Jump to content
View in the app

A better way to browse. Learn more.
Tuts 4 You

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

[UnpackMe] VI_Protect Unpackme

Gladiator
Gladiator
in UnPackMe (.NET)

Featured Replies

Posted

Hi

Please Unpack and write a tut

Enabled Options :

[+] Anti OllyDbg

[+] Anti Dump Protection

[+] IAT Redirection

Unpacking this one is quite easy but the problem is that none of the currently aviable import fixers can fix the IAT successfully. Neither on Win XP x86 nor Win 7 x64.

  • ImpREC: Detects wrong ImageBase.
  • CHimpRC: Detects wrong ImageBase.
  • Imports Fixer: Says "The process doesn't exist anymore!", but it does.
  • Scylla: Detects right ImageBase but crashes whils fixing the dump

Thats very frustrating. Anyone got a solution?

Hi,

ok here my unpacked file.Test it.

solution is very simple. :)

There is nothing to fix.

Level 1 | 10

greetz

UnpackMe_Unpacked.rar

    •
    • Like 1
    • Author

    Thanks LCF-AT

    This is very similar to binders , am i right ?

    Scylla: Detects right ImageBase but crashes whils fixing the dump

    go report it, scylla still is in the intial phase of developpment.

    @ Magician

    No problem but you should better throw this protection in the trash. :) The problem is that the full target is already there which is original and not protected.Some kind of wrapper or so.You only need to catch the real place and then only dump it with the right PE datas and thats all.

    So you had already used better protections in the past. :)

    greetz

    •
    • Like 1

    Oh damn I forgot that everything is valid already. crazy.gif

    So here my dumped file.

    Dumped.rar

    Edited by DizzY_D

    • Like 1
    • Author

    may you make a little and short tut ?

    Thanks

    Sorry I have to finish the Enigma paper first.

    Maybe after that.

    • Author

    Thanks , i like wait for enigma paper , its better ;)

    Nice unpackme.

    How do you fake the process image path? I know there is some PEB trick, but usually it is still possible to get the image path with NtQueryInformationProcess and ProcessImageFileName.

    Hi,

    here a small script. :)

    pause
    bphwc
    bc
    // VI Protect UnpackMe direct dumper
    // Start script at EP
    var A
    var MZ
    mov A, eip
    ////////////////////
    LOOP:
    sti
    cmp eip, A
    je LOOP
    bphws esp, "r"
    esto
    bphwc
    bp eip+0BA
    esto
    bc
    bp eip+35
    run
    bc
    cmt eip ,"IsDebuggerPresent PEB | JMP if NOT"
    add eip, 101
    mov A, eip
    bp eip+15
    run
    bc
    add eip, 94
    mov A, eip
    ////////////////////
    LOOP2:
    sti
    cmp eip, A
    je LOOP2
    mov A, eip
    mov MZ, esi
    pusha
    mov eax, [esi+3C]
    add eax, MZ
    mov eax, [eax+50]
    dm esi, eax, "Unpacked_AT.exe"
    popa
    ret

    greetz

    •
    • Like 1
    • Author

    Thanks Dear LCF-ATcupidarrow.gif

    It's the infamous RunPE method which is why import tools have troubles to find the real executable's path (the process is started as your default browser and then unmapped).

    Edited by metr0

    • Like 1

    CreateProcessW("C:\Program Files\Mozilla Firefox\firefox.exe")

    so easy

    Create an account or sign in to comment

    Go to topic listing

    Configure browser push notifications
    Chrome (Android)
    1. Tap the lock icon next to the address bar.
    2. Tap Permissions → Notifications.
    3. Adjust your preference.
    Chrome (Desktop)
    1. Click the padlock icon in the address bar.
    2. Select Site settings.
    3. Find Notifications and adjust your preference.