Jump to content
Tuts 4 You

[unpackme] UnpackMe (Crackme) Safengine Shielden V2.0.1.0


Asian Dragon

Recommended Posts

If you have a lot of time you can load the app in Olly, put a mem breakpnt on shell32.dll on 4f2050 and you can step to system beep/MessageBox to patch the anti routine. Probably more checks too.

 

Could be a deceptive trick, but I think your algorythm (and the vb6 IAT), strings, etc are all easily viewed. 

 

loc_004078DF: call 004012B0h ; Len(arg_1)
loc_004078E4: mov var_DC, eax
loc_004078EA: mov var_E4, edi
loc_004078F0: lea edx, var_E4
loc_004078F6: lea ecx, var_78
loc_004078F9: call 004012B6h ; __vbaVarMove
loc_004078FE: push 00000001h
loc_00407900: pop eax
loc_00407901: mov var_DC, eax
loc_00407907: push 00000002h
loc_00407909: pop edi
loc_0040790A: mov var_E4, edi
loc_00407910: mov var_EC, eax
loc_00407916: mov var_F4, edi
loc_0040791C: lea eax, var_E4
loc_00407922: push eax
loc_00407923: lea eax, var_54
loc_00407926: push eax
loc_00407927: lea eax, var_F4
loc_0040792D: push eax
loc_0040792E: lea eax, var_13C
loc_00407934: push eax
loc_00407935: lea eax, var_12C
loc_0040793B: push eax
loc_0040793C: lea eax, var_2C
loc_0040793F: push eax
loc_00407940: call 004012AAh ; For
loc_00407945: cmp eax, esi
loc_00407947: jz 004079FCh
loc_0040794D: mov eax, arg_C
loc_00407950: mov var_DC, eax
loc_00407956: mov var_E4, 00004008h
loc_00407960: lea eax, var_2C
loc_00407963: push eax
loc_00407964: call 0040128Ch ; __vbaI4Var
loc_00407969: push eax
loc_0040796A: lea eax, var_E4
loc_00407970: push eax
loc_00407971: lea eax, var_A4
loc_00407977: push eax
loc_00407978: call 00401292h ; Right(arg_1, arg_2)
loc_0040797D: lea eax, var_A4
loc_00407983: push eax
loc_00407984: lea eax, var_90
loc_0040798A: push eax
loc_0040798B: call 00401298h ; __vbaStrVarVal
loc_00407990: push eax
loc_00407991: call 0040129Eh ; Asc(arg_1)
loc_00407996: mov var_EC, ax
loc_0040799D: mov var_F4, edi
loc_004079A3: lea eax, var_8C
loc_004079A9: push eax
loc_004079AA: lea eax, var_F4
loc_004079B0: push eax
loc_004079B1: lea eax, var_B4
loc_004079B7: push eax
loc_004079B8: call 004012A4h ; __vbaVarAdd
loc_004079BD: mov edx, eax
loc_004079BF: lea ecx, var_8C
loc_004079C5: call 004012B6h ; __vbaVarMove
loc_004079CA: lea ecx, var_90
loc_004079D0: call 004012F2h ; __vbaFreeStr
loc_004079D5: lea ecx, var_A4
loc_004079DB: call 00401286h ; __vbaFreeVar
loc_004079E0: lea eax, var_13C
loc_004079E6: push eax
loc_004079E7: lea eax, var_12C
loc_004079ED: push eax
loc_004079EE: lea eax, var_2C
loc_004079F1: push eax
loc_004079F2: call 00401280h ; Next
loc_004079F7: jmp 00407945h
loc_004079FC: push 00000001h
loc_004079FE: call 0040127Ah ; On Error ...
loc_00407A03: mov var_DC, 0000B884h
loc_00407A0D: mov var_E4, 00000003h
loc_00407A17: fld real8 ptr [00401198h] ;
loc_00407A1D: fstp real8 ptr var_EC
loc_00407A23: mov var_F4, 00000005h
loc_00407A2D: mov var_FC, 00000006h
loc_00407A37: mov var_104, edi
loc_00407A3D: lea eax, var_8C
loc_00407A43: push eax
loc_00407A44: lea eax, var_E4
loc_00407A4A: push eax
loc_00407A4B: lea eax, var_A4
loc_00407A51: push eax
loc_00407A52: call 0040126Eh ; __vbaVarMul
loc_00407A57: push eax
