February 27, 2010
Is this a protector or a packer?! 'Cause all you have to do is locate the OEP and dump; no IAT redirecting, no OEP stolen, nothing at all!
"JwldButn2b.ocx" included.
Unpacked.rar
February 28, 2010
The [unpackme] tag has been added to your topic title. Please remember to follow and adhere to the topic title format - thank you! [This is an automated reply]
March 1, 2010
Probably it was protected by a demo version, 'cause the registered one is equally simple but can remove some procedures and execute at runtime.
September 16, 2010
It can be easily unpacked using the ESP trick, and dumping worked well.
My question: I got a VB app protected with PC-Guard, dumped it but encountered an error and it had to close. Did I miss something here?
September 16, 2010
@tracymee
Which kind of error message? Maybe it's just a VB problem after unpacking.
Or... PC Guard can also use EN & DE Cryption code:

push Bytes
call DeCrypt
encrypted code
............
push Bytes
call EnCrypt

Just have a look whether you see something like this. If yes, then you need to execute all calls. After executing one DeCrypt call you need to nop the right EnCrypt call. Do this and then dump & fix.
greetz
September 16, 2010
Something like this:

AppName: dumped_.exe AppVer: 2.1.0.1 ModName: dumped_.exe
ModVer: 2.1.0.1 Offset: 000f7a1f

Where should I notice this de-en call? After landing at the VB OEP or before?
Thanks for the reply :-)
September 16, 2010
You can search for them at the OEP in the code section, but I think you have another problem.

Try this. Step into the first API jmp ThunRTMain, set a BP on the ret of this API and run, or press execute till ret. See whether you get the error before you reach the ret. If yes, then it can be a version check.

On the other hand, it can be that the file used some empty addresses which are no longer empty and are filled with some mem addresses. This can also be your problem [mostly happens if you dump after the OEP], and if yes then you need to zero the address.

You can also try this. Set a BP on all intermodular calls and run. If you break, then remove the BP and run on till you get the bad message. Now you know the code address before it, so that you can trace forward from this address to find & fix the reason.

Also have a look with LordPE; maybe you can see something which is no longer good, like BoundImports etc.

If you can't find out the reason, then send us your UnpackMe {target name etc}.
greetz
September 16, 2010
@LCF-AT
I tried a BP on the RET of the first API and got the error before it.
I tried BP AllIntermodularCall, and I landed at the same error code as the first:

004C74B9 . FF15 74615000 CALL DWORD PTR DS:[<&msvbvm60.#384>] ; msvbvm60.__vbaRecUniToAnsi
004C74BF . 50 PUSH EAX
004C74C0 . E8 973EF4FF CALL dumped_.0040B35C =====> (got "error to close" after this call)
004C74C5 . 8945 88 MOV DWORD PTR SS:[EBP-78],EAX
004C74C8 . FF15 78605000 CALL DWORD PTR DS:[<&msvbvm60.#394>] ; msvbvm60.__vbaSetSystemError

Call landed to:

0040B35C $ A1 B0A24D00 MOV EAX,DWORD PTR DS:[4DA2B0]
0040B361 . 0BC0 OR EAX,EAX
0040B363 . 74 02 JE SHORT dumped_.0040B367
0040B365 - FFE0 JMP EAX =========> error ends after this
0040B367 > 68 44B34000 PUSH dumped_.0040B344
0040B36C . B8 402C4000 MOV EAX,<JMP.&msvbvm60.#187>
0040B371 . FFD0 CALL EAX
0040B373 .- FFE0 JMP EAX

Hehe, please check it for me, this is the target, thanks:
unpackme
Edited September 20, 2010 by tracymee
September 20, 2010
@tracymee
The problem is that you need some .ocx files like sevEin20.ocx. Download all needed ocx files till the original file also starts.

Run-time error '339':
Component 'sevEin20.ocx' or one of its dependencies not correctly registered: a file is missing or invalid

So you can also see in this message which file it needs. I don't have this file, so there was no ocx file in your package. If you got this file and it's not working for you, then you need to register this file on your system.

regsvr32 c:\windows\system32\sevEin20.ocx

greetz
September 20, 2010
@LCF-AT
Oh, my mistake, I thought it was a simple exe. Please download the setup (ca. 3 MB):
setup