Tuts 4 You

[unpackme] SEH Protector 3.0 UnpackME



Posted

Under SEH Team Proudly Presents!

SEH Protector 3.0 UnpackME

Options enabled in this version:

[+] Debugger Detection

[+] Code Encryption

[+] Code Obfuscation

[+] AntiDump Protection

[+] Anti Decompiler

[+] Memory Protection

[+] Self CRC Protection

Just unpack the file and write a tutorial ;)

Mirror:

http://dc129.4shared.com/download/124350332/fce5e655/SEH_Protector_UnpackME_30.rar

Regards, Under SEH Team

SEH Protector UnpackME 3.0.rar

The_SSJ - retired
Posted

I keep getting BSODs, so I can't even start the app without having to reboot my machine...:(

You should keep an eye on compatibility...^^

Posted

Damn... Same thing happened to me. Gio, I had a BSOD too on Win XP SP3. Please do test this thoroughly! Thanks.

The_SSJ - retired
Posted

By the way, are you working with drivers / ring0 instructions to cause these BSODs??

Posted

No ring0 used ;) I'm using WinXP SP2 and I haven't had any problem. The target runs very well because in this version we used less junk code ;)

Bye

Posted

Well, obviously this isn't the "better" version since you already have two BSODs, and apparently on SP3 / Vista. If it doesn't work with the latest OSes then what's the point of developing this protector? Just saying.

Posted

Works fine for me; if you run it in a debugger you will get a crash.

The_SSJ - retired
Posted

I started the app WITHOUT Olly on my Win XP SP2...still BSOD...

If you really implement something like that as a protection mechanism, it is not really the best way to protect an app...

Posted

Same here. Olly wasn't open. Nothing remotely relevant to RE was open. I even tried it on a clean PC and that too suffered from a BSOD!

The_SSJ - retired
Posted (edited)

I've lost my interest. ^^

Hope someone else will take this challenge on...:)

Edited by The_SSJ
Posted

For me it works well, but you need 4 seconds of patience to run the unpackme. :ph34r:

This protection is very, very omnipotent. :woot:

:rolleyes:

Posted

I have tested it on WinXP SP2 and SP3 and Vista (all versions).

Maybe it's caused by the antivirus; please disable your AV before running the unpackme.

The_SSJ - retired
Posted (edited)

Did so, too...I never have AV turned on when reversing...:(

that's a pity - I really wanted to analyze your master work, Gladiator...

But I'm convinced it is really good ;)

Edited by The_SSJ
Posted

@The_SSJ:

Thanks, but I'm really confused, I don't know what the problem is. I think the protector detects some anti-debugger services or something like that...

In this version I used 10 anti-debug methods.

Posted (edited)

And what about the other masters?

Edited by Gladiator
The_SSJ - retired
Posted

Maybe some of them are too much...:D

No problem mate - maybe it is country-specific, couldn't it be??

Posted

Me too, I tried without AV in the background. Still BSOD, I'm afraid. :(

@Gladiator: You may have to consider that when protecting something, the majority of users will have an AV installed, and if that screws with the protector code then there is no point protecting it if the AV detects it as a virus.

The_SSJ - retired
Posted

Agree. Even if coded just for fun...;)

Posted

It is a test of the protector; it is meant to become a good, standard protector in the future. Right now the goal is the best protection against dumping and unpacking.

And about language and country limitations: I had tested it on a machine with Windows XP + full English language and without Persian support, works fine! :wacko:

Posted (edited)

No BSOD here, works fine but very easy to unpack.

~5 mins

Will now see what makes it tick.. :)

dumped.rar

Edited by quosego
Posted

No BSOD here, works fine but very easy to unpack.

~5 mins

Will now see what makes it tick.. :)

Yeah! I checked it, works perfectly, thank you quosego ;)

Bye

Posted (edited)

Okay, I have a pretty good idea of how it works now.

RETN the routine below to be able to dump the app properly without using fancy stuff.

LordPE won't complain.

It is executed as a remote thread in the secondary process, making sure LordPE goes bonkers using standard options.

Should be clear what it does.. ;)


001FFF94 64:8B05 30000000 MOV EAX,DWORD PTR FS:[30]
001FFF9B 8B40 0C MOV EAX,DWORD PTR DS:[EAX+C]
001FFF9E 8B40 0C MOV EAX,DWORD PTR DS:[EAX+C]
001FFFA1 C740 20 00000000 MOV DWORD PTR DS:[EAX+20],0
001FFFA8 C740 1C 00000000 MOV DWORD PTR DS:[EAX+1C],0
001FFFAF C740 21 FFFFFFFF MOV DWORD PTR DS:[EAX+21],-1
001FFFB6 C740 22 FFFFFFFF MOV DWORD PTR DS:[EAX+22],-1
001FFFBD C740 23 FFFFFFFF MOV DWORD PTR DS:[EAX+23],-1
001FFFC4 C740 24 FFFFFFFF MOV DWORD PTR DS:[EAX+24],-1
001FFFCB C740 25 FFFFFFFF MOV DWORD PTR DS:[EAX+25],-1
001FFFD2 64:8B05 30000000 MOV EAX,DWORD PTR FS:[30]
001FFFD9 8B40 0C MOV EAX,DWORD PTR DS:[EAX+C]
001FFFDC 8B40 0C MOV EAX,DWORD PTR DS:[EAX+C]
001FFFDF 8D58 20 LEA EBX,DWORD PTR DS:[EAX+20]
001FFFE2 8D48 18 LEA ECX,DWORD PTR DS:[EAX+18]
001FFFE5 B8 FFFFFFFF MOV EAX,-1
001FFFEA 8903 MOV DWORD PTR DS:[EBX],EAX
001FFFEC 64:8B05 30000000 MOV EAX,DWORD PTR FS:[30]
001FFFF3 8B40 0C MOV EAX,DWORD PTR DS:[EAX+C]
001FFFF6 8B40 0C MOV EAX,DWORD PTR DS:[EAX+C]
001FFFF9 C740 20 FFFFFFFF MOV DWORD PTR DS:[EAX+20],-1
00200000 C740 1C FFFFFFFF MOV DWORD PTR DS:[EAX+1C],-1
00200007 C740 19 FFFFFFFF MOV DWORD PTR DS:[EAX+19],-1
0020000E C740 20 FFFFFFFF MOV DWORD PTR DS:[EAX+20],-1
00200015 C740 25 FFFFFFFF MOV DWORD PTR DS:[EAX+25],-1
0020001C C3 RET

Then break on ZwResumeThread, though make sure the program has passed its checks etc. (it checks this API for breakpoints).

Attach to the secondary process with Olly; it'll whine about the fact it can't initialize properly, but partial initialization is enough here.

Then dump the secondary program with LordPE, don't paste the PE header from disk though.

And done, you've got the proper OEP dump executable. You could EB FE it at the OEP and then dump, or just dump it when it gets written, but ah well..

Edited by quosego
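An added example, not code from the thread or from SEH Protector: it replays the stores from quosego's listing against a byte-level model of the 32-bit LDR_DATA_TABLE_ENTRY that the routine reaches via FS:[30] (PEB) -> +0xC (Ldr) -> +0xC (InLoadOrderModuleList.Flink, i.e. the main module), shows which loader fields end up clobbered, and then repairs the entry from the PE header the way a dumper would. The field offsets (DllBase 0x18, EntryPoint 0x1C, SizeOfImage 0x20, FullDllName 0x24) are assumed to be the public XP-era 32-bit layout, and the PE stub plus the 0x400000/0x6000 values are constructed sample data, not taken from the unpackme.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed public 32-bit LDR_DATA_TABLE_ENTRY offsets (see lead-in). */
#define LDR_DLLBASE     0x18
#define LDR_ENTRYPOINT  0x1C
#define LDR_SIZEOFIMAGE 0x20
#define LDR_FULLDLLNAME 0x24  /* UNICODE_STRING {Length, MaximumLength, Buffer} */

static void     wr32(uint8_t *p, uint32_t off, uint32_t v) { memcpy(p + off, &v, 4); }
static uint32_t rd32(const uint8_t *p, uint32_t off) { uint32_t v; memcpy(&v, p + off, 4); return v; }
static uint16_t rd16(const uint8_t *p, uint32_t off) { uint16_t v; memcpy(&v, p + off, 2); return v; }

/* The stores from the posted listing, in program order, applied to the
 * module entry. The unaligned ones (+0x19, +0x21..+0x25) straddle the
 * neighbouring fields; that is what makes DllBase/SizeOfImage garbage. */
void apply_antidump(uint8_t *e)
{
    wr32(e, 0x20, 0);   wr32(e, 0x1C, 0);
    wr32(e, 0x21, ~0u); wr32(e, 0x22, ~0u); wr32(e, 0x23, ~0u);
    wr32(e, 0x24, ~0u); wr32(e, 0x25, ~0u);
    wr32(e, 0x20, ~0u);                        /* MOV [EBX],EAX with EBX = entry+0x20 */
    wr32(e, 0x20, ~0u); wr32(e, 0x1C, ~0u); wr32(e, 0x19, ~0u);
    wr32(e, 0x20, ~0u); wr32(e, 0x25, ~0u);
}

/* Undo the damage from the PE header still mapped at `base` (`image` holds
 * that header's bytes). Returns 0 if it does not look like a PE32 header. */
int repair_entry(uint8_t *e, const uint8_t *image, uint32_t base)
{
    if (rd16(image, 0) != 0x5A4D) return 0;                   /* "MZ" */
    uint32_t pe = rd32(image, 0x3C);                           /* e_lfanew */
    if (rd32(image, pe) != 0x00004550u) return 0;              /* "PE\0\0" */
    uint32_t opt = pe + 4 + 20;                                /* skip IMAGE_FILE_HEADER */
    if (rd16(image, opt) != 0x10B) return 0;                   /* PE32 magic */
    wr32(e, LDR_DLLBASE,     base);
    wr32(e, LDR_ENTRYPOINT,  base + rd32(image, opt + 0x10));  /* AddressOfEntryPoint */
    wr32(e, LDR_SIZEOFIMAGE, rd32(image, opt + 0x38));         /* SizeOfImage */
    return 1;
}

/* Constructed sample data (not from the unpackme): a minimal PE32 header and
 * a loader entry describing it. */
enum { IMG_BASE = 0x00400000, IMG_EP_RVA = 0x1000, IMG_SIZE = 0x6000 };

static void build_sample(uint8_t *entry, uint8_t *image)
{
    memset(image, 0, 0x200);
    image[0] = 'M'; image[1] = 'Z';
    wr32(image, 0x3C, 0x80);
    memcpy(image + 0x80, "PE\0\0", 4);
    uint32_t opt = 0x80 + 4 + 20;
    image[opt] = 0x0B; image[opt + 1] = 0x01;                  /* Magic = 0x010B */
    wr32(image, opt + 0x10, IMG_EP_RVA);
    wr32(image, opt + 0x1C, IMG_BASE);                         /* ImageBase */
    wr32(image, opt + 0x38, IMG_SIZE);

    memset(entry, 0, 0x30);
    wr32(entry, LDR_DLLBASE,     IMG_BASE);
    wr32(entry, LDR_ENTRYPOINT,  IMG_BASE + IMG_EP_RVA);
    wr32(entry, LDR_SIZEOFIMAGE, IMG_SIZE);
}

/* Run the round trip on fresh sample data and hand back one dword field. */
uint32_t field_after_trick(uint32_t off)
{
    uint8_t entry[0x30], image[0x200];
    build_sample(entry, image);
    apply_antidump(entry);
    return rd32(entry, off);
}

uint32_t field_after_repair(uint32_t off)
{
    uint8_t entry[0x30], image[0x200];
    build_sample(entry, image);
    apply_antidump(entry);
    repair_entry(entry, image, IMG_BASE);
    return rd32(entry, off);
}

int main(void)
{
    const char *names[] = { "DllBase", "EntryPoint", "SizeOfImage", "FullDllName.Length/Max" };
    const uint32_t offs[] = { LDR_DLLBASE, LDR_ENTRYPOINT, LDR_SIZEOFIMAGE, LDR_FULLDLLNAME };
    for (int i = 0; i < 4; i++)
        printf("%-24s trick=%08X repaired=%08X\n", names[i],
               field_after_trick(offs[i]), field_after_repair(offs[i]));
    return 0;
}
```

Running it shows DllBase ending up as 0xFFFFFF00 (only the low byte survives, because +0x19 is the lowest offset the routine touches), EntryPoint and SizeOfImage as 0xFFFFFFFF, and FullDllName's Length/MaximumLength as 0xFFFF. A dumper that takes the module's base and size from the loader list therefore gets nonsense, which is why LordPE "goes bonkers" until the routine is neutered with a RETN or the entry is patched; in the debugger the repair is the same three dword writes, and the name fields are left mangled because a dumper does not need them.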
Posted

Very nice way to unpack it, quosego ;)

bye

Posted

Not running on my system :(

Posted

Thanks for dumping, I should make a better way of hiding the anti-dump trick :kick:
