Jump to content
Tuts 4 You

[unpackme] NoobyProtect 1.6.40


thisistest

Recommended Posts

The [unpackme] tag has been added to your topic title.

Please remember to follow and adhere to the topic title format - thankyou!

[This is an automated reply]

Link to comment

NoobyProtect SE 1.6.4.0 Demo All protection !

0061496B > $ E8 1D000000 call NoobyPro.0061498D ; PUSH ASCII "NoobyProtect SE 1.6.4.0 Demo"

00614970 . 4E 6F 6F 62 7>ascii "NoobyProtect SE "

00614980 . 31 2E 36 2E 3>ascii "1.6.4.0 Demo",0

0061498D >^ EB 8B jmp short NoobyPro.0061491A

0061498F 75 db 75 ; CHAR 'u'

00614990 F0 db F0

00614991 66 db 66 ; CHAR 'f'

00614DE7 >^\0F84 40FCFFFF je NoobyPro.00614A2D

00614DED > 81E8 00000100 sub eax,10000 ; UNICODE "ALLUSERSPROFILE=C:\Documents and Settings\All Users"

00614DF3 .^ E9 13FCFFFF jmp NoobyPro.00614A0B

00614DF8 C5 db C5

00614DF9 51 db 51 ; CHAR 'Q'

00614DFA C1 db C1

00614DFB A0 db A0

00405BB0=<jmp.&kernel32.GetModuleHandleA>

Link to comment

OEP : 00613602

Stolen OEP shoud be Same:


PUSH EBP
MOV EBP,ESP
ADD ESP,-10
MOV EAX,00463710
CALL 00405C74
MOV EAX,DWORD PTR DS:[4658EC]
MOV EAX,DWORD PTR DS:[EAX]
CALL 0044D3D8
MOV ECX,DWORD PTR DS:[4659D0]
MOV EAX,DWORD PTR DS:[4658EC]
MOV EAX,DWORD PTR DS:[EAX]
MOV EDX,DWORD PTR DS:[463528]
CALL 0044D3F0
MOV EAX,DWORD PTR DS:[4658EC]
MOV EAX,DWORD PTR DS:[EAX]
CALL 0044D470
CAll 00403D9C

--------------

try to fix Imports ... .

Edited by AnTiCDLoCK
Link to comment

So easily Gaoding it?

Wait unpacking

Source oep 00463910

00463910 > $ 55 push ebp

00463911 . 8BEC mov ebp,esp

00463913 . 83C4 F0 add esp,-10

00463916 . B8 10374600 mov eax,00463710

0046391B . E8 5423FAFF call 00405C74

00463920 . A1 EC584600 mov eax,dword ptr ds:[4658EC]

00463925 . 8B00 mov eax,dword ptr ds:[eax]

00463927 . E8 AC9AFEFF call 0044D3D8

0046392C . 8B0D D0594600 mov ecx,dword ptr ds:[4659D0]

00463932 . A1 EC584600 mov eax,dword ptr ds:[4658EC]

00463937 . 8B00 mov eax,dword ptr ds:[eax]

00463939 . 8B15 28354600 mov edx,dword ptr ds:[463528]

0046393F . E8 AC9AFEFF call 0044D3F0

00463944 . A1 EC584600 mov eax,dword ptr ds:[4658EC]

00463949 . 8B00 mov eax,dword ptr ds:[eax]

0046394B . E8 209BFEFF call 0044D470

00463950 . E8 4704FAFF call 00403D9C

00463955 . 8D40 00 lea eax,dword ptr ds:[eax]

Link to comment

are u sure OEP was like this?

Anyway, this is one of the best protector i ever seen, waiting to try in an faster pc, since here it is hard for me to load it.

Link to comment

Ok i figured all on it...but rebuild all code can take days, not only hours. Very good import portection, and it is nice to see how good you protected oep and near procedures.

I hope to have time to complete this.

Link to comment
  • 2 weeks later...

00613602 > /55 push ebp

00613603 . |EB 72 jmp short NoobyPro.00613677

00613605 |E0 db E0

00613606 |6B db 6B ; CHAR 'k'

00613607 |FB db FB

00613608 |9E db 9E

00613609 |6D db 6D ; CHAR 'm'

0061360A |83 db 83

0061360B |FF db FF

0061360C |7B db 7B ; CHAR '{'

0061360D |EB db EB

0061360E |8E db 8E

0061360F |7D db 7D ; CHAR '}'

00613610 |88 db 88

00613611 |A6 db A6

00613612 |33 db 33 ; CHAR '3'

00613613 |A3 db A3

00613614 |C6 db C6

00613615 |35 db 35 ; CHAR '5'

