Tuts 4 You
Unpack my protector. I compiled & protected a hello world. This will drop a 1.exe (vb6); this is just for the injection module to inject into (not a malware drop). Analyze the file. This protector will protect x64, x32, .net & non-.net software ;) Ya, that's right :) The protector was written in C#. This protector has a HWID license check & server check ;) Good luck!

Download: http://www.mediafire.com/?8m8cnwo22vg904c

or

UnpackMe1.rar

Valid License Response "hello world" (Screenshot): http://pokit.org/get/?e6068708cb95ab...d560744d6d.png

The [unpackme] tag has been added to your topic title.

Please remember to follow and adhere to the topic title format - thank you!

[This is an automated reply]

Hi,

My research:

- The unpackme uses the 'RC4Str' function to decrypt base64 strings to a readable format.

- The unpackme uses the 'RC4' function to decrypt "ProtectionDll.dll", which actually is the protected file.

- The password used in this unpackme is "Exodious"

1) The unpackme goes to the server address "http://totalviruscheck.com/SoftwareProtection/insert.php?HWID=" to do a license check. This check is easily bypassed with a small php script: http://codepad.org/0Gb7UFAD (just redirect totalviruscheck.com to 127.0.0.1)

2) The data returned from the server is put through the 'CleanHwid' function. This function takes the string directly after "<body>". This data is uppercased and compared with the uppercased HWID to pass the license check.

3) The "ProtectionDll.dll" is decrypted using the RC4 function.

4) OEP and the HWID are sent to the server: "?HWID2=[Hwid]]http://totalviruscheck.com/SoftwareProtection/insert.php?OEP=[buildNumber]?HWID2=[Hwid]"

5) OEP Bytes in hex format are retrieved from the server (you cannot know the OEP bytes in this way, smart but with one valid license you're screwed)

6) OEP Bytes are written to memory and file is executed in memory

Luckily this is VB5 so it's quite easy to retrieve the OEP bytes (They match with the included 'invoke.exe', which is embedded in the resources)

I attached my dumps, php scripts and used tools (+source), I liked the challenge :)

Greetings,

Mr. eXoDia

PS Level would be 1-3 don't know exactly

dumps_php_tools.rar

Edited by Mr. eXoDia
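The license flow described in the post above, modelled as an added example (written here in Python rather than the protector's C#, since only the check logic matters; this is not code from the thread or from Exidous2008's protector). It shows why step 2 gives the client nothing to verify: the expected value is the client's own HWID, so any reply that echoes it passes. It then models the direction the thread points to (keys or OEP bytes held only on the server), where a reply that did not come from the key holder cannot produce the payload. Assumptions: the `<body>` parse stops at the next tag, the HWID, payload key and payload bytes are constructed, and the password "Exodious" from the post is used only for a string round-trip.

```python
"""Added example: weak HWID-echo check versus server-held decryption key."""
import base64
from typing import Dict, Optional


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA); the same call encrypts and decrypts."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def rc4_str(password: str, b64_ciphertext: str) -> str:
    """Role of the page's 'RC4Str': base64 text in, readable string out.
    Assumes UTF-8 text under RC4 with the password bytes as key."""
    return rc4(password.encode(), base64.b64decode(b64_ciphertext)).decode()


def to_rc4_str(password: str, text: str) -> str:
    """Inverse of rc4_str, used only to build fixtures for this demo."""
    return base64.b64encode(rc4(password.encode(), text.encode())).decode()


def clean_hwid(response: str) -> str:
    """'CleanHwid' as described: the text directly after '<body>', uppercased.
    Stopping at the next tag is an assumption of this model."""
    marker = "<body>"
    start = response.find(marker)
    if start < 0:
        return ""
    tail = response[start + len(marker):]
    end = tail.find("<")
    return (tail if end < 0 else tail[:end]).strip().upper()


def weak_license_check(response: str, local_hwid: str) -> bool:
    """Step 2 on the page: licensed iff the reply's body text equals our own HWID.
    The client already knows the expected value, so the reply proves nothing
    about who produced it."""
    return clean_hwid(response) == local_hwid.upper()


class LicenseServer:
    """Constructed stand-in for the licence server in the escrow design:
    the payload's RC4 key is stored only here, per licensed HWID."""

    def __init__(self, licences: Dict[str, bytes]):
        self._licences = {h.upper(): k for h, k in licences.items()}

    def handle(self, hwid: str) -> str:
        key = self._licences.get(hwid.upper())
        if key is None:
            return "<body>invalid</body>"
        return "<body>" + key.hex() + "</body>"


def escrowed_unpack(response: str, payload_ct: bytes) -> Optional[bytes]:
    """Client side of the escrow design: decrypt with the key the server sent
    and accept only if the result looks like a PE image ('MZ' header).
    A reply that does not come from the key holder yields garbage, not a payload."""
    try:
        key = bytes.fromhex(clean_hwid(response))
    except ValueError:
        return None
    if not key:
        return None
    plaintext = rc4(key, payload_ct)
    return plaintext if plaintext.startswith(b"MZ") else None


# Constructed fixtures (the password is the one named in the post; the rest is made up)
DEMO_PASSWORD = "Exodious"
DEMO_HWID = "ABCD-1234-EF56"
DEMO_KEY = bytes(range(1, 17))
DEMO_PAYLOAD = b"MZ\x90\x00 constructed stand-in for ProtectionDll.dll"
DEMO_CIPHERTEXT = rc4(DEMO_KEY, DEMO_PAYLOAD)


def demo() -> dict:
    server = LicenseServer({DEMO_HWID: DEMO_KEY})
    return {
        # weak check: a reply assembled purely from client-side knowledge passes
        "weak_passes_without_server": weak_license_check(
            "<html><body>" + DEMO_HWID.lower() + "</body></html>", DEMO_HWID),
        # escrow design: a licensed HWID recovers the payload
        "escrow_licensed": escrowed_unpack(server.handle(DEMO_HWID), DEMO_CIPHERTEXT) == DEMO_PAYLOAD,
        # escrow design: an unlicensed HWID gets no key, so no payload
        "escrow_unlicensed": escrowed_unpack(server.handle("OTHER-HWID"), DEMO_CIPHERTEXT),
        # escrow design: the reply that fooled the weak check does nothing here
        "escrow_forged": escrowed_unpack("<body>" + DEMO_HWID + "</body>", DEMO_CIPHERTEXT),
    }


if __name__ == "__main__":
    print(demo())
```

The escrow model holds only as long as no licensed client leaks its key, which is the caveat already raised in the post ("with one valid license you're screwed"): the server stops a client from inventing the secret, but it cannot stop a legitimate client from sharing it.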

  • Author

Damn, nice.. I'm almost done w/ a stronger version (imports are gone now) & the RC4 private key will be stored in the DB.

I'm actually kinda shocked it got cracked :S

Edited by Exidous2008

@Exodious: plz include a valid license with your unpackme. It should also be hard when you have a valid license, without one I cannot test certain features, especially when you store RC4 keys on the server.

Greetings

  • Author

I can do that :)

Thank you for taking the time to help me w/ improving my software protection methods.

Apparently I'm headed in the right direction :P


Edited by Exidous2008
