[unpackme] HSN.C3r protector 1.00 UnpackMe

[HSN.C3r]

New features:

+ CRC is added 
+ some improvement in obfuscation
+ some anti debug is added

level: --- please vote

unpackme.rar

[kao]

The only problem is to make nice looking import table. Maybe script by Pavka would still work, did not try.

Unpacked: http://www.mediafire.com/?5mjjmuzhqjm

[LCF-AT]

Hi,

level: --- please vote = easy

Some nops / small script so ImpRec makes trouble to trace the direct API addresses.

greetz

unpackme_unpacked.rar

[Ronar22]

Had to modify ImpRec to get "Auto Trace" working .

Unpacked.rar

[HSN.C3r]

Thanks all.

Well done.

[pavka]

Another way, without a script.

patch

005332D3 60 PUSHAD

005332D4 B9 18114500 MOV ECX,unpackme.00451118

005332D9 03CB ADD ECX,EBX

005332DB 8339 00 CMP DWORD PTR DS:[ECX],0

005332DE 74 07 JE SHORT unpackme.005332E7

005332E0 8901 MOV DWORD PTR DS:[ECX],EAX

005332E2 33C9 XOR ECX,ECX

005332E4 EB 17 JMP SHORT unpackme.005332FD

005332E6 90 NOP

005332E7 83C1 04 ADD ECX,4

005332EA 8901 MOV DWORD PTR DS:[ECX],EAX

005332EC 33C9 XOR ECX,ECX

005332EE 61 POPAD

005332EF 83C3 08 ADD EBX,8

005332F2 EB 0D JMP SHORT unpackme.00533301

005332F4 0000 ADD BYTE PTR DS:[EAX],AL

005332F6 8B09 MOV ECX,DWORD PTR DS:[ECX]

005332F8 83C3 05 ADD EBX,5

005332FB 890B MOV DWORD PTR DS:[EBX],ECX

005332FD 61 POPAD

005332FE 83C3 04 ADD EBX,4

00533301 03D1 ADD EDX,ECX

00533303 59 POP ECX

00533304 49 DEC ECX

00533305 0BC9 OR ECX,ECX

00533307 ^ 0F85 7BFFFFFF JNZ unpackme.00533288

0053330D 83C6 04 ADD ESI,4

00533310 59 POP ECX

00533311 49 DEC ECX

00533312 0BC9 OR ECX,ECX

00533314 ^ 0F85 2DFFFFFF JNZ unpackme.00533247

0053331A 68 6F5E5300 PUSH unpackme.00535E6F

0053331F C3 RETN

[HSN.C3r]

Here is the V 1.01

+ some anti debugs

unpackme.rar

[LCF-AT]

Hi,

test it

greetz

unpackme_unpacked.rar

[kao]

Nothing important has changed protection wise. http://www.mediafire.com/?kl1gtnkn1td

This is how I resolve imports. After that, use ImpRec with "Trace Level1 (Disasm)".

Pavka's method is little bit different but should work as well.

0056DADE   60               PUSHAD
0056DADF   90               NOP
0056DAE0   90               NOP
0056DAE1   90               NOP
0056DAE2   90               NOP
0056DAE3   90               NOP
0056DAE4   90               NOP
0056DAE5   90               NOP
0056DAE6   90               NOP
0056DAE7   81C3 3AF05600    ADD EBX,unpackme.0056F03A
0056DAED   C603 E9          MOV BYTE PTR DS:[EBX],0E9
0056DAF0   2BC3             SUB EAX,EBX
0056DAF2   83E8 05          SUB EAX,5
0056DAF5   8943 01          MOV DWORD PTR DS:[EBX+1],EAX
0056DAF8   90               NOP
0056DAF9   90               NOP
0056DAFA   90               NOP
0056DAFB   90               NOP
0056DAFC   90               NOP
0056DAFD   90               NOP
0056DAFE   90               NOP
0056DAFF   90               NOP
0056DB00   90               NOP
0056DB01   90               NOP
0056DB02   90               NOP
0056DB03   90               NOP
0056DB04   90               NOP
0056DB05   90               NOP
0056DB06   90               NOP
0056DB07   90               NOP
0056DB08   61               POPAD

[HSN.C3r]

However the protection is stronger than version 1.00.

Thanks.

[Apuromafo]

However the protection is stronger than version 1.00.

Thanks.

i will made an tut in spanish for 2 version of this topic packme..

see if wana read:
/>http://ricardonarvaja.net/WEB/CURSO%20NUEVO/TEORIAS%20NUMERADAS/1201-1300/1265-hsn%20by%20Apuromafo.7z

i was decripted the sub al,bl and add al,bl and inlined,

i was see how you divide and move the value of apis..

is a 9.x mb of tool and method to unpack this 2 unpackmes,without strong od./plugins only the script..and reading a little..

greeting Apuromafo

[FuJ!N]

hi apuromafo

your link does not work

[Apuromafo]

hi apuromafo

your link does not work

is down the .net.. try the .info
http://ricardonarvaja.info/WEB/CURSO%20NUEVO/TEORIAS%20NUMERADAS/1201-1300/'>/>http://ricardonarvaja.info/WEB/CURSO%20NUEVO/TEORIAS%20NUMERADAS/1201-1300/1265-hsn%20by%20Apuromafo.7z'>/>http://ricardonarvaja.info/WEB/CURSO%20NUEVO/TEORIAS%20NUMERADAS/1201-1300/1265-hsn%20by%20Apuromafo.7z

or
/>http://ricardonarvaja.info/WEB/CURSO%20NUEVO/TEORIAS%20NUMERADAS/1201-1300/

number 1265

[Gladiator]

Thank you so much.