00613616 |D1 db D1

00613617 |CB db CB

00613618 |41 db 41 ; CHAR 'A'

00613619 |D1 db D1

0061361A |B0 db B0

0061361B |43 db 43 ; CHAR 'C'

0061361C |A5 db A5

0061361D |0C db 0C

0061361E |18 db 18

0061361F $ |8D6424 04 lea esp,dword ptr ss:[esp+4]

00613623 . |E9 DD020000 jmp NoobyPro.00613905

00613628 |D5 db D5

00613629 |5C db 5C ; CHAR '\'

0061362A |F2 db F2

0061362B |95 db 95

0061362C |64 db 64 ; CHAR 'd'

0061362D |97 db 97

0061362E |B3 db B3

0061362F |43 db 43 ; CHAR 'C'

00613630 |D3 db D3

00613631 . |B6 45 mov dh,45

00613633 . |E4 B8 in al,0B8

00613635 . |35 A5CC3FE9 xor eax,E93FCCA5

0061363A . |73 02 jnb short NoobyPro.0061363E

0061363C . |EC in al,dx

0061363D . |9D popfd

0061363E > |AD lods dword ptr ds:[esi]

0061363F > |E8 E8E7E4FF call NoobyPro.00461E2C

00613644 . |8BE5 mov esp,ebp

00613646 . |5D pop ebp

00613647 . |C2 0800 retn 8

0061364A .-|E9 1AFEE4FF jmp NoobyPro.00463469

0061364F |C2 db C2

00613650 > |8B00 mov eax,dword ptr ds:[eax]

00613652 . |EB 59 jmp short NoobyPro.006136AD

00613654 |A9 db A9

00613655 |B1 db B1

00613656 > |8B0D D0594600 mov ecx,dword ptr ds:[4659D0] ; NoobyPro.00466BE0

0061365C . |EB 31 jmp short NoobyPro.0061368F

0061365E |C5 db C5

0061365F |4F db 4F ; CHAR 'O'

00613660 |DF db DF

00613661 |BA db BA

00613662 |49 db 49 ; CHAR 'I'

00613663 |95 db 95

00613664 |98 db 98

00613665 |1B db 1B

00613666 |8B db 8B

00613667 |EE db EE

00613668 |1D db 1D

00613669 |BC db BC

0061366A |C5 db C5

0061366B |55 db 55 ; CHAR 'U'

0061366C |C5 db C5

0061366D |AC db AC

0061366E |5F db 5F ; CHAR '_'

0061366F |EB db EB

00613670 |76 db 76 ; CHAR 'v'

00613671 |EB db EB

00613672 |7B db 7B ; CHAR '{'

00613673 |1E db 1E

00613674 |ED db ED

00613675 |42 db 42 ; CHAR 'B'

00613676 |3D db 3D ; CHAR '='

00613677 > |8BEC mov ebp,esp

00613679 . |83C4 F0 add esp,-10

0061367C . |C7C0 10374600 mov eax,NoobyPro.00463710

00613682 . |E8 ED25DFFF call NoobyPro.00405C74

00613687 . |8B05 EC584600 mov eax,dword ptr ds:[4658EC] ; NoobyPro.00466BB0

0061368D .^|EB C1 jmp short NoobyPro.00613650

0061368F > |8B05 EC584600 mov eax,dword ptr ds:[4658EC] ; NoobyPro.00466BB0

00613695 . |EB 22 jmp short NoobyPro.006136B9

00613697 |DB db DB

00613698 |49 db 49 ; CHAR 'I'

00613699 |D9 db D9

0061369A |B8 db B8

0061369B |4B db 4B ; CHAR 'K'

0061369C |F8 db F8

0061369D |FC db FC

0061369E |73 db 73 ; CHAR 's'

0061369F >^|E3 86 jecxz short NoobyPro.00613627

006136A1 .^|75 DA jnz short NoobyPro.0061367D

006136A3 . |45 inc ebp

006136A4 . |D141 20 rol dword ptr ds:[ecx+20],1

006136A7 . |D362 1B shl dword ptr ds:[edx+1B],cl

006136AA |9A db 9A

006136AB . |7A F2 jpe short NoobyPro.0061369F

006136AD > |E8 269DE3FF call NoobyPro.0044D3D8

006136B2 .^|EB A2 jmp short NoobyPro.00613656

006136B4 |AE db AE

006136B5 |C0 db C0

006136B6 . |A6 cmps byte ptr ds:[esi],byte ptr es:[edi]

006136B7 . |D032 sal byte ptr ds:[edx],1

006136B9 > |8B00 mov eax,dword ptr ds:[eax]

006136BB . |E9 F2010000 jmp NoobyPro.006138B2

006136C0 |19 db 19

006136C1 |2C db 2C ; CHAR ','

