January 27, 2013 The [unpackme] tag has been added to your topic title. Please remember to follow and adhere to the topic title format - thank you! [This is an automated reply]
January 27, 2013 Hi, just added an Anti-Patch so that you can run more instances at the same time. If you check the original & first unpacked file then you get some china detect message if you try to run more than one instance etc. greetz Safengine Shielden 2.1.9.0_Unpacked+Anti_More_Run_Check_Patch.rar
January 27, 2013
Quote: Hi, just added an Anti-Patch so that you can run more instances at the same time. If you check the original & first unpacked file then you get some china detect message if you try to run more than one instance etc. greetz
Congratulations, LCF-AT, bro! I'm a newbie. Can you give your OllyDBG to me? Ahhh, your OD is very beautiful, and your VMP script is near perfect, and your tutorials for the script. In the options of the script, there are two vars of ARIMPREC_PATH that need to be adjusted, or there will be an error in the OD script.
January 27, 2013 Hi. Here is my unpacked file. It's almost easy to unpack. Also we can restore all imports to standard mode. Kind Regards Unpacked By Raham.rar Edited January 27, 2013 by Raham
January 27, 2013 LCF-AT's unpacked file works perfectly, Raham's unpacked file crashes on 64 bit Win 7. BTW, I admire you guys, unpacking Masters. I also want to learn unpacking from zero knowledge, any idea how to start??
January 27, 2013
Quote: Congratulations, LCF-AT, bro! I'm a newbie. Can you give your OllyDBG to me? Ahhh, your OD is very beautiful, and your VMP script is near perfect, and your tutorials for the script. In the options of the script, there are two vars of ARIMPREC_PATH that need to be adjusted, or there will be an error in the OD script.
Could this be yet another sock-puppet account of the expert Kissy?
January 27, 2013 I have tested in Win 8, Win 7 x86_x64 + Win XP... it runs... Did anyone else have a crash problem with my unpacked file?
January 27, 2013
@ Kinney So you can use any Olly which you like. Just have a look around so there are a lot of different Olly's. Yes I know there are 2 path lines of the ARIMPREC_PATH so I did forget to delete it. So I wrote that important info already on my topic where you can download the script. Just delete the ARIMPREC_PATH line at the end then the script will only use the ARIMPREC_PATH at the top of the script. Delete this at line 3784 or set a // before and save.
var ARIMPREC_PATH
// mov ARIMPREC_PATH, "C:\Nacho dll test\ARImpRec.dll"
var TryGetImportedFunctionName
@ chixiaojie Just start with some basic tutorials about unpacking and more. So I would recommend the Lena151 series so just have a look. There you get a basic and advanced overview about almost everything.
@ Raham Ok I have seen you did unpack your file in the "very simplest way". Only restoring one GetModuleHandleA API for the VM access. By the way, so you can also just zero the old heap addresses then it runs too so no extra heap section needed. In your case it's only one address. Just fill = work = no Heap section access anymore of your file. So all in all your dump does run of course [XP SP3 & SP0] but can we say it's really unpacked in that way [no criticism]? Anyway, so in that way you can unpack the file in one minute and just use the protection code itself to let it create all direct API addresses on each run. greetz
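January 28, 2013
Quote: Could this be yet another sock-puppet account of the expert Kissy?
chixiaojie, you flatter me too much, I'm just a little newbie~ I can't handle SE at all. I have, though, analyzed some of SE's atomic instructions and analyzed VMP's atomic instructions and NAND gates, so I can't say I know nothing at all about VMP. I hope to learn a lot from you.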
January 28, 2013
Quote: @ Kinney So you can use any Olly which you like. Just have a look around so there are a lot of different Olly's. Yes I know there are 2 path lines of the ARIMPREC_PATH so I did forget to delete it. So I wrote that important info already on my topic where you can download the script. Just delete the ARIMPREC_PATH line at the end then the script will only use the ARIMPREC_PATH at the top of the script. Delete this at line 3784 or set a // before and save.
var ARIMPREC_PATH
// mov ARIMPREC_PATH, "C:\Nacho dll test\ARImpRec.dll"
var TryGetImportedFunctionName
@ chixiaojie Just start with some basic tutorials about unpacking and more. So I would recommend the Lena151 series so just have a look. There you get a basic and advanced overview about almost everything.
@ Raham Ok I have seen you did unpack your file in the "very simplest way". Only restoring one GetModuleHandleA API for the VM access. By the way, so you can also just zero the old heap addresses then it runs too so no extra heap section needed. In your case it's only one address. Just fill = work = no Heap section access anymore of your file. So all in all your dump does run of course [XP SP3 & SP0] but can we say it's really unpacked in that way [no criticism]? Anyway, so in that way you can unpack the file in one minute and just use the protection code itself to let it create all direct API addresses on each run. greetz
Emmm, bro! Where is the Lena151 series? Ahhh, I searched the forum but I didn't find it, so can you give us a link to it? Thanks a lot.
January 28, 2013 @ Kinney: Lenas Reversing for Newbies (Reversing for Newbies - Complete, 139.59 MB) greetz
January 28, 2013 @LCF Yes, as I told, it's easy to unpack.... Via using Old Heap... Some patches needed (1. Add API, RedirectOffset & 2. Check Module ImageBase). But after patching them... you could easiiiilyyy restore the API (because they are direct now) and also it's easy to code a tool to restore them to the normal ones... maybe later I code that tool. PS: Yes, it's unpacked... but not clean unpacking ;) I call it Dirty Unpacking (anyway I prefer the clean one), like the same scenario that some unpackers do with particular protectors ;) Kind Regards ;) Edited January 28, 2013 by Raham
January 28, 2013 Hello, Masters, did you use OD to unpack it or some other debugger? This is an interesting thing to know. Safengine will detect OD and show a message that a debugger was found and tell you to unload it, thanks all. Edited January 28, 2013 by chixiaojie
January 28, 2013 @ Dirty Raham Sounds nice that you wanna code a tool for this protection too. Yes I also prefer clean unpacks but the unclean method is also a solution if it works. So it's good to beat the protector with his own weapon. Hehehe. greetz
January 31, 2013 @LCF-AT, how did you unpack that program perfectly? Could you please make a simple tutorial for such newbies as me? Thank you
January 31, 2013
Quote: I have tested in Win 8, Win 7 x86_x64 + Win XP... it runs... Did anyone else have a crash problem with my unpacked file?
Works fine on my Win 7 x64 Ultimate.
January 31, 2013
Quote: Congratulations, LCF-AT, bro! I'm a newbie. Can you give your OllyDBG to me? Ahhh, your OD is very beautiful, and your VMP script is near perfect, and your tutorials for the script. In the options of the script, there are two vars of ARIMPREC_PATH that need to be adjusted, or there will be an error in the OD script.
Private tool
January 31, 2013 @ blueflycn So I wrote a script to fix all APIs & commands. So fixing the APIs is simple so you just need to trace the calls which you can find in the code section calling the protector section. Just analyse this. In the routines you get the APIs or EMU APIs and later you come out in the API or EMU API or only code section with API / EMU API in register = API command. So you can handle this also with a script but it will take a longer time to check all calls etc. so a script is just a temporary solution but no good solution for large files which are using a lot of calls. I will see what I can do in the future to create a tutorial / turbo script etc. or someone of the coders can create tools which work much faster etc. greetz
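Added example, not part of the thread or of any poster's script: a static first pass over the step described in the post above, listing the `E8 rel32` call sites in a code section whose targets land in the protector's section. The addresses, section ranges and sample bytes are constructed, and restricting the scan to direct near calls is an assumption.

```python
import struct

def rel32_call(site_va, target_va):
    """Encode a 5-byte x86 direct near call (E8 rel32) placed at site_va."""
    return b"\xE8" + struct.pack("<i", target_va - (site_va + 5))

def find_cross_section_calls(code, code_va, sect_start, sect_end):
    """List (call_site_va, target_va) for E8 rel32 patterns targeting [sect_start, sect_end).

    This is a byte scan, not a disassembly: an E8 that is really operand data
    can match by chance, so results are candidates to confirm in a debugger.
    """
    hits = []
    for off in range(len(code) - 4):
        if code[off] != 0xE8:
            continue
        rel = struct.unpack_from("<i", code, off + 1)[0]
        site = code_va + off
        target = (site + 5 + rel) & 0xFFFFFFFF  # 32-bit wraparound
        if sect_start <= target < sect_end:
            hits.append((site, target))
    return hits

def distinct_targets(hits):
    """Collapse call sites to the stubs they reach, with a use count per stub."""
    counts = {}
    for _, target in hits:
        counts[target] = counts.get(target, 0) + 1
    return dict(sorted(counts.items()))

# Constructed sample layout (hypothetical values, not taken from the unpackme).
CODE_VA = 0x401000
PROT_START, PROT_END = 0x4A0000, 0x4C0000
SAMPLE = (
    rel32_call(0x401000, 0x4A1234)    # call into the protector section
    + b"\x90"                         # nop
    + rel32_call(0x401006, 0x401100)  # ordinary call inside the code section
    + b"\xB8\xE8\x00\x00\x00"         # mov eax, 0xE8 (the E8 here is data)
    + rel32_call(0x401010, 0x4A1234)  # second call to the same stub
    + b"\xC3"                         # ret
)

if __name__ == "__main__":
    found = find_cross_section_calls(SAMPLE, CODE_VA, PROT_START, PROT_END)
    for site, target in found:
        print(f"{site:#010x} -> {target:#010x}")
    print(distinct_targets(found))
```

Grouping by target shows how many distinct stubs there are to resolve, which is far fewer than the number of call sites when the same import is used repeatedly.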
February 1, 2013 @LCF-AT well I am a newbie so please excuse me if that question is somewhat non-professional :) but would you mind sharing the script with me, because I guess it's a very good start for me to learn. Thank you Edited February 1, 2013 by blueflycn