thisistest, posted December 8, 2009

hi, this is test!
SDProtector All protection options

Attachment: SDProtector 1.16.rar

LCF-AT, posted December 8, 2009

Hello,

here is my unpacked file. Test it and tell me whether it runs for you or not.

greetz

Attachment: SDProtector 1.14_Unpacked.rar

thisistest (author), posted December 9, 2009 (edited)

I think you can write a script for SDProtector 1.16

Edited December 9, 2009 by thisistest

thisistest (author), posted December 13, 2009

004065C4 - FF25 D0744600 jmp dword ptr ds:[4674D0]
004065CA 8BC0 mov eax,eax
004065CC - FF25 CC744600 jmp dword ptr ds:[4674CC]
004065D2 8BC0 mov eax,eax
004065D4 - FF25 C8744600 jmp dword ptr ds:[4674C8]
004065DA 8BC0 mov eax,eax
004065DC - FF25 C4744600 jmp dword ptr ds:[4674C4]
004065E2 8BC0 mov eax,eax
004065E4 - FF25 C0744600 jmp dword ptr ds:[4674C0]
004065EA 8BC0 mov eax,eax
004065EC - FF25 BC744600 jmp dword ptr ds:[4674BC]
004065F2 8BC0 mov eax,eax
004065F4 - FF25 B8744600 jmp dword ptr ds:[4674B8]
004065FA 8BC0 mov eax,eax
004065FC - FF25 B4744600 jmp dword ptr ds:[4674B4]
00406602 8BC0 mov eax,eax
00406604 - FF25 B0744600 jmp dword ptr ds:[4674B0]
0040660A 8BC0 mov eax,eax
-------------------------------------------------------
00148600 58 pop eax ; SDProtec.0044D25C
00148601 50 push eax
00148602 60 pushad
00148603 9C pushfd
00148604 68 03000000 push 3
00148609 50 push eax
0014860A B8 CFCEABDC mov eax,DCABCECF
0014860F 50 push eax
00148610 B8 9DFA259B mov eax,9B25FA9D
00148615 50 push eax
00148616 E8 0A403900 call SDProtec.004DC625
0014861B 9D popfd
0014861C 61 popad
0014861D B8 9DFA259B mov eax,9B25FA9D
00148622 9C pushfd
00148623 05 CFCEABDC add eax,DCABCECF
00148628 9D popfd
00148629 FFE0 jmp eax

00148628 9D popfd
00148629 - FFE0 jmp eax ; user32.PeekMessageA

EAX 77D1C96C user32.PeekMessageA
ECX 0012FFA8
EDX 0012FF5C
EBX 00000000
ESP 0012FF30
EBP 0012FFA8
ESI 00BD17CC
EDI 0012FF5C
EIP 00148629
----------------------------------------------
00405BB0 - FF25 E4714600 jmp dword ptr ds:[4671E4]
00405BB6 8BC0 mov eax,eax
00405BB8 - FF25 E0714600 jmp dword ptr ds:[4671E0]
00405BBE 8BC0 mov eax,eax
00405BC0 - FF25 DC714600 jmp dword ptr ds:[4671DC]

00145F80 58 pop eax ; SDProtec.00405C85
00145F81 50 push eax
00145F82 60 pushad
00145F83 9C pushfd
00145F84 68 03000000 push 3
00145F89 50 push eax
00145F8A B8 2F267CDB mov eax,DB7C262F
00145F8F 50 push eax
00145F90 B8 829004A1 mov eax,A1049082
00145F95 50 push eax
00145F96 E8 8A663900 call SDProtec.004DC625
00145F9B 9D popfd
00145F9C 61 popad
00145F9D B8 829004A1 mov eax,A1049082
00145FA2 9C pushfd
00145FA3 05 2F267CDB add eax,DB7C262F
00145FA8 9D popfd
00145FA9 FFE0 jmp eax

00145FA9 - FFE0 jmp eax ; kernel32.GetModuleHandleA

EAX 7C80B6B1 kernel32.GetModuleHandleA
ECX 00000002
EDX 00000003
EBX 00463710 SDProtec.00463710
ESP 0128FCF0
EBP 0128FD10
ESI 00000004
EDI 00000005
EIP 00145FA9
---------------------------------------
00147D08 58 pop eax ; SDProtec.0044D2C6
00147D09 50 push eax
00147D0A 60 pushad
00147D0B 9C pushfd
00147D0C 68 01000000 push 1
00147D11 50 push eax
00147D12 B8 F5E584DC mov eax,DC84E5F5
00147D17 50 push eax
00147D18 B8 F68BD177 mov eax,user32.TranslateMessage
00147D1D 50 push eax
00147D1E E8 02493900 call SDProtec.004DC625
00147D23 9D popfd
00147D24 61 popad
00147D25 74 0E je short 00147D35
00147D27 75 0C jnz short 00147D35
00147D29 FF35 481B4100 push dword ptr ds:[411B48]
00147D2F FF20 jmp dword ptr ds:[eax]

00147D1D 50 push eax ; user32.TranslateMessage

EAX 77D18BF6 user32.TranslateMessage
ECX 0000000F
EDX 0012FF5C
EBX 00000001
ESP 0012FF10
EBP 0012FFA8
ESI 00BD17CC
EDI 0012FF5C
EIP 00147D1D
-----------------------------------------------------
00149862 60 pushad
00149863 9C pushfd
00149864 68 04000000 push 4
00149869 50 push eax
0014986A B8 1CF2D6DC mov eax,DCD6F21C
0014986F 50 push eax
00149870 B8 A46407AB mov eax,AB0764A4
00149875 50 push eax
00149876 E8 AA2D3900 call SDProtec.004DC625
0014987B 9D popfd
0014987C 61 popad
0014987D B8 A46407AB mov eax,AB0764A4
00149882 9C pushfd
00149883 35 1CF2D6DC xor eax,DCD6F21C
00149888 9D popfd
00149889 50 push eax ; user32.DispatchMessageA
0014988A C3 retn

EAX 77D196B8 user32.DispatchMessageA
ECX 0012FF5C
EDX 0012FF5C
EBX 00000001
ESP 0012FF40
EBP 0012FFA8
ESI 00BD17CC
EDI 0012FF5C
--------------------
467118 iat start
467708 iat end
---------------------------------
use SDProtector_Pro_1.1x_Redirect Joker_Italy

Invalid Pointer
00467134 7C80999D kernel32.LocalAlloc
00467138 004DAE97 SDProtec.004DAE97
00467164 004DBA24 SDProtec.004DBA24
00467178 004DBA13 SDProtec.004DBA13
00467188 004DB7F0 ASCII "VWj"
004671AC 004DB84B SDProtec.004DB84B
00467270 004DB9D6 SDProtec.004DB9D6
004672B4 004DBA44 SDProtec.004DBA44
004674D8 77D30097 user32.OemToCharA
004674DC 004DB84B SDProtec.004DB84B
0046726C 7C8360F1 kernel32.GlobalAddAtomA
----------------------------
00467130 >7C80993F kernel32.LocalFree
00467134 >7C80999D

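The redirect stubs in the listing above end by rebuilding the real API address from two constants (mov eax / add or xor / jmp eax or push eax; retn). As an added example, not part of any post in this thread, the following Python code recovers that address statically from the stub bytes copied from the listing; the function and variable names are assumptions.

```python
import re
import struct

# Tail of a redirect stub as it appears in the listing:
#   B8 imm32        mov eax,K1
#   9C              pushfd
#   05 / 35 imm32   add eax,K2   or   xor eax,K2
#   9D              popfd
#   FF E0 / 50 C3   jmp eax      or   push eax ; retn
STUB_TAIL = re.compile(
    rb"\xB8(.{4})\x9C([\x05\x35])(.{4})\x9D(?:\xFF\xE0|\x50\xC3)", re.DOTALL)


def resolve_stub(code: bytes):
    """Return the API address the stub transfers to, or None if no tail matches."""
    m = STUB_TAIL.search(code)
    if m is None:
        return None
    (k1,) = struct.unpack("<I", m.group(1))
    (k2,) = struct.unpack("<I", m.group(3))
    if m.group(2) == b"\x05":              # add eax,K2 wraps at 32 bits
        return (k1 + k2) & 0xFFFFFFFF
    return k1 ^ k2                         # xor eax,K2


# Stub bytes copied from the listing, keyed by the stub's start address.
STUBS = {
    0x00148600: bytes.fromhex(
        "58 50 60 9C 68 03000000 50 B8 CFCEABDC 50 B8 9DFA259B 50"
        " E8 0A403900 9D 61 B8 9DFA259B 9C 05 CFCEABDC 9D FFE0"),
    0x00145F80: bytes.fromhex(
        "58 50 60 9C 68 03000000 50 B8 2F267CDB 50 B8 829004A1 50"
        " E8 8A663900 9D 61 B8 829004A1 9C 05 2F267CDB 9D FFE0"),
    0x00149862: bytes.fromhex(
        "60 9C 68 04000000 50 B8 1CF2D6DC 50 B8 A46407AB 50"
        " E8 AA2D3900 9D 61 B8 A46407AB 9C 35 1CF2D6DC 9D 50 C3"),
    # Variant at 00147D08: address is pushed in clear, no add/xor tail.
    0x00147D08: bytes.fromhex(
        "58 50 60 9C 68 01000000 50 B8 F5E584DC 50 B8 F68BD177 50"
        " E8 02493900 9D 61 74 0E 75 0C FF35 481B4100 FF20"),
}

if __name__ == "__main__":
    for start, code in STUBS.items():
        target = resolve_stub(code)
        print(f"{start:08X} ->", "no add/xor tail" if target is None else f"{target:08X}")
```

The three resolved values match the EAX register dumps in the post (PeekMessageA, GetModuleHandleA, DispatchMessageA); the 00147D08 variant carries the address of user32.TranslateMessage in clear and is reported as having no add/xor tail.
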
thisistest (author), posted December 13, 2009

My unpacked file does not run.

Attachments: 123_.rar, SDProtect 1.16 script.rar, WSDP116 unpacker.rar

LCF-AT, posted December 13, 2009

Hi,

@ thisistest

so the reason why your unpacked file does not run is that you have a dirty dump! This happens if you dump

A.] when the target is already running, or
B.] when too much code has already been executed after the real OEP

------

Solution:

- dump the next time near the OEP, or just clean up your already dumped dirty file

So if you dump a running target then everything is already executed, and in your code section there are also addresses filled with some memory addresses, like this part...

00464258 00BD0358 <----
0046425C 0040703C ASCII 0A,"EDivByZero"
00464260 00BD0338 <----
00464264 00407094 ASCII 0B,"ERangeError"
00464268 00BD0318 <----
0046426C 004070EC ASCII 0C,"EIntOverflow"
00464270 00BD02F8 <----
00464274 004071A0 ASCII 0A,"EInvalidOp"
00464278 00BD02C8 <----
0046427C 004071F8 ASCII 0B,"EZeroDivide"
00464280 00BD029C <----
00464284 00407250 ASCII 09,"EOverflow"
00464288 00BD0278 <---- Must be 00000000
0046428C 004072A8 ASCII 0A,"EUnderflow"

But these are not the only places which you have to clean. So your unpacked file is also running on my system, but only after a cleanup. Of course I can write a cleanup script, but I think it's not really needed. Also, this unpackme is an easy unpackme, so you can also break directly at the OEP in Olly to dump your file. Try one of the 2 methods and then you have a working dump file.

greetz
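
The dirty-dump cleanup described in the post above, as an added example that is not part of the original post: this Python code finds dwords in a dumped region that still hold run-time heap addresses and zeroes them. The dwords are copied from the listing in the post; the heap range 00BD0000-00BE0000 and all function names are assumptions (the real range is read from the debugger's memory map of the dumped process).

```python
import struct


def find_stale_pointers(data: bytes, base_va: int, stale_ranges):
    """Return [(va, value)] for aligned dwords that point into stale_ranges."""
    hits = []
    for off in range(0, len(data) - 3, 4):
        (value,) = struct.unpack_from("<I", data, off)
        if any(lo <= value < hi for lo, hi in stale_ranges):
            hits.append((base_va + off, value))
    return hits


def zero_stale_pointers(data: bytes, base_va: int, hits) -> bytes:
    """Return a copy of data with every reported dword set to 00000000."""
    cleaned = bytearray(data)
    for va, _ in hits:
        off = va - base_va
        cleaned[off:off + 4] = b"\x00\x00\x00\x00"
    return bytes(cleaned)


# Dwords copied from the post's listing, starting at 00464258.
DUMP_VA = 0x00464258
DUMP = struct.pack(
    "<14I",
    0x00BD0358, 0x0040703C, 0x00BD0338, 0x00407094, 0x00BD0318,
    0x004070EC, 0x00BD02F8, 0x004071A0, 0x00BD02C8, 0x004071F8,
    0x00BD029C, 0x00407250, 0x00BD0278, 0x004072A8,
)

# Assumption: the heap block that existed only in the running process.
HEAP_RANGES = [(0x00BD0000, 0x00BE0000)]

if __name__ == "__main__":
    stale = find_stale_pointers(DUMP, DUMP_VA, HEAP_RANGES)
    for va, value in stale:
        print(f"{va:08X} {value:08X} -> 00000000")
    cleaned = zero_stale_pointers(DUMP, DUMP_VA, stale)
    print(len(stale), "dwords cleaned,", len(cleaned), "bytes written")
```

Pointers into the image itself, such as the class-name strings at 004070xx, are left untouched; only values inside the supplied ranges are reported and zeroed.
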