Posted September 7, 2011

Hi,
please unpack and write a tut.

Enabled options:
[+] Anti OllyDbg
[+] Anti Dump Protection
[+] IAT Redirection
September 7, 2011

Unpacking this one is quite easy, but the problem is that none of the currently available import fixers can fix the IAT successfully, neither on Win XP x86 nor on Win 7 x64.

ImpREC: Detects wrong ImageBase.
CHimpRC: Detects wrong ImageBase.
Imports Fixer: Says "The process doesn't exist anymore!", but it does.
Scylla: Detects right ImageBase but crashes while fixing the dump.

That's very frustrating. Anyone got a solution?
September 7, 2011

Hi,

ok, here is my unpacked file. Test it. The solution is very simple: there is nothing to fix.

Level 1 | 10

greetz

UnpackMe_Unpacked.rar
September 7, 2011

> Scylla: Detects right ImageBase but crashes while fixing the dump

Go report it, Scylla is still in the initial phase of development.
September 7, 2011

@ Magician

No problem, but you should better throw this protection in the trash. The problem is that the full target is already there, which is original and not protected. Some kind of wrapper or so. You only need to catch the real place and then only dump it with the right PE data and that's all. So you had already used better protections in the past.

greetz
September 7, 2011

Oh damn, I forgot that everything is valid already. So here is my dumped file.

Dumped.rar

Edited September 7, 2011 by DizzY_D
September 7, 2011

Nice unpackme. How do you fake the process image path? I know there is some PEB trick, but usually it is still possible to get the image path with NtQueryInformationProcess and ProcessImageFileName.
September 7, 2011

Hi, here is a small script.

```
pause
bphwc                           // clear hardware breakpoints
bc                              // clear software breakpoints
// VI Protect UnpackMe direct dumper
// Start script at EP
var A
var MZ
mov A, eip
////////////////////
LOOP:                           // single-step until eip leaves the current address
sti
cmp eip, A
je LOOP
bphws esp, "r"                  // HW breakpoint on read of [esp]: fires on the RET
esto
bphwc
bp eip+0BA
esto
bc
bp eip+35
run
bc
cmt eip ,"IsDebuggerPresent PEB | JMP if NOT"
add eip, 101                    // step over the IsDebuggerPresent (PEB) check
mov A, eip
bp eip+15
run
bc
add eip, 94
mov A, eip
////////////////////
LOOP2:
sti
cmp eip, A
je LOOP2
mov A, eip
mov MZ, esi                     // esi = base of the unmapped-in original image (MZ)
pusha
mov eax, [esi+3C]               // e_lfanew
add eax, MZ                     // -> PE header
mov eax, [eax+50]               // OptionalHeader.SizeOfImage
dm esi, eax, "Unpacked_AT.exe"  // dump SizeOfImage bytes from the image base
popa
ret
```

greetz
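A sanity check for a dump produced the way the script above does it, as an added example that is not from the thread: it walks the same header fields (e_lfanew at 0x3C, SizeOfImage at PE+0x50, plus ImageBase at PE+0x34) and flags the conditions behind the "wrong ImageBase" complaints from the import fixers. The PE32 image it inspects is constructed inline for the test; the function and field names are this example's own.

```python
import struct

# PE32 offsets used by the ODbgScript: e_lfanew, then ImageBase/SizeOfImage inside the PE header
E_LFANEW, IMAGE_BASE, SIZE_OF_IMAGE, NUM_SECTIONS, OPT_HDR_SIZE = 0x3C, 0x34, 0x50, 0x06, 0x14

def parse_dump_headers(img: bytes) -> dict:
    """Read the fields a dumper relies on from a raw in-memory PE32 image."""
    if len(img) < 0x40 or img[:2] != b"MZ":
        raise ValueError("no MZ header at start of dump")
    pe = struct.unpack_from("<I", img, E_LFANEW)[0]
    if pe + 0xF8 > len(img) or img[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad e_lfanew or missing PE signature")
    nsec = struct.unpack_from("<H", img, pe + NUM_SECTIONS)[0]
    opt_size = struct.unpack_from("<H", img, pe + OPT_HDR_SIZE)[0]
    sections = []
    for i in range(nsec):
        off = pe + 0x18 + opt_size + 40 * i          # IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, va = struct.unpack_from("<8sII", img, off)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), va, vsize))
    return {"image_base": struct.unpack_from("<I", img, pe + IMAGE_BASE)[0],
            "size_of_image": struct.unpack_from("<I", img, pe + SIZE_OF_IMAGE)[0],
            "sections": sections}

def check_dump(img: bytes, dumped_from: int) -> list:
    """Flag what makes import fixers choke: ImageBase != dump address, short dump, sections past end."""
    hdr = parse_dump_headers(img)
    problems = []
    if hdr["image_base"] != dumped_from:
        problems.append("ImageBase %#x != dump address %#x" % (hdr["image_base"], dumped_from))
    if len(img) < hdr["size_of_image"]:
        problems.append("dump is %#x bytes, SizeOfImage is %#x" % (len(img), hdr["size_of_image"]))
    for name, va, vsize in hdr["sections"]:
        if va + vsize > hdr["size_of_image"]:
            problems.append("section %s ends past SizeOfImage" % name)
    return problems

def build_sample_image(image_base: int, size_of_image: int, sections) -> bytes:
    """Constructed minimal PE32 image for testing; headers only, not a real binary."""
    pe, img = 0x80, bytearray(size_of_image)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, E_LFANEW, pe)
    img[pe:pe + 4] = b"PE\0\0"
    struct.pack_into("<HH", img, pe + 4, 0x14C, len(sections))   # Machine=i386, NumberOfSections
    struct.pack_into("<H", img, pe + OPT_HDR_SIZE, 0xE0)          # PE32 optional header size
    struct.pack_into("<I", img, pe + IMAGE_BASE, image_base)
    struct.pack_into("<I", img, pe + SIZE_OF_IMAGE, size_of_image)
    for i, (name, va, vsize) in enumerate(sections):
        struct.pack_into("<8sII", img, pe + 0x18 + 0xE0 + 40 * i, name, vsize, va)
    return bytes(img)
```

Run `check_dump(dump_bytes, base_seen_in_esi)` on the file the script writes; an empty list means the headers describe the dump consistently.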
September 8, 2011

It's the infamous RunPE method, which is why import tools have trouble finding the real executable's path (the process is started as your default browser and then unmapped).

Edited September 8, 2011 by metr0