Tuts 4 You

[unpackme] VProtect_1[1].9.2.0


thisistest


*Unpacked By Narnia*

Just for XP (tested on XP SP2 and SP3)

http://www.hyperupload.com/downloadfile.aspx?fv=Public/634376149112031250Project1_VP.1.93.unpacked.by.Narnia.rar

Link to comment

Hi,

At the moment I am writing an unpacker script for VProtect. :)

So can someone test my unpacked file? Just test whether it runs for you.

XP SP2 <-- My OS | Also test the original file > NOTEPAD_VP 1.93.rar < to see whether it runs on your system.

greetz

NOTEPAD_VP 1.93_Unpacked.rar

Link to comment

It does not work on my XP SP3.

0111CE85 50 PUSH EAX
0111CE86 8D0418 LEA EAX,DWORD PTR DS:[EAX+EBX]
0111CE89 58 POP EAX
0111CE8A C3 RETN > 77D242A4 = Crash

$ ==> > 77D242A4
$+4 > 01004521 NOTEPAD_.01004521
$+8 > 01000000 NOTEPAD_.01000000

But it works after NOPing 0100451B CALL NOTEPAD.010C740C.

Best Regards

JeRRy

Link to comment

Hi JeRRy,

Thanks for testing. :) Nice to hear that it works.

Ah OK, this was a script fault: this call was missed in my LOG file.

OK, good to know, so I will add a double check to the script now.

----------

0100451B | CALL DWORD PTR DS:[ADDR] ; USER32.LoadImageW | 77D242A4 SP2

----------

01004518 8945 E8 MOV DWORD PTR SS:[EBP-18],EAX
0100451B E8 EC2E0C00 CALL 010C740C ; NOTEPAD_.010C740C
01004520 F6 ??? ; Unknown command

E8E8 <--- Here was the reason. My script was searching for E8 and then adding 5 bytes.

greetz

Edited by LCF-AT
Link to comment
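
An added example, not part of the thread and not LCF-AT's script: it replays the bytes from the listing in the post above to show how a byte search for E8 followed by a 5-byte skip can miss the call at 0100451B, because the preceding MOV ends in an E8 operand byte. The `STUB_RANGE` bounds and the target-range check are assumptions made for this illustration.

```python
import struct

# Bytes from the listing in the post above, starting at 01004518:
#   8945 E8       MOV DWORD PTR SS:[EBP-18],EAX
#   E8 EC2E0C00   CALL 010C740C
#   F6            byte shown as ??? (undecoded) in the post
BASE = 0x01004518
CODE = bytes.fromhex("8945E8" "E8EC2E0C00" "F6")

# Assumption for this example: address range of the protector's section.
STUB_RANGE = (0x010C0000, 0x010D0000)


def call_target(code, base, off):
    """Destination of an E8 rel32 call located at offset `off`."""
    rel = struct.unpack_from("<i", code, off + 1)[0]
    return (base + off + 5 + rel) & 0xFFFFFFFF


def naive_scan(code, base):
    """Treat every E8 byte as a call opcode and skip 5 bytes after each hit."""
    hits, off = [], 0
    while off + 5 <= len(code):
        if code[off] == 0xE8:
            hits.append((base + off, call_target(code, base, off)))
            off += 5
        else:
            off += 1
    return hits


def checked_scan(code, base, stub_range):
    """Accept an E8 hit only if its target lies in stub_range; otherwise
    advance by one byte so an overlapping real call is not skipped."""
    lo, hi = stub_range
    hits, off = [], 0
    while off + 5 <= len(code):
        if code[off] == 0xE8 and lo <= call_target(code, base, off) < hi:
            hits.append((base + off, call_target(code, base, off)))
            off += 5
        else:
            off += 1
    return hits


if __name__ == "__main__":
    for name, hits in (("naive", naive_scan(CODE, BASE)),
                       ("checked", checked_scan(CODE, BASE, STUB_RANGE))):
        print(name, [(hex(a), hex(t)) for a, t in hits])
```

The naive scan reports a bogus call at 0100451A and steps over the real one; the checked scan reports only 0100451B with target 010C740C.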

Hi,

OK, here is now my other unpacked unpackme from the "Project1_VP 1.93.rar" package.

I added 2 files for testing on your system [one file is smaller, so I cut sections away]. So both should work for you if the original packed unpackme "also" runs on your system. Just test it. Thank you. If everything works well, then my unpack script will be coming soon.

XP SP2 <-- My OS

greetz

Project1_VP 1.93_Unpacked_x2.rar

Link to comment

@ Zer0Flag & BLaCkViRuS

Thank you for testing. Seems that I am on the right way. :)

OK, I see there are not many VProtect unpackmes on this board which I can test now. :( Is there someone who knows where to get some more VProtect unpackmes? If yes, then you can post them too, or does someone know some targets which are protected with VProtect?

Or if one of you has used the full VProtect protector... then it would be nice if you could create a handful of different unpackmes with different protection settings [everything except HWID] etc. This would be very nice and helpful for testing my script. Unfortunately this protection is a Chinese version without English language support [I think so]. I have tested the demo file and see just unreadable signs. :)

Thank you

Link to comment

Hi Dear LCF-AT

I just have the demo version of VProtect. In the demo version the protected file has a nag screen and your file is not protected with full functions :(

Do you need the original VProtect? Or should I make an unpackme with the demo version?

Have a nice day

Edited by BLaCkViRuS
Link to comment

Hi BLaCkViRuS,

So normally it would be good to get some differently protected VProtect files which I can test.

So if you have just the demo and if you know how to protect files with this demo, then you can also create some unpackmes and write which protection features are enabled in your files. I don't know how to use the demo, as it's not in English.

Thank you

PS: Do you know some Chinese people who can create some fully protected VP files? Maybe you can ask someone there. :)

greetz

Link to comment

Hi,

Nice to hear, thisistest. :)

OK, here is the second file, GetHWID. The whole IAT & commands are fixed except the one SDK call. :) So you will get no number in the free field.

00401371  CALL 007738DE                         ; SDK
-------
$+66 >AND BYTE PTR DS:[ECX],AL // SDK end
$+68 >MOV EAX,1 // normal code again

Will check this SDK stuff deeper if my main script is finished.

greetz

GetHwid_Unpacked_No_SDK_Fix.rar

Link to comment

$-3 > 51 push ecx
$-2 > FFD6 call esi ; USER32.SendMessageW
$ ==> > 90 nop
$+1 > 90 nop
$+2 > 90 nop
$+3 > 90 nop
$+4 > 90 nop
$+5 > 90 nop
$+6 > 90 nop
$+7 > 90 nop
$+8 > 90 nop
$+9 > 90 nop
$+A > 90 nop
$+B > 90 nop
$+C > 90 nop
$+D > 90 nop
$+E > 90 nop
$+F > 90 nop
$+10 > 90 nop
$+11 > 90 nop
$+12 > 90 nop
$+13 > 90 nop
$+14 > 90 nop
$+15 > 90 nop
$+16 > 90 nop
$+17 > 90 nop
$+18 > 90 nop
$+19 > 90 nop
$+1A > 90 nop
$+1B > 90 nop
$+1C > 90 nop
$+1D > 90 nop
$+1E > 90 nop
$+1F > 90 nop
$+20 > 90 nop
$+21 > 90 nop
$+22 > 90 nop
$+23 > 90 nop
$+24 > 90 nop
$+25 > 90 nop
$+26 > 90 nop
$+27 > 90 nop
$+28 > 90 nop
$+29 > 90 nop
$+2A > 90 nop
$+2B > 90 nop
$+2C > 90 nop
$+2D > 90 nop
$+2E > 90 nop
$+2F > 90 nop
$+30 > 90 nop
$+31 > 90 nop
$+32 > 90 nop
$+33 > 90 nop
$+34 > 90 nop
$+35 > 90 nop
$+36 > 90 nop
$+37 > 90 nop
$+38 > 90 nop
$+39 > 90 nop
$+3A > 90 nop
$+3B > 90 nop
$+3C > 90 nop
$+3D > 90 nop
$+3E > 90 nop
$+3F > 90 nop
$+40 > 90 nop
$+41 > 90 nop
$+42 > 90 nop
$+43 > 90 nop
$+44 > 90 nop
$+45 > 90 nop
$+46 > 90 nop
$+47 > 90 nop
$+48 > 90 nop
$+49 > 90 nop
$+4A > 90 nop
$+4B > 90 nop
$+4C > 90 nop
$+4D > 90 nop
$+4E > 90 nop
$+4F > 90 nop
$+50 > 90 nop
$+51 > 90 nop
$+52 > 90 nop
$+53 > 90 nop
$+54 > 90 nop
$+55 > 90 nop
$+56 > 90 nop
$+57 > 90 nop
$+58 > 90 nop
$+59 > 90 nop
$+5A > 90 nop
$+5B > 90 nop
$+5C > 90 nop
$+5D > 90 nop
$+5E > 90 nop
$+5F > 90 nop
$+60 > 90 nop
$+61 > 90 nop
$+62 > 90 nop
$+63 > 90 nop
$+64 > 90 nop
$+65 > 90 nop
$+66 > 90 nop
$+67 > 90 nop
$+68 > B8 01000000 mov eax,1
$+6D > 8B4D F4 mov ecx,dword ptr ss:[ebp-C]
$+70 > 64:890D 0000000>mov dword ptr fs:[0],ecx

GetHwid_Unpacked_No_SDK_Fix is working!

Link to comment

"It is possible to create a universal WmProtect unpacker?"

For OEP & Full IAT Fixing = Yes

The script is already in the works and working (without SDK Fix) but not finished yet. :) If you know some other VProtect unpackmes | targets without HWID check, then you can send them to me to check them. I have never seen a real target using the VProtect protection until now.

greetz

Link to comment
