Posted July 2, 2013

Hi

Please unpack and rate it.

Artan may be a new Persian protector... thanks.

Hint: Attachment file has been changed because of my mistake (incompatible in some Windows).

UnpackMe.rar

Edited July 2, 2013 by Gladiator

July 2, 2013

Hi

Here is the unpacked file (tested on XP, 7 & 8). Quite easy to unpack.

PS: and who is the author of this protector?

Kind Regards

Unpacked_By_Raham.rar

July 2, 2013

Raham, I think this is not the best method to unpack it. Dumping memory regions will blow up the exe size. A better method would be fixing the resource manually, but since it is a Delphi app, hell, it is a lot of work.

Also, why do you move the redirected addresses manually? You could just leave them unfixed and not cut them with ImportREC.

Edited July 2, 2013 by Lostin

July 2, 2013

@Lostin

1. A null-terminated record is needed in parsing imports, so I did that because it had a reason.
2. Yes! Surely that's better, and I know it! But it's just a simple unpackme, and no one works a lot on just an unpackme (a non-commercial protector)!

Kind Regards

Edited July 2, 2013 by Raham

July 3, 2013

Nice work Jerry. But you have missed the string tables. However, those are only required for exceptions.

July 3, 2013

> Hint: Attachment file has been changed because of my mistake (incompatible in some Windows).

And it's not yours?!

Edited July 3, 2013 by Raham

July 3, 2013 (Author)

> And it's not yours?!

No, this is not mine; I have some unpackmes from this unknown protector and uploaded the wrong release to the board... I want to learn how to unpack it and there is no tut about unpacking this, so I have to ask some questions to know how strong this is, and to know, if there is IAT redirection, whether it is really redirection or not...

Edited July 3, 2013 by Gladiator

August 10, 2013

> No, this is not mine; I have some unpackmes from this unknown protector and uploaded the wrong release to the board... I want to learn how to unpack it and there is no tut about unpacking this, so I have to ask some questions to know how strong this is, and to know, if there is IAT redirection, whether it is really redirection or not...

The OEP can be reached quite easily and the redirection can be bypassed by a simple switch from JNB to JMP. I reached the OEP by using this method:

1. Load the exe in Olly. Run.
2. Pause. Open memory map. View in disassembler. Search for intermodular calls. BP on write on the last one.
3. Restart. Run until you see the API in a register. Put a mem BP on access on the code section and there will be the OEP.

For the IAT redirection I have saved a hex search pattern and I found the redirection in an instant. Otherwise there are 12 APIs that you will need to fix by hand.

After finding the OEP and canceling the IAT redirection I got lost. I have no idea why the dump does not run. I tried to trace for some time but I have no patience and my knowledge is low, so I quit.

August 11, 2013 (Author)

> The OEP can be reached quite easily and the redirection can be bypassed by a simple switch from JNB to JMP. I reached the OEP by using this method:
>
> 1. Load the exe in Olly. Run.
> 2. Pause. Open memory map. View in disassembler. Search for intermodular calls. BP on write on the last one.
> 3. Restart. Run until you see the API in a register. Put a mem BP on access on the code section and there will be the OEP.
>
> For the IAT redirection I have saved a hex search pattern and I found the redirection in an instant. Otherwise there are 12 APIs that you will need to fix by hand.
>
> After finding the OEP and canceling the IAT redirection I got lost. I have no idea why the dump does not run. I tried to trace for some time but I have no patience and my knowledge is low, so I quit.

Thanks for your try and thanks for sharing your way to unpack. I hope you have success.

Edited August 11, 2013 by Gladiator

August 12, 2013

Did you rebuild the dump with LordPE, or similar?

Here is what I have managed to do so far.

P.S. For IAT redirection I use this search pattern: 83 3D ?? ?? ?? ?? 00 76 ?? A1

Artan.rar

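Added example, not part of any post in this thread: a small Python scanner for the wildcard byte pattern quoted above, run over a constructed byte buffer rather than the real Artan dump. The function names, the sample bytes and the 0x401000 base are assumptions; the field layout follows standard x86 encoding (83 3D = CMP dword [addr], imm8; 76 = JBE rel8; A1 = MOV EAX, [addr]).

```python
import struct

# Search pattern quoted in the thread; "??" matches any byte.
PATTERN = "83 3D ?? ?? ?? ?? 00 76 ?? A1"

# Constructed sample bytes (not taken from the Artan unpackme).
SAMPLE = bytes.fromhex(
    "90 90 "
    "83 3D 10 20 40 00 00 76 05 A1 14 20 40 00 "  # match at offset 2
    "C3 "
    "83 3D 10 20 40 00 01 76 05 A1 "              # near miss: imm8 is 01
    "83 3D 78 56 34 12 00 76 F6 A1 00 00 00 00"   # match at offset 27
)

def compile_pattern(text):
    """Turn 'AA ?? BB' into a list of ints, with None for each wildcard."""
    pat = [None if tok == "??" else int(tok, 16) for tok in text.split()]
    if not pat or pat[0] is None:
        raise ValueError("pattern must start with a fixed byte")
    return pat

def find_pattern(data, pattern=PATTERN):
    """Return every offset in data where the wildcard pattern matches."""
    pat = compile_pattern(pattern)
    first = bytes([pat[0]])          # let bytes.find skip to candidates
    hits, pos = [], data.find(first)
    while pos != -1 and pos + len(pat) <= len(data):
        if all(p is None or data[pos + i] == p for i, p in enumerate(pat)):
            hits.append(pos)
        pos = data.find(first, pos + 1)
    return hits

def describe_hit(data, off, base=0):
    """Decode the fields hidden behind the wildcards at one match."""
    flag_addr = struct.unpack_from("<I", data, off + 2)[0]  # CMP memory operand
    rel8 = struct.unpack_from("<b", data, off + 8)[0]       # signed JBE displacement
    # A short jump is relative to the end of the 2-byte instruction at off+7.
    return {"va": base + off, "flag_addr": flag_addr,
            "jbe_target": base + off + 9 + rel8}

if __name__ == "__main__":
    for off in find_pattern(SAMPLE):
        info = describe_hit(SAMPLE, off, base=0x401000)  # assumed load address
        print({k: hex(v) for k, v in info.items()})
```

The same wildcard notation is what Olly's binary search accepts, so a hit list from a script like this can be cross-checked against the debugger's results on a memory dump.
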
August 12, 2013

You can try to load the crashing dump in Olly and patch all the errors. Good luck.

Edited August 12, 2013 by Blizzard

August 12, 2013

> You can try to load the crashing dump in Olly and patch all the errors. Good luck.

That is what I said before. That I cannot manage any further.

August 12, 2013

Do you have a dump copy, maybe? I patched non-working ASProtect dumps in the past so they did run.

August 12, 2013 (Author)

> Here is what I have managed to do so far.
>
> P.S. For IAT redirection I use this search pattern: 83 3D ?? ?? ?? ?? 00 76 ?? A1

So many thanks for the tut.

September 10, 2013

There exists a tutorial in Spanish by a friend, Indulgeo.

Tutorial: http://indulgeoeddy.orgfree.com/index.php?option=com_content&view=category&layout=blog&id=39&Itemid=56

http://www.ricardonarvaja.info/WEB/CONCURSOS%202013/CONCURSO%208/UnPacking_ARTAN_%20v.1.0.0%20%2B%20%5BScript%5D_By_InDuLgEo.rar

Edited September 10, 2013 by Apuromafo

September 11, 2013 (Author)

Nice work Apuromafo. Thanks for sharing the tuts.

PS: it would be better to release tuts in English.

Edited September 11, 2013 by Gladiator

September 17, 2013

> Hi
>
> Please unpack and rate it.
>
> Artan may be a new Persian protector... thanks.
>
> Hint: Attachment file has been changed because of my mistake (incompatible in some Windows).

Hi all,

@Gladiator, I downloaded your UnPackme and ran it on Windows 7 64-bit but it's not working!!! And it crashes my OS.

September 17, 2013 (Author)

> Hi all,
>
> @Gladiator, I downloaded your UnPackme and ran it on Windows 7 64-bit but it's not working!!! And it crashes my OS.

Hi

Thanks for testing, but there should be no problem with Windows 7 x64. It may be because of the anti-debug routines, and it's fixed in version 1.2 (new release of Artan protector).

November 12, 2013

The method this packer uses to delete the Delphi resources is quite interesting, but it is not enough to define a good packer imho.