Gladiator, posted July 2, 2013 (edited):

Hi
Please unpack and rate it.
Artan may be a new Persian protector... thanks.
Hint: Attachment file has been changed because of my mistake (incompatible in some Windows).
UnpackMe.rar
Edited July 2, 2013 by Gladiator

Raham, posted July 2, 2013:

Hi
Here is the unpacked file (tested on XP, 7 & 8). Quite easy to unpack.
PS: and who is the author of this protector?
Kind Regards
Unpacked_By_Raham.rar

Lostin, posted July 2, 2013 (edited):

Raham, I think this is not the best method to unpack it. Dumping memory regions will blow the exe size. A better method would be fixing the resource manually, but since it is a Delphi app, hell, it is a lot of work.
Also, why did you move the redirected addresses manually? You could just leave them unfixed and not cut them with ImportREC.
Edited July 2, 2013 by Lostin

Raham, posted July 2, 2013 (edited):

@Lostin
1. A null-terminated record is needed in parsing imports, so I did that because it had a reason.
2. Yes! Surely that's better, and I know it! But it's just a simple unpackme, and no one works a lot on just an unpackme (a non-commercial protector)!
Kind Regards
Edited July 2, 2013 by Raham

Lostin, posted July 3, 2013:

Nice work Jerry. But you have missed the string tables. However, those are only required for exceptions.

Gladiator (Author), posted July 3, 2013:

Good job guys. Is it possible to make unpacking harder with more resources?

Gladiator (Author), posted July 3, 2013:

I don't know, this is not my unpackme, I just release it.

Raham, posted July 3, 2013 (edited):

> Hint: Attachment file has been changed because of my mistake (incompatible in some Windows).

And it's not yours?!
Edited July 3, 2013 by Raham

Gladiator (Author), posted July 3, 2013 (edited):

> And it's not yours?!

No, this is not mine; I have some unpackmes from this unknown protector and uploaded the wrong release to the board... I want to learn how to unpack it and there is no tut about unpacking this, so I have to ask some questions to know how strong this is or not, and to know, if there is IAT redirection, whether there is really redirection or not...
Edited July 3, 2013 by Gladiator

GIV, posted August 10, 2013:

> No, this is not mine; I have some unpackmes from this unknown protector and uploaded the wrong release to the board... I want to learn how to unpack it and there is no tut about unpacking this, so I have to ask some questions to know how strong this is or not, and to know, if there is IAT redirection, whether there is really redirection or not...

The OEP can be reached quite easily and the redirection can be bypassed by a simple switch from JNB to jmp.
I reached the OEP by using this method:
1. Load the exe in Olly. Run.
2. Pause. Open memory map. View in disassembler. Search for intermodular calls. BP on write on the last one.
3. Restart. Run until you see the API in a register. Put a mem BP on the code section on access and there will be the OEP.
For the IAT redirection I have saved a hex search pattern and I found the redirection in an instant. Otherwise there are 12 APIs that you will need to fix by hand.
After finding the OEP and canceling the IAT redirection I have been lost. I have no idea why the dump does not run. I tried to trace for some time but I have no patience and my knowledge is low, so I have quit.

grizzmo, posted August 11, 2013:

Did you rebuild the dump with LordPE, or similar?

GIV, posted August 11, 2013:

No. I will try to rebuild the dump and check only Validate PE.

Gladiator (Author), posted August 11, 2013 (edited):

> The OEP can be reached quite easily and the redirection can be bypassed by a simple switch from JNB to jmp.
> I reached the OEP by using this method:
> 1. Load the exe in Olly. Run.
> 2. Pause. Open memory map. View in disassembler. Search for intermodular calls. BP on write on the last one.
> 3. Restart. Run until you see the API in a register. Put a mem BP on the code section on access and there will be the OEP.
> For the IAT redirection I have saved a hex search pattern and I found the redirection in an instant. Otherwise there are 12 APIs that you will need to fix by hand.
> After finding the OEP and canceling the IAT redirection I have been lost. I have no idea why the dump does not run. I tried to trace for some time but I have no patience and my knowledge is low, so I have quit.

Thanks for your try and thanks for implementing your way to unpack. I hope you get success.
Edited August 11, 2013 by Gladiator

GIV, posted August 12, 2013:

> Did you rebuild the dump with LordPE, or similar?

Here is what I have managed to do so far.
P.S. For IAT redirection I use this search pattern:
83 3D ?? ?? ?? ?? 00 76 ?? A1
Artan.rar

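The wildcard search pattern from the post above, as an added example that is not part of the original thread: a small Python scanner that finds every match of `83 3D ?? ?? ?? ?? 00 76 ?? A1` in a buffer and decodes the compared address and the short-jump target. The sample bytes and the 0x401000 base address are constructed for illustration.

```python
import re
import struct

IAT_PATTERN = "83 3D ?? ?? ?? ?? 00 76 ?? A1"  # pattern quoted in the thread

def compile_pattern(pattern):
    """Turn an Olly-style hex pattern with ?? wildcards into a bytes regex."""
    parts = []
    for tok in pattern.split():
        if tok == "??":
            parts.append(b".")                      # any single byte
        elif re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
            parts.append(re.escape(bytes.fromhex(tok)))
        else:
            raise ValueError(f"bad pattern token: {tok!r}")
    return re.compile(b"".join(parts), re.DOTALL)

def scan(data, base=0):
    """Return (match_va, compared_addr, jump_target) for every pattern match."""
    rx, hits, pos = compile_pattern(IAT_PATTERN), [], 0
    while (m := rx.search(data, pos)) is not None:
        off = m.start()
        # 83 3D disp32 imm8: cmp dword ptr [disp32], imm8 (7 bytes)
        (compared,) = struct.unpack_from("<I", data, off + 2)
        # 76 rel8: short conditional jump, relative to the next instruction
        (rel8,) = struct.unpack_from("<b", data, off + 8)
        hits.append((base + off, compared, base + off + 9 + rel8))
        pos = off + 1                               # allow overlapping hits
    return hits

# Constructed sample: two matches and one near miss (imm8 is 01, not 00).
SAMPLE = bytes.fromhex(
    "9090"
    "833D10204000" "00" "7605" "A114204000" "C3"
    "833D10204000" "01" "7605" "A114204000"
    "833D34124000" "00" "76F0" "A100000000"
)

if __name__ == "__main__":
    for va, compared, target in scan(SAMPLE, base=0x401000):
        print(f"{va:#x}: cmp [{compared:#x}], 0 ; short jump to {target:#x}")
```
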
grizzmo, posted August 12, 2013 (edited):

You can try to load the crashing dump in Olly and patch all the errors. Good luck.
Edited August 12, 2013 by Blizzard

GIV, posted August 12, 2013:

> You can try to load the crashing dump in Olly and patch all the errors. Good luck.

That is what I said before. That I cannot manage any further.

grizzmo, posted August 12, 2013:

Do you have a dump copy, maybe? I patched non-working ASProtect dumps in the past so they did run.

Gladiator (Author), posted August 12, 2013:

> Here is what I have managed to do so far.
> P.S. For IAT redirection I use this search pattern:
> 83 3D ?? ?? ?? ?? 00 76 ?? A1

So many thanks for the tut.

Apuromafo, posted September 10, 2013 (edited):

There exists a tutorial in Spanish by a friend, Indulgeo.
Tutorial:
http://indulgeoeddy.orgfree.com/index.php?option=com_content&view=category&layout=blog&id=39&Itemid=56
http://www.ricardonarvaja.info/WEB/CONCURSOS%202013/CONCURSO%208/UnPacking_ARTAN_%20v.1.0.0%20%2B%20%5BScript%5D_By_InDuLgEo.rar
Edited September 10, 2013 by Apuromafo

Gladiator (Author), posted September 11, 2013 (edited):

Nice work Apuromafo. Thanks for sharing the tuts.
PS: it would be better to release tuts in English.
Edited September 11, 2013 by Gladiator

Sam7sam7, posted September 17, 2013:

> Hi
> Please unpack and rate it.
> Artan may be a new Persian protector... thanks.
> Hint: Attachment file has been changed because of my mistake (incompatible in some Windows).

Hi all.
@Gladiator, I downloaded your UnPackme and ran it in Windows 7 64-bit but it's not working!!! and it crashed my OS.

Gladiator (Author), posted September 17, 2013:

> Hi all.
> @Gladiator, I downloaded your UnPackme and ran it in Windows 7 64-bit but it's not working!!! and it crashed my OS.

Hi
Thanks for testing, but there should be no problem with Windows 7 x64. It may be because of anti-debug routines, and it's fixed in version 1.2 (new release of Artan protector).

EvOlUtIoN, posted November 12, 2013:

The method this packer uses to delete the Delphi resources is quite interesting, but it is not enough to define a good packer imho.