[UnpackMe] Sepanta Unpackme 1.00 Beta

[Gladiator]

Hi my friends

There is an unpackme from Raham

i think its good and want to know your idea

Thanks.

[Raham]

lol

its my unpackme but you publish it? what i Can Tell you?

Kind Regards

Edited February 4, 2012 by Raham

[LCF-AT]

Hi,

are you both friends again?

Ok I had a quick look on it.

IAT no problem so far.Some diffrent ways but not hard.

00401250 - FF25 7C104000 JMP DWORD PTR DS:[40107C] ; msvbvm60.__vbaChkstk
00401256 - FF25 A0104000 JMP DWORD PTR DS:[4010A0] ; msvbvm60.__vbaExceptHandler
0040125C - FF25 B4104000 JMP DWORD PTR DS:[4010B4] ; msvbvm60.__vbaFPException
00401262 - FF25 64104000 JMP DWORD PTR DS:[401064] ; msvbvm60._adj_fdiv_m16i
00401268 - FF25 4C104000 JMP DWORD PTR DS:[40104C] ; msvbvm60._adj_fdiv_m32
0040126E - FF25 D4104000 JMP DWORD PTR DS:[4010D4] ; msvbvm60._adj_fdiv_m32i
00401274 - FF25 2C104000 JMP DWORD PTR DS:[40102C] ; msvbvm60._adj_fdiv_m64
0040127A - FF25 F4104000 JMP DWORD PTR DS:[4010F4] ; msvbvm60._adj_fdiv_r
00401280 - FF25 68104000 JMP DWORD PTR DS:[401068] ; msvbvm60._adj_fdivr_m16i
00401286 - FF25 EC104000 JMP DWORD PTR DS:[4010EC] ; msvbvm60._adj_fdivr_m32
0040128C - FF25 D8104000 JMP DWORD PTR DS:[4010D8] ; msvbvm60._adj_fdivr_m32i
00401292 - FF25 AC104000 JMP DWORD PTR DS:[4010AC] ; msvbvm60._adj_fdivr_m64
00401298 - FF25 8C104000 JMP DWORD PTR DS:[40108C] ; msvbvm60._adj_fpatan
0040129E - FF25 A8104000 JMP DWORD PTR DS:[4010A8] ; msvbvm60._adj_fprem
004012A4 - FF25 38104000 JMP DWORD PTR DS:[401038] ; msvbvm60._adj_fprem1
004012AA - FF25 0C104000 JMP DWORD PTR DS:[40100C] ; msvbvm60._adj_fptan
004012B0 - FF25 2C114000 JMP DWORD PTR DS:[40112C] ; msvbvm60._CIatan
004012B6 - FF25 08104000 JMP DWORD PTR DS:[401008] ; msvbvm60._CIcos
004012BC - FF25 44114000 JMP DWORD PTR DS:[401144] ; msvbvm60._CIexp
004012C2 - FF25 C8104000 JMP DWORD PTR DS:[4010C8] ; msvbvm60._CIlog
004012C8 - FF25 74104000 JMP DWORD PTR DS:[401074] ; msvbvm60._CIsin
004012CE - FF25 94104000 JMP DWORD PTR DS:[401094] ; msvbvm60._CIsqrt
004012D4 - FF25 3C114000 JMP DWORD PTR DS:[40113C] ; msvbvm60._CItan
004012DA - FF25 38114000 JMP DWORD PTR DS:[401138] ; msvbvm60._allmul
004012E0 - FF25 88104000 JMP DWORD PTR DS:[401088] ; msvbvm60.DllFunctionCall
004012E6 - FF25 60104000 JMP DWORD PTR DS:[401060] ; msvbvm60.__vbaOnError
004012EC - FF25 CC104000 JMP DWORD PTR DS:[4010CC] ; msvbvm60.__vbaErrorOverflow
004012F2 - FF25 14104000 JMP DWORD PTR DS:[401014] ; msvbvm60.__vbaStrI4
004012F8 - FF25 40114000 JMP DWORD PTR DS:[401140] ; msvbvm60.__vbaVarForNext
004012FE - FF25 1C114000 JMP DWORD PTR DS:[40111C] ; msvbvm60.__vbaVarMod
00401304 - FF25 84104000 JMP DWORD PTR DS:[401084] ; msvbvm60.__vbaVarTstEq
0040130A - FF25 54104000 JMP DWORD PTR DS:[401054] ; msvbvm60.__vbaVarForInit
00401310 - FF25 5C104000 JMP DWORD PTR DS:[40105C] ; msvbvm60.rtcMsgBox
00401316 - FF25 3C104000 JMP DWORD PTR DS:[40103C] ; msvbvm60.__vbaStrCat
0040131C - FF25 18114000 JMP DWORD PTR DS:[401118] ; msvbvm60.__vbaVarDup
00401322 - FF25 A4104000 JMP DWORD PTR DS:[4010A4] ; msvbvm60.rtcSplit
00401328 - FF25 28104000 JMP DWORD PTR DS:[401028] ; msvbvm60.__vbaFreeVarList
0040132E - FF25 BC104000 JMP DWORD PTR DS:[4010BC] ; msvbvm60.__vbaVarCat
00401334 - FF25 08114000 JMP DWORD PTR DS:[401108] ; msvbvm60.rtcGetDateVar
0040133A - FF25 14114000 JMP DWORD PTR DS:[401114] ; msvbvm60.rtcGetTimeVar
00401340 - FF25 10104000 JMP DWORD PTR DS:[401010] ; msvbvm60.__vbaVarMove
