Jump to content
Tuts 4 You

[UnpackMe]Safengine Licensor v2.2.2.0 UnpackMe

Hmily

By Hmily
in UnPackMe

 Share

Recommended Posts

LCF-AT

LCF-AT

Posted
Posted

Hi,


 


nice to see a new UnpackMe but this time I can't check / unpack it at the moment. :(


Maybe anybody else is faster to post the unpacked file. :)


 


greetz


Link to comment
Share on other sites
Raham

Raham

Posted
Posted (edited)

Hi


 


 


here is the unpacked file.


 


Import Patched + CPUID Fixed.


 


 


 


Note: its not hard to recover the import...but because of time lake...i prefered to just do a quick unpack instead of perfect unpack.


Quick_Unpacked.rar

Edited by Raham
  • Like 2
Link to comment
Share on other sites
Raham

Raham

Posted
Posted

Hi Guys


 


Thanks for Interest! But...


 


i dont agree with Case-Study.... i mean:


seeing a tutorial for vmp...safengine...themida or other top protector will not learn you unpacking... just you will memorize some step for unpacking...


its not good method...better way is first trying to unpack some lower level protector...and understand the mechanism of protection and increase your experience/skill step by step... then you can unpack a protection even without knowing what is it! because its not important! you can do everything by yourself... just trust yourself ;)


 


 


 


Good LuCk


  • Like 6
Link to comment
Share on other sites
HACKAL

HACKAL

Posted
Posted

@Raham : Hi Raham, I have a couple of questions, and i hope you can clarify these doubts, as you said, seen tutorials about unpacking, maybe just only teach you some pre defined steps to follow, however, not all the packers use the same methods or proccess, ...my question, how an intermediate level reverser(maybe and advanced reverser) can deal with a new packer?, ...i.e, imagine for a second, there's no tutorial about unpacking Armadillo, ok, just an example, all we know there's thousands of tutorials about it, just imagine. Armadillo, uses, some protections like Debug Blocker, IAT Elimination and a very popular option called Nanomites, How a reverser can deal with Nanomites?., as far as i know, to deal with nanomites we need a tool (You know, Arminline a tool made by Admiral), if you don't have such a tool like this, you will unavailable to reverse the protection, i guess, maybe i'm wrong, don't know.


It's enough our dumping from memory, fixing it using ImpREC?? ...Finding the OEP?, our BP, will be these things enough?. I'm not sure if im very clear with my question, but i hope you will understand what i'm trying to say.


Thanks for your review in advanced.


Best Regards.


  • Like 2
Link to comment
Share on other sites
The Trooper

The Trooper

Posted
Posted

@Raham


I respect your decision, but not agree with you, you and lcf-at didn't need in any day of any tutorial to learn? Am I wrong?. "Write this Words" I don't want to share this knowledge to unpack this protector(safengine) in all unpackme-crackme posted by you and LCF-AT, would be the correct way IMHO.

  • Like 1
Link to comment
Share on other sites
Raham

Raham

Posted
Posted (edited)

@The Trooper


 


Hey! i didnt told im not agree with tutorial or unpacking! i told i don't agree with Case-Study...


about Case-Study i mean some tutorial like this:


For Example VMProtector Anti Dump:


1.BP on LocalAlloc


2.Redirect The Memory to a suitable place


3.Patch the CPUID


 


Bang! VMP Defeated!


 


you think its knowledge? most of people can do it easily... because they know the steps... im not agree with this kind of tutorial...because:


benefit of this tutorial will be just UNPACKING/CRACKING! not Knowledge! and etc.


instead try to find out whats exactly inside of VMProtect anti dump...whats that Memory...whats the Calculation... how check will done...and go in-depth on it.


its the knowledge!


 


if you do this...also you will be successful on unpacking Safengine or other ones.


 


 


PS: its just MY OPINION...nothing more!


PS2: actually i saw tutorial when i was starting... i saw LENA tutorials til part 2X if i remember correctly...they are very nice one..because they gave me some idea.


 


 


 


You can do anything...view everything... that was just a person's idea.


