EvOlUtIoN Posted July 15, 2009
The most important thing in an unpacked file is that it must run without protection, so you can also put 35 different loaders, but if the main file is easy to dump like this... your work was completely useless in my opinion.
Gladiator Posted July 15, 2009 (edited)
> most important thing in an unpacked file is that it must run without protection, so you can put also 35 different loaders, but if main file is easy to dump like this...your work was completely useless in my opinion.
yes, but I used stolen bytes to do something if loader2 extracted get crash, but I don't know how quosego fixed it
Edited July 15, 2009 by Gladiator
The_SSJ - retired Posted July 15, 2009 (edited)
> No I didn't do this, since I wanted speed not elegance, what's the use of tracing 2 loaders if I don't need to trace them (Speed wise that is.)... You can do it loader for loader I suppose, could be more fun..
> So here's loader2 without stolen bytes (A jump table, and some jumps).. (It loops on EBFE until corrected, originally..) Since loader2 doesn't have any obfu etc.. Dumping the final file from here is easy. You can also check this to see how loader1 handles loader2 since it's similar.
> Loader2 (working): http://www.sendspace.com/file/fkrov7
> The first time I just use a raw dumper which simply dumps everything it can, and truncates everything else.. LordPE's intellidump can do it as well.. Realign file, wipe initialization and voila.
> q.
What r u? some kind of magician? Well, I wasn't able to work with the 2nd loader, since armadillo technique is used and (as Gladiator pointed out) some jumps were written by parent process, so I didn't know what to do anymore... :/
When I did DebugActiveProcessStop I was able to run from OEP on, but as already said, the debugger/debuggee technique was too complicated for me... :/
/Edit: With second loader I was able to extract exe, too now... but still this is no victory, since I wasn't able to work with Loader2 correctly... :/
Edited July 15, 2009 by The_SSJ
LCF-AT Posted July 15, 2009
Hello, here is my file, so can you test whether it also runs on your systems or not, so I'm not sure, so I have made a running Unpack + Delphi CleanUp. Just test the file. Thanks
Attachment: SEH_Protector_2.5.0_Unpack_ME_Unpacked.rar
The_SSJ - retired Posted July 15, 2009
Works. Did u proceed as quosego explained or did u use another tech?
LCF-AT Posted July 16, 2009
No, I used another method. So you can also unpack this file if it's running. So the app is not using an IAT redirection. Just let it run.
Dump / FULL / Raw
Search OEP & IAT start & size in this dump
Enter the new data in ImpRec {original file is still running / attach it}
Fix this raw dump
Now the unpacked file will not run, so now you have to make a CleanUp in this file, so you have to fill some addresses with 00000000 or you get crashed, because the file is trying to use old memory addresses which are not there & also not needed. Just fill the right places with 00
GioTiN Posted July 16, 2009 Author
@ LCF-AT, EvOlUtIoN, quosego: thanks to all of you, and I know you are the best. As soon, we back with new Unpack ME
BR, GioTiN - Under SEH Team
The_SSJ - retired Posted July 16, 2009
I hope I can run the new one correctly. The answer to your problem why the unpackMe did not run is here: "Questo perch
EvOlUtIoN Posted July 16, 2009
LoL. For years I thought that italian so was equal to german one... I missed something. Waiting for other unpackmes!!!
Gladiator Posted July 16, 2009 (edited)
hi masters, I have a question about unpackMe, how do you see that? Easy - Medium or Hard? Thanks.
Edited July 16, 2009 by Gladiator
Gyver75 Posted July 18, 2009
> hi masters
> i have a question about unpackMe , how do you see that ? Easy - Medium or Hard ? Thanks.
Probably level 5 of crackmes.de, as this crackme: http://www.crackmes.de/users/benladan/firs...rackme/download The obfuscation routine is quite similar and also RDTSC trick...
quosego Posted July 18, 2009
Medium definitely.. Nothing hardcore.. Though still pretty good.
Teddy Rogers Posted July 19, 2009
The [unpackme] tag has been added to your topic title. Please remember to follow and adhere to the topic title format - thank you! [This is an automated reply]