loc_00407A58: lea eax, var_54
loc_00407A5B: push eax
loc_00407A5C: lea eax, var_F4
loc_00407A62: push eax
loc_00407A63: lea eax, var_B4
loc_00407A69: push eax
loc_00407A6A: call 0040126Eh ; __vbaVarMul
loc_00407A6F: push eax
loc_00407A70: lea eax, var_104
loc_00407A76: push eax
loc_00407A77: lea eax, var_C4
loc_00407A7D: push eax
loc_00407A7E: call 00401268h ; __vbaVarDiv
loc_00407A83: push eax
loc_00407A84: lea eax, var_D4
loc_00407A8A: push eax
loc_00407A8B: call 00401274h ; __vbaVarIdiv
loc_00407A90: push eax
loc_00407A91: call 00401304h ; __vbaStrVarMove
loc_00407A96: mov edx, eax
loc_00407A98: lea ecx, var_44
loc_00407A9B: call 0040130Ah ; __vbaStrMove
loc_00407AA0: push var_7C
loc_00407AA3: push var_44
loc_00407AA6: call 00401262h ; __vbaStrCmp
loc_00407AAB: test eax, eax
loc_00407AAD: jnz 407A2Dh
loc_00407AAF: mov ecx, 80020004h
loc_00407AB4: mov var_CC, ecx
loc_00407ABA: push 0000000Ah
loc_00407ABC: pop eax
loc_00407ABD: mov var_D4, eax
loc_00407AC3: mov var_BC, ecx
loc_00407AC9: mov var_C4, eax
loc_00407ACF: mov var_EC, 00402AB8h ; "Kool!!"
loc_00407AD9: mov var_F4, ebx
loc_00407ADF: lea edx, var_F4
loc_00407AE5: lea ecx, var_B4
loc_00407AEB: call 00401256h ; __vbaVarDup
loc_00407AF0: mov var_DC, 00402A7Ch ; "Yeah! It's done!! Success!"
loc_00407AFA: mov var_E4, ebx
loc_00407B00: lea edx, var_E4
loc_00407B06: lea ecx, var_A4
loc_00407B0C: call 00401256h ; __vbaVarDup
loc_00407B11: lea eax, var_D4
loc_00407B17: push eax
loc_00407B18: lea eax, var_C4
loc_00407B1E: push eax
loc_00407B1F: lea eax, var_B4
loc_00407B25: push eax
loc_00407B26: push 00000040h
loc_00407B28: jmp 00407C09h
loc_00407B2D: push var_7C
loc_00407B30: push var_44
loc_00407B33: call 00401262h ; __vbaStrCmp
loc_00407B38: test eax, eax
loc_00407B3A: jz 00407C3Bh
loc_00407B40: mov ecx, 80020004h
loc_00407B45: mov var_CC, ecx
loc_00407B4B: push 0000000Ah
loc_00407B4D: pop eax
loc_00407B4E: mov var_D4, eax
loc_00407B54: mov var_BC, ecx
loc_00407B5A: mov var_C4, eax
loc_00407B60: mov var_EC, 00402AF0h ; "No..."
loc_00407B6A: mov var_F4, ebx
loc_00407B70: lea edx, var_F4
loc_00407B76: lea ecx, var_B4
loc_00407B7C: call 00401256h ; __vbaVarDup
loc_00407B81: mov var_DC, 00402ACCh ; "Hmmm, no away!!"

 

 

 

Link to comment
Asian Dragon

Thank you Raham and simple


The level of this crackme seems harder than you eh?


Edited by xuan khanh
Link to comment

Hi,

whats this? :) Your target is not protected. :)

Just enter this command and save as new file then set EP to 1334 and save.No Unpack needed.

00401334  PUSH 40198CLCF-AT6408350
greetz
  • Like 1
Link to comment

Yes LCF You Are Right...


 


 


Its Not Protected by right option...


 


 


Pack Code Section = Disabled


Import Protection = Disabled


 


Just a bit Anti Debug & Resource Protection .... But Actually Resource Anti Dump for this particular target is Useless.


 


 


 


Kind Regards


  • Like 1
Link to comment
Teddy Rogers

The [unpackme] tag has been added to your topic title.

Please remember to follow and adhere to the topic title format - thankyou!

[This is an automated reply]

Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...