Tuts 4 You

[unpackme] Safengine Shielden 2.1.9.0


Xjun


The [unpackme] tag has been added to your topic title.

Please remember to follow and adhere to the topic title format - thank you!

[This is an automated reply]


Hi,

Just added an Anti-Patch so that you can run more instances at the same time. If you check the original & first unpacked file, then you get some China detect message if you try to run more than one instance etc. :)

greetz

Congratulations, LCF-AT, Bro! I'm a newbie. Can you give your OllyDBG to me? Ahhh, your OD is very beautiful, and your VMP script is near perfect, and your tutorials for the script. In the options of the script, there are two vars of ARIMPREC_PATH that need to be adjusted, or it will give an error in the OD script.


Dragon Palace

LCF-AT's unpacked file works perfectly, Raham's unpacked file crashes on 64-bit Win 7.

BTW, I admire you guys, unpacking Masters. I also want to learn unpacking from zero knowledge, any idea how to start??



Dragon Palace

Congratulations, LCF-AT, Bro! I'm a newbie. Can you give your OllyDBG to me? Ahhh, your OD is very beautiful, and your VMP script is near perfect, and your tutorials for the script. In the options of the script, there are two vars of ARIMPREC_PATH that need to be adjusted, or it will give an error in the OD script.

Could this be another alt account of the big shot Kissy?


@ Kinney

So you can use any Olly which you like. Just have a look around; there are a lot of different Ollys. Yes, I know there are 2 path lines of the ARIMPREC_PATH, so I forgot to delete it. So I wrote that important info already on my topic where you can download the script. Just delete the ARIMPREC_PATH line at the end; then the script will only use the ARIMPREC_PATH at the top of the script.

Delete this at line 3784 or set a // before it and save.

var ARIMPREC_PATH
// mov ARIMPREC_PATH, "C:\Nacho dll test\ARImpRec.dll"
var TryGetImportedFunctionName

@ chixiaojie

Just start with some basic tutorials about unpacking and more. So I would recommend the Lena151 series, so just have a look. There you get a basic and advanced overview of almost everything.

@ Raham

Ok, I have seen you unpacked your file in the "very simplest way". :) Only restoring one GetModuleHandleA API for the VM access. :) By the way, you can also just zero the old heap addresses; then it runs too, so no extra heap section is needed. In your case it's only one address. :) Just fill = work = no heap section access anymore in your file. So all in all your dump does run of course [XP SP3 & SP0], but can we say it's really unpacked that way [no criticism]? :) Anyway, that way you can unpack the file in one minute and just use the protection code itself to create all direct API addresses on each run.

greetz


Could this be another alt account of the big shot Kissy?

chixiaojie, you flatter me too much, I'm just a little rookie and can't handle SE at all. Though I did analyze some of SE's atomic instructions and analyzed VMP's atomic instructions and NAND gates, so I can't say I know nothing about VMP. I hope to learn more from you.



Emmm, Bro! Where is the Lena151 series? Ahhh, I searched the forum but I didn't find it, so can you give us a link to it? Thanks a lot.


@LCF

Yes, as I told, it's easy to unpack.... via using the old heap... Some patches needed (1. Add API, RedirectOffset & 2. Check Module ImageBase), but after patching them...

you could easiiiilyyy restore the APIs (because they are direct now), and also it's easy to code a tool to restore them to normal ones... maybe later I'll code that tool.

PS: Yes, it's unpacked... but not clean unpacking ;) I call it dirty unpacking (anyway I prefer the clean one), like the same scenario that some unpackers do with particular protectors ;)

Kind Regards ;)


Edited by Raham

Dragon Palace

Hello, Masters, did you use OD to unpack it or some other debugger? This is an interesting thing to know. Safengine will detect OD, show a "debugger found" message and tell you to unload it. Thanks all.


Edited by chixiaojie

@ Dirty Raham ;)

Sounds nice that you also want to code a tool for this protection. :)

Yes, I also prefer clean unpacks, but the unclean method is also a solution if it works.

So it's good to beat the protector with his own weapon. :) Hehehe. :)

greetz


I have tested in Win 8, Win 7 x86_x64 + Win XP... it runs...

Anyone else had a crash problem with my unpacked file?

Works fine on my Win 7 x64 Ultimate. :)


Congratulations, LCF-AT, Bro! I'm a newbie. Can you give your OllyDBG to me? Ahhh, your OD is very beautiful, and your VMP script is near perfect, and your tutorials for the script. In the options of the script, there are two vars of ARIMPREC_PATH that need to be adjusted, or it will give an error in the OD script.

Private tool


@ blueflycn

So I wrote a script to fix all APIs & commands. :) Fixing the APIs is simple: you just need to trace the calls which you can find in the code section calling the protector section. Just analyse this. In the routines you get the APIs or EMU APIs, and later you come out in the API or EMU API, or only in the code section with the API / EMU API in a register = API command. So you can handle this also with a script, but it will take a longer time to check all calls etc., so a script is just a temporary solution but no good solution for large files which use a lot of calls.

I will see what I can do in the future to create a tutorial / turbo script etc., or one of the coders can create tools which work much faster etc.

greetz

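As an added illustration of the API-fixing step described in the post above (calls from the code section that land in the protector section get replaced by direct API commands), here is a small Python sketch; it is not part of this thread or of anyone's script. The section addresses, IAT slots, the stub-to-API map that stands in for the manual debugger trace, and the sample code bytes are all constructed assumptions.

```python
import struct
# Constructed layout of a dumped 32-bit image (example values, not from the thread).
CODE_BASE, PROT_BASE, PROT_END = 0x00401000, 0x00500000, 0x00510000
THUNK_BASE = 0x00600000                      # new section for the jmp [iat] thunks
IAT = {0x00403000: "GetModuleHandleA", 0x00403004: "GetProcAddress"}
IAT_SLOT = {name: slot for slot, name in IAT.items()}
# Stand-in for the manual trace the post describes: which API each protector stub ends
# in. Hypothetical addresses; in practice this map is filled by stepping through stubs.
STUB_API = {0x00500040: "GetModuleHandleA", 0x00500080: "GetProcAddress"}

def scan_calls(code, base):
    """Yield (offset, kind, target) for E8/E9 rel32 and FF15/FF25 [mem32] (linear scan)."""
    i = 0
    while i < len(code):
        op = code[i]
        if op in (0xE8, 0xE9) and i + 5 <= len(code):
            rel = struct.unpack_from("<i", code, i + 1)[0]
            yield i, "rel32", (base + i + 5 + rel) & 0xFFFFFFFF
            i += 5
        elif op == 0xFF and i + 6 <= len(code) and code[i + 1] in (0x15, 0x25):
            yield i, "mem32", struct.unpack_from("<I", code, i + 2)[0]
            i += 6
        else:
            i += 1

def fix_redirected_calls(code, base):
    """Make calls into the protector section that end in a known API direct; returns (code, thunks, report)."""
    buf, thunks, report = bytearray(code), bytearray(), []
    for off, kind, target in scan_calls(code, base):
        in_prot = PROT_BASE <= target < PROT_END
        if in_prot and target in STUB_API:
            slot = IAT_SLOT[STUB_API[target]]
            if kind == "mem32":                   # call/jmp [protector slot] -> [iat slot]
                struct.pack_into("<I", buf, off + 2, slot)
            else:                                 # 5-byte call cannot hold call [mem32],
                thunk = THUNK_BASE + len(thunks)  # so point it at a jmp [iat] thunk
                thunks += b"\xFF\x25" + struct.pack("<I", slot)
                struct.pack_into("<i", buf, off + 1, thunk - (base + off + 5))
            report.append((off, "fixed", STUB_API[target]))
        elif in_prot:
            report.append((off, "unresolved", hex(target)))  # still needs a trace
        else:
            report.append((off, "direct" if target in IAT else "internal", hex(target)))
    return bytes(buf), bytes(thunks), report

# Constructed code at CODE_BASE: push 0; call stub; call [prot slot]; call [iat]; jmp [unknown prot slot]; ret
SAMPLE = (b"\x6A\x00\xE8" + struct.pack("<i", 0x00500040 - (CODE_BASE + 7))
          + b"\xFF\x15\x80\x00\x50\x00" + b"\xFF\x15\x04\x30\x40\x00"
          + b"\xFF\x25\x00\x01\x50\x00" + b"\xC3")
```

The linear byte scan is only for illustration; a real fixer disassembles the section properly, and every "unresolved" entry is a call that still has to be traced in the debugger, which is the slow part the post mentions.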

@LCF-AT well, I am a newbie, so please excuse me if that question is somewhat non-professional :) but would you mind sharing the script with me, cause I guess it's a very good start for me to learn. Thank you


Edited by blueflycn
