Jump to content
Tuts 4 You

[UnpackMe][CrackMe] ARTAN Protector 1.1


Gladiator

Recommended Posts

Hi


Please Unpack it and then crack it


 


File Type:



 


Delphi XE Simple Compiled File



 


Enabled Options :



 


-Anti-Debugging


-Anti-Dumping


-Resource Protection


-OEP Protection


-IAT Protection


-Double VM Layer [Protect Password Validation Code]



 


Thx


 


UnPackMe_CrackMe.rar

Link to comment

I have made big mistake :)


There is no VM Code Translation and code is clear...


so cracking password validation will be very easy


 


Update [ 15 August 2013 ]:


 


Attached file protected with artan protector with VM Code Protection enabled


now the goal is cracking password validation routine


 


thanks


Cr4cKM3.rar

Edited by Gladiator
Link to comment

Hi


 


 


as easy as always :)


 


 


No Need To Unpack.


 


 


For Crack Just NOP this command: 0FA3D0E0


 


 


i will not post any stuff about cracking/unpacking/crackedfile/unpackedfile Your!!! Protector anymore,until i see any comercial target with that.


 


 


Good LuCk


Edited by Raham
Link to comment

Thanks for cracking , but it seems there is no cracked file and your hint doesn't work for me ; anyway thanks


and about your post Irrelevant to the discussion


there is no free stuff all around the world , if you pay you will got some thing otherwise you got nothing


post-41083-0-06545500-1376688556_thumb.p

post-41083-0-42373900-1376688568.png

Edited by Gladiator
Link to comment

Are You Kidding me?:)


 


First Run the Target in your debugger...after Target Runned...or reached OEP (i mean after BYTE is decrypted)


then NOP the command :)!


 


 


 


 


See the picture.


 


 


 


 


post-54625-0-54493100-1376689782_thumb.j

Link to comment

Thanks for reply , i think this way of patching is not same for large VM Protected area and i will try to make much more harder handlers and maybe release full crackme with large amount of code that translated to vm to show my vm how much is complex to reverse ;)

Link to comment

Yet Another VMP VM Clone 

 

 

VMP Clone?

 

i have another Idea ! Not Clone! Its The VMProtect Itself!

 

seems he had the VMProtect Source , and modified its a bit! Just It!

 

It is my code and there is no other source code or tools

feel free with your imagination :)

and i am sorry for say this , if you have some proof write it here otherwise please be silent

Edited by Gladiator
Link to comment

I am not talking about your protector stub , just the VM


your protector VM is almost a VMP VM clone, may be you have just recoded it


and no need to proof that, if someone want to give it a look just start from 0AC3CEA8 


Edited by mm10121991
  • Like 1
Link to comment

I am not talking about your protector stub , just the VM

your protector VM is almost a VMP VM clone, may be you have just recoded it

You should develop your  own not just copying other poeple hard work for commercial purpose

and no need to proof that, if someone want to give it a look just start from 0AC3CEA8 

 

Artan VM developed by myself and there is no clone, vmp or some thing else, some times age i worked hard on vmprotector vm and got some idea from it's vm to develop my own vm may be similarity of my vm and vmps vm because of this

 

 

PS: I'm waiting for cracked file :)

thanks

Edited by Gladiator
Link to comment

if i put here asm code it will be may useful for pattern searching so please get it your self


 


Delphi Source Code of Password Validation :



if StrToIntDef(edtPassword.Text, 0) mod 25=2013 then
MessageBoxA(Self.Handle,'Password is correct','',MB_ICONINFORMATION)
else
begin
MessageBoxA(Self.Handle,'Password is not correct','',MB_ICONERROR);
edtPassword.SetFocus;
end;

You should patch it :)


Thanks


Edited by Gladiator
Link to comment

What are you talking about ???
you want unpacked file so please unpack it your self :)
i don't want to force any one to believe this is my protector or not , you are Free to accept this or not
unpacked file with asm instruction did not proving that this protector in mine or not
you should analysis it yourself and compare it with known packer/protectors to know this is just a rip or some thing new

Edited by Gladiator
Link to comment
  • 1 year later...

OK.


Here is unpacked.


My OEP:



00419503 > 55 PUSH EBP
00419504 8BEC MOV EBP,ESP
00419506 83C4 F0 ADD ESP,-0x10
00419509 B8 40835A00 MOV EAX,UnPack_C.005A8340
0041950E B9 B0FF1500 MOV ECX,0x15FFB0
00419513 BA 14E5907C MOV EDX,ntdll.KiFastSystemCallRet
00419518 BB 00F0FD7F MOV EBX,0x7FFDF000
0041951D BC A8FF1500 MOV ESP,0x15FFA8
00419522 BD C0FF1500 MOV EBP,0x15FFC0
00419527 BE FFFFFFFF MOV ESI,-0x1
0041952C BF 2802917C MOV EDI,0x7C910228
00419531 E8 5A47FFFF CALL UnPack_C.0040DC90
00419536 B8 10CE620E MOV EAX,0xE62CE10
0041953B B9 58835A00 MOV ECX,UnPack_C.005A8358
00419540 BA B0FF1500 MOV EDX,0x15FFB0
00419545 BB 00B0FD7F MOV EBX,0x7FFDB000
0041954A BC ACFF1500 MOV ESP,0x15FFAC
0041954F BD C0FF1500 MOV EBP,0x15FFC0
00419554 BE FFFFFFFF MOV ESI,-0x1
00419559 BF 2802917C MOV EDI,0x7C910228
0041955E E8 11641800 CALL UnPack_C.0059F974
00419563 B8 40414C0E MOV EAX,0xE4C4140
00419568 B9 58C35B00 MOV ECX,UnPack_C.005BC358
0041956D BA F87F5A00 MOV EDX,UnPack_C.005A7FF8
00419572 E8 15641800 CALL UnPack_C.0059F98C
00419577 E8 74651800 CALL UnPack_C.0059FAF0
0041957C B8 10CE620E MOV EAX,0xE62CE10
00419581 B9 10CE620E MOV ECX,0xE62CE10
00419586 E8 15F8FEFF CALL UnPack_C.00408DA0

In the file i keep the VM OEP though.


For crack and stuff i don't have more time to spare.


Tested under XP SP3.


Not size reduced etc...


Conclusion:


API redirection is the same as PEP


Same stolen API's


Resources are stolen in same way as PEP.


OEP is in VM, quite easy to restore.


 


UnPack_CrackMe_dump_SCY.7z

Example_dump_SCY.7z

Edited by GIV
  • Like 2
Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...