Jump to content
View in the app

A better way to browse. Learn more.
Tuts 4 You

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

[unpackme] PC-Guard 5.0 UnpackMe

burdoz
burdoz
in UnPackMe

Featured Replies

Posted

PC-Guard 5.0 UnpackMe

Calc.rar

Edited by burdoz

check dependencies before upload

jwldbutn2b.ocx missing

Is this a protector or a packer?! , cause all u have to do is to locate the oep and dumb ,no IAT Redirecting no oep stolen nothing at all!

"JwldButn2b.ocx" Included.

Unpacked.rar

The [unpackme] tag has been added to your topic title.

Please remember to follow and adhere to the topic title format - thankyou!

[This is an automated reply]

Prolly it was protected by a demo version, cause registered one is equally simple but can remove some procedures and execute at runtime.

  • 6 months later...

it can be easily unpacked using ESP trick and dumped worked well.

my question: got a VB protected with PC-Guard, dumped but encountered error and have to closed.

do i miss something here?

@ tracymee

which kind of error message?Maybe just a VB problem after unpacking.

Or.....

PC Guard can also use EN & DE Cryption Code.

push Bytes
call DeCrypt
encrypted code
......
......
push Bytes
call EnCrypt

Just have a look whether you see something like this.If yes then you need to execute all calls.After execute one DeCrypt call you need to nop the right EnCrypt call.Do this and then dump & fix.

greetz

Something like this:

AppName: dumped_.exe AppVer: 2.1.0.1 ModName: dumped_.exe

ModVer: 2.1.0.1 Offset: 000f7a1f

Where should notice this de-en call? after landed to VB oep or before?

thx for the reply :-)

You can search them at the OEP in the code section but I think you have a other problem.Try this.Step into the first API jmp ThunRTMain and set a BP on the ret of this API and run or press exeute til ret.See whether you get the error before you reach the ret.If yes then it can be a version check.On the other hand it can be that the file used some empty addresses which are no more empty and filled with some mem addresses.This can also be your problem [mostly happend if you dump after the OEP] and if yes then you need to zero the address.

You can also try this.Set a BP on all intermodular calls and run.If you break then remove the BP and run go on til you get the bad message.Now you know the code address before so that you can trace from this address forward to find & fix the reason.

Also have a look with LordPE maybe you can see somethig which is no more good like BoundImports etc.

If you can't find out the reason then send us your UnpackMe {target name etc}.

greetz

@LCF-AT

I tried BP on the RET of the first API and got error before it.

I tried BP AllIntermodularCall, and I landed to the same error code as the first:

004C74B9 . FF15 74615000 CALL DWORD PTR DS:[<&msvbvm60.#384>] ; msvbvm60.__vbaRecUniToAnsi

004C74BF . 50 PUSH EAX

004C74C0 . E8 973EF4FF CALL dumped_.0040B35C =====>got "error to close" after this call)

004C74C5 . 8945 88 MOV DWORD PTR SS:[EBP-78],EAX

004C74C8 . FF15 78605000 CALL DWORD PTR DS:[<&msvbvm60.#394>] ; msvbvm60.__vbaSetSystemError

Call landed to:

0040B35C $ A1 B0A24D00 MOV EAX,DWORD PTR DS:[4DA2B0]

0040B361 . 0BC0 OR EAX,EAX

0040B363 . 74 02 JE SHORT dumped_.0040B367

0040B365 - FFE0 JMP EAX =========> error ends after this

0040B367 > 68 44B34000 PUSH dumped_.0040B344

0040B36C . B8 402C4000 MOV EAX,<JMP.&msvbvm60.#187>

0040B371 . FFD0 CALL EAX

0040B373 .- FFE0 JMP EAX

hehe, pls check it for me, this is the target, thks:

unpackme

Edited by tracymee

@ tracymee

Problem is that you need some .ocx files like sevEin20.ocx.Download all needed ocx files til the original file also start.

Run-time error '339':Component 'sevEin20.ocx' or one of its dependencies not correctly registered: a file is missing or invalid

So you can see this message also which file it needs.I don't have this file so there was no ocx file in your package.If you got this file and it's not working for you then you need to register this file on your system.

regsvr32 c:\windows\system32\sevEin20.ocx

greetz

@ tracymee

Problem is that you need some .ocx files like sevEin20.ocx.Download all needed ocx files til the original file also start.

Run-time error '339':Component 'sevEin20.ocx' or one of its dependencies not correctly registered: a file is missing or invalid

So you can see this message also which file it needs.I don't have this file so there was no ocx file in your package.If you got this file and it's not working for you then you need to register this file on your system.

regsvr32 c:\windows\system32\sevEin20.ocx

greetz

@LCF-AT

oh my mistake, i thought it was a simple exe, pls download the setup (ca. 3mb):

setup

  • 1 month later...

hi

Please unpack by a movie How to Teach?

tanks

Create an account or sign in to comment

Go to topic listing

Configure browser push notifications
Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.