zenix
Posted June 2, 2010

VProtect is a new Protector by cooolie.
This is the unpackme for you to test.
http://fs.unpack.cn/?fs=0&u=80
test_VP

If you are interested, here is the download address of DEMO version.
http://www.vmprotect.net/demo/VProtectDemo.rar

And here is the official website
http://www.vmprotect.net

quosego
Posted June 2, 2010

The [unpackme] tag has been added to your topic title.
Please remember to follow and adhere to the topic title format - thank you!
[This is an automated reply]

LCF-AT
Posted June 3, 2010

Hi,

here is my unpacked file. So I have all fixed except one....

00407E86 PUSH 0
00407E88 PUSH 0CF8000
00407E8D PUSH 80
00407E92 MOV ECX,EDI
00407E94 CALL EAX <--------
00407E96 TEST EAX,EAX
----------------
00404C40 PUSH -1
00404C42 PUSH 5494B8
00404C47 MOV EAX,DWORD PTR FS:[0]
00404C4D PUSH EAX
00404C4E PUSH ECX
00404C4F PUSH ESI
00404C50 PUSH EDI
00404C51 MOV EAX,DWORD PTR DS:[5A0B10]
00404C56 XOR EAX,ESP
00404C58 PUSH EAX
00404C59 LEA EAX,DWORD PTR SS:[ESP+10]
00404C5D MOV DWORD PTR FS:[0],EAX
00404C63 MOV EDI,ECX
00404C65 JMP 0099DD74
----------

So I have no second OS at the moment to test the unpacked file under another system. So I hope this unpacked file will also work for you. Just test it and post a comment whether it works or not. If it does not work then the reason should be in this routine which I have not fixed now. So then you can set a BP on...

00407E94 CALL EAX <-------- BP / run
00407E96 TEST EAX,EAX <-- BP too

Try if you come out to address 00407E96. If yes then the unpacked file should work.

greetz

test_VP_Unpacked.rar

zenix (Author)
Posted June 3, 2010

On my system, it will come out to address 00407E96.
Yes, the problem is inside 00407E94 CALL EAX.
This is VProtect SDK and also the calls inside are not fixed.
However, I think it should be no problem with SDK.
Did you fix some code inside?
And I found it crashed inside this call at 411CF5.

00411CF2 8B45 EC mov eax, dword ptr [ebp-14]
00411CF5 E8 F6031100 call 005220F0
00411CFA C2 1000 retn 10

I guess that some Virtualized IAT is not restored, yet.

LCF-AT
Posted June 5, 2010

Hi,

ah ok and thanks for testing. No, I just fixed all call, jmp and mov APIs.

00950BEC C3 RETN
--------
009468A0 C3 RETN // Jump back to codesection BP it. {output}
---------

This is one calc routine for next trace

00976402 PUSH -0D92
00976407 PUSH -2CB4
0097640C PUSH EAX
0097640D PUSHFD
0097640E MOV EAX,DWORD PTR SS:[ESP+8]
00976412 XOR DWORD PTR SS:[ESP+C],EAX
00976416 CALL 0097641B
0097641B POP EAX
0097641C SUB EAX,0F
0097641F ADD DWORD PTR SS:[ESP+8],EAX
00976423 POPFD
00976424 POP EAX
00976425 RETN <-- Jump back to next trace routine / pushfd {Input}

I analyze these routines after call eax now, then I try to fix it.

greetz

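The stack arithmetic of the calc routine quoted in the post above can be followed statically; the script below is an added example and not part of any participant's post. It models only a stub of this exact shape, takes the listing text as posted, and uses constructed placeholder values for the saved EAX and EFLAGS (they do not affect the result).

```python
import re

MASK = 0xFFFFFFFF

# Listing as quoted in the post (OllyDbg syntax, hex operands).
STUB = """\
00976402 PUSH -0D92
00976407 PUSH -2CB4
0097640C PUSH EAX
0097640D PUSHFD
0097640E MOV EAX,DWORD PTR SS:[ESP+8]
00976412 XOR DWORD PTR SS:[ESP+C],EAX
00976416 CALL 0097641B
0097641B POP EAX
0097641C SUB EAX,0F
0097641F ADD DWORD PTR SS:[ESP+8],EAX
00976423 POPFD
00976424 POP EAX
00976425 RETN
"""

def resolve_stub(listing):
    """Return (retn_target, dword_left_on_stack) for a stub of this shape."""
    # Immediate pushes only: "PUSH EAX" and "PUSHFD" do not match.
    imms = re.findall(r"PUSH (-?[0-9A-F]+)\s*$", listing, re.M)
    first, second = (int(v, 16) & MASK for v in imms)
    # Assumption: the CALL targets the very next instruction (call $+5),
    # so the pushed return address equals the call target.
    call_ret = int(re.search(r"CALL ([0-9A-F]{8})", listing).group(1), 16)
    sub_imm = int(re.search(r"SUB EAX,([0-9A-F]+)", listing).group(1), 16)

    stack = [first, second]           # stack[-1] is [ESP]
    stack.append(0xDEADBEEF)          # PUSH EAX  (constructed placeholder)
    stack.append(0x00000202)          # PUSHFD    (constructed placeholder)
    eax = stack[-3]                   # MOV EAX,[ESP+8]
    stack[-4] ^= eax                  # XOR [ESP+C],EAX
    stack.append(call_ret)            # CALL pushes its return address
    eax = (stack.pop() - sub_imm) & MASK      # POP EAX / SUB EAX,imm
    stack[-3] = (stack[-3] + eax) & MASK      # ADD [ESP+8],EAX
    stack.pop()                       # POPFD
    stack.pop()                       # POP EAX
    target = stack.pop()              # RETN consumes the adjusted dword
    return target, stack[-1]

if __name__ == "__main__":
    target, leftover = resolve_stub(STUB)
    print(f"RETN target {target:08X}, dword left on stack {leftover:08X}")
```

For the listing as posted, the RETN lands at 00973758 and the dword 00002122 remains on top of the stack.
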
LCF-AT
Posted July 26, 2011

Hi,

does someone of you still have this unpackme somewhere? So I have it no more and it was also not attached on this board and the link no longer works. So if you got it then it would be nice if you can attach it here again.

Thank you