Tuts 4 You

[UnpackMe] My UnpackMe 1.9


Posted (edited)

Hello Dear Masters

Here we have a new version of the hefaz protector with a little more security.

In the UnpackMe we have ....

1. Advanced Nanomites

2. Code Redirection

3. Ultra AntiDebug

4. Better speed than version 1.8.0

5. Fixed the crash problem (seen in the 1.8 UnpackMe).

6. There are no additional protectors like VMProtect or ...

Please unpack it and write a tut. :hands:

Download it from here....

http://www.4shared.com/file/2pwKhbEm/UnpackMe.html

Best Regards.

Thanks.

Edited by Gladiator
Posted

Hello Gladiator,

nice to see a new version of this protector. :)

1. Attach your UnpackMe on the board, please. I don't want to use some slow host, you know.

2. Problem is that your exe does not start correctly.

---- Reason is the DebugBlocker.exe [3 KB] which will be created in the Windows folder. Also everyone will scream if the antivirus app says something like in my case... Hijacker etc... you know.

0046C4E0   PUSH EBP  <--- Patch to return then it starts correctly.
------------
0046C51E MOV EDX,46C560 ; ASCII "\DebugBlocker.exe"
0046C523 CALL 00404C78 ; 00404C78
0046C528 MOV EAX,DWORD PTR SS:[EBP-4]
0046C52B CALL 00404E3C ; 00404E3C
0046C530 PUSH EAX
0046C531 CALL 00406B78 ; JMP to kernel32.WinExec
0046C536 XOR EAX,EAX

So I see your exe creates a new exe, and then that one again creates a new exe.

look ebx
0045649C CMP BYTE PTR DS:[EAX],0
-----------
004564EA XOR DWORD PTR DS:[EBX],EAX
004564EC MOV EAX,DWORD PTR SS:[EBP-1060]
004564F2 CALL 00455EA8
004564F7 LEA EDX,DWORD PTR DS:[EBX+4]
004564FA XOR DWORD PTR DS:[EDX],EAX

0045657E XOR EAX,EAX

0046CB40   CMP DWORD PTR SS:[EBP-5C],80000003 <-- Int3 check
0046CB5A   MOV EAX,DWORD PTR DS:[EBX+B8]
etc
004D9648 <>PUSH EBP
004D9649 MOV EBP,ESP
004D964B ADD ESP,-10
004D964E PUSH EBX
004D964F MOV EAX,4D7688
004D9654 CALL 00406F0C ; 00406F0C
004D9659 MOV EAX,DWORD PTR DS:[5765CC]
004D965E MOV EAX,DWORD PTR DS:[EAX]
004D9660 CALL 004612A4 ; 004612A4
004D9665 PUSH 4D96C0 ; ASCII "DeDe"

Last exe OEP

0045770C >PUSH EBP
0045770D MOV EBP,ESP
0045770F ADD ESP,-10
00457712 MOV EAX,456B70

All in all, the Nanos are the problem, so after a fast look I can't see exactly what they write. I will look again later.

greetz

Posted (edited)

Thanks for your nice and short info, I will wait for your next and deeper look and maybe the unpacked file. :flowers:

Would you mind telling your antivirus name?

Thanks again.

Edited by Gladiator
Posted

Hi,

AV... AntiVir <-- :)

Ok, I attached your original UnpackMe now. So all can download it from my post in a fast way. Yes, I try to figure out / translate your Nano strings.

greetz

Hefaz1.9beta_UnpackMe.rar

Posted

Thank you so much, I had forgotten to attach the UnpackMe to the board. Sorry

Posted

Doesn't work here, it worked for the first two times, after that it keeps crashing.

Posted

Also, did you patch.....

0046C4E0 PUSH EBP <--- Patch to return then it starts correctly.

....?

For me it just runs if I patch this to prevent the loading / executing of the DebugBlocker.exe

Or try also to disable your AV tool.

greetz

Posted

Doesn't work here, it worked for the first two times, after that it keeps crashing.

As LCF-AT replied, it's about the anti-debug routine.

Posted

I patched that address, but it is still crashing.

No AV installed, Win XP SP2.

Posted

Hi,

so just try to break on the DebugBlocker routine and then ret it. Now just trace on with F8 till the next process is patched to EBFE. Now trace on till the next resume. Just trace till the process starts. So now if I patch it I also get a handle violation if I use F9. :)

@ Gladiator

Ok, here is my unpacked file. Test it and tell me whether it works for you. I see you also use now some normal calls [int3]. :)

greetz

Hefaz1.9beta_UnpackMe_Unpacked.rar

Posted (edited)

It does not work, probably because when I terminate the application with the Close button in the main form everything is ok, and when I terminate it with the Close button on the caption bar I get a crash.

It seems like you did not unpack the middle process, because there we have more complex nanomite operators like Push, Pop, Ret, mov, etc., and you just mentioned that Call is new. (I guess)

I think you have simulated the Exit operation by some tricks, and if I am right, in complex cases (if more code is redirected by nanomites) this will not work, and also the Close button has stolen bytes...

loc_00456B14: int 3
loc_00456B15: int 3
loc_00456B16: push edi
loc_00456B17: dec esp
loc_00456B18: and [eax], ah
loc_00456B1A: or al, 00h
loc_00456B1C: add [eax], al
loc_00456B1E: add [eax], al
loc_00456B20: add [eax], al
loc_00456B22: push edi
loc_00456B23: dec esp
loc_00456B24: and [eax], ah
loc_00456B26: mov eax, [459968h]
loc_00456B2B: mov eax, [eax]
loc_00456B2D: int 3
loc_00456B2E: int 3
loc_00456B2F: int 3
loc_00456B30: int 3
loc_00456B31: int 3
loc_00456B32: int 3
loc_00456B33: int 3
loc_00456B34: push edi
loc_00456B35: dec esp
loc_00456B36: and [eax], ah
loc_00456B38: or eax, 00000000h
loc_00456B3D: add [eax], al
loc_00456B3F: add [edi+4Ch], dl
loc_00456B42: and [eax], ah
loc_00456B44: ret

Thanks.

Edited by Gladiator
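A heuristic scanner for the INT3 nanomite pattern shown in the listing above, as an added example that is not part of the thread or of the Hefaz protector: the sample bytes are re-encoded by hand from loc_00456B14 to loc_00456B44, and the padding rule (a run preceded by RET that ends 16-byte aligned is compiler padding) is an assumption about typical compiler output, not something the thread states.

```python
# Added example (not from the thread or the Hefaz protector): flag INT3 (0xCC)
# runs that look like nanomites rather than compiler padding between functions.
from dataclasses import dataclass
from typing import List, Optional

CODE_BASE = 0x00456B14  # address of SAMPLE[0], matching the posted listing

# Constructed by hand from the listing loc_00456B14 .. loc_00456B44 above.
SAMPLE = bytes.fromhex(
    "CCCC"                        # 00456B14: int 3 / int 3
    "574C2020"                    # 00456B16: push edi / dec esp / and [eax],ah
    "0C00" "0000" "0000" "0000"   # 00456B1A: or al,0 / add [eax],al x3
    "574C2020"                    # 00456B22: push edi / dec esp / and [eax],ah
    "A168994500" "8B00"           # 00456B26: mov eax,[459968h] / mov eax,[eax]
    "CCCCCCCCCCCCCC"              # 00456B2D: seven int 3 in a row
    "574C2020" "0D00000000"       # 00456B34: junk / or eax,0
    "0000" "00574C" "2020" "C3"   # 00456B3D .. 00456B44: junk / ret
)

@dataclass
class Int3Run:
    address: int
    length: int
    prev_byte: Optional[int]   # byte before the run, None at buffer start

    @property
    def looks_like_padding(self) -> bool:
        # Assumption: compiler padding follows a RET and ends 16-byte aligned.
        return self.prev_byte == 0xC3 and (self.address + self.length) % 16 == 0

def find_int3_runs(code: bytes, base: int) -> List[Int3Run]:
    # Return every maximal run of 0xCC bytes in code, with its virtual address.
    runs: List[Int3Run] = []
    i = 0
    while i < len(code):
        if code[i] != 0xCC:
            i += 1
            continue
        j = i
        while j < len(code) and code[j] == 0xCC:
            j += 1
        runs.append(Int3Run(base + i, j - i, code[i - 1] if i else None))
        i = j
    return runs

if __name__ == "__main__":
    for r in find_int3_runs(SAMPLE, CODE_BASE):
        tag = "padding" if r.looks_like_padding else "NANOMITE?"
        print(f"{r.address:08X} int3 x{r.length:<2} {tag}")
```

On the sample both runs (two bytes at 00456B14, seven at 00456B2D) are reported as suspicious, since neither follows a RET, which matches the in-function placement the thread discusses.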
Posted

Hi,

yes, this is the only int3 routine which I have not fixed, so it jumps to this routine. So in this case I have forced a jump to exit process before. :)

greetz

Posted

I think if I used more complex code in the close button event it would make unpacking a little harder, am I right?

And finally, please rate its difficulty with a number between 0 and 10, thanks.

Posted

Sure you are right, so in this case it's just a small unpackme, and if you use a bigger target then I have more work to fix it. So I just used an experimental unpack.

Hmmm, it's hard again to say a level for this one. So if I knew the nano process then I would say level 3/10 for the moment.

greetz

Posted

Keep in mind LCF probably doesn't rate any packer more than 5 :D

Posted (edited)

Hello all masters again

I have fixed some bugs that I think sometimes make unpacking easy, I am not sure.

This unpackme needs a while, about 30 sec, to run.

In this release ...

1. Improved nanomite engine.

2. Removed the DebugBlock anti-debugger.

3. Fixed some bugs.

Special thanks to my hero, LCF-AT :flowers:

Best Regards.

Edited by Gladiator
Posted

Hi,

@ Fungus ...hmmm, you're right! :^

1. - Your new UnpackMe does not start, also not after 2 minutes; it hangs [stops] somewhere. Need again a debugger to start it correctly. Fix this next time, ok.

2. - The time factor is an important instrument for any user, so I HATE TO WAIT, you know this is a bad thing. So please kill this feature in your next version. If not, then I must throw it out the window. :)

3. - I see you added some new small bad things.... so I must learn to keep my mouth shut in the future, right! :slap:

4. - I patched the ID check so far. Inc al + jmp after. You know where to look.

5. - Thanks for the flowers Gladiator.


I just need to fix some small code things and then it's unpacked again.

PS: Don't forget to remove this time thing next time, ok.

greetz

Posted

1. - Your new UnpackMe does not start, also not after 2 minutes; it hangs [stops] somewhere. Need again a debugger to start it correctly. Fix this next time, ok.

2. - The time factor is an important instrument for any user, so I HATE TO WAIT, you know this is a bad thing. So please kill this feature in your next version. If not, then I must throw it out the window. :)

3. - I see you added some new small bad things.... so I must learn to keep my mouth shut in the future, right! :slap:

4. - I patched the ID check so far. Inc al + jmp after. You know where to look.

5. - Thanks for the flowers Gladiator.

Thanks LCF-AT, I will fix them in the next release, thanks for your note. ;)

I just need to fix some small code things and then it's unpacked again.

Thank you again, I will wait for your unpacked file.

Thanks.

Posted

Hello again

What did you do about unpacking?
