Tuts 4 You

[unpackme] VPRotect1.6.2unpackme


zenix


VProtect is a new Protector by cooolie.

This is the unpackme for you to test.


http://fs.unpack.cn/?fs=0&u=80 test_VP

If you are interested, here is the download address of the DEMO version.
http://www.vmprotect.net/demo/VProtectDemo.rar

And here is the official website
http://www.vmprotect.net


The [unpackme] tag has been added to your topic title.

Please remember to follow and adhere to the topic title format - thank you!

[This is an automated reply]


Hi,

Here is my unpacked file. So I have fixed everything except one....


00407E86 PUSH 0
00407E88 PUSH 0CF8000
00407E8D PUSH 80
00407E92 MOV ECX,EDI
00407E94 CALL EAX <--------
00407E96 TEST EAX,EAX
----------------
00404C40 PUSH -1
00404C42 PUSH 5494B8
00404C47 MOV EAX,DWORD PTR FS:[0]
00404C4D PUSH EAX
00404C4E PUSH ECX
00404C4F PUSH ESI
00404C50 PUSH EDI
00404C51 MOV EAX,DWORD PTR DS:[5A0B10]
00404C56 XOR EAX,ESP
00404C58 PUSH EAX
00404C59 LEA EAX,DWORD PTR SS:[ESP+10]
00404C5D MOV DWORD PTR FS:[0],EAX
00404C63 MOV EDI,ECX
00404C65 JMP 0099DD74
----------

So I have no second OS at the moment to test the unpacked file under another system. So I hope this unpacked file will also work for you. Just test it and post a comment whether it works or not. If it does not work, then the reason should be in this routine, which I have not fixed yet. So then you can set a BP on...

00407E94  CALL EAX  <-------- BP / run
00407E96 TEST EAX,EAX <-- BP too

Try whether you come out at address 00407E96. If yes, then the unpacked file should work.

greetz

test_VP_Unpacked.rar


On my system, it will come out to address 00407E96.

Yes, the problem is inside 00407E94 CALL EAX.

This is VProtect SDK and also the calls inside are not fixed.

However, I think it should be no problem with SDK.

Did you fix some code inside?

And I found it crashed inside this call at 411CF5.

00411CF2 8B45 EC mov eax, dword ptr [ebp-14]
00411CF5 E8 F6031100 call 005220F0
00411CFA C2 1000 retn 10

I guess that some Virtualized IAT is not restored, yet.


Hi,

Ah OK, and thanks for testing.

No, I just fixed all call, jmp and mov APIs.

00950BEC C3 RETN
--------
009468A0 C3 RETN // Jump back to code section, BP it. {output}
---------
This is one calc routine for next trace
00976402 PUSH -0D92
00976407 PUSH -2CB4
0097640C PUSH EAX
0097640D PUSHFD
0097640E MOV EAX,DWORD PTR SS:[ESP+8]
00976412 XOR DWORD PTR SS:[ESP+C],EAX
00976416 CALL 0097641B
0097641B POP EAX
0097641C SUB EAX,0F
0097641F ADD DWORD PTR SS:[ESP+8],EAX
00976423 POPFD
00976424 POP EAX
00976425 RETN <-- Jump back to next trace routine / pushfd {Input}

I analyze these routines after call eax now, then I try to fix it.

greetz
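
An added example, not part of the original post: a minimal stack emulator for the "calc routine" listing above that resolves statically where its final RETN lands. It handles only the instructions in that listing and assumes the CALL targets the following line, as posted; the starting EAX and EFLAGS values are constructed placeholders.

```python
import re
# Listing copied from the post above (addresses and operands as posted).
LISTING = """\
00976402 PUSH -0D92
00976407 PUSH -2CB4
0097640C PUSH EAX
0097640D PUSHFD
0097640E MOV EAX,DWORD PTR SS:[ESP+8]
00976412 XOR DWORD PTR SS:[ESP+C],EAX
00976416 CALL 0097641B
0097641B POP EAX
0097641C SUB EAX,0F
0097641F ADD DWORD PTR SS:[ESP+8],EAX
00976423 POPFD
00976424 POP EAX
00976425 RETN
"""
M = 0xFFFFFFFF  # 32-bit wraparound mask

def slot(operand):
    """Stack index (0 = top) for an operand like DWORD PTR SS:[ESP+C]."""
    return int(re.search(r"\[ESP\+([0-9A-F]+)\]", operand).group(1), 16) // 4

def resolve_stub(listing, eax=0x11111111, eflags=0x202):
    """Return (RETN target, dword left at [ESP]); eax/eflags are constructed."""
    rows = [ln.split(None, 2) for ln in listing.splitlines() if ln.strip()]
    stack = []  # stack[0] is the dword at [ESP]
    for i, row in enumerate(rows):
        op, arg = row[1], (row[2] if len(row) > 2 else "")
        if op == "PUSH":
            stack.insert(0, eax if arg == "EAX" else int(arg, 16) & M)
        elif op == "PUSHFD":
            stack.insert(0, eflags)
        elif op == "CALL":  # pushes the address of the following instruction
            stack.insert(0, int(rows[i + 1][0], 16))
        elif op == "POP":
            eax = stack.pop(0)
        elif op == "POPFD":
            eflags = stack.pop(0)
        elif op == "MOV":  # only the load-from-stack form used in the listing
            eax = stack[slot(arg.split(",")[1])]
        elif op == "SUB":
            eax = (eax - int(arg.split(",")[1], 16)) & M
        elif op in ("XOR", "ADD"):
            s = slot(arg.split(",")[0])
            stack[s] = (stack[s] ^ eax if op == "XOR" else stack[s] + eax) & M
        elif op == "RETN":
            return stack.pop(0), stack[0]
        else:
            raise ValueError(f"unsupported instruction: {op}")
```

The result does not depend on the incoming EAX or EFLAGS, because the stub saves and restores both; the CALL/POP pair only serves to obtain the stub's own address, which makes the computed target position-independent.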


  • 1 year later...

Hi,

Does any of you still have this unpackme somewhere? I no longer have it, and it was also not attached on this board, and the link no longer works. So if you have it, it would be nice if you could attach it here again. :)

Thank you