00401346 - FF25 30104000 JMP DWORD PTR DS:[401030] ; msvbvm60.__vbaFreeObjList
0040134C - FF25 40104000 JMP DWORD PTR DS:[401040] ; msvbvm60.__vbaSetSystemError
00401352 - FF25 04104000 JMP DWORD PTR DS:[401004] ; msvbvm60.__vbaStrI2
00401358 - FF25 30114000 JMP DWORD PTR DS:[401130] ; msvbvm60.__vbaStrMove
0040135E - FF25 10114000 JMP DWORD PTR DS:[401110] ; msvbvm60.__vbaStrToAnsi
00401364 - FF25 1C104000 JMP DWORD PTR DS:[40101C] ; msvbvm60.__vbaFreeVar
0040136A - FF25 E8104000 JMP DWORD PTR DS:[4010E8] ; msvbvm60.__vbaFreeStrList
00401370 - FF25 B8104000 JMP DWORD PTR DS:[4010B8] ; msvbvm60.__vbaStrVarVal
00401376 - FF25 58104000 JMP DWORD PTR DS:[401058] ; msvbvm60.__vbaObjSet
0040137C - FF25 4C114000 JMP DWORD PTR DS:[40114C] ; msvbvm60.__vbaFreeObj
00401382 - FF25 44104000 JMP DWORD PTR DS:[401044] ; msvbvm60.__vbaHresultCheckObj
00401388 - FF25 D0104000 JMP DWORD PTR DS:[4010D0] ; msvbvm60.__vbaNew2
0040138E - FF25 48114000 JMP DWORD PTR DS:[401148] ; msvbvm60.__vbaFreeStr
00401394 - FF25 E0104000 JMP DWORD PTR DS:[4010E0] ; msvbvm60.__vbaStrCopy
0040139A - FF25 C4104000 JMP DWORD PTR DS:[4010C4] ; msvbvm60.VarPtr
004013A0 - FF25 E4104000 JMP DWORD PTR DS:[4010E4] ; msvbvm60.__vbaI4Str
004013A6 - FF25 00114000 JMP DWORD PTR DS:[401100] ; msvbvm60.__vbaVarTstNe
004013AC - FF25 F0104000 JMP DWORD PTR DS:[4010F0] ; msvbvm60.__vbaPowerR8
004013B2 - FF25 18104000 JMP DWORD PTR DS:[401018] ; msvbvm60.rtcLog
004013B8 - FF25 24114000 JMP DWORD PTR DS:[401124] ; msvbvm60.__vbaFpI4
004013BE - FF25 00104000 JMP DWORD PTR DS:[401000] ; msvbvm60.__vbaVarSub
004013C4 - FF25 48104000 JMP DWORD PTR DS:[401048] ; msvbvm60.__vbaLenVar
004013CA - FF25 70104000 JMP DWORD PTR DS:[401070] ; msvbvm60.__vbaVarTstLt
004013D0 - FF25 C0104000 JMP DWORD PTR DS:[4010C0] ; msvbvm60.__vbaI2Var
004013D6 - FF25 50104000 JMP DWORD PTR DS:[401050] ; msvbvm60.__vbaAryDestruct
004013DC - FF25 34114000 JMP DWORD PTR DS:[401134] ; msvbvm60.rtcRightCharVar
004013E2 - FF25 9C104000 JMP DWORD PTR DS:[40109C] ; msvbvm60.__vbaVarMul
004013E8 - FF25 28114000 JMP DWORD PTR DS:[401128] ; msvbvm60.rtcLeftCharVar
004013EE - FF25 B0104000 JMP DWORD PTR DS:[4010B0] ; msvbvm60.rtcVarBstrFromAnsi
004013F4 - FF25 6C104000 JMP DWORD PTR DS:[40106C] ; msvbvm60.__vbaVarIndexLoad
004013FA - FF25 0C114000 JMP DWORD PTR DS:[40110C] ; msvbvm60.__vbaVarAdd
00401400 - FF25 50114000 JMP DWORD PTR DS:[401150] ; msvbvm60.rtcR8ValFromBstr
00401406 - FF25 F8104000 JMP DWORD PTR DS:[4010F8] ; msvbvm60.rtcErrObj
0040140C - FF25 20114000 JMP DWORD PTR DS:[401120] ; msvbvm60.__vbaVarCopy
00401412 - FF25 DC104000 JMP DWORD PTR DS:[4010DC] ; msvbvm60.rtcHexVarFromVar
00401418 - FF25 24104000 JMP DWORD PTR DS:[401024] ; msvbvm60.__vbaStrVarMove
0040141E - FF25 04114000 JMP DWORD PTR DS:[401104] ; msvbvm60.__vbaI4Var
00401424 - FF25 78104000 JMP DWORD PTR DS:[401078] ; msvbvm60.rtcMidCharVar
0040142A - FF25 34104000 JMP DWORD PTR DS:[401034] ; msvbvm60.rtcAnsiValueBstr
00401430 - FF25 20104000 JMP DWORD PTR DS:[401020] ; msvbvm60.__vbaLenBstr
00401436 - FF25 98104000 JMP DWORD PTR DS:[401098] ; msvbvm60.EVENT_SINK_QueryInterface
0040143C - FF25 80104000 JMP DWORD PTR DS:[401080] ; msvbvm60.EVENT_SINK_AddRef
00401442 - FF25 90104000 JMP DWORD PTR DS:[401090] ; msvbvm60.EVENT_SINK_Release
00401448 - FF25 FC104000 JMP DWORD PTR DS:[4010FC] ; msvbvm60.ThunRTMain
0040144E <> 68 04664100 PUSH 416604
00401453 E8 F0FFFFFF CALL 00401448 ; <JMP.&msvbvm60.ThunRTMain>

