Tuts 4 You

[unpackme] VMP2.07 unpackme



Posted

Hello,

OK, here are my unpacked files so far. I have included 2 unpacked files, so if the just-unpacked file does not work, then try the unpacked file + CPUID patch. Both files work like the original file. I get a number if I press the OK button.

So what is meant by "pack the output file"?

OK, just test them and tell me whether the file(s) are working or not.

PS: If you use Win7, then disable the ASLR feature to get the same section addresses.

PS2: If you need to use the CPUID file and it crashes, then try it a few more times.

greetz

2x_UnpackME_Unpacked+CPUID.rar

  • Like 1
Posted (edited)

UnpackME.exe (protected) = Runs fine of course, I get numbers when I press the OK button, no matter how many times I press.

UnpackME_Unpacked+CPUID.exe = Runs fine in WinXP SP3, I get numbers when I press the OK button. But it's unstable. Crashes if I press the OK button a few more times.

UnpackME_Unpacked.exe = Runs fine in WinXP SP3, crashes when I press the OK button.

Not perfect :P

Edited by (*_*)
  • Like 1
Posted

@ (*_*)

Thanks for testing. Ah yes, this is the nasty CPUID + self-code-checking!

I have found no good solution for this feature.

PS: Do it better! :woot:

greetz

  • Like 1
Posted

The [unpackme] tag has been added to your topic title.

Please remember to follow and adhere to the topic title format - thank you!

[This is an automated reply]

  • Like 1
Posted

How do I disable ASLR on Win 7?

  • Like 1
Posted

How do I disable ASLR on Win 7?

I searched about it and didn't find any solution :confused:

  • Like 1
Posted

LCF-AT very strong :worthy:

only sometimes crashes

  • Like 1
Posted

@ (*_*)

Hahahaha! :)

Today is not the 1st of April, or is it?

@ blackpirate

Vista & 7 have ASLR (Address Space Layout Randomization) enabled by default.


So try to google where you can disable this feature for Win7, or try to ask panga, as he must know it. Maybe someone else can answer this question here for you. If any of you know, then please post an answer.

@ wgz0001

"only sometimes crash" --- Yes, I know, it's the anti-patch self-code-checking. Maybe I can find a solution for this in the future.

greetz

  • Like 1
Posted

Thanks LCF! :yes:

I asked because I used Google already! But no result for Win 7!

Only Vista! And things are not the same....

Cheers!

I just wanna test your unpacks on Win 7!

regards master!

bp

Posted

LCF-AT, what are your CPUID codes?

Posted

@ blackpirate

Hmmm, so you know, I just use WinXP, and "panga" told me about the ASLR feature, that he had to disable it, and he uses Win7! So better you ask him where to disable it. Just have a look at my VMP script topic.

@ EvOlUtIoN

00471594  CPUID
00471596 JMP 0119A3B2
---------
My CPUID Values x4
---------
0119A3B2 MOV EAX,683
0119A3B7 MOV ECX,0
0119A3BC MOV EDX,387F9FF
0119A3C1 MOV EBX,2
---------
0119A3C6 BT CX,BP
0119A3CA BT DX,DI
0119A3CE JMP 0047159E

So just set a BP on the CPUID above and then press the OK button of the UnpackMe, then you will break on it. So I need to patch all 4 register values to get the target to also run on other systems, but the problem is still the self-checking of the code itself, so you know this problem. So I really have no idea how to defeat this anti-patching problem.

0040211C  XOR AL,BYTE PTR DS:[EDX]  // edx = Address to calc, [EBP] = Counter
0012FFBC  000000FA                  // Address + counter = Last check Address
00471E59  INC EDX                   // Address + 1
00472879  DEC DWORD PTR SS:[EBP]    // dec counter
00473744  JNZ 004727CF
0047374A  PUSHFD                    // Block end

greetz

  • Like 1
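The two mechanisms discussed in the post above, as an added illustration that is not code from the thread or from the UnpackMe: CPUID leaf 1 returns a per-CPU signature in EAX (stepping, model, family), so a file with the four register values hardcoded from one machine reports another machine's CPU wrongly; and a running XOR over the code region, shaped like the XOR AL,[EDX] / INC EDX / DEC [EBP] / JNZ loop shown, changes as soon as any byte in that region (including a patched immediate) is altered. The field layout of leaf 1 EAX is the documented Intel/AMD encoding; the byte encodings of the four MOVs are constructed here from the listing in the post; the live CPUID read assumes GCC or Clang's <cpuid.h> on x86 and is skipped elsewhere.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

/* Fields packed into EAX by CPUID leaf 1. */
struct cpu_sig { unsigned family, model, stepping; };

/* Decode the leaf-1 EAX "version information" word:
 * stepping bits 3:0, model bits 7:4, family bits 11:8,
 * extended model bits 19:16, extended family bits 27:20. */
struct cpu_sig decode_leaf1_eax(uint32_t eax)
{
    struct cpu_sig s;
    s.stepping = eax & 0xF;
    s.model    = (eax >> 4) & 0xF;
    s.family   = (eax >> 8) & 0xF;
    if (s.family == 0xF)
        s.family += (eax >> 20) & 0xFF;
    if (s.family == 0x6 || s.family == 0xF)
        s.model += ((eax >> 16) & 0xF) << 4;
    return s;
}

/* Execute CPUID leaf 1 on the running machine (x86 only); returns 0 if
 * unavailable. This is the value a protector compares against. */
int read_leaf1(uint32_t *eax, uint32_t *ebx, uint32_t *ecx, uint32_t *edx)
{
#if defined(__x86_64__) || defined(__i386__)
    unsigned a, b, c, d;
    if (!__get_cpuid(1, &a, &b, &c, &d))
        return 0;
    *eax = a; *ebx = b; *ecx = c; *edx = d;
    return 1;
#else
    (void)eax; (void)ebx; (void)ecx; (void)edx;
    return 0;
#endif
}

/* Running XOR over a code region: the same operation as the
 * XOR AL,[EDX]; INC EDX; DEC [EBP]; JNZ loop quoted in the post. */
uint8_t xor_checksum(const uint8_t *code, size_t len)
{
    uint8_t al = 0;
    for (size_t i = 0; i < len; i++)
        al ^= code[i];
    return al;
}

/* Constructed stand-in for a checked code region: the four
 * "MOV reg,imm32" instructions carrying the hardcoded leaf-1 values
 * from the post, followed by zero padding. Returns 1 when patching the
 * EAX immediate (0x683 -> 0x6A4, another family/model/stepping) is
 * caught by the self-check, which for a one-byte change is always. */
int patch_is_detected(void)
{
    uint8_t region[32] = {
        0xB8, 0x83, 0x06, 0x00, 0x00,   /* MOV EAX,683     */
        0xB9, 0x00, 0x00, 0x00, 0x00,   /* MOV ECX,0       */
        0xBA, 0xFF, 0xF9, 0x87, 0x03,   /* MOV EDX,387F9FF */
        0xBB, 0x02, 0x00, 0x00, 0x00,   /* MOV EBX,2       */
    };
    uint8_t expected = xor_checksum(region, sizeof region);
    region[1] = 0xA4;                   /* patch: EAX immediate becomes 0x6A4 */
    return xor_checksum(region, sizeof region) != expected;
}

int main(void)
{
    uint32_t a, b, c, d;
    if (read_leaf1(&a, &b, &c, &d)) {
        struct cpu_sig me = decode_leaf1_eax(a);
        printf("this CPU:   EAX=%08X family %u model %u stepping %u\n",
               a, me.family, me.model, me.stepping);
    }
    struct cpu_sig post = decode_leaf1_eax(0x683);
    printf("post value: EAX=00000683 family %u model %u stepping %u\n",
           post.family, post.model, post.stepping);
    printf("patching the hardcoded CPUID result is %s by the XOR self-check\n",
           patch_is_detected() ? "detected" : "missed");
    return 0;
}
```

Run on any other x86 box the first line will differ from the second, which is exactly why a file carrying one machine's four values is not portable; and because those immediates sit inside the region the XOR loop covers, correcting them changes the checksum the protector expects.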
Posted (edited)

Thank you LCF-AT, I would like to find a solution without losing time unpacking the target itself. Tried on another one, but for me too it's still impossible to solve. Hope to have news soon.

Notice that in some targets I found more than one CPUID check, sometimes in 3 different places.

Edited by EvOlUtIoN
Posted

@ EvOlUtIoN

No problem. Yes, I have seen the multiple CPUID checks too on other targets.

Maybe you can find a solution for this check problem soon. I hope so.

Info: You can also set a BP here: 004020A0 VM Entry. :) Let's start rebuilding the VM now! :)

Or do this now....

PUSH 40
PUSH xxxxxxxx ; ASCII "Vmprotect 2.07 UnpackMe
PUSH xxxxxxxx ; 58621626BDD6F3E6F491EC22171AFAC0
PUSH hOwner ; ('Vmprotect 2.07 UnpackMe',class='#32770')
CALL MessageBoxA
ret

:)

greetz

  • Like 1
Posted

Eheh, yes... it can be done. But as you know it won't solve the problem... maybe for this unpackme, but not for others at all :D

Posted

test this

unpacked by josong from www.52pojie.cn

thx

d_.rar

Posted

Works without any problem.

BTW,

I would like to register there; can you please PM me that (invitation code) code?

Posted

Mhhhh... this seems to work, but again it is only for this target; he rebuilt some code so the VM is never executed, but in other targets it won't be so easy. Nice rebuilding indeed.

Posted

Works without any problem.

BTW,

I would like to register there; can you please PM me that (invitation code) code?

The BBS will be open for registration on New Year's Day.

Please pay attention.

thx :rolleyes:

Posted

How many days will registration be open? Just the one day on New Year's Day?

Can you register "cooooldog" for me? I may not be able to get online on New Year's Day.

The BBS will be open for registration on New Year's Day.

Please pay attention.

thx :rolleyes:

  • 5 months later...
Posted (edited)

One more example of an unpacked file: http://rghost.ru/9150321

Tested only on one computer, but it contains a simple pre-OEP fix for the CPUID anti-dump.

Edited by av999
