Tuts 4 You

[UnpackMe] PEP 4.3.0 UnpackMe


Gladiator


So far I get this:

OEP: 005B0268
IAT: 005BD1A4
Size: 0000108C

5BD1CC - user32.LoadStringW - 7E419E36
5BD3B4 - user32.LoadStringW - 7E419E36
5BD750 - kernel32.SizeofResource - 7C80BD09
5BD790 - kernel32.LoadResource - 7C80A055
5BD834 - kernel32.FreeResource - 7C8277EA
5BD848 - kernel32.FindResourceW - 7C80BC6E
5BD9E8 - rehlpic-x32.pll.ppiProtectionStatus
5BDA18 - user32.LoadStringW - 7E419E36
5BDC00 - user32.LoadStringW - 7E419E36
5BDF9C - kernel32.SizeofResource - 7C80BD09
5BDFDC - kernel32.LoadResource - 7C80A055
5BE080 - kernel32.FreeResource - 7C8277EA
5BE094 - kernel32.FindResourceW - 7C80BC6E
5BE234 - rehlpic-x32.pll.ppiProtectionStatus


Sorry, but I won't make a tut for it due to lack of time.

Anyway, it is quite easy except for the resource protection.

I dumped the main form resource manually, but it will be harder when there are lots of resources to dump. Anyway, maybe the problem can be bypassed by dumping the packer section in the right way, but I didn't try.

Import protection is only for the few resource APIs and, from the SDK of the protector, nothing hard indeed.

Sections need to be dumped manually to obtain a reasonable dump size, otherwise it will be hundreds of MB.



Can I post this one on my forum? Mentioning you, of course.

Yes, of course :), what is your forum address? I'm interested in it.

 

@gladiator

I'll shamelessly point to a tutorial I wrote on version 3:

http://www.accessroot.com/arteam/site/download.php?view.330

There were no major changes to version 4.0, and I doubt they whipped them out for 4.30. I'll take a look at this when I get home. :)

Yes, I have seen your very good tut about PEP; it was very good in implementing protections.

I'd really be happy with a new tut from you :)

Thanks for spending your time on this unpackme.

I mean Italian forums. I have a moderation role for two:

www.inforge.net

www.ogmdevelopment.com

I'm trying to teach some RE in the first one, so I would like to post this one there. I'm sure nobody will solve it without some hints (for now it is a newbies' bay), but imho it is good learning.

It would be really good to have some tutorial about unpacking this target. I know it may be time consuming, but it will be in reversing history, like deepzero's paper that talks about the previous version of PEP.

@Nacho_dj

Not yet :)

@all

If anybody is interested, I made a clean unpacked one: http://www.sendspace.com/file/33vfuw

Emulated the protection check API directly in the code section, as this:

MOV EAX,1      ; report "protected/ok" status in EAX
XOR EDX,EDX    ; clear the high half of the return value
RETN 8         ; stdcall return: pop the two DWORD arguments

Restored sections; now they are almost as original.

Packer sections entirely removed.

PE rebuilt to save some disk space.

The rsrc section can also be redirected, but too lazy today.

  • 5 months later...

(quoting the post above)

If anybody is interested, I made a clean unpacked one: http://www.sendspace.com/file/33vfuw

Did not see the tutorial!!

  • 4 months later...

Hi.

Sorry to revive an old post. :)

Here is my dump.

Conclusion:

1. Resource APIs are hooked.

You can write a script which can speed things up a lot.

2. Resources are stolen.

You can dump them and add them to the dump.

Total time to unpack from 0 to finish: ~1.5 hrs +/-, with script writing, testing, seeing what the protector does out there, trial and error, etc.

This is my second time encountering this protector, so my knowledge about it is almost 0.

Unpacked and tested under XP SP3 x86.

See ya!

Unpacked - giv.7z

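A worked version of what the thread describes (Gladiator's IAT listing, the inline stub from the clean-unpacked post, and GIV's note that the resource APIs are hooked), as an added example that is not code from any of the posts or from the protector's SDK. It treats a memory-layout dump as a bytearray (file offset == RVA), assumes an image base of 0x400000, and uses constructed values for the protector module's address range, the ppiProtectionStatus export address, the system DLL ranges and the code cave. The listing itself puts the last slot at 5BE234, which is 4 bytes past 5BD1A4 + 108C = 5BE230, so the scan range extends a little past the stated size.

```python
import struct

IMAGE_BASE = 0x400000                 # assumed image base of the dump
IAT_RVA = 0x5BD1A4 - IMAGE_BASE       # IAT VA 005BD1A4 from the first post
IAT_SIZE = 0x108C                     # IAT size from the first post
IAT_SCAN_SIZE = IAT_SIZE + 8          # the listing's last slot (5BE234) sits past 5BD1A4+108C

# Constructed module ranges for an XP SP3 x86 box; take the real ones from the debugger.
SYSTEM_MODULES = {
    "kernel32": (0x7C800000, 0x7C8F6000),
    "user32":   (0x7E410000, 0x7E4A1000),
}
# Constructed: assumed mapping of the protector's helper module (rehlpic-x32.pll)
PROTECTOR_MODULE = (0x10000000, 0x10040000)
PPI_PROTECTION_STATUS = 0x10001A20    # constructed export address inside that range


def make_status_stub(eax=1, edx=0, stack_bytes=8):
    """Assemble the inline replacement for the protection-check import:
         MOV EAX,imm32 ; XOR EDX,EDX (or MOV EDX,imm32) ; RETN imm16
       RETN imm16 pops the caller's arguments, i.e. stdcall with stack_bytes of args."""
    code = b"\xB8" + struct.pack("<I", eax)
    code += b"\x31\xD2" if edx == 0 else b"\xBA" + struct.pack("<I", edx)
    code += b"\xC2" + struct.pack("<H", stack_bytes)
    return code


def iat_slots(image, iat_rva=IAT_RVA, scan_size=IAT_SCAN_SIZE):
    """Yield (slot VA, target) for every populated 32-bit slot in the IAT range."""
    for rva in range(iat_rva, iat_rva + scan_size, 4):
        target = struct.unpack_from("<I", image, rva)[0]
        if target:
            yield IMAGE_BASE + rva, target


def classify(target):
    """Name the module a resolved import address falls into."""
    for name, (lo, hi) in SYSTEM_MODULES.items():
        if lo <= target < hi:
            return name
    lo, hi = PROTECTOR_MODULE
    return "protector" if lo <= target < hi else "unknown"


def find_hooked_slots(image):
    """IAT slots that resolve into the protector module instead of a system DLL."""
    return [va for va, target in iat_slots(image) if classify(target) == "protector"]


def emulate_protection_check(image, cave_rva, old_target=PPI_PROTECTION_STATUS):
    """Write the stub into unused code-section bytes and repoint every slot that
       held old_target at it; returns the VAs of the slots that were patched."""
    stub = make_status_stub()
    image[cave_rva:cave_rva + len(stub)] = stub
    stub_va = IMAGE_BASE + cave_rva
    patched = []
    for va, target in iat_slots(image):
        if target == old_target:
            struct.pack_into("<I", image, va - IMAGE_BASE, stub_va)
            patched.append(va)
    return patched


def build_demo_image():
    """Constructed memory image: only slots quoted in the thread are populated."""
    image = bytearray(0x1C0000)   # covers RVAs up to 0x5C0000 - IMAGE_BASE
    slots = {
        0x5BD1CC: 0x7E419E36,               # user32.LoadStringW
        0x5BD750: 0x7C80BD09,               # kernel32.SizeofResource
        0x5BD790: 0x7C80A055,               # kernel32.LoadResource
        0x5BD834: 0x7C8277EA,               # kernel32.FreeResource
        0x5BD848: 0x7C80BC6E,               # kernel32.FindResourceW
        0x5BD9E8: PPI_PROTECTION_STATUS,    # rehlpic-x32.pll.ppiProtectionStatus
        0x5BE234: PPI_PROTECTION_STATUS,    # second slot, same export
    }
    for va, target in slots.items():
        struct.pack_into("<I", image, va - IMAGE_BASE, target)
    return image


if __name__ == "__main__":
    img = build_demo_image()
    print("hooked slots:", [hex(v) for v in find_hooked_slots(img)])
    cave = 0x5B0010 - IMAGE_BASE   # assumed free bytes near the OEP; pick real slack
    print("patched:", [hex(v) for v in emulate_protection_check(img, cave)])
```

On a real dump, load the file into a bytearray, take the module ranges from the debugger's module list, and choose a cave that is genuinely unused (section slack) rather than the placeholder above; the remaining resource-API slots still resolve into the system DLLs and can be fixed as usual.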