m0rpheus Posted December 29, 2014

"I think Lena151 will be proud now."

Why should Lena151 be proud, bro? Any reasons? Just asking, if you don't mind.
SmilingWolf Posted December 31, 2014 (edited)

"Why should Lena151 be proud, bro? Any reasons? Just asking, if you don't mind."

Probably because of posts like this: [...] Maybe someone there has the time to restore my faith in reversing [...]

Anyway, I have updated my post above with a new archive featuring:
- updated IATPilot.txt and ReplacePilot.asm (they take into account the isRETN WORD now)
- a much (MUCH!) cleaner MUPed file, thanks to the updates to IATPilot.txt and ReplacePilot.asm and especially thanks to a little tool I have been lazily working on in the last three days. No dupes in the IAT anymore -> 50+ kilobytes saved and the MUPed file can now be lARPed again! The MUPed file is also ASLR compatible now ("DLL can move" bit set) since the reloc section has been dumped properly this time.

Edited December 31, 2014 by SmilingWolf
GIV Posted January 1, 2015 (edited)

@m0rpheus First of all... Happy New Year 2015. Second, do you know who Lena151 is and what Larp64 is? Third, what is your business in this forum if you don't understand what is happening...

Edited January 1, 2015 by GIV
mm10121991 Posted January 1, 2015 (edited)

I don't think that larp64 is that hard. There is nothing really special in it that could make it the ultimate protector; it has stayed unpacked all those years just because of the lack of adequate x64 tools, no more, no less. But it's still a good experience as it was the first protector that I have fully traced.

BTW, another way to defeat the advanced IAT redirection is just by bypassing the VM, which can be done by NOPing those bytes and then tracing the calls:

.ldata:00000000004A317B or rsp, rsp
.ldata:00000000004A317E jnz q_4A04A0_3_less_8
.ldata:00000000004A3184 call loc_49619B
.ldata:00000000004A3189 retn
.ldata:00000000004A3189 ; ---------------------------------------------------------------------------
.ldata:00000000004A318A db 50h ; P
.ldata:00000000004A318B db 48h
.ldata:00000000004A318C db 81h ; ü
.ldata:00000000004A318D db 0B4h ; ¦
.ldata:00000000004A318E ;

Edited January 1, 2015 by mm10121991
SmilingWolf Posted January 2, 2015 (edited)

"I don't think that larp64 is that hard. There is nothing really special in it that could make it the ultimate protector; it has stayed unpacked all those years just because of the lack of adequate x64 tools, no more, no less."

I tend to agree with you. Having traced through the 32-bit lARPs (Ultra and Ultimate didn't want to run even on a clean Win7 64-bit, so I had to do it the hard way) my first impression was that the 32-bit code was ported to 64-bit and obfuscated a lot. Some "errors" weren't there anymore (such as CALLs being redirected while the code was being unpacked instead of being "rewritten" while protecting), others arose (such as the IAT redirected the simple way being fully written in place and then redirected).

The VM part was fun though. I don't usually code my own tools (yeah, that bad thing called laziness) but I like it when packers force me to. I had only worked on another VM before (RLPack's) and found this one to be easier but cleaner (apart from obfu).

Having finally unpacked something protected with another version of the protector, though, I can say the weakest spot of lARP64 is what originally was its strongest point: the language the stub has been written in. Coding it in pure (M?)ASM, lena has been able to easily put a lot of obfuscation in place, which terribly slowed me down, but with a list of addresses and interesting spots in the code, pattern matching works great. I know what I have written in the paper, but I saw yesterday that there are only a few critical parts crypted; when you need them you can simply (hw)bp on one of the helper functions (like the CC/EBFE check one or one of the code en/decryption functions) and land near them, find your pattern, write down the address and use an hwbp on it in subsequent runs.

"However it's still a good experience as it was the first protector that I have fully traced."

Same.

Edited July 24, 2015 by SmilingWolf
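The pattern-matching approach SmilingWolf describes, applied to the stub fragment mm10121991 quoted, as an added Python example that is not from the thread or from any poster's tools: it scans a dumped code region for the `or rsp,rsp / jnz / call / retn` sequence using a wildcard signature and resolves the rel32 targets so the call (loc_49619B) can be written down for a later hardware breakpoint. The byte encodings are the standard x64 ones, the sample buffer is constructed, and the jnz target 4A04A0 is an assumption taken from the label name.

```python
import re
import struct

# Wildcard signature for the fragment quoted in the thread (addresses from the
# listing, bytes are the standard x64 encodings):
#   4A317B  48 09 E4       or rsp, rsp
#   4A317E  0F 85 rel32    jnz q_4A04A0_3_less_8
#   4A3184  E8 rel32       call loc_49619B
#   4A3189  C3             retn
STUB_SIG = "48 09 E4 0F 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? C3"

def compile_sig(sig: str) -> re.Pattern:
    """Turn a space-separated hex signature with ?? wildcards into a bytes regex."""
    parts = [b"." if tok == "??" else re.escape(bytes([int(tok, 16)])) for tok in sig.split()]
    return re.compile(b"".join(parts), re.DOTALL)

def find_stub_fragments(image: bytes, image_va: int) -> list:
    """Scan a dumped code region (image[0] lives at image_va) for STUB_SIG and
    resolve the rel32 targets of the jnz and the call for every hit."""
    hits = []
    for m in compile_sig(STUB_SIG).finditer(image):
        off = m.start()
        va = image_va + off
        jnz_rel, = struct.unpack_from("<i", image, off + 5)    # rel32 after 0F 85
        call_rel, = struct.unpack_from("<i", image, off + 10)  # rel32 after E8
        hits.append({
            "va": va,
            "jnz_target": va + 9 + jnz_rel,    # VA of next instruction + displacement
            "call_target": va + 14 + call_rel,
        })
    return hits

def build_sample_image() -> tuple:
    """Constructed sample: 0xCC filler, then the fragment placed so it lands at
    4A317B with the call resolving to 49619B as in the listing (jnz -> 4A04A0 assumed)."""
    base = 0x4A3100
    frag_va = 0x4A317B
    jnz_rel = 0x4A04A0 - (frag_va + 9)
    call_rel = 0x49619B - (frag_va + 14)
    frag = (bytes.fromhex("4809E4") + b"\x0f\x85" + struct.pack("<i", jnz_rel)
            + b"\xe8" + struct.pack("<i", call_rel) + b"\xc3")
    trailer = bytes.fromhex("504881B4")        # the db bytes shown after retn
    image = b"\xcc" * (frag_va - base) + frag + trailer + b"\x90" * 16
    return image, base

if __name__ == "__main__":
    img, base = build_sample_image()
    for h in find_stub_fragments(img, base):
        print({k: hex(v) for k, v in h.items()})
```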