006136C2 > |E8 D506DFFF call NoobyPro.00403D9C

006136C7 . |E9 20010000 jmp NoobyPro.006137EC

006136CC |DF db DF

006136CD |48 db 48 ; CHAR 'H'

006136CE |DE db DE

006136CF |B9 db B9

006136D0 |48 db 48 ; CHAR 'H'

006136D1 |E1 db E1

006136D2 |CC int3

006136D3 |58 db 58 ; CHAR 'X'

006136D4 |CE db CE

006136D5 |A9 db A9

006136D6 |58 db 58 ; CHAR 'X'

006136D7 |EF db EF

006136D8 |8C db 8C

006136D9 |1F db 1F

006136DA |8F db 8F

006136DB |EA db EA

006136DC |19 db 19

006136DD . |807A AC 15 cmp byte ptr ds:[edx-54],15

006136E1 . |8A10 mov dl,byte ptr ds:[eax]

006136E3 > |8B45 FC mov eax,dword ptr ss:[ebp-4]

006136E6 . |8B50 48 mov edx,dword ptr ds:[eax+48]

006136E9 . |8B45 FC mov eax,dword ptr ss:[ebp-4]

006136EC . |8B80 78010000 mov eax,dword ptr ds:[eax+178]

006136F2 . |E8 6DEEE4FF call NoobyPro.00462564

006136F7 .^|E9 49FEFFFF jmp NoobyPro.00613545

Link to comment

0052AD7D . 9D popfd

0052AD7E . C3 retn

0052AD7F 24 db 24 ; CHAR '$'

7C824750 (kernel32.GetModuleHandleA)

0012FEF8 00200246

0012FEFC 7C824750 kernel32.GetModuleHandleA

0012FF00 005928D9 NoobyPro.005928D9 来自 NoobyPro.0052AC17

0012FF04 00000000

0012FEFC 7C824750 kernel32.GetModuleHandleA

0012FF00 005928D9 NoobyPro.005928D9 来自 NoobyPro.0052AC17

0012FF04 00000000

0012FF08 00000000

Edited by thisistest
Link to comment

I really suggest fixing all the imports LCF-AT. :)

Also one dll is not in the descriptor table.. As well as the

00525E0D FF90 AD075AFD CALL DWORD PTR DS:[EAX+FD5A07AD] ; GDI32.77E59F93

calls are not fixed.

Also the obfu is not that impressive it seems.. Nice but not special.

Should be easily removable.

Very nice work,

q.

Edited by quosego
Link to comment

Update, Increased protection strength

NoobyProtect SE 1.6.6.0 (unpackme)

00632257 > $ E8 1D000000 call 8_npse.00632279 ; PUSH ASCII "NoobyProtect SE 1.6.6.0 Demo"

0063225C . 4E 6F 6F 62 7>ascii "NoobyProtect SE "

0063226C . 31 2E 36 2E 3>ascii "1.6.6.0 Demo",0

00632279 >^ E9 DAFEFFFF jmp 8_npse.00632158

0063227E 50 db 50 ; CHAR 'P'

0063227F DD db DD

00632280 4D db 4D ; CHAR 'M'

00632281 14 db 14

Protection of the completion of:

Protection of code size:1771520

Dealing with input reference:1819

Dealing with the implementation of the branch:2387

Treatment Function api :1412

file:------http://filebeam.com/7c1f2e494f99b02f0eb53091506d95d6

3bb72bdf846c706408154c8214db80b5 NoobyProtect SE 1.6.6.0 Demo.exe md5

NoobyProtect SE 1.6.6.0 Demo.rar

Link to comment

Hi,

ah ok and thanks for the feedback.So here my second try maybe this will run now for you.

So for me it runs without to make trouble.Maybe someone can trace a little bit if the new unpacked file will not run for you to find whats wrong.

So I have just XP to test it.

@ quosego

Hmm, so I think I have all what will used fixed.

00525E0D | CALL DWORD PTR DS:[EAX+FD5A07AD] will also not used for me.

Thanks

NoobyProtect 1.6.40_Unpacked_2.rar

Link to comment

If you got the dll's on the same imagebase it does.. However I don't..

VM imports really need to be fixed.

Both the call I mentioned;

00527C0A FF90 7DFA3A9A CALL DWORD PTR DS:[EAX+9A3AFA7D] ; GDI32.77E59F93

Which is getmodulehandla btw..

And VM exits at;

00491F2F 9D POPFD

00491F30 61 POPAD

00491F31 C3 RET

Stack;

0012F4A4 77F416F8 advapi32.77F416F8

Both are good api's addresses at your place however they are not here..

regards,

q.

Edited by quosego
Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...