Hi

Please Unpack and write a tut

Enabled Options :

[+] Anti OllyDbg

[+] Anti Dump Protection

[+] IAT Redirection

Unpacking this one is quite easy but the problem is that none of the currently available import fixers can fix the IAT successfully. Neither on Win XP x86 nor Win 7 x64.

  • ImpREC: Detects wrong ImageBase.
  • CHimpRC: Detects wrong ImageBase.
  • Imports Fixer: Says "The process doesn't exist anymore!", but it does.
  • Scylla: Detects right ImageBase but crashes while fixing the dump

That's very frustrating. Anyone got a solution?

Hi,

OK, here is my unpacked file. Test it.

solution is very simple. :)

There is nothing to fix.


greetz

UnpackMe_Unpacked.rar

  • Author

Thanks LCF-AT

This is very similar to binders, am I right?

Scylla: Detects right ImageBase but crashes while fixing the dump

go report it, Scylla still is in the initial phase of development.

@ Magician

No problem but you should better throw this protection in the trash. :) The problem is that the full target is already there, which is original and not protected. Some kind of wrapper or so. You only need to catch the real place and then only dump it with the right PE data and that's all.

So you had already used better protections in the past. :)

greetz

Oh damn I forgot that everything is valid already.

So here my dumped file.

Dumped.rar

Edited by DizzY_D

  • Author

Can you make a little, short tut?

Thanks

Sorry I have to finish the Enigma paper first.

Maybe after that.

  • Author

Thanks, I'll wait for the Enigma paper, it's better ;)

Nice unpackme.

How do you fake the process image path? I know there is some PEB trick, but usually it is still possible to get the image path with NtQueryInformationProcess and ProcessImageFileName.

Hi,

here a small script. :)

pause
bphwc
bc
// VI Protect UnpackMe direct dumper
// Start script at EP
var A
var MZ
mov A, eip
////////////////////
LOOP:
// single-step until eip leaves the entry point
sti
cmp eip, A
je LOOP
// hardware breakpoint on read of [esp]: triggers when the stub returns
bphws esp, "r"
esto
bphwc
bp eip+0BA
esto
bc
bp eip+35
run
bc
cmt eip ,"IsDebuggerPresent PEB | JMP if NOT"
// move eip past the PEB BeingDebugged check instead of letting it run
add eip, 101
mov A, eip
bp eip+15
run
bc
add eip, 94
mov A, eip
////////////////////
LOOP2:
sti
cmp eip, A
je LOOP2
mov A, eip
// esi points at the MZ header of the embedded original image
mov MZ, esi
pusha
// e_lfanew: offset of the PE signature from the MZ header
mov eax, [esi+3C]
add eax, MZ
// SizeOfImage sits 0x50 bytes after the PE signature
mov eax, [eax+50]
// dump SizeOfImage bytes starting at the MZ header to disk
dm esi, eax, "Unpacked_AT.exe"
popa
ret

greetz

  • Author

Thanks Dear LCF-AT

It's the infamous RunPE method, which is why import tools have trouble finding the real executable's path (the process is started as your default browser and then unmapped).

Edited by metr0
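The RunPE explanation above is why the image path looks legitimate (NtQueryInformationProcess/ProcessImageFileName still reports the browser the process was created as) while the headers mapped at the PEB ImageBaseAddress belong to a different executable. The following is an added example, not code from the thread: it reads the same PE fields the OllyScript above reads (e_lfanew at 0x3C, SizeOfImage at PE signature + 0x50) and compares the on-disk headers of the claimed image path against the headers actually mapped in memory, which is a common hollowing check in memory forensics. The PE headers are constructed inline for the example; in practice the mapped bytes would come from reading the target process, which is assumed here.

```python
"""
Added example (not from the thread): parse the PE header fields a dumper or a
process-hollowing check needs, then compare on-disk vs mapped headers.
All PE images below are constructed for this example, not real binaries.
"""
import struct

PE_SIG = b"PE\x00\x00"


def e_lfanew(image: bytes) -> int:
    """Offset of the PE signature, read from the DOS header at 0x3C."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    return struct.unpack_from("<I", image, 0x3C)[0]


def pe_fields(image: bytes) -> dict:
    """Fields a dumper (SizeOfImage) and a hollowing check care about.

    Offsets are relative to the PE signature, exactly as the OllyScript
    reads SizeOfImage via [e_lfanew + 0x50].
    """
    off = e_lfanew(image)
    if image[off:off + 4] != PE_SIG:
        raise ValueError("missing PE signature")
    return {
        "number_of_sections": struct.unpack_from("<H", image, off + 0x06)[0],
        "entry_point": struct.unpack_from("<I", image, off + 0x28)[0],
        "image_base": struct.unpack_from("<I", image, off + 0x34)[0],  # PE32
        "size_of_image": struct.unpack_from("<I", image, off + 0x50)[0],
    }


def dump_length(mapped_image: bytes) -> int:
    """How many bytes a direct dump from the MZ header must copy."""
    return pe_fields(mapped_image)["size_of_image"]


def hollowing_indicators(disk_image: bytes, mapped_image: bytes) -> list:
    """Names of header fields that differ between the file the process claims
    to be and the image actually mapped at ImageBaseAddress.

    After RunPE the original image has been unmapped and replaced, so these
    diverge even though the reported image path is still the original file.
    An empty list means the mapped headers match the on-disk ones.
    """
    disk, mem = pe_fields(disk_image), pe_fields(mapped_image)
    return [name for name in disk if disk[name] != mem[name]]


def build_pe(entry_point: int, image_base: int, size_of_image: int,
             n_sections: int) -> bytes:
    """Constructed minimal PE32 header for this example (not a runnable binary)."""
    pe_off = 0x80
    dos = bytearray(b"MZ" + b"\x00" * (pe_off - 2))
    struct.pack_into("<I", dos, 0x3C, pe_off)
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    file_hdr = struct.pack("<HHIIIHH", 0x14C, n_sections, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0x00, 0x10B)          # PE32 magic
    struct.pack_into("<I", opt, 0x10, entry_point)    # AddressOfEntryPoint
    struct.pack_into("<I", opt, 0x1C, image_base)     # ImageBase
    struct.pack_into("<I", opt, 0x38, size_of_image)  # SizeOfImage
    return bytes(dos) + PE_SIG + file_hdr + bytes(opt)


# Constructed sample: what the claimed image file looks like on disk ...
DISK_IMAGE = build_pe(0x1000, 0x400000, 0x200000, 5)
# ... and what is actually mapped after a RunPE-style replacement.
MAPPED_IMAGE = build_pe(0x2000, 0x400000, 0x30000, 3)

if __name__ == "__main__":
    print("dump length:", hex(dump_length(MAPPED_IMAGE)))
    print("differing fields:", hollowing_indicators(DISK_IMAGE, MAPPED_IMAGE))
```

A matching ImageBase (as in the sample) is not a clean bill of health: loaders commonly map the payload at the original base, so entry point, section count and SizeOfImage are the fields that usually give it away. Comparing headers is complementary to checking the region type at ImageBaseAddress, which is no longer an image mapping once the original section has been unmapped.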

CreateProcessW("C:\Program Files\Mozilla Firefox\firefox.exe")

so easy
