Tuts 4 You

[unpackme] SEH Protector 3.0 UnpackME


GioTiN


Under SEH Team Proudly Presents!

SEH Protector 3.0 UnpackME

Options enabled in this version:

[+] Debugger Detection

[+] Code Encryption

[+] Code Obfuscation

[+] AntiDump Protection

[+] Anti Decompiler

[+] Memory Protection

[+] Self CRC Protection

Just unpack the file and write a tutorial ;)

Mirror:

http://dc129.4shared.com/download/124350332/fce5e655/SEH_Protector_UnpackME_30.rar

Regards, Under SEH Team

SEH Protector UnpackME 3.0.rar


The_SSJ - retired

I keep getting BSODs, so I can't even start the app without having to reboot my machine then... :(

You should keep an eye on compatibility...^^


Damn... Same thing happened to me. Gio, I had a BSOD too on Win XP SP3. Please do test this thoroughly! Thanks.


No ring0 is used ;) I'm using WinXP SP2 and I haven't had any problem. The target runs very well because in this version we used less junk code ;)

Bye


Well, obviously this isn't the "better" version since you already have two BSODs, and apparently on SP3 / Vista. If it doesn't work with the latest OSes then what's the point of developing this protector? Just saying.


The_SSJ - retired

I started the app WITHOUT Olly on my Win XP SP2... still BSOD...

If you really implement something like that as a protection mechanism, this is not really the best way to protect an app...


Same here. Olly wasn't open. Nothing remotely relevant to RE was open. I even tried it on a clean PC and that too suffered from a BSOD!


The_SSJ - retired

I've lost my interest. ^^

Hope someone else will take this challenge on... :)

Edited by The_SSJ

I have tested it on WinXP SP2 and SP3 and Vista (all versions).

Maybe it's caused by antivirus; please disable your AV before running the UnpackMe.


The_SSJ - retired

Did so, too... I never have AV turned on when reversing... :(

That's a pity - I really wanted to analyze your master work, Gladiator...

But I'm convinced it is really good ;)

Edited by The_SSJ

@The_SSJ:

Thanks, but I'm really confused, I don't know what the problem is. I think the protector detects some anti-debugger services or something like it...

In this version I used 10 anti-debug methods.


Me too, I tried without AV in the background. Still BSOD I'm afraid. :(

@Gladiator: You may have to consider that when protecting something, the majority of users will have an AV installed, and if that screws with the protector code then there is no point protecting it if the AV detects it as a virus.


It is a test of the protector; it is on its way to being a good and standard protector in the future. Right now the goal is the best protection against dumping and unpacking.

And about language and country limitations: I had tested it on a machine with Windows XP + full English language and without Persian support, it works fine! :wacko:


No BSOD here, works fine but very easy to unpack.

~5 mins

Will now see what makes it tick... :)

Yeah! I checked it, works perfectly, thanks quosego ;)

Bye


Okay, pretty good idea of how it works now.

RETN the routine below to be able to dump the app properly without using fancy stuff.

LordPE won't complain.

It is executed as a remote thread in the secondary process, making sure LordPE goes bonkers using standard options.

Should be clear what it does... ;)


001FFF94 64:8B05 30000000 MOV EAX,DWORD PTR FS:[30]
001FFF9B 8B40 0C MOV EAX,DWORD PTR DS:[EAX+C]
001FFF9E 8B40 0C MOV EAX,DWORD PTR DS:[EAX+C]
001FFFA1 C740 20 00000000 MOV DWORD PTR DS:[EAX+20],0
001FFFA8 C740 1C 00000000 MOV DWORD PTR DS:[EAX+1C],0
001FFFAF C740 21 FFFFFFFF MOV DWORD PTR DS:[EAX+21],-1
001FFFB6 C740 22 FFFFFFFF MOV DWORD PTR DS:[EAX+22],-1
001FFFBD C740 23 FFFFFFFF MOV DWORD PTR DS:[EAX+23],-1
001FFFC4 C740 24 FFFFFFFF MOV DWORD PTR DS:[EAX+24],-1
001FFFCB C740 25 FFFFFFFF MOV DWORD PTR DS:[EAX+25],-1
001FFFD2 64:8B05 30000000 MOV EAX,DWORD PTR FS:[30]
001FFFD9 8B40 0C MOV EAX,DWORD PTR DS:[EAX+C]
001FFFDC 8B40 0C MOV EAX,DWORD PTR DS:[EAX+C]
001FFFDF 8D58 20 LEA EBX,DWORD PTR DS:[EAX+20]
001FFFE2 8D48 18 LEA ECX,DWORD PTR DS:[EAX+18]
001FFFE5 B8 FFFFFFFF MOV EAX,-1
001FFFEA 8903 MOV DWORD PTR DS:[EBX],EAX
001FFFEC 64:8B05 30000000 MOV EAX,DWORD PTR FS:[30]
001FFFF3 8B40 0C MOV EAX,DWORD PTR DS:[EAX+C]
001FFFF6 8B40 0C MOV EAX,DWORD PTR DS:[EAX+C]
001FFFF9 C740 20 FFFFFFFF MOV DWORD PTR DS:[EAX+20],-1
00200000 C740 1C FFFFFFFF MOV DWORD PTR DS:[EAX+1C],-1
00200007 C740 19 FFFFFFFF MOV DWORD PTR DS:[EAX+19],-1
0020000E C740 20 FFFFFFFF MOV DWORD PTR DS:[EAX+20],-1
00200015 C740 25 FFFFFFFF MOV DWORD PTR DS:[EAX+25],-1
0020001C C3 RET

Then break on ZwResumeThread, though make sure the program has passed its checks etc. (it checks this API for breakpoints).

Attach to the secondary process with Olly; it'll whine about the fact that it can't initialize properly, but partial initialization is enough here.

Then dump the secondary program with LordPE, but don't paste the PE header from disk.

And done, you've got the proper OEP dump executable. You could EB FE it on the OEP and then dump, or just dump it when it gets written, but ah well...

Edited by quosego
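What the listing above actually writes, as an added example that is not code from the thread or from the protector: FS:[30] is the PEB, +0C its Ldr, and the next +0C is the first InLoadOrderModuleList entry, the main executable's LDR_DATA_TABLE_ENTRY. The 13 DWORD stores hit DllBase (+18), EntryPoint (+1C), SizeOfImage (+20) and the FullDllName UNICODE_STRING (+24), several of them unaligned so they straddle fields. The code below replays those stores on a constructed entry (plain C, no Windows headers, so it runs anywhere) and shows the sanity check a dumper can apply before trusting the loader entry: compare it against the PE header mapped at the known base, which the routine leaves untouched. Field offsets are the standard 32-bit layouts; the module base, entry point, image size and name length are made-up sample values.

```c
/* Added example: decode the loader-entry stores from the posted routine and
 * validate an LDR_DATA_TABLE_ENTRY against the PE header. Plain C99; the
 * entry and the header are constructed in memory (not read from a process).
 * Offsets follow the documented 32-bit layouts (assumption). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Offsets inside a 32-bit LDR_DATA_TABLE_ENTRY that the listing touches. */
#define LDR_DLLBASE     0x18
#define LDR_ENTRYPOINT  0x1C
#define LDR_SIZEOFIMAGE 0x20
#define LDR_FULLDLLNAME 0x24   /* UNICODE_STRING: Length, MaximumLength, Buffer */
#define LDR_ENTRY_SIZE  0x30

#define PEHDR_SIZE      0x200
#define OPTHDR_OFF      0x18   /* OptionalHeader follows Signature + FileHeader */

typedef struct { uint32_t off; uint32_t value; } ldr_store;

/* The 13 DWORD stores from the listing (001FFF94..0020001C), in program order,
 * relative to the main module's loader entry. */
static const ldr_store posted_stores[] = {
    {0x20, 0}, {0x1C, 0},
    {0x21, 0xFFFFFFFFu}, {0x22, 0xFFFFFFFFu}, {0x23, 0xFFFFFFFFu},
    {0x24, 0xFFFFFFFFu}, {0x25, 0xFFFFFFFFu},
    {0x20, 0xFFFFFFFFu},                     /* MOV [EBX],EAX with EBX = entry+20 */
    {0x20, 0xFFFFFFFFu}, {0x1C, 0xFFFFFFFFu}, {0x19, 0xFFFFFFFFu},
    {0x20, 0xFFFFFFFFu}, {0x25, 0xFFFFFFFFu},
};
#define N_STORES (sizeof posted_stores / sizeof posted_stores[0])

static uint32_t rd32(const uint8_t *p, uint32_t off) { uint32_t v; memcpy(&v, p + off, 4); return v; }
static void     wr32(uint8_t *p, uint32_t off, uint32_t v) { memcpy(p + off, &v, 4); }
static void     wr16(uint8_t *p, uint32_t off, uint16_t v) { memcpy(p + off, &v, 2); }

/* Constructed loader entry for a module at 0x00400000 (sample values). */
static void build_clean_entry(uint8_t *e) {
    memset(e, 0, LDR_ENTRY_SIZE);
    wr32(e, LDR_DLLBASE,         0x00400000u);
    wr32(e, LDR_ENTRYPOINT,      0x00401000u);
    wr32(e, LDR_SIZEOFIMAGE,     0x00006000u);
    wr16(e, LDR_FULLDLLNAME,     0x2E);          /* Length */
    wr16(e, LDR_FULLDLLNAME + 2, 0x30);          /* MaximumLength */
    wr32(e, LDR_FULLDLLNAME + 4, 0x00151234u);   /* Buffer (fake pointer) */
}

/* Constructed in-memory PE header that agrees with the clean entry. */
static void build_pe_header(uint8_t *h) {
    memset(h, 0, PEHDR_SIZE);
    h[0] = 'M'; h[1] = 'Z';
    wr32(h, 0x3C, 0x80);                               /* e_lfanew */
    memcpy(h + 0x80, "PE\0\0", 4);
    wr16(h, 0x80 + OPTHDR_OFF, 0x10B);                 /* PE32 magic */
    wr32(h, 0x80 + OPTHDR_OFF + 0x10, 0x1000);         /* AddressOfEntryPoint (RVA) */
    wr32(h, 0x80 + OPTHDR_OFF + 0x1C, 0x00400000u);    /* ImageBase */
    wr32(h, 0x80 + OPTHDR_OFF + 0x38, 0x6000);         /* SizeOfImage */
}

/* Replay the listing's stores byte-wise, exactly as the unaligned MOVs would. */
static void apply_posted_stores(uint8_t *e) {
    for (size_t i = 0; i < N_STORES; i++)
        memcpy(e + posted_stores[i].off, &posted_stores[i].value, 4);
}

/* Does the loader entry agree with the PE header mapped at the module's known
 * base? Returns 1 if consistent, 0 if it looks tampered. A dumper should take
 * SizeOfImage and the entry point from the header, not from the entry. */
int ldr_entry_matches_header(const uint8_t *e, const uint8_t *h, uint32_t known_base) {
    if (rd32(e, LDR_DLLBASE) != known_base) return 0;
    if (h[0] != 'M' || h[1] != 'Z') return 0;
    uint32_t nt = rd32(h, 0x3C);
    if (nt > PEHDR_SIZE - OPTHDR_OFF - 0x40 || memcmp(h + nt, "PE\0\0", 4) != 0) return 0;
    if (rd32(e, LDR_SIZEOFIMAGE) != rd32(h, nt + OPTHDR_OFF + 0x38)) return 0;
    if (rd32(e, LDR_ENTRYPOINT)  != known_base + rd32(h, nt + OPTHDR_OFF + 0x10)) return 0;
    uint16_t len, max;
    memcpy(&len, e + LDR_FULLDLLNAME, 2); memcpy(&max, e + LDR_FULLDLLNAME + 2, 2);
    return len <= max;                                 /* UNICODE_STRING invariant */
}

/* Run the check on the constructed entry, optionally after the posted stores. */
int check_constructed(int tampered) {
    uint8_t e[LDR_ENTRY_SIZE], h[PEHDR_SIZE];
    build_clean_entry(e); build_pe_header(h);
    if (tampered) apply_posted_stores(e);
    return ldr_entry_matches_header(e, h, 0x00400000u);
}

/* Field value at `off` after the stores, to inspect the damage. */
uint32_t tampered_value(uint32_t off) {
    uint8_t e[LDR_ENTRY_SIZE];
    build_clean_entry(e); apply_posted_stores(e);
    return rd32(e, off);
}

int main(void) {
    printf("clean entry consistent:    %d\n", check_constructed(0));
    printf("tampered entry consistent: %d\n", check_constructed(1));
    printf("DllBase=%08X EntryPoint=%08X SizeOfImage=%08X\n",
           (unsigned)tampered_value(LDR_DLLBASE), (unsigned)tampered_value(LDR_ENTRYPOINT),
           (unsigned)tampered_value(LDR_SIZEOFIMAGE));
    return 0;
}
```

After the replay, DllBase ends up as FFFFFF00 (only its low byte survives the store at +19), EntryPoint and SizeOfImage are both FFFFFFFF, and FullDllName.Length exceeds MaximumLength, which is exactly why a dumper that reads image size and base from the loader list produces garbage. Sizing the dump from the PE header at the known base, as the check does, sidesteps the tampered entry.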