Jump to content
Tuts 4 You

[unpackme] VProtect_1[1].9.2.0

thisistest

By thisistest
in UnPackMe

 Share

Recommended Posts

  • 2 weeks later...
  • 1 month later...
Raham

Raham

Posted
Posted

*Unpacked By Narnia*

Just for XP ( Tested on XP SP2 and SP3 )


/>http://www.hyperupload.com/downloadfile.aspx?fv=Public/634376149112031250Project1_VP.1.93.unpacked.by.Narnia.rar

  • Like 2
BLaCkViRuS

BLaCkViRuS

Posted
Posted

Worked Fine :yes:

Thank You :lol:

thisistest

thisistest

Posted
  • Author
Posted

unpacked can run my on working xp

  • 3 months later...
LCF-AT

LCF-AT

Posted
Posted

Hi,

at the moment I write a unpacker script for VProtect. :)

So can someone test my unpacked file?Just test whether it runs for you.

XP SP2 <-- My OS | Test also the original file > NOTEPAD_VP 1.93.rar < so see whether it runs on your system.

greetz

NOTEPAD_VP 1.93_Unpacked.rar

JeRRy

JeRRy

Posted
Posted

Not works in my XP SP3 .

0111CE85 50 PUSH EAX

0111CE86 8D0418 LEA EAX,DWORD PTR DS:[EAX+EBX]

0111CE89 58 POP EAX

0111CE8A C3 RETN > 77D242A4 = Crash

$ ==> > 77D242A4

$+4 > 01004521 NOTEPAD_.01004521

$+8 > 01000000 NOTEPAD_.01000000

But works after NOPing 0100451B CALL NOTEPAD.010C740C .

Best Regards

JeRRy

LCF-AT

LCF-AT

Posted
Posted (edited)

Hi JeRRy,

thanks for testing. :) Nice to hear that it works.

Ah ok this was a script fault they missed this call in my LOG file.

Ok good to know so I will add a double check into the script now.

----------

0100451B | CALL DWORD PTR DS:[ADDR] ; USER32.LoadImageW | 77D242A4 SP2

----------

01004518     8945 E8             MOV DWORD PTR SS:[EBP-18],EAX
0100451B     E8 EC2E0C00         CALL 010C740C                                  ; NOTEPAD_.010C740C
01004520     F6                  ???                                            ; Unknown commandE8E8  <--- Here was the reason  My script was searching for E8 and then add 5 bytes.

greetz

Edited by LCF-AT
  • Like 1
LCF-AT

LCF-AT

Posted
Posted

Hi,

ok here now my other unpacked unpackme from the "Project1_VP 1.93.rar" package.

I added 2 files for testing on your system [one file is smaller so I cutted sections away].So both should work for you if "also" the original packed unpackme is running on your system.Just test it.Thank you.If all is working good then my unpack script will comming soon.

XP SP2 <-- My OS

greetz

Project1_VP 1.93_Unpacked_x2.rar

Zer0Flag

Zer0Flag

Posted
Posted

@LCF-AT

Both tested on WinXP SP3 and worked fine.

~0

BLaCkViRuS

BLaCkViRuS

Posted
Posted

tested and worked fine in winxpsp3 and xpsp2 ;)

LCF-AT

LCF-AT

Posted
Posted

@ Zer0Flag & BLaCkViRuS

Thank you for testing.Seems that I am on the right way. :)

Ok I see there are not much VProtect unpackmes on this board which I can test now. :( Is there someone who knows where to get some more VProtect unpackme's?If yes then you can post them too or does someone know some targets which are protected with VProtect?

Or if someone of you used the full VProtect protector.....then it would be nice if you can create a handfull of diffrent unpackme's with diffrent protection setings [everything except HWID] etc.This would be very nice and helpfully to test my script.Unfortunately is this protection a china version without a english language support [i think so].Have test the demo file and see just unreadable signs. :)

Thank you

BLaCkViRuS

BLaCkViRuS

Posted
Posted (edited)

Hi Dear LCF-AT

i just have demo version of VProtect.in Demo version protected file have Nag Screen and your file not protected with full functions :(

do you need to Orginal VProtect ? Or i Make Unpack Me with Demo Version ?

have a nice day

Edited by BLaCkViRuS
LCF-AT

LCF-AT

Posted
Posted

Hi BLaCkViRuS,

so normaly it would be good to get some diffrent protected VProtect files which I can test.

So if you have just the demo and if you know how to protect files with this demo then you can also create some unpackmes and write which protection features are enabled in your files.I don't know how to use the demo so its not in english.

Thank you

PS: Do you know some china men who can create some full protected VP files?Maybe you can ask someone there. :)

greetz

  • 1 month later...
LCF-AT

LCF-AT

Posted
Posted

@ thisistest

Can you also post some new VP 2.04 without HWID | Serial check?Would like to test whether there are new features added or not.

