Tuts 4 You


Hi

Please unpack and rate it.

Artan may be a new Persian protector...

Thanks.

Hint: Attachment file has been changed because of my mistake (incompatible in some Windows)

UnpackMe.rar

Edited by Gladiator

Hi

Here is the unpacked file (tested on XP, 7 & 8)

Quite easy to unpack ;)

PS: And who is the author of this protector? :)

Kind Regards

Unpacked_By_Raham.rar

Raham, I think this is not the best method to unpack it :)

Dumping memory regions will blow the exe size. A better method would be fixing the resource manually but since it is a Delphi app, hell, it is a lot of work :)

Also, why did you move the redirected addresses manually? You could just leave them unfixed and not cut them with ImportREC.


Edited by Lostin

@Lostin

1. A null-terminated record is needed in parsing imports, so I did that because it had a reason :D

2. Yes! Surely that's better, and I know it! But it's just a simple unpackme, and no one works a lot on just an unpackme (a non-commercial protector)!

Kind Regards


Edited by Raham

My attempt


Unpacked.rar

Nice work Jerry :)

But you have missed string tables ;)

However those are only required for exceptions.


  • Author

Good job guys :)

Is it possible to make unpacking harder with more resources?


!!!!!!

It's not Private EXE Protector?!!!!


  • Author

I don't know :ermm:

This is not my unpackme, I just released it

Hint: Attachment file has been changed because of my mistake (incompatible in some Windows)

And it's not yours?!

Edited by Raham

  • Author

No, this is not mine; I have some unpackmes from this unknown protector and uploaded the wrong release to the board...

I want to learn how to unpack it and there is no tut about unpacking this, so I have to ask some questions to know how strong this is and to know, if there is IAT redirection, whether it is really redirection or not...

Edited by Gladiator

  • 1 month later...

The OEP can be reached quite easily and the redirection can be bypassed by a simple switch from JNB to JMP.

I reached the OEP by using this method.

1. Load the exe in Olly. Run.

2. Pause. Open memory map. View in disassembler. Search for intermodular calls. BP on write on the last one.

3. Restart. Run until you see the API in the register. Put a mem BP on the code section on access and there will be the OEP.

For the IAT redirection I have saved a hex search pattern and I found the redirection in an instant. Otherwise there are 12 APIs that you will need to fix by hand.

After finding the OEP and canceling the IAT redirection I have been lost. I have no idea why the dump does not run. I tried to trace for some time, but I have no patience and my knowledge is low, so I have quit.

Did you rebuild the dump with LordPE, or similar?

No. I will try to rebuild the dump and check only Validate PE.


  • Author

Thanks for your try and thanks for implementing your way to unpack.

I hope you have success ;)

Edited by Gladiator

Here is what I have managed to do so far.

P.S.

For IAT redirection I use this search pattern:

83 3D ?? ?? ?? ?? 00 76 ?? A1

Artan.rar
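
A wildcard signature like the one in the post above can be applied to a dumped code region with a short script. The following is an added example, not part of the original post: a Python scanner for that pattern which reports each match and decodes the compared address and the branch destination. The function names, the `base` parameter and the sample bytes are assumptions constructed for illustration.

```python
import re
import struct

# Signature quoted in the post; "??" matches any single byte.
SIGNATURE = "83 3D ?? ?? ?? ?? 00 76 ?? A1"

def compile_signature(sig):
    """Convert a spaced hex signature with ?? wildcards into a bytes regex."""
    parts = [b"." if tok == "??" else re.escape(bytes([int(tok, 16)]))
             for tok in sig.split()]
    return re.compile(b"".join(parts), re.DOTALL)

def find_stubs(image, base, sig=SIGNATURE):
    """Scan a dumped region; `base` is its assumed load address.

    Layout of the matched bytes (x86-32):
      83 3D <addr32> 00   cmp dword ptr [addr32], 0
      76 <rel8>           jbe short (relative to the next instruction)
      A1                  first byte of mov eax, [moffs32]
    """
    rx = compile_signature(sig)
    hits, pos = [], 0
    while (m := rx.search(image, pos)) is not None:
        off = m.start()
        (flag_va,) = struct.unpack_from("<I", image, off + 2)
        (rel8,) = struct.unpack_from("<b", image, off + 8)
        hits.append({
            "va": base + off,                        # where the match sits
            "flag_va": flag_va,                      # dword the CMP tests
            "branch_target": base + off + 9 + rel8,  # where the JBE lands
        })
        pos = off + 1  # allow overlapping matches
    return hits

def constructed_sample():
    """Constructed bytes, not taken from the UnpackMe: two hits, one near miss."""
    stub1 = bytes.fromhex("833D00304000007605A1")  # matches, rel8 = +5
    miss = bytes.fromhex("833D04304000017605A1")   # imm8 is 01: no match
    stub2 = bytes.fromhex("833D083040000076F0A1")  # matches, rel8 = -16
    return b"\x90" * 16 + stub1 + b"\x90" * 6 + miss + b"\xCC" * 4 + stub2

if __name__ == "__main__":
    for hit in find_stubs(constructed_sample(), base=0x401000):
        print({k: hex(v) for k, v in hit.items()})
```
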

You can try to load the crashing dump in Olly and patch all the errors.

Good luck.


Edited by Blizzard

That is what I said before.

That I cannot manage any further.

:)

Do you have a dump copy, maybe? I patched non-working ASProtect dumps in the past so they did run.


  • Author

 

So many thanks for the tut :)

  • 5 weeks later...
  • Author

Nice work Apuromafo

Thanks for sharing tuts ;)

PS: It would be better to release tuts in English


Edited by Gladiator

Hi all

@Gladiator, I downloaded your UnPackme and ran it on Windows 7 64-bit, but it's not working!!! And it crashed my OS.

  • Author

Hi

Thanks for testing, but there should be no problem with Windows 7 x64,

but it may be because of anti-debug routines, and it's fixed in version 1.2 (new release of Artan protector)

  • 1 month later...

The method this packer uses to delete the Delphi resources is quite interesting, but it is not enough to define a good packer imho.

