Tuts 4 You

[UnPackMe]WinLicense2.1.0.10



Posted

WinLicense again updated! Welcome Test @!

Running a special card, in particular, slow, be patient!

test

Macros Information
------------------
VM Macros: 0
CodeReplace Macros: 0
ENCRYPT Macros: 0
CLEAR Macros: 0
CHECK_PROTECTION Macros: 0
CHECK_CODE_INTEGRITY Macros: 0
CHECK_REGISTRATION Macros: 0
CHECK_VIRTUAL_PC Macros: 0

Protection Options
------------------
Anti-Debugger: Advanced
Anti-Dumpers: ENABLED
Entry Point Obfuscation: ENABLED
Resource Encryption: ENABLED
VMWare compatible: ENABLED
API-Wrapping Level: Level 2
Anti-Patching: File Patching
Metamorph Security: ENABLED
Memory Guard: ENABLED
When Debugger Found: Display Message
Application compression: ENABLED
Resources compression: ENABLED
SecureEngine compression: ENABLED
Anti-File Monitor: ENABLED
Anti-Registry Monitor: ENABLED
Delphi/BCB form protection: ENABLED
Ring-0 Protection: ENABLED

Virtual Machine Settings
------------------------
Number of Virtual APIs wrapped: 6
API Virtualization Level: 3
Entry Point Virtualization: 15 instructions
Multi Branch Technology: DISABLED
Virtual Machine Processor: Mutable CISC-2 processor
Number of CPUs: 1
Opcode Type: Metamorphic - Level 2
Dynamic Opcode: 20% Dynamic

Advanced Protection Options
---------------------------
Encrypt Application: ENABLED
DLL plugin: DISABLED
Export Generators: ENABLED
Keep Trial Running: DISABLED
Hide from PE scanners: Type 1
.NET assemblies: ENABLED
Active Context: DISABLED
Custom Event:
Add Manifest: Don't add manifest
Launch Application: 5 All protection options!

test7.rar

test8.rar

Posted

test5 All protection options
http://www.multiupload.com/ZHYMC9DABM

726d083eb1e09255bd74b54697eb62b8 test5.exe md5

Posted

Hi,

here my unpacked files.

The test5 file was a little bit too big, so in this case I have split it into 2 parts.

I upload part 2 in the next post and also a free join tool.

The test5 file also used PE AntiDump / check.

greetz

test7_Unpacked.rar

test5_Unpacked_part01.exe.rar

Posted

Here comes part 2 of the unpacked test5 file and the join tool.

@ thisistest

Maybe you should use the next times some other targets so it's not the best to use always the same you know. Thanks.

PS: test8 does not run for me so it's a .net target so no .net targets run on my system.

greetz

test5_Unpacked_part02.exe.rar

Join it with me.rar

Posted (edited)

nice work..

What is interesting however is that it virtualizes small API calls in delphi init and puts an antidump block in it, not something I've seen before.

Not very useful, antidumps are public knowledge, however it is new.

00405C80   .-E9 CA572900    JMP test5_Un.0069B44F
00405C85 7B DB 7B ; CHAR '{'
00405C86 16 DB 16
00405C87 BB DB BB
00405C88 F8 DB F8
00405C89 17 DB 17
00405C8A . 03 DB 03
00405C8B . 30 51 49 ASCII "0QI"
00405C8E CD DB CD
00405C8F . A3 AC404600 MOV DWORD PTR DS:[4640AC],EAX ; test5_Un.00400000

Which is actually a simple GetModuleHandleA call and 2 movs.

Edited by quosego
Posted

00468353 >- E9 A8330100 jmp test5_Un.0047B700
00468358 F0:B8 10374600 lock mov eax,test5_Un.00463710 ; LOCK prefix is not allowed
0046835E E8 11D9F9FF call test5_Un.00405C74
00468363 - E9 16011C00 jmp test5_Un.0062847E

0047B700 60 pushad
0047B701 9C pushfd
0047B702 50 push eax
0047B703 54 push esp
0047B704 6A 04 push 4
0047B706 68 00100000 push 1000
0047B70B 68 00004000 push test5_Un.00400000 ; ASCII "MZP"
0047B710 FF15 78B74700 call dword ptr ds:[<&kernel32.VirtualPro>; kernel32.VirtualProtect
0047B716 58 pop eax
0047B717 C7C6 00B24700 mov esi,test5_Un.0047B200 ; ASCII "MZP"
0047B71D C7C7 00004000 mov edi,test5_Un.00400000 ; ASCII "MZP"
0047B723 C7C1 00050000 mov ecx,500
0047B729 F3:A4 rep movs byte ptr es:[edi],byte ptr ds:[>
0047B72B C705 53834600 5>mov dword ptr ds:[<ModuleEntryPoint>],83>
0047B735 C705 57834600 C>mov dword ptr ds:[468357],10B8F0C4
0047B73F 9D popfd
0047B740 61 popad

00468353 > 55 push ebp
00468354 8BEC mov ebp,esp
00468356 83C4 F0 add esp,-10
00468359 B8 10374600 mov eax,test5_Un.00463710
0046835E E8 11D9F9FF call test5_Un.00405C74
00468363 - E9 16011C00 jmp test5_Un.0062847E

test7 and test5 can run my system! strong!

You further progress, but it is difficult for me!

Posted

test5_Unpacked Backup
http://www.multiupload.com/VCABPHNBSJ

http://www.multiupload.com/XQ19U24NP0 Themida 2.08 all Protection Options test!

@LCF-AT

I think you can make a tutorial WinLicense all protected, or update your script! Make more friends, to get to learn, thank you!

Posted

Hello,

here my unpacked Themida 2.08 all Protection file.

So this time the original file runs very slow on my system! Some kind of slow motion. This is real bad.

Maybe someone can also DL this UnpackMe and test it to see whether you get the same slow motion result or not.

So I have tested it with win XP and win 2000 and I get the same slow result with the original and unpacked file.

No-one will protect a file / target in this way like in this UnpackMe case. :)

Anyway. So here my split files so it's again a bit large + VM section.

Rename the Themida all Unpacked_A.rar file to Themida all Unpacked_A.001

Update your script! Hhmmm, good idea! :^

But it would be better if someone creates a new Unpacker tool like quosego already said.

I have no idea about coding tools etc but someone else could do this so the knowledge is available and public.

greetz

Themida all Unpacked_A.rar

Posted

Themida 2.08 Unpacked run my system(xp), strong!