 


 


Good LuCk


Edited by Raham
  • Like 6
Link to comment
Share on other sites
Max2

Max2

Posted
Posted

Thanks for your advice Dear Raham

it is very important to know how to study any protection
but it is also good for us how you are Unpacking this protection
to get an idea

Link to comment
Share on other sites
Nael

Nael

Posted
Posted

dear  : Raham
i 've seen most of people encluding me have a big problem with safe engine . and i really hope little bit of your time to devote it for a small tut for safe engine .

beleave me , no one ever tried to make a tut for this protection before , all we got it just disarrayed little info. from china 's website...

i hope u to reconsider the matter and discover our mistery....

regards

Link to comment
Share on other sites
Dragon Palace

Dragon Palace

Posted
Posted (edited)

@LCF-AT


@Raham


 


your are both are unpacking Master in the REC World, We all admire your are all.


 


BTW, How to learn Strong Packer Unpacking?


 


Are you try to anynise VMProtect.exe and go deep inside have a look it's source code (maybe disassemble code or maybe C++ Code), or are you direct F8, F8, F8 step over debugging a exe protected by VMProect?


 


But A strong debuger can bypass Anti-Debugging check is a must, I think. Otherwise, a Messagebox Prompt that for you is "A debugger found in your Operating System, Please Unload it and Restart Again."


 


But here, We all want to know, are you use your own debugger code by yourself, or are you use Stronger OllyDBG Modified by yourself?


 


Thanks for Answer.


Edited by chixiaojie
Link to comment
Share on other sites
Raham

Raham

Posted
Posted (edited)

HI


 


 


i just noticed vmpr as an example....


anyway for that...i just used Debugger (OllyDBG) to analyze its VM...Protections...and etc


NOT SOURCE or etc!


the key of success is just a bit of Windows Knowledge and strong EFFORT


 


first question:


why most of people have problem with Anti-Debug?


Answer:


Because they dont  want to know Anti-Debug mechanism! they just prefer using some Plugin like StrongOD-Phantom and etc for bypass Anti-Debug.


so when on some situation (custom or modded anti debug) when the StrongOD fail = they fail!


because they couldnt analyze anti-debug... they just relay on Plugin/Tutorial/Script and etc!


 


 


PS: i just use "Olly 2 Final Without ANY PLUGIN just with PEB Patch"


 


 


 


 


Edited by Raham
  • Like 1
Link to comment
Share on other sites
LCF-AT

LCF-AT

Posted
Posted

Hi,


 


maybe you should start and try to analyse this protection for a while and find out how it works and make notes of all important things you found.If you then stuck somewhere then post what you got so far and ask for some help etc and then lets see what you get. :) The easiest way is it just to start with something so in your case I would pick any UnpackMe of these protection and then if you really come not forward after a while then create a new topic and keep working on it till you got it.Of course its possible to handle this protection like others too and its also possible to write scripts and codes for it and its also possible to handle and fix the Emulation / IAT / APIs on diffrent ways.


 


PS: Maybe you do remember the song by NKOTB -"Step by Step" :) Just start to make the first step.


 


@ chixiaojie


 


Nice question.


So the main thing is to spend much time till you did lern the basics how a protector does work.So "almost" all do work on the same basic ways.Here a small steplist how you can start.




- AntiDebug / Exceptions + Handling

- OEP

- IAT / IAT RD API commands etc

- VM optional

- AntiDump stuff / checks / Resources

- etc

So in the most cases you can use some hide plugins who do case about the ADs in the best case if you don't wanna handle this by yourself to get your target run.Also for this you don't need any special Olly modding etc.The next step which I choose is to find the OEP / Near OEP location and for this you just need to studdy the program languages and diffrent compiler versions codes.So mostly its enough to know the first routines and possible APIs which are used + a little overview about the whole code etc and after a while you have it in your mind and you will reconize automatically the code without to use any scanner [also the same with the protection code itself].Now its also possible to rebuild stolen OEP bytes without big problems or to find the first called API / Emu or RD API to check the stack and register and to create a tiny OEP.


