Gladiator, posted August 14, 2013
Hi
Please unpack it and then crack it.
File Type: Delphi XE Simple Compiled File
Enabled Options:
- Anti-Debugging
- Anti-Dumping
- Resource Protection
- OEP Protection
- IAT Protection
- Double VM Layer [Protect Password Validation Code]
Thx
UnPackMe_CrackMe.rar
Raham, posted August 14, 2013 (edited)
Unpacked & Cracked. (Clean & Minimized)
Unpacked_Cracked_By_Raham.rar
Edited August 15, 2013 by Raham
SReg, posted August 15, 2013
keygen
    Serial.Text := IntToStr(Random($FFFFFF) * 17 + 13);
Gladiator (Author), posted August 15, 2013 (edited)
I have made a big mistake. There is no VM Code Translation and the code is clear... so cracking the password validation will be very easy.
Update [ 15 August 2013 ]: Attached file protected with artan protector with VM Code Protection enabled. Now the goal is cracking the password validation routine.
thanks
Cr4cKM3.rar
Edited August 15, 2013 by Gladiator
Raham, posted August 16, 2013 (edited)
Hi
as easy as always
No Need To Unpack. For Crack Just NOP this command: 0FA3D0E0
i will not post any stuff about cracking/unpacking/crackedfile/unpackedfile Your!!! Protector anymore, until i see any commercial target with that.
Good LuCk
Edited August 16, 2013 by Raham
Gladiator (Author), posted August 16, 2013 (edited)
Thanks for cracking, but it seems there is no cracked file and your hint doesn't work for me; anyway thanks
and about your post
Irrelevant to the discussion
there is no free stuff all around the world, if you pay you will get something, otherwise you get nothing
Edited August 16, 2013 by Gladiator
Raham, posted August 16, 2013
Are You Kidding me?
First Run the Target in your debugger... after the Target has run... or reached OEP (i mean after the BYTE is decrypted) then NOP the command!
See the picture.
Gladiator (Author), posted August 16, 2013
Thanks for the reply, i think this way of patching is not the same for a large VM Protected area, and i will try to make much harder handlers and maybe release a full crackme with a large amount of code translated to vm, to show how complex my vm is to reverse
Sh4DoVV, posted August 16, 2013
Hi friends
Just Cracked
Good Luck
Cr4cKM3 Inlined By Sh4DoVV.rar
Gladiator (Author), posted August 17, 2013
Thanks Dear Sh4DoVV
New File updated with these features:
- VM Handler More Obfuscation
- Control Flow Obfuscation
- Metamorphic Code Replacement
Thanks
Example.rar
mm10121991, posted August 17, 2013 (edited)
Yet Another VMP VM Clone
Edited August 17, 2013 by mm10121991
Raham, posted August 17, 2013 (edited)
> Yet Another VMP VM Clone
Edited: i have nothing to say!
Edited September 16, 2013 by Raham
Gladiator (Author), posted August 18, 2013 (edited)
> > Yet Another VMP VM Clone
> VMP Clone? i have another Idea! Not Clone! It's The VMProtect Itself! seems he had the VMProtect Source, and modified it a bit! Just It!
