Tuts 4 You

[unpackme] UnpackMe (Crackme) Safengine Shielden V2.0.1.0

Asian Dragon


If you have a lot of time you can load the app in Olly, put a memory breakpoint on shell32.dll at 4f2050, and step to the system beep/MessageBox to patch the anti routine. There are probably more checks too.


Could be a deceptive trick, but I think your algorithm (and the VB6 IAT), strings, etc. are all easily viewed.


; Excerpt of a VB6 native-code routine as printed by a decompiler-style
; disassembler: var_* / arg_* are stack slots named by the tool, and the
; trailing comments name the VB runtime helper behind each call thunk.
; The excerpt starts mid-routine, so registers such as edi, esi and ebx
; carry values set before the first line shown.
;
; This run takes Len() of a string, stores the result in var_DC and moves
; the temporary at var_E4 into var_78 with __vbaVarMove.
; NOTE(review): var_DC sits 8 bytes above var_E4, which looks like a
; VARIANT {type tag, payload} pair - confirm against the full routine.
loc_004078DF: call 004012B0h ; Len(arg_1)
loc_004078E4: mov var_DC, eax
loc_004078EA: mov var_E4, edi
loc_004078F0: lea edx, var_E4
loc_004078F6: lea ecx, var_78
loc_004078F9: call 004012B6h ; __vbaVarMove
; For-loop setup. eax is loaded with 1 and edi with 2 (push/pop pairs),
; then two temporaries are filled: var_E4 = 2 / var_DC = 1 and
; var_F4 = 2 / var_EC = 1.
; NOTE(review): these look like two Integer variants holding 1 (start and
; step, presumably), with var_54 as the upper bound - the listing does not
; show where var_54 is written, so confirm.
loc_004078FE: push 00000001h
loc_00407900: pop eax
loc_00407901: mov var_DC, eax
loc_00407907: push 00000002h
loc_00407909: pop edi
loc_0040790A: mov var_E4, edi
loc_00407910: mov var_EC, eax
loc_00407916: mov var_F4, edi
; Six pointers are pushed for the runtime "For" helper; var_2C is pushed
; last and is the slot later read back as the loop counter.
loc_0040791C: lea eax, var_E4
loc_00407922: push eax
loc_00407923: lea eax, var_54
loc_00407926: push eax
loc_00407927: lea eax, var_F4
loc_0040792D: push eax
loc_0040792E: lea eax, var_13C
loc_00407934: push eax
loc_00407935: lea eax, var_12C
loc_0040793B: push eax
loc_0040793C: lea eax, var_2C
loc_0040793F: push eax
loc_00407940: call 004012AAh ; For
; Loop test: the helper's result is compared with esi and the loop is
; left for loc_004079FC when they are equal.
; NOTE(review): esi is set before this excerpt - presumably 0; confirm.
loc_00407945: cmp eax, esi
loc_00407947: jz 004079FCh
; Loop body. Each pass takes Right(<arg_C string>, counter), converts the
; result to a string, takes Asc() of it and adds that value into the
; running total kept in var_8C.
; var_E4 = 4008h / var_DC = arg_C wraps the caller's argument for the
; Right() call.
; NOTE(review): 4008h reads as a by-reference string variant tag - confirm.
loc_0040794D: mov eax, arg_C
loc_00407950: mov var_DC, eax
loc_00407956: mov var_E4, 00004008h
; Loop counter (var_2C) converted to a 32-bit integer for the length
; argument of Right().
loc_00407960: lea eax, var_2C
loc_00407963: push eax
loc_00407964: call 0040128Ch ; __vbaI4Var
loc_00407969: push eax
loc_0040796A: lea eax, var_E4
loc_00407970: push eax
loc_00407971: lea eax, var_A4
loc_00407977: push eax
loc_00407978: call 00401292h ; Right(arg_1, arg_2)
; var_A4 (the Right() result) -> string in var_90 -> Asc().
loc_0040797D: lea eax, var_A4
loc_00407983: push eax
loc_00407984: lea eax, var_90
loc_0040798A: push eax
loc_0040798B: call 00401298h ; __vbaStrVarVal
loc_00407990: push eax
loc_00407991: call 0040129Eh ; Asc(arg_1)
; The 16-bit Asc() result is stored in var_EC with edi (2 at this point)
; in var_F4, then added to var_8C; the sum is moved back into var_8C.
loc_00407996: mov var_EC, ax
loc_0040799D: mov var_F4, edi
loc_004079A3: lea eax, var_8C
loc_004079A9: push eax
loc_004079AA: lea eax, var_F4
loc_004079B0: push eax
loc_004079B1: lea eax, var_B4
loc_004079B7: push eax
loc_004079B8: call 004012A4h ; __vbaVarAdd
loc_004079BD: mov edx, eax
loc_004079BF: lea ecx, var_8C
loc_004079C5: call 004012B6h ; __vbaVarMove
; Release the per-iteration temporaries (string var_90, variant var_A4).
loc_004079CA: lea ecx, var_90
loc_004079D0: call 004012F2h ; __vbaFreeStr
loc_004079D5: lea ecx, var_A4
loc_004079DB: call 00401286h ; __vbaFreeVar
; Advance the counter and return to the loop test at loc_00407945.
loc_004079E0: lea eax, var_13C
loc_004079E6: push eax
loc_004079E7: lea eax, var_12C
loc_004079ED: push eax
loc_004079EE: lea eax, var_2C
loc_004079F1: push eax
loc_004079F2: call 00401280h ; Next
loc_004079F7: jmp 00407945h
; After the loop: derive the expected string and compare it with var_7C.
; An error handler is armed first, then three constant temporaries are
; built: var_E4 = 3 / var_DC = 0B884h, var_F4 = 5 / var_EC = the 8-byte
; real loaded from [00401198h], and var_104 = edi / var_FC = 6.
; NOTE(review): the tags 3 and 5 read as Long and Double variant types;
; the value at 00401198h is not shown in this excerpt.
loc_004079FC: push 00000001h
loc_004079FE: call 0040127Ah ; On Error ...
loc_00407A03: mov var_DC, 0000B884h
loc_00407A0D: mov var_E4, 00000003h
loc_00407A17: fld real8 ptr [00401198h] ;
loc_00407A1D: fstp real8 ptr var_EC
loc_00407A23: mov var_F4, 00000005h
loc_00407A2D: mov var_FC, 00000006h
loc_00407A37: mov var_104, edi
; Arithmetic chain: multiply (var_8C with var_E4), multiply (var_54 with
; var_F4), divide (with var_104), then an integer divide that consumes the
; earlier results. Each helper returns a pointer that is pushed as an
; operand of the next call.
; NOTE(review): operand order for these helpers is not established by the
; listing alone - confirm before writing the expression out.
loc_00407A3D: lea eax, var_8C
loc_00407A43: push eax
loc_00407A44: lea eax, var_E4
loc_00407A4A: push eax
loc_00407A4B: lea eax, var_A4
loc_00407A51: push eax
loc_00407A52: call 0040126Eh ; __vbaVarMul
loc_00407A57: push eax
loc_00407A58: lea eax, var_54
loc_00407A5B: push eax
loc_00407A5C: lea eax, var_F4
loc_00407A62: push eax
loc_00407A63: lea eax, var_B4
loc_00407A69: push eax
loc_00407A6A: call 0040126Eh ; __vbaVarMul
loc_00407A6F: push eax
loc_00407A70: lea eax, var_104
loc_00407A76: push eax
loc_00407A77: lea eax, var_C4
loc_00407A7D: push eax
loc_00407A7E: call 00401268h ; __vbaVarDiv
loc_00407A83: push eax
loc_00407A84: lea eax, var_D4
loc_00407A8A: push eax
loc_00407A8B: call 00401274h ; __vbaVarIdiv
; The numeric result is converted to a string and stored in var_44.
loc_00407A90: push eax
loc_00407A91: call 00401304h ; __vbaStrVarMove
loc_00407A96: mov edx, eax
loc_00407A98: lea ecx, var_44
loc_00407A9B: call 0040130Ah ; __vbaStrMove
; Plain string comparison of var_44 with var_7C; a zero result falls
; through to the block that loads the success strings.
; NOTE(review): var_7C is presumably the user-supplied value - it is
; written outside this excerpt.
; NOTE(review): the jnz target 407A2Dh lies inside the constant setup
; above, while the second comparison starts at loc_00407B2D; this may be
; a transcription error in the posted listing - check the binary.
loc_00407AA0: push var_7C
loc_00407AA3: push var_44
loc_00407AA6: call 00401262h ; __vbaStrCmp
loc_00407AAB: test eax, eax
loc_00407AAD: jnz 407A2Dh
; Match path: prepares the arguments of the success dialog.
; var_D4/var_CC and var_C4/var_BC are each filled with tag 0Ah and
; value 80020004h.
; NOTE(review): that pair is the usual encoding of an omitted optional
; argument in VB6 calls - confirm.
loc_00407AAF: mov ecx, 80020004h
loc_00407AB4: mov var_CC, ecx
loc_00407ABA: push 0000000Ah
loc_00407ABC: pop eax
loc_00407ABD: mov var_D4, eax
loc_00407AC3: mov var_BC, ecx
loc_00407AC9: mov var_C4, eax
; Both dialog strings are referenced by literal address, so the tool can
; print them next to the code. With the code section left unpacked this
; outcome branch is readable straight from the file.
; NOTE(review): ebx is set before this excerpt - presumably the string
; type tag; confirm.
loc_00407ACF: mov var_EC, 00402AB8h ; "Kool!!"
loc_00407AD9: mov var_F4, ebx
loc_00407ADF: lea edx, var_F4
loc_00407AE5: lea ecx, var_B4
loc_00407AEB: call 00401256h ; __vbaVarDup
loc_00407AF0: mov var_DC, 00402A7Ch ; "Yeah! It's done!! Success!"
loc_00407AFA: mov var_E4, ebx
loc_00407B00: lea edx, var_E4
loc_00407B06: lea ecx, var_A4
loc_00407B0C: call 00401256h ; __vbaVarDup
; Push the remaining arguments plus the value 40h, then jump to
; 00407C09h, which is outside this excerpt.
; NOTE(review): 40h matches the information-icon MsgBox style and the
; jump target is presumably a shared MsgBox call - confirm.
loc_00407B11: lea eax, var_D4
loc_00407B17: push eax
loc_00407B18: lea eax, var_C4
loc_00407B1E: push eax
loc_00407B1F: lea eax, var_B4
loc_00407B25: push eax
loc_00407B26: push 00000040h
loc_00407B28: jmp 00407C09h
; Mismatch path: the same var_7C / var_44 comparison is repeated. An
; equal result skips ahead to 00407C3Bh (outside this excerpt); otherwise
; the failure dialog arguments are prepared the same way as on the match
; path (tag 0Ah / value 80020004h in the two argument temporaries).
loc_00407B2D: push var_7C
loc_00407B30: push var_44
loc_00407B33: call 00401262h ; __vbaStrCmp
loc_00407B38: test eax, eax
loc_00407B3A: jz 00407C3Bh
loc_00407B40: mov ecx, 80020004h
loc_00407B45: mov var_CC, ecx
loc_00407B4B: push 0000000Ah
loc_00407B4D: pop eax
loc_00407B4E: mov var_D4, eax
loc_00407B54: mov var_BC, ecx
loc_00407B5A: mov var_C4, eax
; Failure strings, again referenced by literal address.
loc_00407B60: mov var_EC, 00402AF0h ; "No..."
loc_00407B6A: mov var_F4, ebx
loc_00407B70: lea edx, var_F4
loc_00407B76: lea ecx, var_B4
loc_00407B7C: call 00401256h ; __vbaVarDup
; The posted listing stops here; the rest of the routine is not shown.
loc_00407B81: mov var_DC, 00402ACCh ; "Hmmm, no away!!"





Asian Dragon

Thank you Raham and simple

The level of this crackme seems harder than you eh?

Edited by xuan khanh


What's this? :) Your target is not protected. :)

Just enter this command and save as a new file, then set the EP to 1334 and save. No unpacking needed.

00401334  PUSH 40198C

LCF-AT

Yes LCF You Are Right...



It's not protected with the right options...



Pack Code Section = Disabled

Import Protection = Disabled


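With both of those options disabled, the code, imports and strings stay readable in the file, as the disassembly earlier in this thread shows. Only a bit of anti-debug and resource protection is applied... and the resource anti-dump is actually useless for this particular target.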




Kind Regards


Teddy Rogers

The [unpackme] tag has been added to your topic title.

Please remember to follow and adhere to the topic title format - thankyou!

[This is an automated reply]
