Posted July 14, 2009

Hello Everyone,

Under SEH Team Proudly Presents SEH Protector 2.5.0 Unpack ME

Enabled Options:
[+] Debugger Detection
[+] AntiDump Protection
[+] Code Obfuscation
[+] Anti Decompiler Protection
[+] Memory Protection
[+] Added Stolen Byte Tech.
[+] Stolen Byte Tech improved.
[!] Fixed some bugs in the stub that helped crackers unpack it easily.

Mirror: http://www.ziddu.com/download/5610988/SEHProtector2.5.0_UnpackME.rar.html

Unpack this and write a tutorial.

BR, Under SEH Team

Edited July 15, 2009 by GioTiN
July 14, 2009

Hello GioTiN, the RS 10 times DL limit is reached, so just attach it here on the board for all. Thanks
July 15, 2009

You can download it here: http://distro.ws/index.php?dir=Upload%2F&search=SEHProtector2.5.0&search_mode=f
July 15, 2009

Ah, can download it, and done.. Didn't see any stolen code/bytes though.. Runs fine.. Can just hook near OEP and dump.. It's perfectly intact.. Or just dump and wipe the Delphi initialization.. Well, you need to realign the file to the virtual location values, but other than that..

http://willhostforfood.com/access.php?fileid=75072

Edited July 15, 2009 by quosego
July 15, 2009

Very good quosego. A little tut would be very nice, since I had problems hooking the debuggee... :/
July 15, 2009

This link does not open for me and my friends: http://willhostforfood.com/access.php?fileid=75072
We can't trust any people who say "Unpacked" until we see the unpacked file.

BR, GioTiN - Under SEH Team
July 15, 2009

Mirror: http://rapidshare.com/files/256046151/1742459dumped_.rar
It is dumped, I checked myself...

BR
The_SSJ
July 15, 2009

Here's a tutorial:
Scroll... scroll... scroll...
Spot and BP the jump to OEP
F9
Dump
Fix imports
Congratulations, you have just unpacked UPX

I don't know what you have changed or whether you have changed anything at all, I couldn't spot any obfuscation, stolen bytes or antidebug at all. Then again, I didn't bother looking for it in detail. Besides that, the app crashes somewhere both packed and unpacked...
July 15, 2009

It does not support DEP. It can be unpacked with generic unpackers like PEiD's generic unpacker...

Ted.
July 15, 2009

Scroll... scroll... scroll... spot and BP the jump to OEP, F9, dump, fix imports. Congratulations, you have just unpacked UPX. I don't know what you have changed or whether you have changed anything at all, I couldn't spot any obfuscation, stolen bytes or antidebug at all. Then again, I didn't bother looking for it in detail. Besides that, the app crashes somewhere both packed and unpacked...

Did you unpack just Loader.exe? It is packed with UPX, but you should unpack the target process that is run at the end. The first loader runs the second loader, and the second loader runs the target; the goal is the target.
July 15, 2009

Yeah, apparently he unpacked only the UPX layer... (this is not meant as an offense at all)
The real deal is to extract the executable displaying that simple messagebox (not the "Loading..." message).

Greets
The_SSJ
July 15, 2009

Problem is that on my machine the packed file is not running... I'm quite sure I can unpack it, if it will start.
July 15, 2009

Problem is that on my machine the packed file is not running... I'm quite sure I can unpack it, if it will start.

If the program crashed, wait and try again to run it. I don't know what the problem is...
July 15, 2009

Doh, classic case of retardation. I'll take another look in the evening. I also don't get a loading message. I thought there's something wrong with the mutexes, because sometimes I can break at CreateProcess and sometimes I can't and it just exits.
July 15, 2009

sometimes I can break at CreateProcess and sometimes I can't and it just exits

Maybe it's because of my AntiDebugs
July 15, 2009

Yeah, apparently he unpacked only the UPX layer... (this is not meant as an offense at all) The real deal is to extract the executable displaying that simple messagebox (not the "Loading..." message)

I get a DEP error or other times a grey blank box. I stand corrected about the generic unpacking - it's that same grey blank box afterwards, if that helps to bug fix anything.

Ted.
July 15, 2009

We can't trust any people who say "Unpacked" until we see the unpacked file. BR, GioTiN - Under SEH Team

Well, The_SSJ verified it and uploaded it to rapidshare.. Also you can rest assured that I have unpacked it, I think I have some credits when it comes to unpacking... It's not very hard, once it runs.. Tut is in the previous post..

Edited July 15, 2009 by quosego
July 15, 2009

Thanks, it seems that you didn't try to get the target process by extracting step by step (loader by loader), because in this case we have 3 processes: one is the loader (packed with UPX), two is the second loader, which has stolen bytes, and three is the target process. If you want to extract the second loader with a BP on WriteProcessMemory or ... you can do it, but the dumped file can't work, because it has some bytes stolen. In your way it seems that you didn't do this, but would you mind explaining how you dumped it without trying to get the second loader? Thanks
July 15, 2009

The most important thing is to run the target, then it will not be hard. On my machines it doesn't work at all, but I see that the original exe is a simple Delphi one. So I think the second loader should be bypassed, since finding the OEP of the real exe is easy.
July 15, 2009

Thanks, it seems that you didn't try to get the target process by extracting step by step (loader by loader), because in this case we have 3 processes: one is the loader (packed with UPX), two is the second loader, which has stolen bytes, and three is the target process. If you want to extract the second loader with a BP on WriteProcessMemory or ... you can do it, but the dumped file can't work, because it has some bytes stolen. In your way it seems that you didn't do this, but would you mind explaining how you dumped it without trying to get the second loader? Thanks

No, I didn't do this, since I wanted speed, not elegance; what's the use of tracing 2 loaders if I don't need to trace them (speed wise, that is)... You can do it loader for loader I suppose, could be more fun.. So here's loader2 without stolen bytes (a jump table, and some jumps).. (It loops on EBFE until corrected, originally..) Since loader2 doesn't have any obfu etc.. dumping the final file from here is easy. You can also check this to see how loader1 handles loader2, since it's similar.

Loader2 (working): http://www.sendspace.com/file/fkrov7

The first time I just used a raw dumper which simply dumps everything it can, and truncates everything else.. LordPE's IntelliDump can do it as well.. Realign file, wipe initialization and voila.

q.

Edited July 15, 2009 by quosego
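The "realign file" step quosego mentions here and in the earlier post (making a raw memory dump's section table describe the in-memory layout so a loader maps it 1:1) in Python, as an added example that is not from this thread or from any of the tools named; the two-section PE32 header it runs on is constructed inline for illustration and stands in for a real dump.

```python
import struct

# IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, relocs/linenums (4 fields), Characteristics
SECTION_FMT = "<8sIIIIIIHHI"
SECTION_SIZE = struct.calcsize(SECTION_FMT)  # 40

def section_table(data: bytes) -> tuple[int, int, int]:
    """Return (optional header offset, first section header offset, count)."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    size_opt = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    return opt, opt + size_opt, num_sections

def sections(data: bytes) -> list[tuple]:
    _, off, n = section_table(data)
    return [struct.unpack_from(SECTION_FMT, data, off + i * SECTION_SIZE) for i in range(n)]

def alignments(data: bytes) -> tuple[int, int]:
    """(SectionAlignment, FileAlignment); same offsets in PE32 and PE32+."""
    opt, _, _ = section_table(data)
    return struct.unpack_from("<II", data, opt + 0x20)

def realign_dump(data: bytes) -> bytes:
    """Raw dump -> loadable file: raw offset/size := virtual address/size."""
    buf = bytearray(data)
    opt, off, n = section_table(buf)
    struct.pack_into("<I", buf, opt + 0x24, alignments(buf)[0])  # FileAlignment := SectionAlignment
    for i in range(n):
        pos = off + i * SECTION_SIZE
        f = list(struct.unpack_from(SECTION_FMT, buf, pos))
        f[3], f[4] = f[1], f[2]  # SizeOfRawData := VirtualSize, PointerToRawData := VirtualAddress
        struct.pack_into(SECTION_FMT, buf, pos, *f)
    return bytes(buf)

def build_sample() -> bytes:
    """Constructed minimal PE32 header with two sections (test input only)."""
    dos = bytearray(64)
    dos[:2], dos[0x3C:0x40] = b"MZ", struct.pack("<I", 64)  # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    struct.pack_into("<II", opt, 0x20, 0x1000, 0x200)  # SectionAlignment, FileAlignment
    secs = struct.pack(SECTION_FMT, b".text", 0x1234, 0x1000, 0x1400, 0x400, 0, 0, 0, 0, 0x60000020)
    secs += struct.pack(SECTION_FMT, b".data", 0x100, 0x3000, 0x200, 0x1800, 0, 0, 0, 0, 0xC0000040)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + secs
```

Run it over a dump taken at the target's OEP and the section headers no longer point at stale on-disk offsets; the Delphi initialization wipe and the import fix are separate steps.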
July 15, 2009

Many thanks, but I have a little question: in the jump handling we have a lot of obfuscated code, so how did you get the jump addresses? Because in loader two I removed some jumps that are handled in the parent process; this means you didn't have the jump addresses in loader2, and all of the addresses are obfuscated and stored in the first loader. Would you mind explaining how you did that (retrieve the jump addresses)? Thanks again.

Edited July 15, 2009 by Gladiator