Tuts 4 You

[unpackme] UnPackMe Safengine Shielden 2.2.4.0


converse


The [unpackme] tag has been added to your topic title.

Please remember to follow and adhere to the topic title format - thankyou!

[This is an automated reply]


Hi,
OK, here is my unpacked file. :) Just test it and tell me whether all is working, as I have not tested it now on other OSes.
greetz

Can you make a video tutorial for us? Thanks


Hi Lostin,
thanks for testing. :)
@ tutsdzzb
What do you want to know? How to find the OEP?

00461B9D MOV CL,DL
-------------------------------
005B3F92 MOV ESP,EBP
005B3F94 POPFD
005B3F95 JMP 005B3E2D
005B3E2D POPAD
005B3E2E RETN
0044E215 MOV EBP,ESP ; OEP 2. command

Also, if you force the file to run twice from TLS / EP, then you can trace very quickly to the OEP. This you can do if you don't know how to find the OEP, but I already told this in another topic. A good idea is to check the PE header, as most protectors use some direct static commands to read the first data from the header.

CMP WORD PTR DS:[EAX],5A4D ; MZ = Base
MOVZX EBX,WORD PTR DS:[EAX+3C] ; Offset to PE
ADD EBX,EAX ; Offset + Base = PE start
CMP WORD PTR DS:[EBX],4550 ; PE
PUSH EAX ; Base
CALL 005B40BF
POP EAX ; 005B40BF
SUB EAX,5B40BF ; 005B40BF
CMP DWORD PTR DS:[EAX+460010],0 ; 0+460010 = 460010
INC DWORD PTR DS:[EAX+460010] ; 0 = Way1, not 0 = Way2 = short way to OEP

This is just a marker, so just use it to find the OEP quickly.
Only working if Way 1 was already executed, of course!

About DLL emulation: you should check the heaps; there you can find a log table created by Safengine to store infos in. If you manipulate it correctly, then the DLL EMU is prevented.

Imports you can find via a little tracing + stopping at each call to an API, then read the stack to know which API command is used [call / jmp / call to jump / mov etc]. So for this you should create a script or, better, write an auto-tracer code to save much time.

greetz
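The static header walk shown in the listing above (MZ at the base, the PE offset at +3C, the PE signature at base + offset, then the entry point and the TLS directory that "TLS / EP" refers to), redone as a small Python parser. This is an added example, not code from the post or from Safengine; the sample PE32 header, its entry RVA and its TLS directory values are constructed for the demonstration.

```python
import struct

IMAGE_DOS_SIGNATURE = 0x5A4D     # "MZ": what CMP WORD PTR [EAX],5A4D tests
IMAGE_NT_SIGNATURE = 0x00004550  # "PE\0\0": what CMP WORD PTR [EBX],4550 tests
IMAGE_DIRECTORY_ENTRY_TLS = 9    # TLS callbacks run before the EP, hence "TLS / EP"

def parse_pe_header(image: bytes) -> dict:
    """Walk the header the way the stub in the post does: MZ at [base],
    e_lfanew at [base+3C], PE signature at [base+e_lfanew], then read on."""
    if len(image) < 0x40 or struct.unpack_from("<H", image, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("no MZ signature at image base")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if e_lfanew + 24 > len(image) or struct.unpack_from("<I", image, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    machine, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20
    if opt_size < 96 or opt + opt_size > len(image):
        raise ValueError("truncated optional header")
    if struct.unpack_from("<H", image, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images handled here")
    entry_rva = struct.unpack_from("<I", image, opt + 16)[0]
    image_base = struct.unpack_from("<I", image, opt + 28)[0]
    ndirs = struct.unpack_from("<I", image, opt + 92)[0]
    tls_rva = tls_size = 0
    if ndirs > IMAGE_DIRECTORY_ENTRY_TLS and opt_size >= 96 + 8 * (IMAGE_DIRECTORY_ENTRY_TLS + 1):
        tls_rva, tls_size = struct.unpack_from("<II", image, opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_TLS)
    return {"e_lfanew": e_lfanew, "machine": machine, "sections": nsect,
            "image_base": image_base, "entry_rva": entry_rva, "entry_va": image_base + entry_rva,
            "tls_rva": tls_rva, "tls_size": tls_size, "has_tls": tls_size != 0}

def build_sample_pe32(entry_rva: int, image_base: int, tls_rva: int, tls_size: int) -> bytes:
    """Constructed minimal PE32 header (not a real binary): DOS header, PE signature,
    COFF header and a 224-byte optional header with only the fields read above."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 224, 0x102)  # i386, 3 sections
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)   # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)
    struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<I", opt, 92, 16)     # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_TLS, tls_rva, tls_size)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)

# Constructed sample: base 0x400000, packer EP placed near the stub addresses in the post (not real).
SAMPLE_PE = build_sample_pe32(0x1B4000, 0x400000, 0x1B0000, 0x18)
```

The parser refuses images where any of the three signature checks fails, which is the same walk the protector performs before it touches its Way1/Way2 marker.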

OK, I understand some.. Thanks for your detailed description... It's an honor to exchange ideas up close with a master ^^
