December 12, 2010
Hello, OK, here are my unpacked files so far. I have inserted 2 unpacked files, so if the just-unpacked file does not work then try the unpacked file + CPUID patch. So both files are working like the original file. I get a number if I press the OK button. So what does it mean with - pack the output file? OK, just test them and tell whether the file/s are working or not.
PS: If you use Win7 then disable the ASLR feature to get the same section addresses.
PS2: If you need to use the CPUID file and if it crashes then try it some more times.
greetz
2x_UnpackME_Unpacked+CPUID.rar
December 12, 2010
UnpackME.exe (protected) = Runs fine of course, I get numbers when I press the OK button, no matter how many times I press.
UnpackME_Unpacked+CPUID.exe = Runs fine in WinXP3, I get numbers when I press the OK button. But it's unstable. Crashes if I press the OK button some more times.
UnpackME_Unpacked.exe = Runs fine in WinXPSP3, crashes when I press the OK button.
Not perfect
Edited December 12, 2010 by (*_*)
December 13, 2010
@ (*_*) Thanks for testing. Ah yes, this is the nasty CPUID + self-code-checking! I find no good solution for this feature. PS: Do it better! greetz
December 13, 2010
How to disable ASLR on Win 7? I searched about it and didn't find any solution.
December 13, 2010
@ (*_*) Hahahaha! Today is not the 1st of April, or?
@ blackpirate Vista & 7 have ASLR (Address Space Layout Randomization) enabled by default.
ASLR (Address Space Layout Randomization)
So try to goog..it where you can disable this feature for Win7, or try to ask panga, so he must know it. Maybe someone else can answer this question here for you. If someone of you knows then post an answer please.
@ wgz0001 "only sometimes crash" --- Yes I know it, the anti-patch self-code-checking. Maybe I can find a solution for this in the future.
greetz
December 13, 2010
thnx LCF! I asked because I used google already! but no result for Win 7! only Vista! and things are not the same.... cheers! I just wanna test your unpacks on Win 7! regards master! bp
December 14, 2010
@ blackpirate hmmm, so you know I just use WinXP, and "panga" told me about the ASLR feature that he had to disable it, and he uses Win7! So better you ask him where to disable it. Just have a look at my VMP script topic.
@ EvOlUtIoN
00471594 CPUID
00471596 JMP 0119A3B2
---------My CPUID Values x4---------
0119A3B2 MOV EAX,683
0119A3B7 MOV ECX,0
0119A3BC MOV EDX,387F9FF
0119A3C1 MOV EBX,2
---------
0119A3C6 BT CX,BP
0119A3CA BT DX,DI
0119A3CE JMP 0047159E
So just set a BP on the CPUID above and then press the OK button of the UnpackMe, then you will break on it. So I need to patch all 4 reg values to get the target to also run on other systems, but the problem is still the self-checking of the code itself, so you know this problem. So I really have no idea how to defeat this anti-patching problem.
0040211C XOR AL,BYTE PTR DS:[EDX] // edx = Address to calc
[EBP] - Counter
0012FFBC 000000FA // Address + counter = Last check Address
00471E59 INC EDX // Address +1
00472879 DEC DWORD PTR SS:[EBP] // dec counter
00473744 JNZ 004727CF
0047374A PUSHFD // Block end
greetz
December 14, 2010
thank you lcf-at, I would like to find a solution without losing time in unpacking the target itself. Tried on another one but also for me it's still impossible to solve. Hope to have news soon. Notice that in some targets I found more than one CPUID check, sometimes 3 different places also.
Edited December 14, 2010 by EvOlUtIoN
December 14, 2010
@ EvOlUtIoN no problem. Yes, I have seen more than one CPUID check too on other targets. Maybe you can find a solution for this check problem soon. So I hope it.
Info: You can also set a bp here 004020A0 VM Entry. Let's start rebuilding the VM now! Or do this now....
PUSH 40
PUSH xxxxxxxx ; ASCII "Vmprotect 2.07 UnpackMe"
PUSH xxxxxxxx ; 58621626BDD6F3E6F491EC22171AFAC0
PUSH hOwner ; ('Vmprotect 2.07 UnpackMe',class='#32770')
CALL MessageBoxA
ret
greetz
December 15, 2010
eheh, yes...it can be done. But as you know it won't solve the problem...maybe for this unpackme but not for others at all
December 15, 2010
Works without any problem. btw, I would like to register there, can you please PM me that (邀请码) code?
December 15, 2010
mhhhh...this seems to work, but again it is only for this target, he rebuilt some code so the VM is never executed, but in other targets it won't be so easy. Nice rebuilding indeed.
December 16, 2010, Author
"Works without any problem. btw, I would like to register there, can you please PM me that (邀请码) code?"
BBS will be open for registration on New Year's Day, please pay attention, thx
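December 22, 2010
How many days will registration be open? Only on New Year's Day? Could you register cooooldog for me? I might not be able to get online on New Year's Day.
"BBS will be open for registration on New Year's Day, please pay attention, thx"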
June 2, 2011
one more example of unpacked http://rghost.ru/9150321
tested only on one computer but contains simple pre-OEP fix for CPUID antidump
Edited June 3, 2011 by av999