LCF-AT Posted March 3, 2014 Hi _or_75, ah ok, again a new SE UnpackMe. So I see this time it used more self-checks (also in memory hohoho not with me baby! ) to prevent patching, which makes it a bit harder to unpack. Anyway, so here is my unpacked file. greetz Project1_se_Unpacked.rar
Dragon Palace Posted March 3, 2014 Didn't test, but surely it is a quality unpack.
L4Nce Posted March 3, 2014 (edited) @LCF-AT Hi LCF-AT, I found a small IAT mistake in your unpacked file. At the address 0044C46F:
    0044C45C . /75 1B        jnz short Project1.0044C479             ; |
    0044C45E . |54           push esp                                ; |CreationFlags
    0044C45F . |6A 00        push 0x0                                ; |InheritHandles = FALSE
    0044C461 . |6A 00        push 0x0                                ; |pThreadSecurity = NULL
    0044C463 . |68 68C34400  push Project1.0044C368                  ; |pProcessSecurity = Project1.0044C368
    0044C468 . |68 E8030000  push 0x3E8                              ; |CommandLine = 000003E8 ???
    0044C46D . |6A 00        push 0x0                                ; |ModuleFileName = NULL
    0044C46F . |E8 54A0FBFF  call <jmp.&kernel32.CreateProcessA>     ; \CreateProcessA
You fixed this IAT entry as call CreateProcessA, but I think the real API is CreateThread. I found the CreateThread code in the shadow memory, set a CC and ran it. It breaks at CreateThread's shadow, not at CreateProcessA's shadow, and the arguments may also say this is CreateThread. Edited March 3, 2014 by L4Nce
LCF-AT Posted March 3, 2014 Hi L4Nce, yes you are right, so I see it now. Just fixed these two reversed APIs manually; the rest is fixed in autofix mode. My mistake, but anyway this code at 0044C46F will not be executed = luck for me.
    00453308 7C831EAD kernel32.DeleteFileA
    0045330C 7C9213B1 ntdll.RtlDeleteCriticalSection
    00453310 0046FD25 Project1.0046FD25 = addr to CreateThread EMU code
    00453314 7C80236B kernel32.CreateProcessA
    00453318 7C801A28 kernel32.CreateFileA
    0045331C 7C830885 kernel32.CreateEventA
    00453320 7C80D117 kernel32.CompareStringA
    00453324 7C809BE7 kernel32.CloseHandle
greetz
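The two checks L4Nce and LCF-AT did by hand in the posts above (counting the pushes before the call to see whether the labelled API's stdcall parameter count fits, and scanning the dumped IAT for slots that still point back into the target image instead of a system module) can be scripted. The following is an added example written for this thread, not code from either poster or from any SE unpacking script. The two listings are embedded as constructed copies of what the posts show, the parameter counts (CreateThread = 6, CreateProcessA = 10) are taken from the Win32 prototypes, and the push counting is a heuristic that assumes arguments are set up with plain `push` instructions immediately before the call:

```python
import re

# Constructed sample: the disassembly around the call at 0044C46F as posted
# in the thread (operand comments dropped, columns kept).
DISASM = """\
0044C45C . /75 1B        jnz short Project1.0044C479
0044C45E . |54           push esp
0044C45F . |6A 00        push 0x0
0044C461 . |6A 00        push 0x0
0044C463 . |68 68C34400  push Project1.0044C368
0044C468 . |68 E8030000  push 0x3E8
0044C46D . |6A 00        push 0x0
0044C46F . |E8 54A0FBFF  call <jmp.&kernel32.CreateProcessA>
"""

# Constructed sample: the IAT slice LCF-AT posted after fixing the file.
IAT_DUMP = """\
00453308 7C831EAD kernel32.DeleteFileA
0045330C 7C9213B1 ntdll.RtlDeleteCriticalSection
00453310 0046FD25 Project1.0046FD25
00453314 7C80236B kernel32.CreateProcessA
00453318 7C801A28 kernel32.CreateFileA
0045331C 7C830885 kernel32.CreateEventA
00453320 7C80D117 kernel32.CompareStringA
00453324 7C809BE7 kernel32.CloseHandle
"""

# stdcall parameter counts from the Win32 prototypes of the two candidates
# the thread is deciding between.
STDCALL_ARGS = {
    "CreateThread": 6,
    "CreateProcessA": 10,
}


def analyze_call_sites(disasm, arg_table):
    """For every call in the listing, report which API the IAT fixer labelled
    it as, how many pushes immediately precede it, and which APIs in arg_table
    have exactly that parameter count (heuristic: plain push sequence only)."""
    results = []
    pushes = 0
    for line in disasm.splitlines():
        m = re.search(r"\b(push|call)\b\s+(\S+)", line, re.I)
        if not m:
            pushes = 0  # any other instruction breaks the push run
            continue
        mnemonic, operand = m.group(1).lower(), m.group(2)
        if mnemonic == "push":
            pushes += 1
            continue
        api = re.search(r"&(\w+)\.(\w+)>", operand)  # <jmp.&module.Api>
        labelled = api.group(2) if api else operand
        results.append({
            "addr": line.split()[0],
            "labelled": labelled,
            "pushes": pushes,
            "consistent": arg_table.get(labelled) == pushes,
            "candidates": sorted(n for n, c in arg_table.items() if c == pushes),
        })
        pushes = 0
    return results


def find_unresolved_iat(dump, image_module):
    """Return IAT slots whose resolved label still belongs to the target image
    itself (e.g. Project1.0046FD25), i.e. entries the protector emulates
    rather than forwarding to a real module export."""
    flagged = []
    for line in dump.splitlines():
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        slot, value, label = parts
        module = label.split(".", 1)[0]
        if module.lower() == image_module.lower():
            flagged.append((slot, value, label))
    return flagged


if __name__ == "__main__":
    for rec in analyze_call_sites(DISASM, STDCALL_ARGS):
        status = "ok" if rec["consistent"] else "MISMATCH"
        print(f"{rec['addr']}: labelled {rec['labelled']} with {rec['pushes']} "
              f"pushes -> {status}; fits {rec['candidates']}")
    for slot, value, label in find_unresolved_iat(IAT_DUMP, "Project1"):
        print(f"IAT slot {slot} -> {value} ({label}) still points into the image")
```

On the thread's listing the script reports the call at 0044C46F as labelled CreateProcessA with only 6 pushes, which fits CreateThread and not CreateProcessA, and flags IAT slot 00453310 as the one entry still resolving into Project1 itself. Both are exactly the observations the two posts made by hand.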
L4Nce Posted March 3, 2014 (edited) @LCF-AT Hi LCF-AT, I am trying to find some way of auto-finding CreateThread. After these codes:
    cmp [],0 ; checking saved api
    jnz      ; return
    je       ; get api address
SE deals with it in a special way: not saving this api for the next calling. So there are some error codes in the normal return way. way1: (use the script's GCI to get the type and check some special code type) When this call is call CreateThread, SE does not use SE_GetModuleHandle and SE_GetProcessAddress in a direct way, and the code after the next je will check CC for some address. way2: (find the checking code..) Do you have other good ideas? greetz Edited March 3, 2014 by L4Nce
LCF-AT Posted March 3, 2014 @ L4Nce So the CreateThread API gets handled in a special way (CreateProcess too in some cases), which you can get shortly before you reach the OEP if it will be written into the IAT block only. If you now let the call execute which should be CreateThread (has another SE address), then it will crash (only one + CreateProcess too = 2x possible crashes), and here it's a good idea to hook the KI API to prevent the crashes and log the addresses, and at the end you only have to fix 2 calls manually, which are CreateThread & CreateProcess, and the CreateThread EMU code you got already before = 0046FD25 in this unpackme for example. So this way you can use to find / fix it simply without big tracings etc. greetz
L4Nce Posted March 4, 2014 @LCF-AT Very nice advice! Hooking KiUserExceptionDispatcher can solve many problems. Thank you!
LCF-AT Posted March 4, 2014 Yes, KI should always be hooked. Also a good idea is to hook the CreateThread / EMU API to find and patch the protection thread, to prevent different patch detections and playing with the code later, to prevent the internal error trash of SE. greetz
kgh0701 Posted March 11, 2014 Try another Safengine Shielden unpackme. unpacke_me.rar
GIV Posted March 11, 2014 Lol. Is there Safengine unpackme inflation these days?
kgh0701 Posted March 11, 2014 Hello GIV, I saw that you quickly unpacked hostid.exe packed with VMProtect (title is "My first unpackme with vmprotect") ^ - ^ . But now?
kgh0701 Posted March 11, 2014 (edited) I saw your website and read good stuff. That is all? If you are one of the specialists, then you'd better show how to unpack SE, or even a hint, since nothing lasts forever. If I succeed, I post. If you succeed, you post. Thanks Edited March 11, 2014 by kgh0701
GIV Posted March 11, 2014 You are mistaken here. LCF-AT is the only one I know that is advised to do such things. If you can believe it, I haven't approached Shielden until now. I know only the settings to run it under a debugger. We are specialised people. Each individual can do better at one kind of stuff: unpacking, keygenning, GFX etc. I do my best in Visual FoxPro, so these kinds of jobs are kinda nasty for me....
LCF-AT Posted March 11, 2014 @ kgh0701 1.) Does not look like an UnpackMe! 2.) .NET Framework target 3.) Unpack it the way you have to unpack .NET Framework targets 4.) Fix the .NET table stuff (I am no expert for .NET targets) EDIT: Why did you edit your post now + remove your file? Did you get cold feet? greetz
kgh0701 Posted March 11, 2014 Hello LCF-AT. Thanks for remembering me and the quick response. If you could handle all SE versions including .NET targets, that would be perfect.
kgh0701 Posted March 11, 2014 (edited) Not so long ago, I learned a lot of stuff from you (if you remember, the Themida unpacker). Thanks for that. PS: No, I am not nervous. I am here to keep the forum rules. Edited March 11, 2014 by kgh0701
kgh0701 Posted March 11, 2014 Hello LCF-AT, if you are not experienced with it, it is okay. Is there a way to unpack a .NET target? Or even a small hint?
GIV Posted March 11, 2014 Here is a video of your unpacked file. I do not post the file because it is not yours. It seems to be a gameserver or something like that. It seems to be Shielden+VMProtect from what R.D.G. Packer Detector says. P.S. Unpacked in under 30 seconds. Video.7z
kgh0701 Posted March 11, 2014 +1 lol. In the past, I asked LCF-AT to help unpack that file.
kgh0701 Posted March 11, 2014 (edited) Unpacked in under 30 seconds. Excellent, so surprising. I want to be one of the members or to be friends. If you don't want to post the file, then could you guide me how to unpack it or something? I only want to learn how to unpack a .NET target packed with SE. Edited March 11, 2014 by kgh0701
LCF-AT Posted March 11, 2014 Hi again, hmmmm "themida unpacker"? Sorry but I don't remember, so maybe you could help by telling a little more so that I remember again. Sorry if I can't remember now, but mostly I never remember anything that happened in the past (as always). Ah ok I understand, yes the forum rules are important to follow. So on that way you got your head out of the sling at the right moment (very good). So as I said I normally have nothing to do with .NET Framework targets, but for these there are many tools to get, such as Reflector and tons of other .NET tools, where I also have no idea how to use them and also don't have or use them etc. The only thing I can tell is that you can dump your .NET target if it's running (so this way does differ from normal PE files) and then you need to fix the .NET table pointer things etc. So here you could check any .NET tools which could do this for you in auto mode, or just check the .NET topics (tools / unpacking etc) to find a manual explanation. Just check this out a little. @ GIV >http://www.youtube.com/watch?v=RDjd_ZjyTno
kgh0701 Posted March 11, 2014 (edited) Thanks for your kind answer. I will learn about .NET targets from GIV, and about normal targets maybe from you. Anyway, you two guys are excellent. Edited March 11, 2014 by kgh0701