Jump to content
Tuts 4 You

[unpackme] SEH Protector 3.0 UnpackME


GioTiN

Recommended Posts

Under SEH Team Proudly Presents !

SEH Protector 3.0 UnpackME

Options Are Enabled in this version :

[+] Debugger Detection

[+] Code Encryption

[+] Code Obfuscation

[+] AntiDump Protection

[+] Anti Decompiler

[+] Memory Protection

[+] Self CRC Protection

Just Unpack file and write a tutorial ;)

Mirror :

http://dc129.4shared.com/download/124350332/fce5e655/SEH_Protector_UnpackME_30.rar

Regards , Under SEH Team

SEH Protector UnpackME 3.0.rar

Link to comment
The_SSJ - retired

I keep getting BSOD's, so I can't even start the app without having to reboot my machine then...:(

You should keep an eye on compatibility...^^

Link to comment

not ring0 used ;) i using of WinXP Sp2 and i have n't any problem . target run very good becuase in this version we used of less Junk codes ;)

Bye

Link to comment

well obviously this isn't the "better" version since already you have two BSOD's and apparently on SP3 / Vista. If it doesn't work with the latest OS's then whats the point of developing this protector?. Just saying.

Link to comment
The_SSJ - retired

I started the app WITHOUT Olly on my Win XP SP2...still BSOD...

if you really implement something like that as protection mechanism, this is not really the best way to protect an app...

Link to comment

same here. olly wasn't open. nothing remotely relavent to RE was open. I even tried in on a clean PC and that too suffered from a BSOD!.

Link to comment
The_SSJ - retired

I've lost my interest. ^^

Hope someone else will take this challenge on...:)

Edited by The_SSJ
Link to comment

i have test it in WinXP SP2 and SP3 and Vista ( All versions )

may be its caused by Anti Virus , please Disable your AV before runing Unpackme.

Link to comment
The_SSJ - retired

Did so, too...I never have AV turned on when reversing...:(

that's a pity - I really wanted to analyze your master work, Gladiator...

But I'm convinced it is really good ;)

Edited by The_SSJ
Link to comment

@The_SSJ:

thanks , but i really confused , i don't know what is the problem , i think protector detect some anti debugger services or some thing like it ....

in this version i used 10 anti debug methods.

Link to comment

me too I tried without AV in the background. still BSOD im afraid. :(

@Gladiator: You may have to consider when protecting something, the majority of users will have an AV installed and if that screws with the protector code then there is no point protecting it if the AV detects as a virus.

Link to comment

it is a test of protector , its run to be a good and standard protector in the future , now the goal is best protection against dumping and Unpacking .

and about language and country limitation i had test it on a machine with windows XP + Full English language and without Persian support , works fine ! :wacko:

Link to comment

No BSOD here, works fine but very easy to unpack.

~5 mins

Will now see what makes it tick.. :)

yeah ! i checked it , work perfect , thanQ quosego ;)

Bye

Link to comment

Okay pretty good idea of how it works now,

Retn the below routine to be able to dump the app properly without using fancy stuff.

Lordpe won't complain.

It is executed as a remote thread in the secondary process, making sure lordpe goes bonkers using standard options.

Should be clear what it does.. ;)


001FFF94 64:8B05 30000000 MOV EAX,DWORD PTR FS:[30]
001FFF9B 8B40 0C MOV EAX,DWORD PTR DS:[EAX+C]
001FFF9E 8B40 0C MOV EAX,DWORD PTR DS:[EAX+C]
001FFFA1 C740 20 00000000 MOV DWORD PTR DS:[EAX+20],0
001FFFA8 C740 1C 00000000 MOV DWORD PTR DS:[EAX+1C],0
001FFFAF C740 21 FFFFFFFF MOV DWORD PTR DS:[EAX+21],-1
001FFFB6 C740 22 FFFFFFFF MOV DWORD PTR DS:[EAX+22],-1
001FFFBD C740 23 FFFFFFFF MOV DWORD PTR DS:[EAX+23],-1
001FFFC4 C740 24 FFFFFFFF MOV DWORD PTR DS:[EAX+24],-1
001FFFCB C740 25 FFFFFFFF MOV DWORD PTR DS:[EAX+25],-1
001FFFD2 64:8B05 30000000 MOV EAX,DWORD PTR FS:[30]
001FFFD9 8B40 0C MOV EAX,DWORD PTR DS:[EAX+C]
001FFFDC 8B40 0C MOV EAX,DWORD PTR DS:[EAX+C]
001FFFDF 8D58 20 LEA EBX,DWORD PTR DS:[EAX+20]
001FFFE2 8D48 18 LEA ECX,DWORD PTR DS:[EAX+18]
001FFFE5 B8 FFFFFFFF MOV EAX,-1
001FFFEA 8903 MOV DWORD PTR DS:[EBX],EAX
001FFFEC 64:8B05 30000000 MOV EAX,DWORD PTR FS:[30]
001FFFF3 8B40 0C MOV EAX,DWORD PTR DS:[EAX+C]
001FFFF6 8B40 0C MOV EAX,DWORD PTR DS:[EAX+C]
001FFFF9 C740 20 FFFFFFFF MOV DWORD PTR DS:[EAX+20],-1
00200000 C740 1C FFFFFFFF MOV DWORD PTR DS:[EAX+1C],-1
00200007 C740 19 FFFFFFFF MOV DWORD PTR DS:[EAX+19],-1
0020000E C740 20 FFFFFFFF MOV DWORD PTR DS:[EAX+20],-1
00200015 C740 25 FFFFFFFF MOV DWORD PTR DS:[EAX+25],-1
0020001C C3 RET

Then break on ZwResumeThread though make sure the program has passed his checks etc.. (It checks this api for breakpoints).

Attach to the secondary process with olly, it'll whine about the fact it can't initialize properly, but partial initialization is enough here.

Then dump the secondary program with lordpe, don't paste PE header from disk though.

And done you got the proper oep dump exeutable. You could eb fe it on the oep and then dump, or just dump it when it gets written, but ah well..

Edited by quosego
Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...