Tuts 4 You

[unpackme] Unpack Me WL 2.1.9



nguyenhung0702
Posted

Great bro. I'm using your script, but can't dump. Can you help me?

Posted

@ nguyenhung0702

What do you mean you can't dump? Some infos etc. So my 1.2 script should also work with this unpackme. Just try again or give some infos about your problem. Enter IAT data manually in ImpRec etc.

PS: I use the scylla fixing tool now [no more ImpRec at the moment].

greetz

nguyenhung0702
Posted

Thanks for your reply. When I use your script, I got this error:

Script Log Window

----------******************----------

VM antidump redirector is used.

Version retriever is not used.

Oreans kernel32, user32 and advapi32 dll's are disabled.

-------------

Modulebase: 00400000

Code & IAT Section: 00401000

Found new Anti-Dump store location at address: 40D0A0

CISC VM is located in the Themida - Winlicense section.

TM_WL_2: 0040FE60

Check Protection Antdump not redirected, version too low/high.

-------------

IAT fixing started.

DEC jumps detected at: 00529059

Cmp eax,50 detected at: 00529B7C

Magic Jump 1 at 52905A

IAT Jumper was found & fixed at address 528E14

Can't create special IAT patch!Just normal magic jump nopping method!

Stack-AntiDump does not break in the main target: WLTest | ntdll

Stack Anti Dump will disabled now!

Heap Fixing was skipped!

-------------

-------------

First is_registered dword retrieval point not found.

Second is_registered dword retrieval point not found.

-------------

All multithreading sleep api's fixed, number of VM entries: 00000001

VM oep finder failed, near oep finder was executed instead.

Stackantidump fixed XOR value changed, antidump redirecter failed.

------IMPORTANT MESSAGE!!!------

Stackantidump fixed XOR value changed, antidump redirecter failed.

Thanks for your help!

Posted

@ nguyenhung0702

So you told me you cannot dump the file. You should post some infos about this issue. So where is the problem?

Heap Fixing was skipped! <-- Do not skip heap fixing! Must be fixed if you keep the VM. Press NO if you get the message "skip Heap etc" and YES for the second HEAP.

Stack Antidump located at: 0040D1A0
SEH Antidump located at: 0040D1B4
Heap Antidump(1) located at: 0040D1A8
Heap Antidump(2) located at: 0040D1AC <---- Only access in VM later
0040D1AC 152C9614 <--- If wrong = crash

VA:
00401ABE | OEP
00403000 | IAT
000002F8 | SIZE

Have also unpacked the file with script 1.2 and it works too.

greetz
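After the dump exists, the OEP, IAT and SIZE values from the post above still have to land in the dump's PE header (Scylla does this for you). The following is an added example, not LCF-AT's script or any code from this thread: it does that header fix by hand with Python's struct module, against a constructed header-only PE32 image whose SizeOfImage (0x130000) is an assumed value.

```python
import struct

MODULE_BASE, OEP_VA, IAT_VA, IAT_SIZE = 0x00400000, 0x00401ABE, 0x00403000, 0x2F8  # VAs from the post
IAT_DIR = 12  # IMAGE_DIRECTORY_ENTRY_IAT: index of the IAT entry in the data directories

def build_minimal_pe32_header(image_base, size_of_image):
    """Constructed header-only PE32 image (no sections) standing in for a raw dump."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE signature at 0x40
    coff = struct.pack("<IHHIIIHH", 0x00004550, 0x14C, 0, 0, 0, 0, 224, 0x0102)  # "PE\0\0", i386
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)           # PE32 magic
    struct.pack_into("<I", opt, 28, image_base)     # ImageBase
    struct.pack_into("<I", opt, 56, size_of_image)  # SizeOfImage
    struct.pack_into("<I", opt, 92, 16)             # NumberOfRvaAndSizes
    return bytes(dos) + coff + bytes(opt)

def _optional_header_offset(data):
    """Locate the optional header and check that this really is a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt = e_lfanew + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    return opt

def fix_dump_header(data, oep_va, iat_va, iat_size):
    """Return a copy of the dump with AddressOfEntryPoint and the IAT directory set from VAs."""
    opt = _optional_header_offset(data)
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    size_of_image = struct.unpack_from("<I", data, opt + 56)[0]
    oep_rva, iat_rva = oep_va - image_base, iat_va - image_base
    # A wrong ModuleBase or a typo in the values puts an RVA outside the image; refuse that.
    for start, end in ((oep_rva, oep_rva + 1), (iat_rva, iat_rva + iat_size)):
        if start < 0 or end > size_of_image:
            raise ValueError("VA outside the image: check ModuleBase and the OEP/IAT values")
    out = bytearray(data)
    struct.pack_into("<I", out, opt + 16, oep_rva)  # AddressOfEntryPoint
    struct.pack_into("<II", out, opt + 96 + 8 * IAT_DIR, iat_rva, iat_size)
    return bytes(out)

def read_header_fields(data):
    opt = _optional_header_offset(data)
    iat_rva, iat_size = struct.unpack_from("<II", data, opt + 96 + 8 * IAT_DIR)
    return {"entry_rva": struct.unpack_from("<I", data, opt + 16)[0], "iat_rva": iat_rva, "iat_size": iat_size}
```

On a real dump the same functions work on the file bytes read from disk; the bounds check is what catches a ModuleBase copied from the wrong module.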

Posted

The [unpackme] tag has been added to your topic title.

Please remember to follow and adhere to the topic title format - thank you!

[This is an automated reply]

Posted (edited)

Hi brother "nguyenhung0702" ;)

Can you protect this Delphi 7 file with your TM/WL 2.1.9?

And set these protection levels. (3 unpackme)

Here is Delphi 7:
http://hotfile.com/dl/135856072/7c9a08e/Target(delphi_7).rar.html


Protection Options Level (2)
------------------
Anti-Debugger: Ultra
Anti-Dumpers: ENABLED
Entry Point Obfuscation: ENABLED
Resource Encryption: ENABLED
VMWare compatible: ENABLED
API-Wrapping Level: LEVEL2
Anti-Patching: None ***
Metamorph Security: ENABLED
Memory Guard: ENABLED
When Debugger Found: Display Message
Application compression: ENABLED
Resources compression: ENABLE
SecureEngine compression: ENABLED
Anti-File Monitor: ENABLED
Anti-Registry Monitor: ENABLED
Delphi/BCB form protection: ENABLE
Ring-0 Protection: ENABLED

Regards

Edited by Pertic@n
Posted (edited)

Thanks brothers nguyenhung0702 & LCF-AT ;)

@nguyenhung0702

Anti-Patching is disabled in this unpackme (level 2).

Can you enable it and upload again?

Level (3)


Protection Options Level (3)
------------------
Anti-Debugger: Ultra
Anti-Dumpers: ENABLED
Entry Point Obfuscation: ENABLED
Resource Encryption: ENABLED
VMWare compatible: ENABLED
API-Wrapping Level: LEVEL2
Anti-Patching: File Patching
Metamorph Security: ENABLED
Memory Guard: ENABLED
When Debugger Found: Display Message
Application compression: ENABLED
Resources compression: ENABLE
SecureEngine compression: ENABLED
Anti-File Monitor: ENABLED
Anti-Registry Monitor: ENABLED
Delphi/BCB form protection: ENABLE
Ring-0 Protection: ENABLED

Brother nguyenhung0702

Do you have the full version setup of TM/WL 2.1.9 (just the setup, no license)?

If yes, can you upload the full version setup for us?

Regards

Edited by Pertic@n
nguyenhung0702
Posted

@ LCF-AT: Thanks for your help! How do I restore the VM code?

@ Pertic@n: Sorry I can't.

Posted

@ nguyenhung0702

You can restore the VM code manually in your unpackme, so there is only a messagebox with some values which you can see if you set a BP on this API, and then rebuild it. For other targets you can try to use a plugin by Deathway [CISC only]. If you can't fix the VMed code then you have to keep the TM WL section = AntiDumps access & checking.

greetz

nguyenhung0702
Posted

Thanks LCF-AT. I'll learn how to do it. Thanks for your help!

Posted (edited)

@ Pertic@n: Sorry I can't.

Okay brother.

Can you enable all protections (don't forget Anti-Patching: File Patching) in your TM\WL and protect my Delphi target?

Regards

Edited by Pertic@n
