Tuts 4 You

[unpackme] SEH Protector 2.5.0 Unpack ME


GioTiN

The most important thing in an unpacked file is that it must run without protection, so you can also put in 35 different loaders, but if the main file is easy to dump like this... your work was completely useless in my opinion.

The most important thing in an unpacked file is that it must run without protection, so you can also put in 35 different loaders, but if the main file is easy to dump like this... your work was completely useless in my opinion.

Yes, but I used stolen bytes to do something so that if loader2 is extracted it gets a crash, but I don't know how quosego fixed it :(

Edited by Gladiator
The_SSJ - retired
No, I didn't do this, since I wanted speed, not elegance. What's the use of tracing 2 loaders if I don't need to trace them (speed-wise, that is)... You can do it loader by loader I suppose, could be more fun.. So here's loader2 without stolen bytes (a jump table, and some jumps)..

(It loops on EBFE until corrected, originally..) Since loader2 doesn't have any obfu etc.. dumping the final file from here is easy. You can also check this to see how loader1 handles loader2, since it's similar.

Loader2 (working):

http://www.sendspace.com/file/fkrov7

The first time I just use a raw dumper which simply dumps everything it can, and truncates everything else.. LordPE's IntelliDump can do it as well.. Realign the file, wipe the initialization and voila.

q.

What are you? Some kind of magician? :D

Well, I wasn't able to work with the 2nd loader, since the Armadillo technique is used and (as Gladiator pointed out) some jumps were written by the parent process, so I didn't know what to do anymore... :/

When I did DebugActiveProcessStop I was able to run from the OEP on, but as already said, the debugger/debuggee technique was too complicated for me... :/

/Edit: With the second loader I was able to extract the exe too now... :)

But still this is no victory, since I wasn't able to work with loader2 correctly... :/

Edited by The_SSJ
No, I used another method:

So you can also unpack this file while it's running. :) So the app is not using an IAT redirection. Just let it run.

Dump / FULL / Raw

Search OEP & IAT start & size in this dump

Enter the new data in ImpREC {the original file is still running / attach it}

Fix this raw dump

Now the unpacked file will not run, so you have to do a cleanup in this file: you have to fill some addresses with 00000000, or you get a crash because the file is trying to use old memory addresses which are not there and also not needed. Just fill the right places with 00.

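The dump-and-fix steps LCF-AT lists above (raw dump, locate the OEP, fix the raw dump), as an added Python example that is not code from this thread or from any of the tools named: it realigns the section table of a raw memory dump so that raw offsets equal RVAs and writes the recovered OEP into the header. The PE it works on is a constructed, headers-only PE32 image (no real code), and `0x1234` is an assumed OEP.

```python
import struct

def build_sample_dump() -> bytes:
    """Constructed, headers-only PE32 laid out like a full raw memory dump (no real code)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew
    nt = b"PE\x00\x00" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                         # PE32 magic
    struct.pack_into("<I", opt, 16, 0x5000)                       # AddressOfEntryPoint: still the packer stub
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, 0x200)    # ImageBase, SectionAlignment, FileAlignment
    secs = b""
    # name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData (on-disk values, wrong for a dump)
    for name, vsize, va, rsize, raw in ((b".text", 0x1000, 0x1000, 0x200, 0x400),
                                        (b".stub", 0x800, 0x5000, 0x800, 0x600)):
        secs += struct.pack("<8sIIIIIIHHI", name, vsize, va, rsize, raw, 0, 0, 0, 0, 0x60000020)
    return bytes(dos + nt + opt + secs)

def _headers(pe: bytes):
    """Return (optional header offset, section table offset, number of sections)."""
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE image")
    nsec, = struct.unpack_from("<H", pe, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", pe, e_lfanew + 20)
    opt = e_lfanew + 24
    return opt, opt + opt_size, nsec

def realign_dump(dump: bytes, oep_rva: int) -> bytes:
    """Make a raw dump loadable: raw offsets become RVAs and the entry point becomes the OEP."""
    buf = bytearray(dump)
    opt, sec, nsec = _headers(buf)
    struct.pack_into("<I", buf, opt + 16, oep_rva)                # AddressOfEntryPoint := OEP found in the dump
    sec_align, = struct.unpack_from("<I", buf, opt + 32)
    struct.pack_into("<I", buf, opt + 36, sec_align)              # FileAlignment := SectionAlignment
    for i in range(nsec):
        off = sec + 40 * i
        vsize, va = struct.unpack_from("<II", buf, off + 8)
        # in a memory dump file offset == RVA, so raw size/pointer follow the virtual ones
        struct.pack_into("<II", buf, off + 16, vsize, va)
    return bytes(buf)

def entry_point(pe: bytes) -> int:
    opt, _, _ = _headers(pe)
    return struct.unpack_from("<I", pe, opt + 16)[0]

def section_table(pe: bytes):
    """(name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData) per section."""
    _, sec, nsec = _headers(pe)
    return [struct.unpack_from("<8sIIII", pe, sec + 40 * i) for i in range(nsec)]
```

The import table rebuild (ImpREC) and the zeroing of stale addresses are not covered here; this only produces the header layout that LordPE-style realignment gives you.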

@ LCF-AT, EvOlUtIoN, quosego:

Thanks to all of you, and I know you are the best ;)

Soon we'll be back with a new Unpack ME :D

BR ,

GioTiN - Under SEH Team

The_SSJ - retired
I hope I can run the new one correctly :)

The answer to your problem of why the unpackMe did not run is here:

"Questo perch

LoL

For years I thought that Italian was equal to German... I missed something :D:D

Waiting for other unpackmes!!!

Hi masters

I have a question about the unpackMe: how do you see it? Easy, Medium or Hard?

Thanks. :)

Edited by Gladiator
Teddy Rogers

The [unpackme] tag has been added to your topic title.

Please remember to follow and adhere to the topic title format - thank you!

[This is an automated reply]