 


As next I do care about the IAT - RD / API command etc all about the imports fixing what is necessary for your target and in this case you can first start to find a way to prevent the IAT RD / dll emulation in the protector code itself.So if there is no way for you to find or handle this feature then you have also the chance to handle the problem on a other way from OEP.So its some kind of after-analysing & fixing method.So if you did handle these both steps about OEP and IAT / APIs then you got already finished the half way and the rest is just a optional thing.


 


OEP & IAT / API commands = Main functions which you can handle and also fix separately.


 


Now you can care about the other used optional stuff.


 


Also do not forget to lern the whole list and opportunities of all ASM commands itself.So if you don't know what the commands are doing then you chance to analyse the code you are trace is very small.So you need to know what the commands are doing to follow how the code works.So for this you can get a lot infos on the NET with many exsamples.Also there is a tool called opcode table who does list all opcodes and "single" [not combined commands] commands + short description.Get this in your head and test the commands also by yourself on diffrent exsamples.


 


Someday you are then maybe in the position where you will see all by yourself if you do check any xy unknown protection for the first time [some kind of matrix view :) ] and then you also see what you have to do to handle this protection or your mind give you diffrent ideas what you can do to find / handle problem reasons etc but this is also just a question of your own experience status which you get and expand automatically and thats the price you got someday after xy years.


 


So for me is unpacking a lot fun and also my main theme on the RCE field.No idea why.So if you ask me about other themes like keygen or others etc then I have "0" ideas about it you know. :)


 


greetz


  • Like 2
Link to comment
Share on other sites
HACKAL

HACKAL

Posted
Posted

@Everybody, ...As i said before, it's just a question, but, as LCF-AT show us, there exist some common steps to unpack any packer or protector. But again, my doubt, it is possible unpack succesfully, e.g : Armadillo, with special features enables (like nanomites) without 3rd party special tools??? ...or maybe another packer with a VM, with a VM opcodes restoring tool, or maybe just THEMIDA, using, CODE VIRTUALIZER, without UNCODE VIRTUALIZER Tool, or plugin??... If it's possible, or we need to code some special tools by force.


 


Thanks and best regards to all of You.


Link to comment
Share on other sites
Dragon Palace

Dragon Palace

Posted
Posted (edited)

@Hackal


 


I'm not sure are all unpacker Talent here can unpack each packer or not, Maybe they are unicversal, or maybe not.


 


but I know for Armadillo Packer, Mr. eXoDia is ace on it


Edited by chixiaojie
Link to comment
Share on other sites
HACKAL

HACKAL

Posted
Posted

@chixiaojie : Thanks my friend for your comment, ... i really appreciated it, but, i'm still have this doubt, maybe i'm was not so clear with my question, (also i know Mr. eXoDia it's one of the experts when we're talking about Armadillo). My doubt falls in this scenary. For a second imagine you are trying to unpack Armadillo(Just for the example purpose, nothing else) and there´s no exist any 3rd party tool like Arminline(By Admiral), ArmaDetach(By RES), even Armageddon(By CondZero - ARTeam), You only have, OllyDbg, some Plugins like Phantom, Poison, etc, - ImpREC, PeID, Some Hex Editor, and that's all... So you will be able to unpack succesfully a protected target, with special features?, as i said before Nanomites?. Probably you will be stuck in this part or am i wrong?. I hope make my question so clear as i can, ...In this point, you will be forced to analize in depht how armadillo nanomites work and code(by force) a tool to restore them. am i right?. The same scenary with THEMIDA and CODE Virtualizer, ...we know there are some tools to restore the opcodes in the VM, To make it readable, but, if this tool were unavailable. You, (or me) will be able to unpack Themida? I guess no. But i might be wrong of course. So feel free to let me know :). but as i see i think will be in a dead end road. So, there's no enought with the basic steps to unpack a strong packer, there are some case which demands another weapons to kill the b!TcH. ...Am i Right?. So you think it's true?. Are you Agree? Please let me Know.


 


Best Regards to all of You.


Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing
×
×
  • Create New...