Gladiator Posted February 19, 2014
Hi. Please unpack and write a small tut.
Enabled options:
- Anti Debug and Anti Trace
- Anti Dump
- Stolen Resource
Protected with Private Exe Protector 4.3.0 full version.
Thanks
UnpackMe.rar
GIV Posted February 20, 2014 (edited)
So far I get this:
OEP: 005B0268
IAT: 005BD1A4
Size: 0000108C
5BD1CC - user32.LoadStringW - 7E419E36
5BD3B4 - user32.LoadStringW - 7E419E36
5BD750 - kernel32.SizeofResource - 7C80BD09
5BD790 - kernel32.LoadResource - 7C80A055
5BD834 - kernel32.FreeResource - 7C8277EA
5BD848 - kernel32.FindResourceW - 7C80BC6E
5BD9E8 - rehlpic-x32.pll.ppiProtectionStatus
5BDA18 - user32.LoadStringW - 7E419E36
5BDC00 - user32.LoadStringW - 7E419E36
5BDF9C - kernel32.SizeofResource - 7C80BD09
5BDFDC - kernel32.LoadResource - 7C80A055
5BE080 - kernel32.FreeResource - 7C8277EA
5BE094 - kernel32.FindResourceW - 7C80BC6E
5BE234 - rehlpic-x32.pll.ppiProtectionStatus
Edited February 20, 2014 by GIV
EvOlUtIoN Posted February 20, 2014
Nice one. Here's my unpacked: http://www.sendspace.com/file/wuc2ow
Gladiator Posted February 20, 2014 (Author)
> Nice one. Here's my unpacked: http://www.sendspace.com/file/wuc2ow
Thanks. How about its difficulty? Would you mind making a little tut describing how to unpack it?
EvOlUtIoN Posted February 20, 2014
Sorry, but I won't make a tut for it due to loss of time. Anyway, it is quite easy except for the resource protection. I dumped the main form resource manually, but it will be harder when there are lots of resources to dump. Anyway, maybe the problem can be bypassed by dumping the packer section in the right way, but I didn't try. Import protection is only for the few resource APIs, and from the SDK of the protector; nothing hard indeed. Sections need to be dumped manually to obtain a reasonable dump size, otherwise it will be hundreds of MB.
EvOlUtIoN Posted February 20, 2014
Can I post this one on my forum? Mentioning you, of course.
deepzero Posted February 20, 2014
@evo what's your forum?
@gladiator I'll shamelessly point to a tutorial I wrote on version 3: http://www.accessroot.com/arteam/site/download.php?view.330
There were now major changes to version 4.0, and I doubt they whipped them out for 4.30. I'll take a look at this when I get home.
Gladiator Posted February 20, 2014 (Author)
> Can I post this one on my forum? Mentioning you, of course.
Yes, of course. What is your forum address? I'm interested in it.
> @gladiator I'll shamelessly point to a tutorial I wrote on version 3: http://www.accessroot.com/arteam/site/download.php?view.330 There were now major changes to version 4.0, and I doubt they whipped them out for 4.30. I'll take a look at this when I get home.
Yes, I have seen your very good tut about PEP; it was very good in implementing protections. I would really be happy with a new tut from you. Thanks for spending your time on this unpackme.
EvOlUtIoN Posted February 20, 2014
I mean Italian forums. I have a moderation role for two:
www.inforge.net
www.ogmdevelopment.com
I'm trying to teach some RE in the first one, so I would like to post this one there. I'm sure nobody will solve it without some hints (for now it is a newbies' bay), but imho it is good learning.
Gladiator Posted February 20, 2014 (Author)
It would be really good to have some tutorial about unpacking this target. I know it may be time consuming, but it will go down in reversing history like deepzero's paper that talks about the previous version of PEP.
Nacho_dj Posted February 21, 2014
Sorry for the offtopic... Evolution, is there any Italian forum similar to what quequero was?
EvOlUtIoN Posted February 21, 2014
@Nacho_dj Not yet.
@all If anybody is interested, I made a clean unpacked: http://www.sendspace.com/file/33vfuw
Emulated the protection check API directly in the code section like this:
MOV EAX,1
XOR EDX,EDX
RETN 8
Restored sections, now they are almost as original. Packer sections entirely removed. PE rebuilt to save some disk space. The rsrc section can also be redirected, but too lazy today.
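An added example (not code from any poster in this thread) that ties GIV's thunk listing to EvOlUtIoN's emulation stub: it parses the "thunk - module.function - pointer" lines, separates genuine kernel32/user32 imports from the protector-installed entries (the ones resolving into rehlpic-x32.pll with no system pointer), and encodes the three-instruction sequence MOV EAX,1 / XOR EDX,EDX / RETN 8 as the bytes that would be placed in the code section, with every protector thunk redirected to it. The listing is transcribed from GIV's post; the set of modules treated as genuine and the stub address 0x5B0000 used in the usage call are assumptions for the demonstration.

```python
import re
from collections import Counter

# Constructed sample input: GIV's thunk listing, transcribed into a string so the
# script runs offline ("thunk - module.function - resolved pointer"; protector
# hooks carry no pointer).
IAT_LISTING = """\
5BD1CC - user32.LoadStringW - 7E419E36
5BD3B4 - user32.LoadStringW - 7E419E36
5BD750 - kernel32.SizeofResource - 7C80BD09
5BD790 - kernel32.LoadResource - 7C80A055
5BD834 - kernel32.FreeResource - 7C8277EA
5BD848 - kernel32.FindResourceW - 7C80BC6E
5BD9E8 - rehlpic-x32.pll.ppiProtectionStatus
5BDA18 - user32.LoadStringW - 7E419E36
5BDC00 - user32.LoadStringW - 7E419E36
5BDF9C - kernel32.SizeofResource - 7C80BD09
5BDFDC - kernel32.LoadResource - 7C80A055
5BE080 - kernel32.FreeResource - 7C8277EA
5BE094 - kernel32.FindResourceW - 7C80BC6E
5BE234 - rehlpic-x32.pll.ppiProtectionStatus
"""

# Assumption: thunks resolving into these modules are the program's own imports;
# everything else in the table was installed by the protector.
SYSTEM_MODULES = {"kernel32", "user32"}

LINE_RE = re.compile(r"^([0-9A-Fa-f]+)\s+-\s+(\S+)(?:\s+-\s+([0-9A-Fa-f]+))?$")


def parse_listing(text):
    """Return a list of (thunk, module, function, pointer_or_None) tuples."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised listing line: {line!r}")
        thunk, name, ptr = m.groups()
        # The module name may itself contain dots (rehlpic-x32.pll), so split at the last one.
        module, func = name.rsplit(".", 1)
        entries.append((int(thunk, 16), module, func, int(ptr, 16) if ptr else None))
    return entries


def classify(entries):
    """Split thunks into genuine imports and protector-installed hooks."""
    genuine, hooks = [], []
    for thunk, module, func, ptr in entries:
        if module.lower() in SYSTEM_MODULES and ptr is not None:
            genuine.append((thunk, module, func, ptr))
        else:
            hooks.append((thunk, module, func))
    return genuine, hooks


def import_summary(entries):
    """How often each imported function name appears in the thunk table."""
    return Counter(func for _, _, func, _ in entries)


def emulation_stub():
    """x86 encoding of the sequence posted above: MOV EAX,1 / XOR EDX,EDX / RETN 8."""
    return bytes([0xB8, 0x01, 0x00, 0x00, 0x00,  # mov eax, 1
                  0x31, 0xD2,                    # xor edx, edx
                  0xC2, 0x08, 0x00])             # retn 8


def build_patch(entries, stub_va):
    """Return (stub bytes to write at stub_va, {hook thunk: stub_va}) so that every
    protector thunk points at the in-code emulation instead of the protector DLL."""
    _, hooks = classify(entries)
    return emulation_stub(), {thunk: stub_va for thunk, _, _ in hooks}


if __name__ == "__main__":
    parsed = parse_listing(IAT_LISTING)
    genuine, hooks = classify(parsed)
    print(f"{len(genuine)} genuine imports, {len(hooks)} protector hooks")
    for thunk, module, func in hooks:
        print(f"  hook at {thunk:08X}: {module}.{func}")
    stub, redirects = build_patch(parsed, 0x5B0000)  # assumed stub location
    print("stub bytes:", stub.hex(), "redirects:", {hex(k): hex(v) for k, v in redirects.items()})
```

The split between genuine imports and hooks is what decides which thunks an import rebuilder can keep as normal API references and which two need a redirect; the summary counter makes the "only the few resource APIs" observation from the thread visible at a glance.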
kuazi GA Posted August 11, 2014
> @Nacho_dj Not yet.
> @all If anybody is interested, I made a clean unpacked: http://www.sendspace.com/file/33vfuw
> Emulated the protection check API directly in the code section like this:
> MOV EAX,1
> XOR EDX,EDX
> RETN 8
> Restored sections, now they are almost as original. Packer sections entirely removed. PE rebuilt to save some disk space. The rsrc section can also be redirected, but too lazy today.
: http://www.sendspace.com/file/33vfuw
Did not see the tutorial!!
GIV Posted December 24, 2014
Hi. Sorry to revive an old post. Here is my dump.
Conclusion:
1. Resource APIs are hooked. You can write a script which can speed things up a lot.
2. Resources are stolen. You can dump them and add them to the dump.
Total time to unpack from 0 to finish: ~1.5 +/- hrs with script writing, testing, seeing what the protector does out there, etc. Trial and error, etc. It is the second time I have encountered this protector, so my knowledge about it is almost 0.
Unpacked and tested under XP SP3 x86.
See ya!
Unpacked - giv.7z