Tuts 4 You

[unpackme] Nooby P 1.7+Resources Packed EC


kobalt


here is a crackMe

NoobyPrt+Res Packed Execryptor

I hope this doesn't have the slow run issue

Test it

Link to comment
Share on other sites

I just love the API protection on this. Hardly impossible to fix but it does require you to rebuild the Delphi jump table.

Which is an improvement.

Link to comment
Share on other sites

I just love the API protection on this. Hardly impossible to fix but it does require you to rebuild the Delphi jump table.

Which is an improvement.

Do you know any tutorial/documentation on this mysterious Delphi table? :turned:

dp0 :)

Link to comment
Share on other sites

Well, it's simply an FF25 table; it starts at the beginning of the code section with the kernel32 APIs (after some strings and other Delphi stuff but before actual code).

Subsequent DLLs' jump tables are scattered throughout the code section.

Noobyprotect modifies calls to this jump table to an address inside the packer section. You could write the new jumps here for instance, overwriting the nooby obfu code.

That would not make it a nice table but should work fine. Not certain if it redirects all same APIs to the same section. That would save some time in regards to executing a tracer. You could reinstate the old table but they would be hard to find generically and matching them to the correct DLL will also be difficult.

The new FF25 jumps you create will have to point to the IAT of course. :) The IAT, well, let's say it won't be very hard to reconstruct due to a certain flaw. ;)

Edited by quosego
Link to comment
Share on other sites

Hi,

Thanks for the new key file with the execution count. :)

Ok, I got it almost unpacked. It's already working for me, so now I just fix the whole IAT to make it also work on other systems.

Just one question. Which kind of file do I need to convert? I wanna test the convert option but I don't know which files I can choose there. Can you tell me, or can you add a very small file where I can test it?

greetz

Link to comment
Share on other sites

Mm, sorry, but I've never used that app. I only know it is freeware which converts DFM binary files; I just took it because I want to test NoobyP with a small Delphi app :rolleyes:

Link to comment
Share on other sites

Ah good, ok, so let's say it's just a test UnpackMe. :)

Here is my unpacked file so far... I have not fixed all, so I have no file to make a test convert and in this case I have the file adding unfixed. So it should run and you can also press some buttons. It's just a test unpack. Try to start this file and send a post whether it also runs on your system or not.

greetz

CrackMe_npse_Unpacked so Far.rar

Link to comment
Share on other sites

004034F5   E8 AACF1900      CALL CrackMe_.005A04A4

Still some to fix. ;) And you should really make it recheck if the API has already been done, makes the table a lot smaller.

Edited by quosego
Link to comment
Share on other sites
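The FF25 table described earlier in the thread and the leftover `CALL CrackMe_.005A04A4` quoted above can both be checked mechanically in a dump. The following is an added example, not code from any poster in this thread: it lists `FF 25` import thunks that point into the IAT and flags `E8` calls that still land in the packer section. The section and IAT ranges, the thunk address and the function names are assumptions constructed for the sample; only the five bytes at 004034F5 come from the thread.

```python
import struct

# Constructed layout (assumptions; the thread gives only 004034F5 and 005A04A4).
CODE_VA = 0x00401000                 # start of the code section
PACKER = (0x005A0000, 0x005B0000)    # packer section range
IAT = (0x005C0000, 0x005C0100)       # rebuilt IAT range

def ff25_thunks(code, code_va, iat):
    """Map thunk VA -> IAT slot for each FF 25 abs32 whose operand is an aligned IAT slot."""
    out, i = {}, code.find(b"\xff\x25")
    while i != -1 and i + 6 <= len(code):
        (slot,) = struct.unpack_from("<I", code, i + 2)
        hit = iat[0] <= slot < iat[1] and (slot - iat[0]) % 4 == 0
        if hit:
            out[code_va + i] = slot
        i = code.find(b"\xff\x25", i + (6 if hit else 1))
    return out

def classify_calls(code, code_va, thunks, packer):
    """Byte-scan heuristic (no disassembly): (via_thunk, redirected) lists of (call_va, target)."""
    via_thunk, redirected = [], []
    i = code.find(b"\xe8")
    while i != -1 and i + 5 <= len(code):
        (rel,) = struct.unpack_from("<i", code, i + 1)
        va = code_va + i
        target = (va + 5 + rel) & 0xFFFFFFFF   # rel32 counts from the next instruction
        step = 5
        if target in thunks:
            via_thunk.append((va, target))
        elif packer[0] <= target < packer[1]:
            redirected.append((va, target))
        else:
            step = 1                           # not a call of interest; resync
        i = code.find(b"\xe8", i + step)
    return via_thunk, redirected

def build_sample():
    """Constructed code section: one thunk, one call through it, the thread's bytes at 004034F5."""
    code = bytearray(b"\x90" * 0x3000)
    code[0x200:0x206] = b"\xff\x25" + struct.pack("<I", 0x005C0010)
    code[0x1000:0x1005] = b"\xe8" + struct.pack("<i", 0x00401200 - 0x00402005)
    code[0x24F5:0x24FA] = bytes.fromhex("E8AACF1900")
    return bytes(code)

if __name__ == "__main__":
    s = build_sample()
    print(classify_calls(s, CODE_VA, ff25_thunks(s, CODE_VA, IAT), PACKER))
```

Because the scan matches raw bytes rather than decoded instructions, hits inside data or operand bytes are possible; confirm each flagged address in a disassembler.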

Hi,

Ah ok, and thanks for the reports, you two. So yesterday I tried to fix it fast so that it also works for me. :) So today I feel better and I already found a better way to fix it, so I think the next file will also work for you. :)

greetz

Link to comment
Share on other sites

Hi,

Ok, new day, new power. :) Here is my second try and now it should work on every system, so I have fixed all. If you have a file where you can use this tool to convert something then test this too, so it should also work now. Please test my new unpacked file and post your result, whether it works or not, ok? Thank you.

greetz

CrackMe_npse_Unpacked_Complete.rar

Link to comment
Share on other sites

Impressive LCF

The file is running now, the same as original file :thumbsup:

A couple of questions:

1. Do the resources packed with Execryptor decrease the difficulty?

2. This same file with a locked key (no runs allowed), how much could it increase the difficulty?

Thanks :teehee:

Edited by kobalt
Link to comment
Share on other sites

Hi,

Oh yes! The hard work has paid off now!

The resources were no problem, so you just need to change the offsets in the PE Header.

For sure it will be harder if you add a keyfile with just one possible execution. :) But if I know this info before I run the app then it would be easier. I also see that TrialReset is not working to delete the execution limit at the moment, so maybe the author will have a look at this to make a TrialReset update.

2. This same file with a locked key (no runs allowed), how much could it increase the difficulty?

All in all... Nooby protect or Safengine Licensor {newer name} is really nasty :) to unpack. At the moment it costs too much time to fix all like in your file. I have also written some different fixing scripts just for your file! :) Ok, this was now the second Nooby UnpackMe which I have unpacked and now I am also a bit smarter about how to deal with this protector.

greetz

Link to comment
Share on other sites

Teddy Rogers

The [unpackme] tag has been added to your topic title.

Please remember to follow and adhere to the topic title format - thank you!

[This is an automated reply]

Link to comment
Share on other sites

Good job LCF-AT!

To rebuild the whole of this is quite hard!

The most important part is the IAT; both pointers and jump table are patched by the protector, so rebuilding all of it can be very long work. Especially with a big file.

Of course nothing is impossible, but something can be very close to.

:)

Link to comment
Share on other sites

Very nice unpackmes, BUT.. Why on earth doesn't anyone use these combos? Take Adobe for instance, they would very well be using something decent, maybe in-house, not clean code and req/recv auth codes..

Link to comment
Share on other sites

Well that would give us something to do nowadays.. They're trying a brand new tactic.. Boring us, until half of us quit and then come up with something so awesome everybody is baffled. :D (Might actually not be such a bad idea.)

Winlicense + VMprotect is used occasionally though.. VB decompiler had that until it first got patched and then keygenned..

Edited by quosego
Link to comment
Share on other sites

ScriptKiddy

Hi, I am having a problem opening this in any of my debuggers. As soon as I open it my debugger instantly closes. In OllyDbg, as soon as it's opened it instantly closes. In IDA Pro, as soon as I attach my debugger to it, it also instantly closes. I have not even clicked the play button. How can I stop this? Thanks

Link to comment
Share on other sites
