Aguila Posted May 27, 2012 (edited)
That's gonna be history then now. Sorry to disappoint you, but we are ready for x64. -> See attachment. My dream is real now, I can correct lena151: Sorry to disappoint you, but your import table is not correct. Well, but there is still e.g. Enigma x64 or Themida x64; I don't even have an unpackme for that, I haven't seen any crack yet.
Edited May 27, 2012 by Aguila
lena151 Posted May 27, 2012
"... your import table is not correct"
Hehe, I did this manually, so I repaired only the APIs necessary for it to run. I didn't realize you were requesting more of my 1-hour-a-day hobby time to make the full import table completely correct. But if you don't mind, I'm gonna join my family now.
"Well but there is still e.g. Enigma x64 or Themida x64, I don't even have an unpackme for that I haven't seen any crack yet."
:lol: It's not because you haven't seen something solved that the knowledge isn't available but ... it's your good right to doubt our abilities :lol:
lena151.
EvOlUtIoN Posted May 29, 2012
"It's not because you haven't seen something solved that the knowledge isn't available"
I totally agree with you. I'm actually not ready to handle x64 targets, but papers on it arrived years ago. For example this guide http://ntcore.com/files/vista_x64.htm was written more than 5 years ago. Well, ntoskrnl is not one of all, he has been (and probably still is) the best ever Italian reverser imho. This is proving that x64 has been well known for years; the most important thing is to be interested in new targets, and most reversers are still not interested in it. So, if one is not able to do one thing, this means only that he is not able to do it, and not that the thing is not possible. Maybe sometimes knowledge has to be reached by ourselves and not by reading papers from others, which is always a good thing, but sometimes not a solution. Hope I'll have time in the future to study something about the x64 world.
Kurapica Posted May 30, 2012
Oh dear Lena! You shouldn't have mentioned me. Honestly I wish I could do a better image, this one makes me embarrassed. I was checking the larp64 website but it seems off-line. If you need any help in the future then I'm ready. Regards.
Loveless Posted May 31, 2012
I just get "Unregistered Stack" when I run the binary?...
lena151 Posted May 31, 2012
"I just get "Unregistered Stack" when I run the binary?..."
It means that your system is too obviously a cracker's system. An example of when this happens is if you have installed IDA as JIT debugger, etc.
lena151.
Loveless Posted June 1, 2012 (edited)
Got it, thanks Lena. I don't have time to look at this right now but it's on the todo list for mid-August. Take care.
Edited June 1, 2012 by Loveless
Rumour Posted June 3, 2012
@lena151: Can you make a tutorial for unpacking PESpin x64? That would help with learning x64 unpacking.
lena151 Posted June 4, 2012
"@lena151: Can make tutor for unpacking pespin x64 ? That help learn x64 unpacking"
My tutorialing days are over, but there is no learning required for 64-bit unpacking! Anyone knowing the basics of 32-bit unpacking is ready to go after a 5 minute read about x64 registers and qwords. Just jump in! Success!
lena151.
chickenbutt Posted June 5, 2012
Hehe, you are right, but perhaps not because of your protection.. Though I will admit it'll prolly take me a while. It's more that I'm steadily losing the capacity to spend continuous hours at cracking something. I had hoped this unpackme would spark my interest some more by taking up the challenge you pose; initially it did and I got slightly cocky, but it didn't last.. Strangely it seems the days of cracking for me are passing, I seem to have lost the excitement. Though I had fun, I never spent more than 2 hours on this.. which isn't even enough to get the hang of x64. Honestly I do not know if I will really take this up.. It wouldn't matter if you'd posted easier versions, it also kinda kills the legend. I've known exceptionally talented RCE people before who got tired of the big investment in time required. Usually they only become active if something interesting comes around outside of PE protectors. I also believe the fact you have to use static analysis and trace tools to defeat this protector is the core factor in it going undefeated; someone extremely proficient in RCE would take at least a month to do this, weeks if they didn't have a job to go to. That along with the fact it's not used on valuable targets that get the attention of teams and lurkers..
lena151 Posted October 24, 2012
*BUMP* Over 4 years uncracked/unpacked now and still counting.
lena151.
shahril Posted December 2, 2012 (edited)
haha, it makes me look like this
Edited June 26, 2013 by shahril
GIV Posted December 2, 2012 (edited)
Well... as an operating environment x64 is great with many possibilities, but for reversing I think there are not so many "user friendly" reversing tools for the moment. I tried once to approach x64 reversing but I got stuck on the unpleasant interface of the reversing tools. So still on x86...
Edited December 2, 2012 by GIV
deepzero Posted July 27, 2013
Don't have a lot of time atm, but it doesn't run here (W7 SP1 x64 VM). Hangs indefinitely somewhere. What have you done to get this dump? What is oep.dll for?
mm10121991 Posted July 27, 2013 (edited)
Strange, the oep.dll just has the OEP code. Can anyone help me find where the problem is on his machine?
Edit: found the problem
Edited July 27, 2013 by mm10121991
mm10121991 Posted July 27, 2013 (edited)
Hello, can anyone test this new unpacked file?
larp64Pro.rar
Edited July 27, 2013 by mm10121991
JoeBullet Posted August 23, 2013
This is very easy to do via static reverse code engineering. Just fire up IDA x64 and trace manually. Though you must be patient because there is plenty of code rewriting and (not) cool code flow. You could probably write some IDC/Python scripts for automating this once you learn how it works; basically the main thing to keep track of is RSP. The very common code sequence is:

CODE
call redirector
JUNK_BYTES (usually 1-4 bytes)
CODE
ETC.

Those so-called "redirectors" (there are plenty of them) usually contain code which
a) inc [RSP]
b) add [RSP], OFF
c) conditional jump to other redirectors
d) final inc [RSP] + retn
* [RSP] = return_address of call

I don't have the idb handy so I can't show you some examples. Once you get to know the inner workings you can do this almost automagically, even though a script will come in handy. Another helpful pointer I can give you is that there are explicit references to imports and there are some strings embedded in between code... Of course static analysis is not something you'd do if you must get the dumped file as soon as possible, which is not the case here, so I thought about studying the approach and obfuscation techniques...
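The return-address arithmetic described in the post above, modelled as a small static resolver (an added example, not code from the thread or from any of the posted tools; the redirector names, addresses and byte counts are constructed, and the direction of each conditional jump is assumed to be already known from a trace):

```python
# Added example (not from the thread): static resolution of the
# "CALL redirector / junk bytes / CODE" sequence JoeBullet describes above.
# Addresses, redirector bodies and byte counts are constructed for the demo.
from typing import Dict, List, Tuple

# A redirector only manipulates the return address CALL pushed at [rsp]:
#   ("inc",)      -> inc qword ptr [rsp]
#   ("add", off)  -> add qword ptr [rsp], off
#   ("jmp", name) -> (conditional) jump into another redirector; taken branch assumed known
#   ("retn",)     -> return to the adjusted address
Redirectors = Dict[str, List[Tuple]]

def resolve_call(call_addr: int, call_len: int, entry: str,
                 redirectors: Redirectors, max_hops: int = 64) -> int:
    """Follow the redirector chain and return the real continuation address,
    i.e. the first instruction after the junk bytes that follow the CALL."""
    ret = call_addr + call_len            # value CALL pushed at [rsp]
    cur = entry
    for _ in range(max_hops):
        for op in redirectors[cur]:
            if op[0] == "inc":
                ret += 1
            elif op[0] == "add":
                ret += op[1]
            elif op[0] == "jmp":
                cur = op[1]
                break                     # continue in the next redirector
            elif op[0] == "retn":
                return ret
            else:
                raise ValueError(f"unknown op {op!r}")
        else:
            raise ValueError(f"redirector {cur} neither jumps nor returns")
    raise RuntimeError("redirector chain too long; probably a cycle")

def patch_plan(calls, redirectors: Redirectors) -> Dict[int, Tuple[int, int]]:
    """Map each CALL site to (continuation, junk_len): what a deobfuscation
    script needs to replace the CALL with a JMP and mark the junk as data."""
    plan = {}
    for addr, length, entry in calls:
        cont = resolve_call(addr, length, entry, redirectors)
        plan[addr] = (cont, cont - (addr + length))
    return plan

# Constructed sample: CALL at 0x401000 (5 bytes) enters "A", three junk bytes
# follow at 0x401005..0x401007, and real code resumes at 0x401008.
REDIRECTORS: Redirectors = {"A": [("inc",), ("add", 1), ("jmp", "B")],
                            "B": [("inc",), ("retn",)]}
CALLS = [(0x401000, 5, "A"), (0x401020, 5, "B")]
PLAN = patch_plan(CALLS, REDIRECTORS)   # {0x401000: (0x401008, 3), 0x401020: (0x401026, 1)}
```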
mm10121991 Posted August 23, 2013 (edited)
Yes that's true, you just need to bp those addresses:
.ldata:0000000000496225 jmp qword ptr [rsp-8]
.ldata:000000000049676D retn
.ldata:000000000049659E jmp qword ptr [rsp-8]
and you can trace it very fast, but you need to take care of CRC; almost the only hard thing for me in this protector is a lot of CRC + IDA 6.1 does not handle Hardware BPs well. I don't know why I always need to restart the program to activate HWBPs, and to remove them I also need to restart the program in IDA 6.1, so I used a lot of soft BPs. Other than that, there is nothing really interesting: some anti-debugging, some easy IAT redirections and some CCs replacing that should be defeated easily, and some quite advanced IAT redirections that could be traced. There is also a little VM for anti-debugging that is also used in the advanced IAT redirection but can be skipped easily. So, waiting for another unpackme with max protection.
Edited August 27, 2013 by mm10121991
SmilingWolf Posted November 28, 2014 (edited)
Doh, looks like I arrived a year and three months late to the party. Attached: lots of things lol. The important ones:
The unpacked and de-nagged file;
x64_dbg scripts to do... things (Pilot.txt -> walk through the stub avoiding the traps; IATPilot.txt -> build an RVA <-> Import Address table to use with the Replace.asm/bin snippet (buggy, didn't take into account the isRETN WORD while writing them); ReplacePilot.txt -> prototype for Replace.asm; Revealer.txt -> used to look for references to the old IAT addresses so that I could fix them with DrunkPilot).
ASM snippets: Replace.asm/bin; DrunkPilot.asm/bin -> used to fix the CALL [qword] redirected by Simple IAT Redirection (that is, the VMless one).
VM.txt: description of some (most?) of the VM handlers.
lARP64 DeVirtualizer folder: what the name says -> throw at it a VM opcodes table and it should spit out some readable assembly in VMLog.txt. The ImageBase field is currently unused.
Strings folder: contains some text files with the names of the WindowNames/ClassNames/processes used during the Anti-Debug phase and some other misc strings.
*.dd64 file: x64_dbg database with a few comments and labeled jumpy calls.
Notes.txt: all of my notes in Italian (might partially or integrally translate them if anyone is interested) with VAs and (usually) brief descriptions. Some make sense, some others were over-edited while debugging and might make me look schizophrenic.
That's all folks!
lARP64Pro.cleaner.7z
Edited December 31, 2014 by SmilingWolf
Loki Posted November 28, 2014
Nice - someone finally did the x64 version. Impressive SmilingWolf - looks like you enjoyed the project too.
SmilingWolf Posted November 28, 2014 (edited)
"Nice - someone finally did the x64 version. Impressive SmilingWolf - looks like you enjoyed the project too"
Yes indeed. I was interested in the trophy too - the free licensed copy I read was offered to whoever would have been able to unpack it... but... wait... OMFG I mixed up the information from the lARP 2.0 topic and this one... Ahhahahahhahaa goddamnit, I'm literally dying from the laughter because I thought there was a bounty on this one looooooool!!! I'm sorry, just gimme a sec to calm down. Ok, ok, back to serious now (a few minutes later and still smiling). I was saying - in part I was interested in the nonexistent trophy, but there was much more involved: it was about stepping up after a couple of years of lame cracking (an activity that I generally respect, but not at the level I was at, in all seriousness) and trying my hands on something tough and new. 64-bit Arma was a nice start to get acquainted with x64 reversing, but the 32-bit version is so well documented it wasn't even a challenge to unpack and inline it adapting Mr. eXoDia's template. Then came the undocumented PESpin x64. Really enjoyed reversing it, but it lacked the advancedness of the 32-bit counterpart. 3 weeks ago I tried my hands on lARP 2.0 and I was like "Mein Gott, this is awesome", then I stumbled across this thread (and a similar one on ExeTools) where people observed that the main problem was the lack of proper and user-friendly tools. So I thought "It's 2014, I've solved almost all of the lARPs, I've got x64_dbg and Scylla, so why not?". I regret nothing. In two weeks I traced through a hell of a lot of obfuscated code learning how to see through it, met 13-14 different non-VMed anti-debugging tricks, discovered 2 anti-attach techniques, bypassed countless CRC checks and code en/decryption loops, analyzed a VM and defeated two different kinds of IAT redirection techniques... It was a wonderful journey and I learnt a lot.
Oh, and I discovered Sabaton while working on this baby, too. So, thanks to lena151 for the unpackmes, Mr. eXoDia et al. for the awesome debugger they're building, Aguila for Scylla and everyone I might have forgotten but who has in some way helped me. This is a result I'm really proud of and I don't know if I would have been able to get this far without all of you.
Edited November 28, 2014 by SmilingWolf