[UnpackMe] VI_Protect Unpackme

[Gladiator]

Hi

Please Unpack and write a tut

Enabled Options :

[+] Anti OllyDbg

[+] Anti Dump Protection

[+] IAT Redirection

[DizzY_D]

Unpacking this one is quite easy but the problem is that none of the currently aviable import fixers can fix the IAT successfully. Neither on Win XP x86 nor Win 7 x64.

• ImpREC: Detects wrong ImageBase.
  
• CHimpRC: Detects wrong ImageBase.
  
• Imports Fixer: Says "The process doesn't exist anymore!", but it does.
  
• Scylla: Detects right ImageBase but crashes whils fixing the dump
  

Thats very frustrating. Anyone got a solution?

[LCF-AT]

Hi,

ok here my unpacked file.Test it.

solution is very simple.

There is nothing to fix.

Level 1 | 10

greetz

UnpackMe_Unpacked.rar

[Gladiator]

Thanks LCF-AT

This is very similar to binders , am i right ?

[deepzero]

Scylla: Detects right ImageBase but crashes whils fixing the dump

go report it, scylla still is in the intial phase of developpment.

[LCF-AT]

@ Magician

No problem but you should better throw this protection in the trash. The problem is that the full target is already there which is original and not protected.Some kind of wrapper or so.You only need to catch the real place and then only dump it with the right PE datas and thats all.

So you had already used better protections in the past.

greetz

[DizzY_D]

Oh damn I forgot that everything is valid already.

So here my dumped file.

Dumped.rar

Edited September 7, 2011 by DizzY_D

[Gladiator]

may you make a little and short tut ?

Thanks

[DizzY_D]

Sorry I have to finish the Enigma paper first.

Maybe after that.

[Gladiator]

Thanks , i like wait for enigma paper , its better

[Aguila]

Nice unpackme.

How do you fake the process image path? I know there is some PEB trick, but usually it is still possible to get the image path with NtQueryInformationProcess and ProcessImageFileName.

[LCF-AT]

Hi,

here a small script.

pause
bphwc
bc
// VI Protect UnpackMe direct dumper
// Start script at EP
var A
var MZ
mov A, eip
////////////////////
LOOP:
sti
cmp eip, A
je LOOP
bphws esp, "r"
esto
bphwc
bp eip+0BA
esto
bc
bp eip+35
run
bc
cmt eip ,"IsDebuggerPresent PEB | JMP if NOT"
add eip, 101
mov A, eip
bp eip+15
run
bc
add eip, 94
mov A, eip
////////////////////
LOOP2:
sti
cmp eip, A
je LOOP2
mov A, eip
mov MZ, esi
pusha
mov eax, [esi+3C]
add eax, MZ
mov eax, [eax+50]
dm esi, eax, "Unpacked_AT.exe"
popa
ret

greetz

[Gladiator]

Thanks Dear LCF-AT

[metr0]

It's the infamous RunPE method which is why import tools have troubles to find the real executable's path (the process is started as your default browser and then unmapped).

Edited September 8, 2011 by metr0

[CodeExplorer]

CreateProcessW("C:\Program Files\Mozilla Firefox\firefox.exe")

[icezy]

so easy