converse, Posted January 27, 2014 (edited)

UnPackMe Safengine Shielden 2.2.4.0. Please, an unpacking video tutorial.

pass - 123

Attachment: UnPackMe Safengine Shielden 2.2.4.0.rar

Edited January 27, 2014 by converse
mrexodia, Posted January 27, 2014 (edited)

What's the password?

edit: it's '123'

Edited January 27, 2014 by Mr. eXoDia
converse (Author), Posted January 27, 2014

> What's the password? edit: it's '123'

sorry, pass - 123
LCF-AT, Posted January 27, 2014

Hi, ok, here is my unpacked file. Just test it and tell me whether everything is working, as I have not tested it on other OSes yet.

greetz

Attachment: UnPackMe Safengine Shielden 2.2.4.0_Unpacked.rar
Lostin, Posted January 28, 2014

Works fine. Nicely fixed imports too, well done LCF-AT.
Teddy Rogers, Posted January 28, 2014

The [unpackme] tag has been added to your topic title. Please remember to follow and adhere to the topic title format - thank you! [This is an automated reply]
tutsdzzb, Posted January 28, 2014

> Hi, ok, here is my unpacked file. Just test it and tell me whether everything is working, as I have not tested it on other OSes yet. greetz

Can you make a video tutorial for us? Thanks.
LCF-AT, Posted January 28, 2014

Hi Lostin, thanks for testing.

@tutsdzzb What do you want to know? How to find the OEP?

```
00461B9D MOV CL,DL
-------------------------------
005B3F92 MOV ESP,EBP
005B3F94 POPFD
005B3F95 JMP 005B3E2D
005B3E2D POPAD
005B3E2E RETN
0044E215 MOV EBP,ESP ; OEP, 2nd command
```

Also, if you force the file to run twice from the TLS / EP, then you can trace very quickly to the OEP. You can do this if you don't know how to find the OEP, but I already explained this in another topic. A good idea is to check the PE header, since most protectors use some direct static commands to read the first data from the header:

```
CMP WORD PTR DS:[EAX],5A4D       ; MZ = Base
MOVZX EBX,WORD PTR DS:[EAX+3C]   ; Offset to PE
ADD EBX,EAX                      ; Offset + Base = PE start
CMP WORD PTR DS:[EBX],4550       ; PE
PUSH EAX                         ; Base
CALL 005B40BF
POP EAX                          ; 005B40BF
SUB EAX,5B40BF                   ; 005B40BF
CMP DWORD PTR DS:[EAX+460010],0  ; 0+460010 = 460010
INC DWORD PTR DS:[EAX+460010]    ; 0 = Way1, not 0 = Way2 = short way to OEP
```

This is just a marker, so use it to find the OEP quickly. Only working if Way 1 was already executed, of course!

About DLL emulation: you should check the heaps; there you can find a log table created by Safengine to store information in. If you manipulate it correctly, then the DLL EMU is prevented.

Imports you can find via a little tracing + stopping at each call to an API, then reading the stack to know which API command is used [call / jmp / call to jmp / mov etc.]. For this you should create a script, or better, write an auto-tracer to save a lot of time.

greetz
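The header-check stub LCF-AT quotes above uses fixed instructions (CMP against 'MZ', MOVZX of the WORD at +3C, ADD, CMP against 'PE'), and fixed instructions have fixed byte encodings. The Python below is an added example, not code from this thread or from any Safengine tool: it performs the same three header reads the stub does and scans a memory dump for the stub's hand-assembled encoding so the marker region can be located without single-stepping from the EP. The sample image, the 0x400000 image base, the JNZ filler between the instructions and the 8-byte gap tolerance are constructed assumptions; a real dump would additionally need its sections mapped if it was saved as a raw file rather than as an in-memory layout.

```python
"""Locate a Safengine-style PE header check stub in a memory dump.

The stub quoted in the post reads the header with fixed instructions:
    CMP WORD PTR [EAX],5A4D          ; 'MZ'
    MOVZX EBX,WORD PTR [EAX+3C]      ; e_lfanew (low 16 bits only)
    ADD EBX,EAX
    CMP WORD PTR [EBX],4550          ; 'PE'
Fixed instructions have fixed encodings, so a dump can be scanned for
them to land on the marker region without single-stepping from the EP.
Everything below is an added example; the sample image is constructed.
"""
import re
import struct

# Hand-assembled x86-32 encodings of the four instructions above.
# ADD EBX,EAX has two valid encodings (01 C3 and 03 D8); accept both.
# Up to 8 bytes of other code (a JNZ bail-out, junk) may sit between them
# (assumed tolerance for this example).
HEADER_CHECK_PATTERN = re.compile(
    rb"\x66\x81\x38\x4D\x5A"      # CMP WORD PTR [EAX],5A4D
    rb".{0,8}?"
    rb"\x0F\xB7\x58\x3C"          # MOVZX EBX,WORD PTR [EAX+3C]
    rb".{0,8}?"
    rb"(?:\x01\xC3|\x03\xD8)"     # ADD EBX,EAX
    rb".{0,8}?"
    rb"\x66\x81\x3B\x50\x45",     # CMP WORD PTR [EBX],4550
    re.DOTALL,
)


def parse_pe_headers(image: bytes) -> dict:
    """Do the same three reads the stub does; raise ValueError where the
    stub's CMPs would fail.  Returns e_lfanew and the 16-bit value the
    stub actually sees (MOVZX reads only a WORD at +3C)."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("no MZ signature at image base")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    (e_lfanew16,) = struct.unpack_from("<H", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    return {"e_lfanew": e_lfanew, "stub_sees": e_lfanew16}


def is_valid_pe(image: bytes) -> bool:
    """Boolean wrapper around parse_pe_headers for callers that only
    need the check result."""
    try:
        parse_pe_headers(image)
        return True
    except ValueError:
        return False


def find_header_check_stubs(image: bytes, image_base: int) -> list:
    """Return the VA of every header-check stub in `image`.

    Assumes `image` is a memory dump laid out as in the process
    (offset == RVA), so VA = image_base + offset.  A raw file would need
    section mapping first."""
    return [image_base + m.start() for m in HEADER_CHECK_PATTERN.finditer(image)]


def build_sample_image() -> bytes:
    """Constructed sample: minimal DOS header + 'PE\\0\\0' signature,
    then a NOP-filled code blob holding the stub at blob offset 0x80."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)           # e_lfanew = 0x40
    hdr += b"PE\0\0"
    code = bytearray(b"\x90" * 0x100)
    stub = (b"\x66\x81\x38\x4D\x5A"   # CMP WORD PTR [EAX],5A4D
            b"\x75\x10"               # JNZ +0x10, a constructed bail-out
            b"\x0F\xB7\x58\x3C"       # MOVZX EBX,WORD PTR [EAX+3C]
            b"\x01\xC3"               # ADD EBX,EAX
            b"\x66\x81\x3B\x50\x45")  # CMP WORD PTR [EBX],4550
    code[0x80:0x80 + len(stub)] = stub
    return bytes(hdr + code)


if __name__ == "__main__":
    img = build_sample_image()
    print(parse_pe_headers(img))
    for va in find_header_check_stubs(img, 0x400000):
        print(f"header check stub at {va:08X}")
```

On the constructed image the stub sits at file offset 0x44 + 0x80 = 0xC4, so with a 0x400000 base the scanner reports 0x4000C4. Once the stub is located in a real dump, a hardware breakpoint on the counter DWORD the post points at (the INC target) is the quick way to catch the second pass that takes the short way to the OEP.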
tutsdzzb, Posted January 29, 2014

> (quoting LCF-AT's reply above)

OK, I understand some of it. Thanks for your detailed description. It is an honour to exchange ideas up close with an expert ^^