Thanks

LCF-AT

LCF-AT

Posted
Posted

Ah ok and thanks for the new files without HWID.

Here my first unpacked file.Just test it.

Unpacked with my beta script [2 minutes] + manually API moves [2 minutes].The script will later also support the manually API moves. :)

greetz

VProtectDemo 2.08_Unpacked x2.rar

thisistest

thisistest

Posted
  • Author
Posted

xp sp3 can working

LCF-AT

LCF-AT

Posted
Posted

Hi,

nice to hear thisistest. :)

Ok here the second file GetHWID.Whole IAT & commands are fixed except the one SDK call. :) So you will get no number in the free field.

00401371  CALL 007738DE                         ; SDK
-------
$+66     >AND BYTE PTR DS:[ECX],AL  // SDK end
$+68     >MOV EAX,1   // normal code again

Will check this SDK stuff deeper if my main script is finished.

greetz

GetHwid_Unpacked_No_SDK_Fix.rar

thisistest

thisistest

Posted
  • Author
Posted

$-3 > 51 push ecx

$-2 > FFD6 call esi ; USER32.SendMessageW

$ ==> > 90 nop

$+1 > 90 nop

$+2 > 90 nop

$+3 > 90 nop

$+4 > 90 nop

$+5 > 90 nop

$+6 > 90 nop

$+7 > 90 nop

$+8 > 90 nop

$+9 > 90 nop

$+A > 90 nop

$+B > 90 nop

$+C > 90 nop

$+D > 90 nop

$+E > 90 nop

$+F > 90 nop

$+10 > 90 nop

$+11 > 90 nop

$+12 > 90 nop

$+13 > 90 nop

$+14 > 90 nop

$+15 > 90 nop

$+16 > 90 nop

$+17 > 90 nop

$+18 > 90 nop

$+19 > 90 nop

$+1A > 90 nop

$+1B > 90 nop

$+1C > 90 nop

$+1D > 90 nop

$+1E > 90 nop

$+1F > 90 nop

$+20 > 90 nop

$+21 > 90 nop

$+22 > 90 nop

$+23 > 90 nop

$+24 > 90 nop

$+25 > 90 nop

$+26 > 90 nop

$+27 > 90 nop

$+28 > 90 nop

$+29 > 90 nop

$+2A > 90 nop

$+2B > 90 nop

$+2C > 90 nop

$+2D > 90 nop

$+2E > 90 nop

$+2F > 90 nop

$+30 > 90 nop

$+31 > 90 nop

$+32 > 90 nop

$+33 > 90 nop

$+34 > 90 nop

$+35 > 90 nop

$+36 > 90 nop

$+37 > 90 nop

$+38 > 90 nop

$+39 > 90 nop

$+3A > 90 nop

$+3B > 90 nop

$+3C > 90 nop

$+3D > 90 nop

$+3E > 90 nop

$+3F > 90 nop

$+40 > 90 nop

$+41 > 90 nop

$+42 > 90 nop

$+43 > 90 nop

$+44 > 90 nop

$+45 > 90 nop

$+46 > 90 nop

$+47 > 90 nop

$+48 > 90 nop

$+49 > 90 nop

$+4A > 90 nop

$+4B > 90 nop

$+4C > 90 nop

$+4D > 90 nop

$+4E > 90 nop

$+4F > 90 nop

$+50 > 90 nop

$+51 > 90 nop

$+52 > 90 nop

$+53 > 90 nop

$+54 > 90 nop

$+55 > 90 nop

$+56 > 90 nop

$+57 > 90 nop

$+58 > 90 nop

$+59 > 90 nop

$+5A > 90 nop

$+5B > 90 nop

$+5C > 90 nop

$+5D > 90 nop

$+5E > 90 nop

$+5F > 90 nop

$+60 > 90 nop

$+61 > 90 nop

$+62 > 90 nop

$+63 > 90 nop

$+64 > 90 nop

$+65 > 90 nop

$+66 > 90 nop

$+67 > 90 nop

$+68 > B8 01000000 mov eax,1

$+6D > 8B4D F4 mov ecx,dword ptr ss:[ebp-C]

$+70 > 64:890D 0000000>mov dword ptr fs:[0],ecx

GetHwid_Unpacked_No_SDK_Fix can working~!

user1

user1

Posted
Posted

It is possible to create a universal WmProtect unpacker?

LCF-AT

LCF-AT

Posted
Posted

"It is possible to create a universal WmProtect unpacker?"

For OEP & Full IAT Fixing = Yes

Script is already in work and working (without SDK Fix) but not finished yet. :) If you know some other VProtect unpackmes | targets without HWID check then you can send them to me to check them.I never have seen a real target using the VProtect protection til now.

greetz

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing
×
×
  • Create New...