Jump to content
Tuts 4 You

[UnpackMe] ARTAN Protector UnpackMe


Gladiator

Recommended Posts

Hi


Please Unpack and rate it


Artan maybe be new persian protector...


 


 


 


thanks.


 


Hint : Attachment file has been changed because of my mistake ( incompatible in some windows )


UnpackMe.rar

Edited by Gladiator
Link to comment

Raham I think this is not the best method to unpack it :)


 


Dumping memory regions will blow the exe size. A better method would be fixing the resource manually but since it is Delphi app hell it is a lot of work :)


 


Also why you move the redirected addresses manually? you could just leave them unfixed and don't cut them with ImportREC.


Edited by Lostin
Link to comment

@Lostin


 


 


1.Null Terminated Record need in parsing import. so i did that because it had reason :D


2.Yes! surely thats better, and i know it! but its just a simple unpackme. and no one work a lot on a


just unpackme ( a non-comercial protector)! 


 


 


 


Kind Regards


Edited by Raham
  • Like 1
Link to comment
Hint : Attachment file has been changed because of my mistake ( incompatible in some windows )

 

 

 

and its not your?!

Edited by Raham
Link to comment

and its not your?!

No, this is not mine ; i have some unpack me from this unknown protector and upload wrong release to board...

I want to learn how to unpack it and there is not tut about unpack this so i have to make some question to know how this is strong or not and know if there are IAT redirection there is really redirection or not...

Edited by Gladiator
Link to comment
  • 1 month later...

No, this is not mine ; i have some unpack me from this unknown protector and upload wrong release to board...

I want to learn how to unpack it and there is not tut about unpack this so i have to make some question to know how this is strong or not and know if there are IAT redirection there is really redirection or not...

The OEP can be reached quite easy and the redirection can be bypassed by a simple swith from JNB to jmp.

I reached the OEP by using this method.

1. Load the exe in Olly. Run

2. Pause. Open memory map. View in dissasembler. Search for intermodular calls. BP on write on  last one.

3. Restart. Run until you see the api in register. Put a mem bp on code section on access and there will be the OEP.

For the iat redirection i have saved a hex search pattern and i found the redirection in a instant. Otherwise are 12 API's that you will need to fix by hand.

After finding OEP and canceling the IAT redirection i have been lost. I have no ideea why the dump does not run. I try to trace sometime but i have no patience and my knowledge is low so i have quit.

Link to comment

The OEP can be reached quite easy and the redirection can be bypassed by a simple swith from JNB to jmp.

I reached the OEP by using this method.

1. Load the exe in Olly. Run

2. Pause. Open memory map. View in dissasembler. Search for intermodular calls. BP on write on  last one.

3. Restart. Run until you see the api in register. Put a mem bp on code section on access and there will be the OEP.

For the iat redirection i have saved a hex search pattern and i found the redirection in a instant. Otherwise are 12 API's that you will need to fix by hand.

After finding OEP and canceling the IAT redirection i have been lost. I have no ideea why the dump does not run. I try to trace sometime but i have no patience and my knowledge is low so i have quit.

 

Thanks for your try and thanks for implementing your way to unpack

i hope you got success ;)

Edited by Gladiator
Link to comment

Did you rebuild the dump with LordPE, or similair?

Here is what i have managed to do so far.

 

P.S.

For IAT redirection i use  this search pattern:

83 3D ?? ?? ?? ?? 00 76 ?? A1

Artan.rar

  • Like 1
Link to comment

You can try to load the crashing dump in Olly and patch all the errors.

 

 

Good luck.

Thtat is what i sayd before.

That i cannot manage any furter.

:)

Link to comment

 

Here is what i have managed to do so far.

 

P.S.

For IAT redirection i use  this search pattern:


83 3D ?? ?? ?? ?? 00 76 ?? A1

 

so many thanks for tut :)

Link to comment
  • 5 weeks later...

Hi

Please Unpack and rate it

Artan maybe be new persian protector...

 

 

 

thanks.

 

Hint : Attachment file has been changed because of my mistake ( incompatible in some windows )

hi all

 

@Gladiator , i download your UnPackme and run its in windows 7 64bit but that's not working !!! and crash my OS.

Link to comment

hi all

 

@Gladiator , i download your UnPackme and run its in windows 7 64bit but that's not working !!! and crash my OS.

 

Hi

Thanks for testing but there should be no problem with windows 7 X64

but it maybe because of anti-debug routines and its fixed in version 1.2 ( new release of artan protector )

Link to comment
  • 1 month later...

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...