It is my code and there is no other source code or tools
feel free with your imagination
and i am sorry to say this, if you have some proof write it here, otherwise please be silent
Edited August 18, 2013 by Gladiator
mm10121991, posted August 18, 2013 (edited)
I am not talking about your protector stub, just the VM
your protector VM is almost a VMP VM clone, maybe you have just recoded it
and no need to prove that, if someone wants to give it a look just start from 0AC3CEA8
Edited August 18, 2013 by mm10121991
Gladiator (Author), posted August 18, 2013 (edited)
> I am not talking about your protector stub, just the VM
> your protector VM is almost a VMP VM clone, maybe you have just recoded it
> You should develop your own, not just copying other people's hard work for commercial purpose
> and no need to prove that, if someone wants to give it a look just start from 0AC3CEA8
Artan VM was developed by myself and there is no clone, vmp or something else. Some time ago i worked hard on the vmprotector vm and got some ideas from its vm to develop my own vm; maybe the similarity of my vm and vmp's vm is because of this
PS: I'm waiting for the cracked file
thanks
Edited August 18, 2013 by Gladiator
SReg, posted August 19, 2013
Gladiator, we wait too )
if it is your protector then upload the full unpacked file from your post (Update [ 15 August 2013 ] - http://forum.tuts4you.com/topic/32928-unpackmecrackme-artan-protector-11/#entry153155 )
and show the restored original ASM code
Gladiator (Author), posted August 19, 2013 (edited)
if i put the asm code here it may be useful for pattern searching, so please get it yourself
Delphi Source Code of Password Validation:
    if StrToIntDef(edtPassword.Text, 0) mod 25 = 2013 then
      MessageBoxA(Self.Handle, 'Password is correct', '', MB_ICONINFORMATION)
    else
    begin
      MessageBoxA(Self.Handle, 'Password is not correct', '', MB_ICONERROR);
      edtPassword.SetFocus;
    end;
You should patch it
Thanks
Edited August 19, 2013 by Gladiator
SReg, posted August 19, 2013 (edited)
lol
If it is your protector, I want to look at the unpacked file with restored original ASM instructions
Edited August 19, 2013 by SReg
Gladiator (Author), posted August 19, 2013 (edited)
What are you talking about???
you want the unpacked file, so please unpack it yourself
i don't want to force anyone to believe this is my protector or not, you are Free to accept this or not
an unpacked file with asm instructions does not prove that this protector is mine or not
you should analyse it yourself and compare it with known packers/protectors to know whether this is just a rip or something new
Edited August 19, 2013 by Gladiator
GIV, posted January 4, 2015 (edited)
OK.
Here is unpacked.
My OEP:
    00419503 >  55              PUSH EBP
    00419504    8BEC            MOV EBP,ESP
    00419506    83C4 F0         ADD ESP,-0x10
    00419509    B8 40835A00     MOV EAX,UnPack_C.005A8340
    0041950E    B9 B0FF1500     MOV ECX,0x15FFB0
    00419513    BA 14E5907C     MOV EDX,ntdll.KiFastSystemCallRet
    00419518    BB 00F0FD7F     MOV EBX,0x7FFDF000
    0041951D    BC A8FF1500     MOV ESP,0x15FFA8
    00419522    BD C0FF1500     MOV EBP,0x15FFC0
    00419527    BE FFFFFFFF     MOV ESI,-0x1
    0041952C    BF 2802917C     MOV EDI,0x7C910228
    00419531    E8 5A47FFFF     CALL UnPack_C.0040DC90
    00419536    B8 10CE620E     MOV EAX,0xE62CE10
    0041953B    B9 58835A00     MOV ECX,UnPack_C.005A8358
    00419540    BA B0FF1500     MOV EDX,0x15FFB0
    00419545    BB 00B0FD7F     MOV EBX,0x7FFDB000
    0041954A    BC ACFF1500     MOV ESP,0x15FFAC
    0041954F    BD C0FF1500     MOV EBP,0x15FFC0
    00419554    BE FFFFFFFF     MOV ESI,-0x1
    00419559    BF 2802917C     MOV EDI,0x7C910228
    0041955E    E8 11641800     CALL UnPack_C.0059F974
    00419563    B8 40414C0E     MOV EAX,0xE4C4140
    00419568    B9 58C35B00     MOV ECX,UnPack_C.005BC358
    0041956D    BA F87F5A00     MOV EDX,UnPack_C.005A7FF8
    00419572    E8 15641800     CALL UnPack_C.0059F98C
    00419577    E8 74651800     CALL UnPack_C.0059FAF0
    0041957C    B8 10CE620E     MOV EAX,0xE62CE10
    00419581    B9 10CE620E     MOV ECX,0xE62CE10
    00419586    E8 15F8FEFF     CALL UnPack_C.00408DA0
In the file i keep the VM OEP though.
For crack and stuff i don't have more time to spare.
Tested under XP SP3.
Not size reduced etc...
Conclusion:
- API redirection is the same as PEP
- Same stolen API's
- Resources are stolen in same way as PEP.
- OEP is in VM, quite easy to restore.
UnPack_CrackMe_dump_SCY.7z
Example_dump_SCY.7z
Edited January 4, 2015 by GIV