Jump to content
Tuts 4 You

[Unpackme] IntelliProtect v2.15


Somata

Recommended Posts

BLaCkViRuS

Dear Somata

For test unpack me file you must insert unpackme file with out license

i unpacked file.But crashed after run .i do not know why :dunno:

Please insert the unpackme with out license.with license this is CrackMe not unpack Me

File is Visual Basic

Edited by BLaCkViRuS
Link to comment
BLaCkViRuS

please attach unpacked file, i tell what wrong

please insert your unpack me file with out license

Edited by BLaCkViRuS
Link to comment

i will give valid key after 10 days of this unpackme. please let other people try. your application crash because you did not fix imports.

Link to comment
So we need valid license for this?

for unpacking only? no.

i dont know anything about this protector, but maybe you can use a non-vb .exe & state which protection options you used.

anyways, let`s wait for evolution`s results.... :^

Link to comment
BLaCkViRuS

Just we need the validkey for unpack this

without the validkey you can't fix imports.Orginal File Must be Run ;)

Link to comment

Hi

Unpacked By a stupid technic!

Note:

if a license manager has very huge security..but its protection technic be poor

in my opinion its not a valuable protection.

even if we need valid license to run it...but after run we can unpack it veryyyy easy.

like this Protector.

Regards

Raham

UnPacked_By_Raham.rar

Edited by Raham
  • Like 4
Link to comment
BLaCkViRuS

Hi

Unpacked By a stupid technic!

will not work for other compiler

Note:

if a license manager has very huge security..but its protection technic be poor

in my opinion its not a valuable protection.

even if we need valid license to run it...but after run we can unpack it veryyyy easy.

like this Protector.

Regards

Raham

Hi Dear Raham :flowers:

File Unpacked Full and Worked Fine.LOL

Tnx

Link to comment
cozofdeath

Maybe he traced out a serial or keygenned it allowing him to get to OEP? Either way Good job Raham!

Link to comment
  • 1 month later...
  • 1 month later...

Hey Guys

you can't fix imports without valid key in Intelli Protector :)

if See Raham Post.you can see he said:Unpacked Intelli Protector with Stupid Method ;) but this method is not for big programs :)

anyway Unpacking Intelli Protector With Valid Key is very Easy ;) it's Like UPX (but with valid key)

maybe Can Keygen it ! but is not my Specialty.Please Reply Keygenners Friends ;)

Link to comment

Serial checking is done in a server.

Send: Return Code: 0x00000000
GET /IntelliProtectorChild2/register.ashx?USec=IPL456789012345-78901234567890123456789012345678DF4E&ActNum=vYzgaqdX6QWOlYQ5HtOsl41YeeT4Jl2AqFSQbIXyZF1afnnxNiglMZk7lAxt7eA3nGTQiE3w0cGcyL5hSNVgiZiSqHVJRp3BhIWdaBjBHSHpSAAAAAAAAAAUAAAAAAAAA HTTP/1.1
User-Agent: my s
Host: license3.intelliprotector.com
Connection: Keep-Alive
Receive: Return Code: 0x00000000
HTTP/1.1 200 OK
Date: Sat, 30 Jul 2011 16:14:40 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
Cache-Control: private
Content-Type: text/plain; charset=utf-8
Content-Length: 118770af612dbeb40baa28ed08563de989a7Wrong license code. Please, recheck data you entered.79d602c89c604f33afc43ad961aae960

Sends the key to one of the servers:

http://license1.intelliprotector.com
http://license2.intelliprotector.com
http://license3.intelliprotector.com

But if you enter the following key and are not connected to the internet or have blocked the app with your firewall,

then it will go to some sort of a manual file activation:

IPL456789012345-78901234567890123456789012345678DF4E
Link to comment

Well, if you look at my unpacked file, you'll see that many imports are unresolved and only 3 are fixed.

It works only because the other imports are not called by this app. I would also like to know how Raham fixed all the imports.

OK, getting to the OEP is very easy:

Search for this binary string (hex):

75 ?? 53 68 ?? ?? ?? ?? 53 8D 4D D4 51 53

And set a bp on the found JNZ and run.

Once it breaks, change the zero flag to take the jump.

Step over the code, until RET.

Once you step over the RET, you're at the OEP.

Now, you can't fix Imports with ImportREC automatically.

I fixed the 3 Imports manually by hand.

If you study a VB6 app EP, you'll see that the first call is to MSVBVM60.ThunRTMain, so you can fix that Import immediately.

After you try to run it with that 1 Import fixed, it will crash immediately. That's because ThunRTMain tries to call MSVBVM60.EVENT_SINK_AddRef.

Since the address of that API is unresolved, it will call 00000000, which is not accessible by Win32 apps, so the app will crash with an access violation exception.

To fix that, you have to locate the JMP NEAR [<some address>] that is called and fix that to MSVBVM60.EVENT_SINK_AddRef.

Now the app should run, but you will soon see that when you try to close it, it will crash instead of close normally.

That's because it calls another API when closing. That API is MSVBVM60.EVENT_SINK_Release. You have to fix that one too.

After you've done that, the app should work normally. For a real app, you will have to fix many more APIs for it to work properly.

I fixed these Imports by creating an IAT Tree .txt file for ImportREC. Here's the file I created:

; Syntax for each function in a thunk (the separator is a TAB)
; ------------------------------------------------------------
; Flag RVA ModuleName Ordinal Name
;
; Details for <Valid> parameter:
; ------------------------------
; Flag: 0 = valid: no -> - Name contains the address of the redirected API (you can set
; it to zero if you edit it).
; - Ordinal is not considered but you should let '0000' as value.
; - ModuleName is not considered but you should let '?' as value.
;
; 1 = valid: yes -> All next parameters on the line will be considered.
; Function imported by ordinal must have no name (the 4th TAB must
; be there though).
;
; 2 = Equivalent to 0 but it is for the loader.
;
; 3 = Equivalent to 1 but it is for the loader.
;
; 4 = Equivalent to 0 with (R) tag.
;
; 5 = Equivalent to 1 with (R) tag.
;
; And finally, edit this file as your own risk! :-)Target: C:\IntelliProtect v2.15\IntelliProtect v2.15.exe
OEP: 00001128 IATRVA: 00001000 IATSize: 00000070FThunk: 00001024 NbFunc: 00000001
1 00001024 msvbvm60.dll 0191 EVENT_SINK_AddRefFThunk: 0000102C NbFunc: 00000001
1 0000102C msvbvm60.dll 0192 EVENT_SINK_ReleaseFThunk: 0000105C NbFunc: 00000001
1 0000105C msvbvm60.dll 0064 ThunRTMain
Edited by Saduff
Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...