kobalt Posted May 10, 2010
Here is a crackMe: NoobyPrt+Res PCked Execryptor. I hope this doesn't have the slow run issue. Test it.
LCF-AT Posted May 10, 2010
Hi,
Just one execution possible!!! Add a new CrackMe.key without an execution count.
greetz
kobalt (Author) Posted May 10, 2010
oks, here is the key without execution count
CrackMe.rar
quosego Posted May 11, 2010
I just love the API protection on this. Hardly impossible to fix but it does require you to rebuild the Delphi jump table. Which is an improvement.
deepzero Posted May 11, 2010
> I just love the API protection on this. Hardly impossible to fix but it does require you to rebuild the Delphi jump table. Which is an improvement.
Do you know any tutorial/documentation on this mysterious Delphi table?
dp0
quosego Posted May 11, 2010
Well, it's simply an FF25 table; it starts at the beginning of the code section with the kernel32 APIs (after some strings and other Delphi stuff but before actual code). Subsequent DLLs' jump tables are scattered throughout the code section.
Noobyprotect modifies calls to this jump table to an address inside the packer section. You could write the new jumps here, for instance, overwriting the nooby obfu code. That would not make it a nice table but should work fine. Not certain if it redirects all same APIs to the same section. That would save some time in regards to executing a tracer.
You could reinstate the old table but they would be hard to find generically, and matching them to the correct DLL will also be difficult.
The new FF25 jumps you create will have to point to the IAT, of course. The IAT, well, let's say, won't be very hard to reconstruct due to a certain flaw.
Edited May 11, 2010 by quosego
LCF-AT Posted May 11, 2010
Hi,
thanks for the new key file with the execution count. Ok, I got it almost unpacked. It's already working for me, so now I just fix the whole IAT to make it also work on other systems.
Just one question. Which kind of file do I need to convert? So I wanna test the convert option but I don't know which files I can choose there. Can you tell me, or can you add a very small file where I can test it?
greetz
kobalt (Author) Posted May 11, 2010
mm sorry, but I've never used that app. I only know it is a freeware which converts dfm binary files. I just take it because I want to test NoobyP with a Delphi and small app.
LCF-AT Posted May 12, 2010
Ah good, ok, so let's say it's just a test UnpackMe.
Here is my unpacked file so far... I have not fixed all, so I have no file to make a test convert, and in this case I have the file adding unfixed. So it should run and you can also press some buttons. It's just a test unpack. Try to start this file and send a post whether it also runs on your system or not.
greetz
CrackMe_npse_Unpacked so Far.rar
kobalt (Author) Posted May 12, 2010
No run in my system (XP SP3), anyone else report?
quosego Posted May 12, 2010
004034F5 E8 AACF1900 CALL CrackMe_.005A04A4
Still some to fix. And you should really make it recheck if the API has already been done, makes the table a lot smaller.
Edited May 12, 2010 by quosego
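An added illustration (not code from any poster in this thread) of what quosego's two posts above describe: it lists the `FF 25` jump thunks in a code section and separates `E8` calls that still reach a thunk from calls that land outside the code section, like the one at 004034F5. The section base, IAT range, thunk address and all function names are constructed assumptions; only the call bytes `E8 AACF1900` come from the post.

```python
import struct

def find_thunks(code, base, iat_lo, iat_hi):
    """Map thunk VA -> IAT slot VA for each `FF 25 imm32` (jmp dword ptr [imm32])
    whose operand lies inside the IAT range."""
    thunks = {}
    i = code.find(b"\xff\x25")
    while i != -1 and i + 6 <= len(code):
        slot = struct.unpack_from("<I", code, i + 2)[0]
        if iat_lo <= slot < iat_hi:
            thunks[base + i] = slot
        i = code.find(b"\xff\x25", i + 1)
    return thunks

def classify_calls(code, base, thunks):
    """Sort `E8 rel32` call sites by target: an FF25 thunk (intact) or an
    address outside the code section (redirected). A raw byte scan can
    mistake operand bytes for E8; a real tool would walk a disassembly."""
    end = base + len(code)
    intact, redirected = [], []
    for i in range(len(code) - 4):
        if code[i] != 0xE8:
            continue
        rel = struct.unpack_from("<i", code, i + 1)[0]
        target = (base + i + 5 + rel) & 0xFFFFFFFF
        if target in thunks:
            intact.append((base + i, target))
        elif not base <= target < end:
            redirected.append((base + i, target))
    return intact, redirected

# Constructed sample: code section base, IAT range and thunk are made up;
# only the call bytes at 004034F5 are taken from the post above.
BASE, IAT_LO, IAT_HI = 0x401000, 0x5B1000, 0x5B2000

def build_sample():
    code = bytearray(0x3000)
    code[0x200:0x206] = b"\xff\x25" + struct.pack("<I", 0x5B1234)
    code[0x2000:0x2005] = b"\xe8" + struct.pack("<i", 0x401200 - 0x403005)
    code[0x24F5:0x24FA] = bytes.fromhex("E8AACF1900")
    return bytes(code)

if __name__ == "__main__":
    sample = build_sample()
    thunks = find_thunks(sample, BASE, IAT_LO, IAT_HI)
    intact, redirected = classify_calls(sample, BASE, thunks)
    for site, tgt in redirected:
        print(f"{site:08X} -> {tgt:08X} (outside code section)")
```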
LCF-AT Posted May 12, 2010
Hi,
ah ok, and thanks for the reports, you two. So yesterday I tried to fix it fast so that it also works for me.
So today I feel better and I found already a better way to fix it, so I think the next file will also work for you.
greetz
NullPointerException Posted May 12, 2010
the previous unpacked from lcf worked on my system. good job!
LCF-AT Posted May 13, 2010
Hi,
ok, new day, new power. Here is my second try, and now it should work on every system, so I have fixed all. If you have a file where you can use this tool to convert something, then test this too, so it should also work now. Please test my new unpacked file and post a post with your result whether it works or not, ok, thank you.
greetz
CrackMe_npse_Unpacked_Complete.rar
kobalt (Author) Posted May 13, 2010
Impressive LCF
The file is running now, the same as original file
A couple of questions:
1. The resources packed with execryptor do decrease the difficulty?
2. This same file with a locked key (no runs allowed), how much could increase the difficulty?
Thanks
Edited May 13, 2010 by kobalt
LCF-AT Posted May 13, 2010
Hi,
oh yes! The hard work has paid off now!
The resources were no problem, so you just need to change the offsets in the PE Header. For sure it will be harder if you add a keyfile just with one possible execution. But if I know this info before I run the app then it would be easier. So I also see that TrialReset is not working to delete the execution limit at the moment, so maybe the author will have a look on this to make a TrialReset update.
> 2. This same file with a locked key (no runs allowed), how much could increase the difficulty?
All in all... Nooby protect or Safengine Licensor {newer name} is really nasty to unpack. At the moment it costs too much time to fix all like in your file. I have also written some different fixing scripts just for your file! Ok, this was now the second Nooby UnpackMe which I have unpacked, and now I am also a bit smarter how to deal with this protector.
greetz
Teddy Rogers Posted May 15, 2010
The [unpackme] tag has been added to your topic title. Please remember to follow and adhere to the topic title format - thank you!
[This is an automated reply]
EvOlUtIoN Posted May 17, 2010
Good job LCF-AT! To rebuild whole of this is quite hard! Most important part is the IAT, both pointers and jump table are patched by the protector, so rebuild all can be a very long work. Especially with a big file. Of course nothing is impossible, but something can be very close to.
SunBeam Posted May 20, 2010
Very nice unpackmes, BUT.. Why on earth doesn't anyone use these combos? Take Adobe for instance, they would very well be using something decent, maybe in-house, not clean code and req/recv auth codes..
quosego Posted May 20, 2010
Well that would give us something to do nowadays.. They're trying a brand new tactic.. Boring us, until half of us quit and then come up with something so awesome everybody is baffled. (Might actually not be such a bad idea.)
Winlicense + VMprotect is used occasionally though.. VB decompiler had that until it first got patched and then keygenned..
Edited May 20, 2010 by quosego
ScriptKiddy Posted May 22, 2010
Hi,
I am having a problem opening this into any of my debuggers. As soon as I open it my debugger instantly closes. In OllyDbg, as soon as it's opened it instantly closes. In IDA Pro, as soon as I attach my debugger to it, it also instantly closes. I have not even clicked the play button. How can I stop this?
Thanks