracting step by step ( loader by loader ).

because in this case we have 3 process , one is loader ( packed with UPX ) two is second loader and have stolen bytes and three is the target process.

if you want to extract second loader with BP on WriteProcessMemory or ... you can do it , but the dumped file can't work , because it has some bytes stolen , in you'r way seems that you didn't this , but would you mind explain how you dump it , without trying to get second loader ?

Thanks

No I didn't do this, since I wanted speed not elegance, what's the use of tracing 2 loaders if I don't need to trace them (Speed wise that is.)... You can do it loader for loader I suppose, could be more fun.. So here's loader2 without stolen bytes (A jump table, and some jumps) ..

(It loops on EBFE until corrected, originally.. ) Since loader2 doesn't have any obfu etc.. Dumping the final file from here is easy. You can also check this to see how loader1 handles loader2 since it's simliar.

Loader2 (working):

http://www.sendspace.com/file/fkrov7

The first time I just use a raw dumper which simply dumps everything it can, and truncates everything else.. Lordpe's intellidump can do it as well.. Realign file, wipe initialization and voila.

q.

Edited by quosego

many thanks , but i have a little question , in jumps handling we have many obfuscated code , how you got Jump addresses ?

because in loader two i removed some jumps that handled in parent process , this means you didn't have jmp address in loader2 , and all of addresses obfuscated and stored in first loader , would you mind explain how did you that ( retrieve jump addresses ) ?

thanks again. :)

Edited by Gladiator

Create an account or sign in to comment

Go to topic listing

Configure browser push notifications
Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.