Tuts 4 You

[unpackme] PC-Guard 5.0 UnpackMe


burdoz


The [unpackme] tag has been added to your topic title.

Please remember to follow and adhere to the topic title format - thank you!

[This is an automated reply]


Probably it was protected by a demo version, because the registered one is equally simple but can remove some procedures and execute them at runtime.


It can be easily unpacked using the ESP trick, and the dump worked well.

My question: I got a VB app protected with PC-Guard, dumped it, but encountered an error and it has to close.

Am I missing something here?


@ tracymee

Which kind of error message? Maybe it is just a VB problem after unpacking.

Or.....

PC Guard can also use encryption & decryption code.

push Bytes
call DeCrypt
encrypted code
......
......
push Bytes
call EnCrypt

Just have a look whether you see something like this. If yes, then you need to execute all calls. After executing one DeCrypt call you need to NOP the right EnCrypt call. Do this and then dump & fix.

greetz


Something like this:

AppName: dumped_.exe AppVer: 2.1.0.1 ModName: dumped_.exe
ModVer: 2.1.0.1 Offset: 000f7a1f

Where should I notice this de/en call? After landing at the VB OEP, or before?

Thanks for the reply :-)


You can search for them at the OEP in the code section, but I think you have another problem. Try this. Step into the first API jmp ThunRTMain and set a BP on the ret of this API and run or press execute till ret. See whether you get the error before you reach the ret. If yes, then it can be a version check. On the other hand, it can be that the file used some empty addresses which are no more empty and are filled with some mem addresses. This can also be your problem [mostly happens if you dump after the OEP] and if yes, then you need to zero the address.

You can also try this. Set a BP on all intermodular calls and run. If you break, then remove the BP and go on running till you get the bad message. Now you know the code address before, so that you can trace from this address forward to find & fix the reason.

Also have a look with LordPE; maybe you can see something which is no more good, like BoundImports etc.

If you can't find out the reason then send us your UnpackMe {target name etc}.

greetz

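A way to triage the fault report tracymee posted and the two header-level fixes LCF-AT mentions (zeroing a global address that is no longer empty, and a BoundImports directory that is no longer good), as an added example that is not part of this thread or of any tool named in it: a small Python PE parser. The "Offset" field in the Windows error report is the RVA of the faulting instruction from the module base, so the script maps it to a section and a file offset in the dump, then zeroes a DWORD at a chosen VA and clears the bound-import directory entry. The PE image, the report offset 0x1A1F, the global at VA 0x402010 and the leftover pointer value are all constructed for the demo; on the real dump one would use the page's own values (offset 000f7a1f, the pointer at [4DA2B0]).

```python
import struct

# Index of the bound-import entry in the optional header's data directory table
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT = 11


def parse_pe(data):
    """Parse the DOS/NT headers and section table of a PE32 or PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    _machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:        # PE32: 32-bit ImageBase at +28, NumberOfRvaAndSizes at +92
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
        ndirs_off = opt + 92
    elif magic == 0x20B:      # PE32+: 64-bit ImageBase at +24, NumberOfRvaAndSizes at +108
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
        ndirs_off = opt + 108
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    ndirs = struct.unpack_from("<I", data, ndirs_off)[0]
    dirs_off = ndirs_off + 4
    dirs = [struct.unpack_from("<II", data, dirs_off + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsec):
        name, vsize, va, rsize, raw = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii"),
                         "va": va, "vsize": vsize, "raw": raw, "rsize": rsize})
    return {"image_base": image_base, "dirs": dirs, "dirs_off": dirs_off, "sections": sections}


def rva_to_section(pe, rva):
    """Return the section whose virtual range covers rva, or None."""
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rsize"]):
            return s
    return None


def rva_to_file_offset(pe, rva):
    """Map an RVA to a file offset; None if the byte is virtual-only (e.g. .bss) or unmapped."""
    s = rva_to_section(pe, rva)
    if s is None or rva - s["va"] >= s["rsize"]:
        return None
    return s["raw"] + (rva - s["va"])


def locate_fault(pe, report_offset):
    """Resolve the 'Offset' field of a Windows fault report (an RVA from the module base)."""
    s = rva_to_section(pe, report_offset)
    return {"va": pe["image_base"] + report_offset,
            "section": s["name"] if s else None,
            "file_offset": rva_to_file_offset(pe, report_offset)}


def zero_dword_at_va(data, pe, va):
    """Zero a 4-byte global in the dump (the 'address is no more empty' fix); returns new bytes."""
    off = rva_to_file_offset(pe, va - pe["image_base"])
    if off is None:
        raise ValueError("VA 0x%x is not backed by file data" % va)
    return data[:off] + b"\0\0\0\0" + data[off + 4:]


def clear_bound_imports(data, pe):
    """Zero the bound-import directory entry so the loader ignores stale binding data."""
    off = pe["dirs_off"] + 8 * IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT
    return data[:off] + b"\0" * 8 + data[off + 8:]


def section_header(name, vsize, va, rsize, raw, characteristics):
    """Pack one 40-byte IMAGE_SECTION_HEADER (relocation/line-number fields left zero)."""
    return struct.pack("<8sIIIIIIHHI", name, vsize, va, rsize, raw, 0, 0, 0, 0, characteristics)


def build_sample_pe():
    """Constructed minimal PE32 (not a real program) with a .text and a .data section."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)              # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x0102)   # i386, 2 sections
    opt = struct.pack("<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII",
                      0x10B, 9, 0, 0x1000, 0x200, 0, 0x1000, 0x1000, 0x2000,
                      0x400000, 0x1000, 0x200, 4, 0, 0, 0, 4, 0,
                      0, 0x3000, 0x400, 0, 2, 0,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    dirs[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT] = (0x248, 0x20)         # constructed stale entry
    dir_table = b"".join(struct.pack("<II", r, s) for r, s in dirs)
    secs = (section_header(b".text", 0x1000, 0x1000, 0x1000, 0x400, 0x60000020)
            + section_header(b".data", 0x800, 0x2000, 0x200, 0x1400, 0xC0000040))
    headers = (dos + b"PE\0\0" + coff + opt + dir_table + secs).ljust(0x400, b"\0")
    data_sec = bytearray(0x200)
    data_sec[0x10:0x14] = struct.pack("<I", 0x00405ABC)              # constructed leftover pointer at VA 0x402010
    return headers + b"\xCC" * 0x1000 + bytes(data_sec)


def demo():
    """Triage a constructed report offset, then apply both fixes and re-parse the result."""
    data = build_sample_pe()
    pe = parse_pe(data)
    fault = locate_fault(pe, 0x1A1F)                                 # constructed report offset
    fixed = clear_bound_imports(zero_dword_at_va(data, pe, 0x402010), pe)
    pe2 = parse_pe(fixed)
    return fault, pe2["dirs"][IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT], fixed[0x1410:0x1414]


if __name__ == "__main__":
    print(demo())
```

`rva_to_file_offset` returns None for bytes that exist only in memory (the virtual tail of a section), which is the case to watch for when a dump was taken after the OEP: a runtime-filled global can sit in a range that has no backing on disk in the original, and zeroing it in the dump only makes sense where the dump actually contains the bytes.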

@LCF-AT

I tried a BP on the RET of the first API and got the error before it.

I tried BP AllIntermodularCalls, and I landed at the same error code as the first:

004C74B9 . FF15 74615000 CALL DWORD PTR DS:[<&msvbvm60.#384>] ; msvbvm60.__vbaRecUniToAnsi
004C74BF . 50 PUSH EAX
004C74C0 . E8 973EF4FF CALL dumped_.0040B35C =====> got "error to close" after this call
004C74C5 . 8945 88 MOV DWORD PTR SS:[EBP-78],EAX
004C74C8 . FF15 78605000 CALL DWORD PTR DS:[<&msvbvm60.#394>] ; msvbvm60.__vbaSetSystemError

The call landed at:

0040B35C $ A1 B0A24D00 MOV EAX,DWORD PTR DS:[4DA2B0]
0040B361 . 0BC0 OR EAX,EAX
0040B363 . 74 02 JE SHORT dumped_.0040B367
0040B365 - FFE0 JMP EAX =========> error ends after this
0040B367 > 68 44B34000 PUSH dumped_.0040B344
0040B36C . B8 402C4000 MOV EAX,<JMP.&msvbvm60.#187>
0040B371 . FFD0 CALL EAX
0040B373 .- FFE0 JMP EAX

Hehe, please check it for me, this is the target, thanks:

unpackme

Edited by tracymee

@ tracymee

The problem is that you need some .ocx files like sevEin20.ocx. Download all needed ocx files till the original file also starts.

Run-time error '339':Component 'sevEin20.ocx' or one of its dependencies not correctly registered: a file is missing or invalid

So you can see from this message also which file it needs. I don't have this file, so there was no ocx file in your package. If you got this file and it's not working for you, then you need to register this file on your system.

regsvr32 c:\windows\system32\sevEin20.ocx

greetz


@LCF-AT

Oh, my mistake, I thought it was a simple exe. Please download the setup (ca. 3 MB):

setup
