Hi

Please Unpack and rate it

Artan maybe be new persian protector...

 

 

 

thanks.

 

Hint : Attachment file has been changed because of my mistake ( incompatible in some windows )

UnpackMe.rar

Edited July 2, 201312 yr by Gladiator

Hi

 

 

Here is the unpacked file (tested on Xp, 7 & 8)

 

 

 

quite easy to unpack

 

 

 

 

 

PS: and who is author of this protector?

 

 

 

 

Kind Regards

Unpacked_By_Raham.rar

Raham I think this is not the best method to unpack it

 

Dumping memory regions will blow the exe size. A better method would be fixing the resource manually but since it is Delphi app hell it is a lot of work

 

Also why you move the redirected addresses manually? you could just leave them unfixed and don't cut them with ImportREC.

Edited July 2, 201312 yr by Lostin

@Lostin

 

 

1.Null Terminated Record need in parsing import. so i did that because it had reason

2.Yes! surely thats better, and i know it! but its just a simple unpackme. and no one work a lot on a

just unpackme ( a non-comercial protector)! 

 

 

 

Kind Regards

Edited July 2, 201312 yr by Raham

My attempt

Unpacked.rar

Nice work Jerry

 

But you have missed string tables

 

However those are only required for exceptions.

good job guys

is it possible make unpacking harder with more resources ?

!!!!!!

 

 

Its Not Private EXE Protector?!!!!

I don't know

this is not my unpackme , i just release it

Hint : Attachment file has been changed because of my mistake ( incompatible in some windows )

 

 

 

and its not your?!

Edited July 3, 201312 yr by Raham

and its not your?!

No, this is not mine ; i have some unpack me from this unknown protector and upload wrong release to board...

I want to learn how to unpack it and there is not tut about unpack this so i have to make some question to know how this is strong or not and know if there are IAT redirection there is really redirection or not...

Edited July 3, 201312 yr by Gladiator

No, this is not mine ; i have some unpack me from this unknown protector and upload wrong release to board...

I want to learn how to unpack it and there is not tut about unpack this so i have to make some question to know how this is strong or not and know if there are IAT redirection there is really redirection or not...

The OEP can be reached quite easy and the redirection can be bypassed by a simple swith from JNB to jmp.

I reached the OEP by using this method.

1. Load the exe in Olly. Run

2. Pause. Open memory map. View in dissasembler. Search for intermodular calls. BP on write on  last one.

3. Restart. Run until you see the api in register. Put a mem bp on code section on access and there will be the OEP.

For the iat redirection i have saved a hex search pattern and i found the redirection in a instant. Otherwise are 12 API's that you will need to fix by hand.

After finding OEP and canceling the IAT redirection i have been lost. I have no ideea why the dump does not run. I try to trace sometime but i have no patience and my knowledge is low so i have quit.

Did you rebuild the dump with LordPE, or similair?

No. I will try to rebuild the dump and check only Validate PE.

The OEP can be reached quite easy and the redirection can be bypassed by a simple swith from JNB to jmp.

I reached the OEP by using this method.

1. Load the exe in Olly. Run

2. Pause. Open memory map. View in dissasembler. Search for intermodular calls. BP on write on  last one.

3. Restart. Run until you see the api in register. Put a mem bp on code section on access and there will be the OEP.

For the iat redirection i have saved a hex search pattern and i found the redirection in a instant. Otherwise are 12 API's that you will need to fix by hand.

After finding OEP and canceling the IAT redirection i have been lost. I have no ideea why the dump does not run. I try to trace sometime but i have no patience and my knowledge is low so i have quit.

 

Thanks for your try and thanks for implementing your way to unpack

i hope you got success

Edited August 11, 201312 yr by Gladiator

Did you rebuild the dump with LordPE, or similair?

Here is what i have managed to do so far.

 

P.S.

For IAT redirection i use  this search pattern:

83 3D ?? ?? ?? ?? 00 76 ?? A1

Artan.rar

You can try to load the crashing dump in Olly and patch all the errors.

 

 

Good luck.

Edited August 12, 201312 yr by Blizzard

You can try to load the crashing dump in Olly and patch all the errors.

 

 

Good luck.

Thtat is what i sayd before.

That i cannot manage any furter.

Do you have a dump copy, maybe? I patched non working asprotect dumps in the past so they did run.

 

Here is what i have managed to do so far.

 

P.S.

For IAT redirection i use  this search pattern:

83 3D ?? ?? ?? ?? 00 76 ?? A1

 

so many thanks for tut

there exist a tutorial in spanish by a friend IndulgeoTutorial:
http://indulgeoeddy.orgfree.com/index.php?option=com_content&view=category&layout=blog&id=39&Itemid=56 

http://www.ricardonarvaja.info/WEB/CONCURSOS%202013/CONCURSO%208/UnPacking_ARTAN_%20v.1.0.0%20%2B%20%5BScript%5D_By_InDuLgEo.rar 

Edited September 10, 201311 yr by Apuromafo

Nice work Apuromafo

Thanks for share tuts

 

PS: it would be better to release tuts in english

Edited September 11, 201311 yr by Gladiator

Hi

Please Unpack and rate it

Artan maybe be new persian protector...

 

 

 

thanks.

 

Hint : Attachment file has been changed because of my mistake ( incompatible in some windows )

hi all

 

@Gladiator , i download your UnPackme and run its in windows 7 64bit but that's not working !!! and crash my OS.

hi all

 

@Gladiator , i download your UnPackme and run its in windows 7 64bit but that's not working !!! and crash my OS.

 

Hi

Thanks for testing but there should be no problem with windows 7 X64

but it maybe because of anti-debug routines and its fixed in version 1.2 ( new release of artan protector )

The method this packer use to delete the dephi resources is quite interesting, but it is not enough to define a good packer imho.