Tuts 4 You

[Unpackme] IntelliProtect v2.15


Somata


BLaCkViRuS

Dear Somata

To test the unpackme, you must insert the unpackme file without a license.

I unpacked the file, but it crashed after running. I do not know why :dunno:

Please insert the unpackme without a license. With a license this is a CrackMe, not an UnpackMe.

The file is Visual Basic.

Edited by BLaCkViRuS
Link to comment

BLaCkViRuS

Please attach the unpacked file, I will tell you what is wrong.

Please insert your unpackme file without a license.

Edited by BLaCkViRuS
Link to comment

I will give a valid key after 10 days of this unpackme. Please let other people try. Your application crashes because you did not fix imports.

Link to comment

So we need a valid license for this?

For unpacking only? No.

I don't know anything about this protector, but maybe you can use a non-VB .exe and state which protection options you used.

Anyway, let's wait for evolution's results.... :^

Link to comment

BLaCkViRuS

We just need the valid key to unpack this.

Without the valid key you can't fix imports. The original file must be run ;)

Link to comment

Hi

Unpacked by a stupid technique!

Note:

If a license manager has very huge security.. but its protection technique is poor,

in my opinion it's not a valuable protection.

Even if we need a valid license to run it... but after running it we can unpack it veryyyy easily.

Like this protector.

Regards

Raham

UnPacked_By_Raham.rar

Edited by Raham
  • Like 4
Link to comment

BLaCkViRuS

Hi

Unpacked by a stupid technique!

will not work for other compiler

Note:

If a license manager has very huge security.. but its protection technique is poor,

in my opinion it's not a valuable protection.

Even if we need a valid license to run it... but after running it we can unpack it veryyyy easily.

Like this protector.

Regards

Raham

Hi Dear Raham :flowers:

File unpacked fully and worked fine. LOL

Tnx

Link to comment

cozofdeath

Maybe he traced out a serial or keygenned it allowing him to get to OEP? Either way Good job Raham!

Link to comment

  • 1 month later...

Hey guys

You can't fix imports without a valid key in Intelli Protector :)

If you see Raham's post, you can see he said: unpacked Intelli Protector with a stupid method ;) but this method is not for big programs :)

Anyway, unpacking Intelli Protector with a valid key is very easy ;) It's like UPX (but with a valid key).

Maybe it can be keygenned! But that is not my specialty. Keygenner friends, please reply ;)

Link to comment

Serial checking is done on a server.

Send: Return Code: 0x00000000
GET /IntelliProtectorChild2/register.ashx?USec=IPL456789012345-78901234567890123456789012345678DF4E&ActNum=vYzgaqdX6QWOlYQ5HtOsl41YeeT4Jl2AqFSQbIXyZF1afnnxNiglMZk7lAxt7eA3nGTQiE3w0cGcyL5hSNVgiZiSqHVJRp3BhIWdaBjBHSHpSAAAAAAAAAAUAAAAAAAAA HTTP/1.1
User-Agent: my s
Host: license3.intelliprotector.com
Connection: Keep-Alive
Receive: Return Code: 0x00000000
HTTP/1.1 200 OK
Date: Sat, 30 Jul 2011 16:14:40 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
Cache-Control: private
Content-Type: text/plain; charset=utf-8
Content-Length: 118

770af612dbeb40baa28ed08563de989a7Wrong license code. Please, recheck data you entered.79d602c89c604f33afc43ad961aae960

Sends the key to one of the servers:

http://license1.intelliprotector.com
http://license2.intelliprotector.com
http://license3.intelliprotector.com

But if you enter the following key and are not connected to the internet or have blocked the app with your firewall,

then it will go to some sort of a manual file activation:

IPL456789012345-78901234567890123456789012345678DF4E
Link to comment

Well, if you look at my unpacked file, you'll see that many imports are unresolved and only 3 are fixed.

It works only because the other imports are not called by this app. I would also like to know how Raham fixed all the imports.

OK, getting to the OEP is very easy:

Search for this binary string (hex):

75 ?? 53 68 ?? ?? ?? ?? 53 8D 4D D4 51 53

And set a bp on the found JNZ and run.

Once it breaks, change the zero flag to take the jump.

Step over the code, until RET.

Once you step over the RET, you're at the OEP.

Now, you can't fix Imports with ImportREC automatically.

I fixed the 3 Imports manually by hand.

If you study a VB6 app EP, you'll see that the first call is to MSVBVM60.ThunRTMain, so you can fix that Import immediately.

After you try to run it with that 1 Import fixed, it will crash immediately. That's because ThunRTMain tries to call MSVBVM60.EVENT_SINK_AddRef.

Since the address of that API is unresolved, it will call 00000000, which is not accessible by Win32 apps, so the app will crash with an access violation exception.

To fix that, you have to locate the JMP NEAR [<some address>] that is called and fix that to MSVBVM60.EVENT_SINK_AddRef.

Now the app should run, but you will soon see that when you try to close it, it will crash instead of close normally.

That's because it calls another API when closing. That API is MSVBVM60.EVENT_SINK_Release. You have to fix that one too.

After you've done that, the app should work normally. For a real app, you will have to fix many more APIs for it to work properly.

I fixed these Imports by creating an IAT Tree .txt file for ImportREC. Here's the file I created:

; Syntax for each function in a thunk (the separator is a TAB)
; ------------------------------------------------------------
; Flag RVA ModuleName Ordinal Name
;
; Details for <Valid> parameter:
; ------------------------------
; Flag: 0 = valid: no -> - Name contains the address of the redirected API (you can set
; it to zero if you edit it).
; - Ordinal is not considered but you should let '0000' as value.
; - ModuleName is not considered but you should let '?' as value.
;
; 1 = valid: yes -> All next parameters on the line will be considered.
; Function imported by ordinal must have no name (the 4th TAB must
; be there though).
;
; 2 = Equivalent to 0 but it is for the loader.
;
; 3 = Equivalent to 1 but it is for the loader.
;
; 4 = Equivalent to 0 with (R) tag.
;
; 5 = Equivalent to 1 with (R) tag.
;
; And finally, edit this file as your own risk! :-)

Target: C:\IntelliProtect v2.15\IntelliProtect v2.15.exe
OEP: 00001128 IATRVA: 00001000 IATSize: 00000070

FThunk: 00001024 NbFunc: 00000001
1 00001024 msvbvm60.dll 0191 EVENT_SINK_AddRef

FThunk: 0000102C NbFunc: 00000001
1 0000102C msvbvm60.dll 0192 EVENT_SINK_Release

FThunk: 0000105C NbFunc: 00000001
1 0000105C msvbvm60.dll 0064 ThunRTMain
Edited by Saduff
Link to comment
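
An added example (not part of the post above and not ImportREC's own code): a small Python parser for the tree file format shown in that post, reporting how many IAT slots the file resolves, which makes the "only 3 are fixed" observation concrete. It assumes 4-byte thunks (32-bit PE) and accepts any whitespace as the field separator; the sample is the post's file re-typed inline, and the function names are hypothetical.

```python
import re

# Constructed sample: the tree file from the post, whitespace-separated.
SAMPLE_TREE = r"""
; comment lines start with ';' and are ignored
Target: C:\IntelliProtect v2.15\IntelliProtect v2.15.exe
OEP: 00001128 IATRVA: 00001000 IATSize: 00000070

FThunk: 00001024 NbFunc: 00000001
1 00001024 msvbvm60.dll 0191 EVENT_SINK_AddRef
FThunk: 0000102C NbFunc: 00000001
1 0000102C msvbvm60.dll 0192 EVENT_SINK_Release
FThunk: 0000105C NbFunc: 00000001
1 0000105C msvbvm60.dll 0064 ThunRTMain
"""

THUNK_SIZE = 4            # assumption: 32-bit PE, one DWORD per IAT slot
VALID_FLAGS = {1, 3, 5}   # per the file's own header comment

def parse_tree(text):
    """Return {'header': {...}, 'entries': [...]} with numeric fields as ints."""
    tree = {"header": {}, "entries": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("FThunk:"):
            continue  # FThunk lines only group the entries that follow
        if line.startswith("Target:"):
            tree["header"]["Target"] = line.split(":", 1)[1].strip()
        elif line.startswith("OEP:"):
            for key, val in re.findall(r"(\w+):\s*([0-9A-Fa-f]+)", line):
                tree["header"][key] = int(val, 16)
        else:
            # Flag RVA ModuleName Ordinal [Name]; name is empty for ordinal-only imports
            flag, rva, module, ordinal, *name = line.split(None, 4)
            tree["entries"].append({"flag": int(flag), "rva": int(rva, 16),
                                    "module": module, "ordinal": int(ordinal, 16),
                                    "name": name[0] if name else ""})
    return tree

def iat_report(tree):
    """Compare resolved entries against the slot count implied by IATSize."""
    start, size = tree["header"]["IATRVA"], tree["header"]["IATSize"]
    slots = [start + i * THUNK_SIZE for i in range(size // THUNK_SIZE)]
    resolved = {e["rva"]: f'{e["module"]}!{e["name"]}'
                for e in tree["entries"] if e["flag"] in VALID_FLAGS}
    return {"slots": len(slots), "resolved": resolved,
            # slots with no valid entry: unresolved imports or null terminators
            "unresolved": [rva for rva in slots if rva not in resolved],
            "out_of_range": sorted(rva for rva in resolved if rva not in slots)}
```

On the file from the post, `iat_report(parse_tree(SAMPLE_TREE))` shows 28 slots with 3 resolved, which is why the dump only works while the remaining thunks are never called.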