::::

What is that language ? Please English

Edited August 2, 2010 by Gladiator

[HSN.C3r]

It would be better to post English version of it.

Thank you apuromafo.

Exeinfo PE :Poly!Crypt v.2.8(2007.03) by [BUNG] 

It's false detection or the BUNG's PolyCrypter is similar!

The obfuscator engine is created by myself.And I am improving it.

[Apuromafo]

It would be better to post English version of it.

Thank you apuromafo.

Exeinfo PE :Poly!Crypt v.2.8(2007.03) by [BUNG] 

It's false detection or the BUNG's PolyCrypter is similar!

The obfuscator engine is created by myself.And I am improving it.

that are my native lenguaje

i will try in some day traduce that..but script can resume all..

and the maximus.exe will helped to decode the packer involved.

yes, i know that are custom, because i was unpacked some old time similar, but all are packer inself..

is a good challenge

[Apuromafo]

tutorial in english .is only a little traduction.(46 pages..)
/>http://forum.tuts4you.com/index.php?showtopic=23950

Edited September 25, 2010 by apuromafo

[HSN.C3r]

Unpackme v 1.02

New features:

-Anti BP
-Anti HWBP
-Monitor RCE Tools
-Stolen OEP 
-New Anti-Debug method
-Some improvement in obfuscation

unpackme.rar

[quosego]

Hmmm won't run on XP SP3. works fine on windows 7 though.

Will give it a try on win7.

EDIT:

1.

Lol you're killing my explorer.exe when I go to the map ollydbg.

2.

hooking GetmOdulehandleA and I should be able to attach my olly. Since I'm to lazy to actually debug your code.

00405B04                                             $- FF25 E4214500             JMP DWORD PTR DS:[4521E4]

Never underestimate the power of weirdo exotic dumpers you can't possibly check all.

3.

Jups done hooked it and supsended all threads. Which'll mean I can attach near oep. Everything else should be a walk in the park.

running tracer to find logic in IAT redirs.

4.

Voila tracer produces an API. (takes a minute though. )

(well since this process should take fing long and am not in the mood to make something decent time to do some other stuff.)

Unpack should follow in about 1 hour. (if not longer.. )

00452118  77777B5B  [{ww  ntdll.RtlDeleteCriticalSection
0045211C  77766B40  @kvw  ntdll.RtlLeaveCriticalSection
00452120  77766B7E  ~kvw  ntdll.RtlEnterCriticalSection
00452124  7777F8BE  ¾øww  ntdll.RtlInitializeCriticalSection
00452128  76AE0D35  5.®v  kernel32.VirtualFree
0045212C  76AE05F4  ô®v  kernel32.VirtualAlloc
00452130  76AE057C  |®v  kernel32.LocalFree

etc.

Okay takes way to long, improved and should be fixed in a few secs.

5.

Done, import table retrieved. Only oep is left.

6.

Here ya go; Final unpack;
/>http://ifile.it/ynfismr/dumped_.rar

Lame IAT script below.

bphws 01601230, "x"mov temp, 452118
jmp LABEL_04LABEL_03:
add temp, 4LABEL_04:
mov temp_1, temp
cmp [temp], 0
je LABEL_03cmp temp, 4526d4
je LABEL_05mov eip, [temp]esto
sti
stiLABEL_02:
mov [temp_1], eip
jmp LABEL_03LABEL_05:
ret

Edited December 10, 2010 by quosego

[EvOlUtIoN]

for me it is working on sp3. Just need to be extracted from archive...dunno why.

[quosego]

Hmm weird, well it just access violates here. Ah well perfectly unpackable in win7 though.

In regard to difficulty I'd give it an low medium. Didn't require to much time, definitely fun though.

(unpack is located in my previous post.)

Edited December 10, 2010 by quosego

[HSN.C3r]

@quosego: Thanks .For explanation of unpacking and finally unpacked file. perfect !

@EvOlUtIoN: Because of anti debug which I've used , it must be extracted.

Edited December 12, 2010 by HSN.C3r

[EvOlUtIoN]

I also finished this...not written a tracer. Took another way.

I just dumped 2 other sections and attached to dumped. then written a little handler that fixed all pointers for me.

This unpackme is quite interesting imho, iat redirect is just like old obsidium version, but antidebug is really nice. Congratz!

OEP are only few bytes to rebuild does not take more than one minute.

will post my clean unpacked (few more than 400KB) as soon as i arrive at home.

[Ronar22]

Antidebug can be bypassed using unmodified olly with Phantom and StrongOD .

StrongOD Configurations: kernel mode , Hidepeb and skip some exceptions

Phantom Configurations: Change olly caption.

u have to edit ollydbg.ini first

CAPTEXT=Anyname
PRETEXT=Anyname

For iat fixing use the script below.

BPHWCALL
GPA "VirtualAlloc", "kernel32.dll"
BP $RESULT
RUN
BC $RESULT
FINDMEM #8937E94966FEFFE89E84FFFF#
MOV [$RESULT+1],#07#
BPHWS 405bc8, "x"
Run
ret

UnPacked.rar

Edited December 10, 2010 by Ronar22

[HSN.C3r]

Well done!

It seems this Anti debug is not compatible with some Operating Systems ,so you can easily bypass it.

Setting configurations that you mentioned above does not bypass anti-debug on my OS .

(And I think some of users's OS who downloaded the unpackme!)

Edit:

The special anti debug that I used in this version is not compatible with Win7 & maybe Vista,so you can easily unpack it.

But on Win XP it fully works , and it will be harder to unpack.

Edited December 13, 2010 by HSN.C3r