So you are using again NANOS!I had this nano stuff! Have not fixed them.

004EACC5   CMP DWORD PTR SS:[EBP-2C],80000003LEA EAX,DWORD PTR DS:[4583B0]004583B0  00000000
004583B4  00CAFB6C
004583B8  00418852  UnPackMe.00418852
004583BC  0000001B  <-- +1 | 1C
004583C0  00000202
004583C4  00CAFACC
004583C8  00000023 <-- Maybe JMP JNZ JGL etc check
004583CC  0000000000418851    CC               INT3
00418852    90               NOP00418851   /75 1C            JNZ SHORT 0041886F   

Something like this you know.

You can get the unpacked file without NANO fix.Anyway,without nanos it would be almost easy to unpack.

greetz

[Raham]

hi DEAR LCF:x

first....congratz again for import;)

but after Nano we Have Stolen Resource on Sepanta:D

hmmmmmmmm i know i have very simple VM...

but totally what was the effect of my VM + My Code Obfuscation?

plz give me your opinion....

also plz continue unpacking.... i need full unpacked file;)

Thx Dear

Good Luck

Raham

[Gladiator]

lol

its unpackme but you publish it? what i Can Tell you?

Kind Regards

what did i wrong ? i just want to see the analysis of this unpackme and its seems to be nice , i am sorry about any problem that i have made for you

[Raham]

hi guys

whats up with unpacking this ?

What did you do,LCF?

again in Nano?

Regards

Edited November 4, 2011 by Raham