Jump to content
Tuts 4 You

[unpackme] SEH Protector 2.5.0 Unpack ME


GioTiN

Recommended Posts

Hello Everyone

Under SEH Team Proudly Presents

SEH Protector 2.5.0 Unpack ME

Enabled Options :

[+] Debugger Detection

[+] AntiDump Protection

[+] Code Obfuscation

[+] Anti Decompiler Protection

[+] Memory Protection

[+] Added Stolen Byte Tech.

[+] Stolen Byte Tech improved.

[!] Fixed Some bugs on Stub that helps crackers to Unpack it easily.

Mirror :

http://www.ziddu.com/download/5610988/SEHProtector2.5.0_UnpackME.rar.html

Unpack this and write a tutorial ;)

BR ,

Under SEH Team

Edited by GioTiN
Link to comment

Ah, can download it, and done.. :) Didn't see any stolen code/byte though.. Runs fine..

Can just hook near oep and dump.. It's perfectly intact.. Or just dump and wipe delphi initialization..

Well you need to realign the file to the virtual locations values but other than that..

http://willhostforfood.com/access.php?fileid=75072

Edited by quosego
Link to comment

this link not open for me and my friends

http://willhostforfood.com/access.php?fileid=75072

we can't trust to any people that say Unpacked untill we see Unpacked file

BR ,

GioTiN - Under SEH Team

Link to comment
The_SSJ - retired

Mirror:

http://rapidshare.com/files/256046151/1742459dumped_.rar

It is dumped, I checked myself...

BR

The_SSJ

Link to comment

Here's a tutorial:

Scroll...

scroll...

scroll...

spot and BP jump to OEP

F9

Dump

Fix imports

Congratulations, you have just unpacked UPX :)

I don't know what you have changed or whether you have changed anything at all, I couldn't spot any obfuscation, stolen bytes or antidebug at all. Then again, I didnt bother looking for it in detail.

Besides that, the app crashes somewhere both packed and unpacked...

Link to comment
Teddy Rogers

It does not support DEP. It can be unpacked with generic unpackers like PEID's generic unpacker... :rolleyes:

Ted.

Link to comment
Scroll...

scroll...

scroll...

spot and BP jump to OEP

F9

Dump

Fix imports

Congratulations, you have just unpacked UPX smile.gif

I don't know what you have changed or whether you have changed anything at all, I couldn't spot any obfuscation, stolen bytes or antidebug at all. Then again, I didnt bother looking for it in detail.

Besides that, the app crashes somewhere both packed and unpacked...

did you unpacked just Loader.exe ?

it packed with UPX but you should unpack target process that was run at end.

the first loader , run secode loader and second loader runs target , the goal is target. :)

Link to comment
The_SSJ - retired

Yeah, apparently he unpacked only UPX layer... :D (this is not meant as offense at all ;) )

The real deal is to extract the executable displaying that simple messagebox (not the "Loading..." message)

Greets

The_SSJ

Link to comment
Problem is that on my machine the packed file is not running... I'm quite sure i can unpack it, if it will start.

if program crashed , wait and try again to run it.

i don't know what is the problem ... :unsure:

Link to comment

Doh, classic case of retardation :lol:

I'll take another look in the evening.

I also don't get a loading message. I thought there's something wrong with the mutexes because sometimes I can break at CreateProcess and sometimes I cant and it just exits.

Link to comment
Teddy Rogers
Yeah, apparently he unpacked only UPX layer... :D (this is not meant as offense at all ;) )

The real deal is to extract the executable displaying that simple messagebox (not the "Loading..." message)

I get a DEP error or other times a grey blank box.

I stand corrected about the generic unpacking - its that same grey blank box afterwards if that helps to bug fix anything.

Ted.

Link to comment
we can't trust to any people that say Unpacked untill we see Unpacked file

BR ,

GioTiN - Under SEH Team

Well The_SSJ verified it and uploaded it to rapidshare.. Also you can rest assured that I have unpacked it, I think I have some credits if it comes to unpacking... ;) It's not very hard, once it runs..

Tut is in the previous post..

Edited by quosego
Link to comment

thanks , it's seems that you didn't try to get target process by extracting step by step ( loader by loader ).

because in this case we have 3 process , one is loader ( packed with UPX ) two is second loader and have stolen bytes and three is the target process.

if you want to extract second loader with BP on WriteProcessMemory or ... you can do it , but the dumped file can't work , because it has some bytes stolen , in you'r way seems that you didn't this , but would you mind explain how you dump it , without trying to get second loader ?

Thanks

Link to comment

The most important is to run the target, then it will be not hard. On my machines it doesn't work at all, but i see that the original exe is a simple delphi one.

So i think the second loader should be bypassed since find oep of real exe is easy.

Link to comment
thanks , it's seems that you didn't try to get target process by extracting step by step ( loader by loader ).

because in this case we have 3 process , one is loader ( packed with UPX ) two is second loader and have stolen bytes and three is the target process.

if you want to extract second loader with BP on WriteProcessMemory or ... you can do it , but the dumped file can't work , because it has some bytes stolen , in you'r way seems that you didn't this , but would you mind explain how you dump it , without trying to get second loader ?

Thanks

No I didn't do this, since I wanted speed not elegance, what's the use of tracing 2 loaders if I don't need to trace them (Speed wise that is.)... You can do it loader for loader I suppose, could be more fun.. So here's loader2 without stolen bytes (A jump table, and some jumps) ..

(It loops on EBFE until corrected, originally.. ) Since loader2 doesn't have any obfu etc.. Dumping the final file from here is easy. You can also check this to see how loader1 handles loader2 since it's simliar.

Loader2 (working):

http://www.sendspace.com/file/fkrov7

The first time I just use a raw dumper which simply dumps everything it can, and truncates everything else.. Lordpe's intellidump can do it as well.. Realign file, wipe initialization and voila.

q.

Edited by quosego
Link to comment

many thanks , but i have a little question , in jumps handling we have many obfuscated code , how you got Jump addresses ?

because in loader two i removed some jumps that handled in parent process , this means you didn't have jmp address in loader2 , and all of addresses obfuscated and stored in first loader , would you mind explain how did you that ( retrieve jump addresses ) ?

thanks again. :)

Edited by Gladiator
Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...