White Posted September 13, 2013 (edited)
Hi, All. Here are three unpackmes protected by Safengine v2.2.1 from 'JC'. Some information about these UnpackMes: "default.exe" is protected by Safengine 2.2.1 default options. "Middle.exe" is protected with the secondary protection options (somebody chose). "LOL.exe" is protected with the maximum protection options (somebody chose). Then you will see some new tricks in this version ('JC' said)... Thanks to 'JC' for the sample he provided. Anyway, hope all of you will like it. You can grade the three samples.
SE2.2.1.rar
Edited September 13, 2013 by White
Teddy Rogers Posted September 13, 2013
The [unpackme] tag has been added to your topic title. Please remember to follow and adhere to the topic title format - thank you! [This is an automated reply]
LCF-AT Posted September 13, 2013
Hi, "default.exe" - Unpacked. The other files I will check tomorrow. greetz
default_Unpacked.rar
converse Posted September 13, 2013
Hi LCF-AT, when at last will there even be a short tutorial on how to unpack? The previous version I even unpacked, but what exactly is in the latest has set me in a stupor. I will be grateful for any Old. Thank you, with respect.
LCF-AT Posted September 14, 2013
Hi again, "Middle.exe" - Unpacked. The other file I will check again tomorrow.
@converse: No idea whether someone wants to create any tutorial or script or code about this protection, and also I don't really see any important changes between the different versions. greetz
Middle_Unpacked.rar
converse Posted September 15, 2013
Hi LCF-AT, how to hide the debugger from detection? When will there be something of a tutorial from you on this defense?? thank you
LCF-AT Posted September 15, 2013
Hi converse, just use the normal basic hide setup of StrongOD and just disable Protect DRx in the PhantOm plugin, and now you can run both files "default & middle" in Olly. The LOL.exe has some more AD checks which I need to find later, so at the moment I get this not starting in Olly 1 & 2 and can't unpack it. No idea, maybe someday I will make a tuto about it. greetz
converse Posted September 15, 2013
> Hi converse, No idea, maybe someday I will make a tuto about it. greetz
hi LCF-AT, preferably as quickly as possible. I tried to unpack with different settings/plug-ins; the run starts, but it fails to unpack.
LCF-AT Posted September 15, 2013
Hi converse, if it starts now then it's ok already. The other stuff like Mem/HWBP/BP detection etc. you have to handle by yourself. greetz
White (Author) Posted September 16, 2013
@LCF-AT Well done. I will check your unpacked file in my OS.
Conquest Posted September 16, 2013
I can't even bypass the hwbp checks. It runs properly in my Olly, and then if I put a hwbp at the OEP or anywhere it detects it pretty easily or it crashes. Any suggestion about how to bypass the hwbp detection will be welcome.
converse Posted September 16, 2013
@Conquest I used to do a breakpoint in memory to read a section of code, well then, put a breakpoint on OEP and everything was wonderful. Well, now there is a new version and it's all firing. Any suggestions how to overcome it? thanks
Conquest Posted September 16, 2013
> @Conquest I used to do a breakpoint in memory to read a section of code, well then, put a breakpoint on OEP and everything was wonderful. Well, now there is a new version and it's all firing. Any suggestions how to overcome it? thanks
Same happened to me. It was running properly inside my Olly and now after a few restarts my Olly is detected. I can't even read what is written in the Chinese words.
converse Posted September 16, 2013
> Same happened to me. It was running properly inside my Olly and now after a few restarts my Olly is detected. I can't even read what is written in the Chinese words.
Well then, wait until someone (LCF-AT) clarifies the situation with breakpoints.
White (Author) Posted September 17, 2013
Hi, all. Here is some suggestion of mine about unpacking Safengine protected files. If the file is packed and again protected by Safengine, just like one file that is packed by WinLicense and then packed again by Safengine, you only need to pay attention to this address "VirtualProtect"; it will rewrite the ImageBase (like 401000) values, like section name, PE header etc.
Conquest Posted September 17, 2013
> Hi, all. Here is some suggestion of mine about unpacking Safengine protected files. If the file is packed and again protected by Safengine, just like one file that is packed by WinLicense and then packed again by Safengine, you only need to pay attention to this address "VirtualProtect"; it will rewrite the ImageBase (like 401000) values, like section name, PE header etc.
And what if it doesn't let us take a look at what it's writing at all? Just looking at the stack I can find the OEP, but this sick protection system is detecting my hwbps after certain instructions are processed. Moreover, I can smell a VM inside it. (1st time with NoobyProtect)
LCF-AT Posted September 17, 2013
Hi,
1. Use SoftBPs at the right places for easy handling only! Disable DRx.
2. Patch ThreadFunction! See EMU code for API stop if you don't patch the EMU.
Ok, here I made a very tiny script which brings you to the Pre OEP / Near OEP only. Use this also only for the "LOL.exe" file. Now figure out why I stop at these places. If you want to know more then you have to trace a lot.

// Run till OEP script only for LOL.exe!
// Disable Protect DRx and restart Olly!
// Use Basic StrongOD Settings!
// Now run this script from EP!
//
// LCF-AT
pause
bphwc
bc
gmi eip, MODULEBASE
mov BASE, $RESULT
mov [BASE+0006EE2F], #C20400# // ThreadFunctionPatch!
bp BASE+0011DD28
call ESTO
call BC
bp BASE+00194C25
call ESTO
call BC
bp BASE+0004E26B
call ESTO
call BC
rtr
sto
bprm BASE+001000, 00062000
call ESTO
bpmc
cmt eip, "Near OEP GMHA Routine!"
pause
ret
/////////////////
ESTO:
esto
ret
/////////////////
BC:
bc eip
ret

After using this script you can also use BPs on the section addrs etc. without getting the Safe NAG anymore etc. Just try and test it. greetz
White (Author) Posted September 18, 2013
@Conquest, sometimes just "ret 18" at the CreateThread function in its routine will be nice before the app starts to run. And this method will disable its bprm check tricks sometimes. Then undo the mod after reaching its OEP.
LCF-AT Posted September 18, 2013
Hi, "LOL.exe" - Unpacked. The last and final file. greetz
LOL_Unpacked.rar
converse Posted September 18, 2013
Hi LCF-AT, writing a script for the given sample is nice, but I would like to have a universal way of getting to the OEP. Well, or to clear up the same with breakpoints: how to bypass the detection?
kuazi GA Posted September 19, 2013
> Hi LCF-AT, how to hide the debugger from detection? When will there be something of a tutorial from you on this defense?? thank you
http://bbs.pediy.com/showthread.php?t=130066&highlight=Safengine
converse Posted September 19, 2013
hi kuazi GA, thanks of course, but I do not understand Chinese; can you translate it into English or write the most important thing here? thank you
Conquest Posted September 19, 2013
What I have figured out till now is that it uses similar API emulation like Themida etc., maybe more aggressively. This is why the usual hwbp detection patch doesn't work.
LCF-AT Posted September 20, 2013
Hi, don't care about the HWBP stuff if you don't need it. Did you already debug the protection a little more? Here now a special trick which I found which you can use to find the OEP / Near OEP, so just use it if you don't get clear etc. Just load the target in Olly and run it, and now if it runs set a mem BP on the code section [or somewhere to make it stop normally without pressing pause]. Now when you stop, the main protector code was written into the protector section. Now set EIP back on the EP where you started the file, set a mem BP on access on the code section and run = OEP / Near stop. Now you know the OEP address. Now you can do the same again: set EIP back on EP, set a soft BP at OEP, and now start a trace from EP till OEP [it's short this time of course] and check the trace log at the end to see the last commands popfd / popad / ret. Restart the target and set a BP there [code is already there at EP], run + trace the rest = stop at OEP and code is clean. Now you can start to find / fix all APIs etc.

Quick OEP Stop for Shielden2030.Sample.exe
Here a direct DL link I found and you don't need to register. 54658.rar

005345D0 CALL 005345F1 ; EP
005312C6 CMP DWORD PTR DS:[EAX+41038C],0 // Check
005312CD JE 0052F881 // jump if 0 normal on first run
0052F881 INC DWORD PTR DS:[EAX+41038C] // Is set to 1 normal
0041038C 00000001 // Is 1 on 2. or more runs from EP and JE does not jump anymore.

End of trace log...
---------------------------
0053133A POPAD // BP here after loading
------------------------------------------------------
0052E574 MOV ESP,EBP // Then BP here
0052E576 JMP 0052E797
0052E797 POPFD
0052E798 POPAD
0052E799 JMP 0052E523
0052E523 RETN
004016D1 MOV EBP,ESP // OEP 2. command

So on the other hand you can also use BPs on the VirtualProtect API. Just find the EMU VirtualProtect API and patch this to jmp VirtualProtect and you stop also at the real VirtualProtect API. Just start stopping after the whole EMU dll / API set protections [check after the Resource Table address changes in PE]. Now if you stop at the VP API then you see your target sections...

0012FBF0 004177AC /CALL to VirtualProtect
0012FBF4 00401000 |Address = Shielden.00401000
0012FBF8 00001000 |Size = 1000 (4096.)
0012FBFC 00000040 |NewProtect = PAGE_EXECUTE_READWRITE
0012FC00 0012FCC8 \pOldProtect = 0012FCC8

0012FBF0 00497CA9 /CALL to VirtualProtect
0012FBF4 00401000 |Address = Shielden.00401000
0012FBF8 00001000 |Size = 1000 (4096.)
0012FBFC 00000040 |NewProtect = PAGE_EXECUTE_READWRITE
0012FC00 0012FCC8 \pOldProtect = 0012FCC8

...now set a mem BP on the code section to see what happens before reaching the OEP [some API stuff + checkings], or just set a BP on OEP or Pre if you know it already. No detection, nothing etc. if you do it right. greetz
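The VirtualProtect stack dumps quoted in the post above get hard to read by eye once a protector issues dozens of them, so here is an added example (not code from the thread or from any tool's author): a small Python parser for OllyDbg's stack-window layout that groups each "CALL to VirtualProtect" into one record, decodes the NewProtect constant, and reports the callers that turn pages inside the code section writable and executable, which is the rewrite White and LCF-AT say to watch for. The sample dump is constructed from the values quoted in the post, and the code-section range passed to rwx_changes_in_range is an assumption, not taken from the sample binary.

```python
import re

# Win32 page-protection constants from winnt.h (low byte of the NewProtect argument).
PAGE_NAMES = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
              0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
              0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
WRITABLE_AND_EXECUTABLE = {0x40, 0x80}

# Constructed sample in the OllyDbg stack-window layout quoted in the thread:
# two VirtualProtect calls on the first page of the protected binary's code section.
SAMPLE_DUMP = """\
0012FBF0 004177AC /CALL to VirtualProtect
0012FBF4 00401000 |Address = Shielden.00401000
0012FBF8 00001000 |Size = 1000 (4096.)
0012FBFC 00000040 |NewProtect = PAGE_EXECUTE_READWRITE
0012FC00 0012FCC8 \\pOldProtect = 0012FCC8
0012FBF0 00497CA9 /CALL to VirtualProtect
0012FBF4 00401000 |Address = Shielden.00401000
0012FBF8 00001000 |Size = 1000 (4096.)
0012FBFC 00000040 |NewProtect = PAGE_EXECUTE_READWRITE
0012FC00 0012FCC8 \\pOldProtect = 0012FCC8
"""

# Each line is "<stack addr> <dword> <marker><text>"; '/' opens a call, '\' closes it.
LINE_RE = re.compile(r"^([0-9A-Fa-f]{8}) ([0-9A-Fa-f]{8}) ([/|\\])(.*)$")

def parse_virtualprotect_calls(dump):
    """Group each five-line 'CALL to VirtualProtect' block into a dict of its arguments."""
    calls, cur = [], None
    for line in dump.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        value, marker, text = int(m.group(2), 16), m.group(3), m.group(4)
        if marker == "/" and "VirtualProtect" in text:
            cur = {"caller": value}          # dword at ESP is the caller's return address
        elif cur is None:
            continue                         # stack noise outside a VirtualProtect frame
        elif text.startswith(("Address", "Size")):
            cur[text.split()[0].lower()] = value
        elif text.startswith("NewProtect"):
            cur["new_protect"] = value & 0xFF
            cur["protect_name"] = PAGE_NAMES.get(value & 0xFF, hex(value))
        elif marker == "\\":                 # pOldProtect is the last pushed argument
            calls.append(cur)
            cur = None
    return calls

def rwx_changes_in_range(dump, lo, hi):
    """Callers that make a page inside [lo, hi) writable and executable: the rewrites to watch."""
    return [(c["caller"], c["address"], c["size"]) for c in parse_virtualprotect_calls(dump)
            if lo <= c["address"] < hi and c["new_protect"] in WRITABLE_AND_EXECUTABLE]
```

Feed it the text copied from Olly's stack window (or a trace log filtered to the VirtualProtect stops) and the returned caller addresses are the protector routines to set soft BPs on, without touching DRx.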