Tuts 4 You

[unpackme] VMP2.07 unpackme


wgz0001


Hello,

OK, here are my unpacked files so far. I have included 2 unpacked files, so if the just-unpacked file does not work then try the unpacked file + CPUID patch. So both files are working like the original file. I get a number if I press the OK button.

So what does it mean with "pack the output file"?

OK, just test them and tell me whether the file(s) are working or not.

PS: If you use Win7 then disable the ASLR feature to get the same section addresses.

PS2: If you need to use the CPUID file and it crashes, then try it some more times.

greetz

2x_UnpackME_Unpacked+CPUID.rar


UnpackME.exe (protected) = Runs fine of course, I get numbers when I press the OK button, no matter how many times I press.

UnpackME_Unpacked+CPUID.exe = Runs fine in WinXP SP3, I get numbers when I press the OK button. But it's unstable. Crashes if I press the OK button some more times.

UnpackME_Unpacked.exe = Runs fine in WinXP SP3, crashes when I press the OK button.

Not perfect :P

Edited by (*_*)

@ (*_*)

Thanks for testing. Ah yes, this is the nasty CPUID + self-code-checking!

I find no good solution for this feature.

PS: Do it better! :woot:

greetz


The [unpackme] tag has been added to your topic title.

Please remember to follow and adhere to the topic title format - thankyou!

[This is an automated reply]


@ (*_*)

Hahahaha! :)

Today is not the 1st of April, is it?

@ blackpirate

Vista & 7 have ASLR (Address Space Layout Randomization) enabled by default.

ASLR (Address Space Layout Randomization)

So try to google where you can disable this feature for Win7, or try to ask panga, as he must know it. Maybe someone else can answer this question here for you. If someone of you knows, then post an answer please.

@ wgz0001

"only sometimes crash" --- Yes, I know, it's the anti-patch self-code-checking. Maybe I can find a solution for this in the future.

greetz


Thanks LCF! :yes:

I asked because I used Google already! But no result for Win 7!

Only Vista! And things are not the same....

cheers!

I just wanna test your unpacks on Win 7!

regards master!

bp


@ blackpirate

Hmmm, so you know I just use WinXP, and "panga" told me about the ASLR feature, that he had to disable it, and he uses Win7! So better you ask him where to disable it. Just have a look at my VMP script topic.

@ EvOlUtIoN

00471594  CPUID
00471596 JMP 0119A3B2
---------
My CPUID Values x4
---------
0119A3B2 MOV EAX,683
0119A3B7 MOV ECX,0
0119A3BC MOV EDX,387F9FF
0119A3C1 MOV EBX,2
---------
0119A3C6 BT CX,BP
0119A3CA BT DX,DI
0119A3CE JMP 0047159E

So just set a BP on the CPUID above and then press the OK button of the UnpackMe, then you will break on it. So I need to patch all 4 reg values to get the target to also run on other systems, but the problem is still the self-checking of the code itself, so you know this problem. So I really have no idea how to defeat this anti-patching problem.

0040211C  XOR AL,BYTE PTR DS:[EDX]  // edx = Address to calc, [EBP] = Counter
0012FFBC  000000FA                  // Address + counter = Last check Address
00471E59  INC EDX                   // Address + 1
00472879  DEC DWORD PTR SS:[EBP]    // dec counter
00473744  JNZ 004727CF
0047374A  PUSHFD                    // Block end

greetz

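The self-code-checking loop lcf-at quotes above (XOR AL with each byte at [EDX], INC EDX, DEC the counter at [EBP], JNZ back) is a plain rolling XOR over a code block. The C program below is an added example, not code from this thread or from VMProtect: it reimplements that loop over a constructed buffer of 0xFA bytes (the counter value visible in the post) and shows why a single hand-patched byte inside the checked range, such as an altered MOV immediate, makes the checksum recorded at protect time stop matching. The buffer contents, the names `xor_checksum`, `region_intact` and `patch_detected`, and the patched offset 0x40 are assumptions of the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Rolling XOR over a byte range, mirroring the loop quoted in the post:
 *   XOR AL, BYTE PTR [EDX]   ; fold the next byte into AL
 *   INC EDX                  ; advance the pointer
 *   DEC DWORD PTR [EBP]      ; count down
 *   JNZ loop
 * Returns the 8-bit value that AL holds when the loop exits. */
uint8_t xor_checksum(const uint8_t *start, size_t count)
{
    uint8_t al = 0;
    for (size_t i = 0; i < count; i++) {
        al ^= start[i];
    }
    return al;
}

/* Compare a region against the checksum stored when the binary was protected.
 * Returns 1 when the bytes are unchanged, 0 when the fold no longer matches. */
int region_intact(const uint8_t *start, size_t count, uint8_t expected)
{
    return xor_checksum(start, count) == expected;
}

/* Constructed sample: 0xFA bytes (the counter shown in the post) standing in
 * for a protected code block. A real protector folds its own .text bytes;
 * the deterministic fill here lets the example run on any machine. */
#define SAMPLE_LEN 0xFA
static uint8_t sample_block[SAMPLE_LEN];

void fill_sample(void)
{
    for (size_t i = 0; i < SAMPLE_LEN; i++) {
        sample_block[i] = (uint8_t)(i * 7 + 3);  /* arbitrary constructed content */
    }
}

/* Shows the anti-patch effect: flip one bit of one byte inside the checked
 * range (what a hand patch of an immediate operand would do) and the stored
 * checksum no longer verifies. Returns 1 when the change is detected. */
int patch_detected(void)
{
    fill_sample();
    uint8_t expected = xor_checksum(sample_block, SAMPLE_LEN);

    sample_block[0x40] ^= 0x01;   /* assumed patch offset, one bit flipped */
    int detected = !region_intact(sample_block, SAMPLE_LEN, expected);

    fill_sample();                /* restore the block so the call is repeatable */
    return detected;
}

int main(void)
{
    fill_sample();
    printf("checksum of sample block: 0x%02X\n",
           xor_checksum(sample_block, SAMPLE_LEN));
    printf("single-byte patch detected: %d\n", patch_detected());
    return 0;
}
```

An 8-bit XOR fold catches any single changed byte, but two changes that flip the same bit pattern cancel each other out, which is why commercial protectors layer stronger hashes on top and run the check from inside the VM; the shape of the loop, a pointer, a counter and an accumulator register, is what to recognise when stepping through it.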

Thank you lcf-at, I would like to find a solution without losing time in unpacking the target itself. Tried on another one, but also for me it's still impossible to solve. Hope to have news soon.

Notice that in some targets I found more than one CPUID check, sometimes in 3 different places also.

Edited by EvOlUtIoN

@ EvOlUtIoN

No problem. Yes, I have seen the more-than-one CPUID checks too on other targets.

Maybe you can find a solution for this check problem soon. I hope so.

Info: You can also set a BP here: 004020A0 VM Entry. :) Let's start rebuilding the VM now! :)

Or do this now....

PUSH 40
PUSH xxxxxxxx ; ASCII "Vmprotect 2.07 UnpackMe"
PUSH xxxxxxxx ; 58621626BDD6F3E6F491EC22171AFAC0
PUSH hOwner ; ('Vmprotect 2.07 UnpackMe',class='#32770')
CALL MessageBoxA
ret

:)

greetz


Mhhhh... this seems to work, but again it is only for this target; he rebuilt some code so the VM is never executed, but in other targets it won't be so easy. Nice rebuilding indeed.


Works without any problem.

btw,

I would like to register there, can you please PM me that (invitation) code?

The BBS will open registration on New Year's Day.

Please pay attention.

thx :rolleyes:


How many days will registration be open? Only on New Year's Day?

Could you register "cooooldog" for me? I may not be able to get online on New Year's Day.

The BBS will open registration on New Year's Day.

Please pay attention.

thx :rolleyes:
