Tuts 4 You

[UnPackMe] Safengine Shielden 2.2.8.0


_or_75


Hi _or_75,

ah ok, again a new SE UnpackMe. :)

So I see this time it used more self-checks (also in memory, hohoho, not with me baby! :)) to prevent patching, which makes it a bit harder to unpack. Anyway, so here is my unpacked file.


 


greetz


Project1_se_Unpacked.rar

  • Like 3

@LCF-AT

Hi LCF-AT

I found a small IAT mistake in your unpacked file.

At address 0044C46F:


 




0044C45C . /75 1B jnz short Project1.0044C479 ; |
0044C45E . |54 push esp ; |CreationFlags
0044C45F . |6A 00 push 0x0 ; |InheritHandles = FALSE
0044C461 . |6A 00 push 0x0 ; |pThreadSecurity = NULL
0044C463 . |68 68C34400 push Project1.0044C368 ; |pProcessSecurity = Project1.0044C368
0044C468 . |68 E8030000 push 0x3E8 ; |CommandLine = 000003E8 ???
0044C46D . |6A 00 push 0x0 ; |ModuleFileName = NULL
0044C46F . |E8 54A0FBFF call <jmp.&kernel32.CreateProcessA> ; \CreateProcessA

you fixed this IAT entry as a call to CreateProcessA.

But I think the real API is CreateThread.

I found the CreateThread code in the shadow memory, set a CC there and ran it.

It breaks at CreateThread's shadow, not at CreateProcessA's shadow, and the arguments also say this is CreateThread.

Edited by L4Nce
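The argument check L4Nce mentions can be made mechanical. The following Python is an added example, not code from this thread, from SE or from any unpacking script named here: it parses the OllyDbg lines quoted above, counts the pushes that feed the call at 0044C46F and matches that count against the documented stdcall parameter lists of CreateThread and CreateProcessA. The LISTING text is the one from the post; the SIGNATURES table and all helper names are this example's own.

```python
"""Added example: screen a call site's pushed arguments against stdcall
signatures. The LISTING text is the OllyDbg output quoted in the post; the
parsing, the SIGNATURES table and the helper names are this example's own."""

# OllyDbg listing copied from the post above. The comments after ';' are
# Olly's parameter names derived from the label it resolved, which is exactly
# the thing in doubt, so they are stripped before parsing.
LISTING = r"""
0044C45C . /75 1B jnz short Project1.0044C479 ; |
0044C45E . |54 push esp ; |CreationFlags
0044C45F . |6A 00 push 0x0 ; |InheritHandles = FALSE
0044C461 . |6A 00 push 0x0 ; |pThreadSecurity = NULL
0044C463 . |68 68C34400 push Project1.0044C368 ; |pProcessSecurity = Project1.0044C368
0044C468 . |68 E8030000 push 0x3E8 ; |CommandLine = 000003E8 ???
0044C46D . |6A 00 push 0x0 ; |ModuleFileName = NULL
0044C46F . |E8 54A0FBFF call <jmp.&kernel32.CreateProcessA> ; \CreateProcessA
"""

# Documented Win32 stdcall parameter lists, first parameter first.
SIGNATURES = {
    "CreateThread": [
        "lpThreadAttributes", "dwStackSize", "lpStartAddress",
        "lpParameter", "dwCreationFlags", "lpThreadId",
    ],
    "CreateProcessA": [
        "lpApplicationName", "lpCommandLine", "lpProcessAttributes",
        "lpThreadAttributes", "bInheritHandles", "dwCreationFlags",
        "lpEnvironment", "lpCurrentDirectory", "lpStartupInfo",
        "lpProcessInformation",
    ],
}


def parse_listing(listing):
    """Return (address, mnemonic, operand) per line. Olly prints the address,
    a marker, the opcode bytes (sometimes prefixed with | or /), then the
    mnemonic in lowercase; the mnemonic is the first all-lowercase token."""
    insns = []
    for line in listing.splitlines():
        tokens = line.split(";", 1)[0].split()
        if not tokens:
            continue
        idx = next(i for i, t in enumerate(tokens) if t.isalpha() and t.islower())
        insns.append((tokens[0], tokens[idx], " ".join(tokens[idx + 1:])))
    return insns


def stack_args_at_call(insns):
    """(call target, [arg1, arg2, ...]) for the first call in the listing.
    Under stdcall the last push is the first parameter, so the push window is
    reversed. Any instruction other than push between the pushes resets the
    window: this simple model does not follow mov [esp+x] style setups."""
    pushes = []
    for _addr, mnem, operand in insns:
        if mnem == "push":
            pushes.append(operand)
        elif mnem == "call":
            return operand, list(reversed(pushes))
        else:
            pushes = []
    return None, []


def apis_fitting(arg_count):
    """Names from SIGNATURES whose parameter count matches."""
    return sorted(n for n, p in SIGNATURES.items() if len(p) == arg_count)


def analyze(listing):
    target, args = stack_args_at_call(parse_listing(listing))
    fits = apis_fitting(len(args))
    return {
        "call_target": target,
        "arg_count": len(args),
        "fits": fits,
        "bindings": {api: dict(zip(SIGNATURES[api], args)) for api in fits},
    }


if __name__ == "__main__":
    result = analyze(LISTING)
    print("label at call site:", result["call_target"])
    print("pushed arguments:", result["arg_count"], "-> fits", result["fits"])
    for api, binding in result["bindings"].items():
        for param, value in binding.items():
            print(f"  {api}.{param} = {value}")
```

Six pushes fit CreateThread's six parameters and not CreateProcessA's ten, and the bound values read sensibly for CreateThread (a code address inside Project1 as lpStartAddress, a small stack size, esp as the lpThreadId out-pointer). The count is only a screen: the breakpoint on the real API's shadow, as described in the post, is what confirms it.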

Hi L4Nce

yes, you are right, so I see it now. :) I just fixed these two APIs reversed manually; the rest is fixed in autofix mode. :) My mistake, but anyway this code at 0044C46F will not be executed = luck for me.



00453308 7C831EAD kernel32.DeleteFileA
0045330C 7C9213B1 ntdll.RtlDeleteCriticalSection
00453310 0046FD25 Project1.0046FD25 = addr to CreateThread EMU code
00453314 7C80236B kernel32.CreateProcessA
00453318 7C801A28 kernel32.CreateFileA
0045331C 7C830885 kernel32.CreateEventA
00453320 7C80D117 kernel32.CompareStringA
00453324 7C809BE7 kernel32.CloseHandle

greetz


  • Like 1

@LCF-AT

hi LCF-AT

I am trying to find some way to auto-find CreateThread.


 


After this code:

cmp [],0  ;checking save api
jnz ;return
je  ;get api address


 


SE deals with it in a special way: not saving this API for the next call. So there are some error codes in the normal return way.

Way 1: (use the script's GCI to get the type and check for some special code type)

When this call is a call to CreateThread, SE does not use SE_GetModuleHandle and SE_GetProcessAddress in a direct way, and the code after the next je will check for CC at some address.

Way 2: (find the checking code..)


Do you have other good ideas?  :smilie3:


 


greetz


Edited by L4Nce
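LCF-AT's IAT dump earlier in the thread and L4Nce's question about auto-finding CreateThread come down to one check on the dump itself: which slots of the import table still point back into the protected image, and which import name could belong in such a slot. The following Python is an added example, not code from this thread or from any SE unpacking script. The IAT_DUMP lines are copied from LCF-AT's post; the TARGET_MODULE name, the FORWARDERS table and the deliberately partial KNOWN_EXPORTS list are assumptions made for this example.

```python
"""Added example: find IAT slots that still point into the protected image and
narrow down which import name belongs there from the order of the resolved
neighbours. The IAT_DUMP lines are from LCF-AT's post; TARGET_MODULE,
FORWARDERS and KNOWN_EXPORTS are assumptions of this example."""

# Copied from the post above (OllyDbg dump window, one IAT slot per line).
IAT_DUMP = """\
00453308 7C831EAD kernel32.DeleteFileA
0045330C 7C9213B1 ntdll.RtlDeleteCriticalSection
00453310 0046FD25 Project1.0046FD25 = addr to CreateThread EMU code
00453314 7C80236B kernel32.CreateProcessA
00453318 7C801A28 kernel32.CreateFileA
0045331C 7C830885 kernel32.CreateEventA
00453320 7C80D117 kernel32.CompareStringA
00453324 7C809BE7 kernel32.CloseHandle
"""

# Name of the protected executable as the debugger labels it (assumed here).
TARGET_MODULE = "Project1"

# kernel32 forwards DeleteCriticalSection to ntdll.RtlDeleteCriticalSection, so
# the debugger shows the ntdll name; map such labels back to the import name.
FORWARDERS = {"ntdll.RtlDeleteCriticalSection": "kernel32.DeleteCriticalSection"}

# Constructed, deliberately partial candidate pool. A real run would read the
# export table of the DLL the neighbouring slots resolve to.
KNOWN_EXPORTS = [
    "CloseHandle", "CompareStringA", "CreateEventA", "CreateFileA",
    "CreateProcessA", "CreateRemoteThread", "CreateThread",
    "DeleteCriticalSection", "DeleteFileA", "ExitProcess", "GetProcAddress",
]


def parse_iat(dump):
    """[(slot, value, label)], with trailing '= ...' annotations dropped."""
    entries = []
    for line in dump.splitlines():
        slot, value, label = line.split(maxsplit=2)
        entries.append((int(slot, 16), int(value, 16), label.split(" = ")[0]))
    return entries


def import_name(label):
    """'kernel32.CreateFileA' -> 'CreateFileA', resolving known forwarders."""
    return FORWARDERS.get(label, label).partition(".")[2]


def is_resolved(entry, target=TARGET_MODULE):
    """A slot labelled inside the protected image was not resolved to a DLL
    export: that is where the protector left an emulated/redirected API."""
    return not entry[2].startswith(target + ".")


def unresolved_slots(entries, target=TARGET_MODULE):
    return [e[0] for e in entries if not is_resolved(e, target)]


def sort_direction(entries, target=TARGET_MODULE):
    """Many linkers emit import names in sorted order; detect which way this
    block runs, or report 'unsorted' so that no ordering is assumed."""
    names = [import_name(e[2]) for e in entries if is_resolved(e, target)]
    pairs = list(zip(names, names[1:]))
    if pairs and all(a > b for a, b in pairs):
        return "descending"
    if pairs and all(a < b for a, b in pairs):
        return "ascending"
    return "unsorted"


def candidates_for(entries, slot, exports=KNOWN_EXPORTS, target=TARGET_MODULE):
    """Export names that could sit in `slot` given its resolved neighbours."""
    idx = next(i for i, e in enumerate(entries) if e[0] == slot)
    before = [e for e in entries[:idx] if is_resolved(e, target)]
    after = [e for e in entries[idx + 1:] if is_resolved(e, target)]
    present = {import_name(e[2]) for e in entries if is_resolved(e, target)}
    direction = sort_direction(entries, target)
    if direction == "unsorted":
        return sorted(n for n in exports if n not in present)
    low = import_name(before[-1][2]) if before else None
    high = import_name(after[0][2]) if after else None
    if direction == "descending":
        low, high = high, low
    return sorted(
        n for n in exports
        if n not in present
        and (low is None or n > low)
        and (high is None or n < high)
    )


def analyze_iat(dump):
    entries = parse_iat(dump)
    return {f"{slot:08X}": candidates_for(entries, slot)
            for slot in unresolved_slots(entries)}


if __name__ == "__main__":
    for slot, names in analyze_iat(IAT_DUMP).items():
        print(f"slot {slot}: unresolved, candidates by IAT order: {names}")
```

On this dump the block runs in descending name order, so the unresolved slot at 00453310 must hold a name that sorts between CreateProcessA and DeleteCriticalSection; with the constructed pool that leaves CreateRemoteThread and CreateThread, and the six-argument call site settles it as CreateThread. The ordering heuristic only narrows the list; the hook-and-log approach in the thread is what pins the address down when the import block is not sorted.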

@ L4Nce

So the CreateThread API gets handled in a special way (CreateProcess too in some cases), which you can get shortly before you reach the OEP if it will be written into the IAT block only. If you now let the call execute which should be CreateThread (has another SE address), then it will crash (only one + CreateProcess too = 2x possible crashes), and here it's a good idea to hook the KI API to prevent the crashes and log the addresses, and at the end you only have to fix 2 calls manually, which are CreateThread & CreateProcess, and the CreateThread EMU code you got already before = 0046FD25 in this unpackme for example. So this way you can use to find / fix it simply without big tracings etc.


 


greetz



Yes KI should be always hooked. :)


Also, a good idea is to hook the CreateThread / EMU API to find and patch the protection thread, to prevent different patch detections and playing with the code later to prevent internal error trash of SE. :)


 


greetz



Hello, GIV, I saw that you quickly unpacked hostid.exe packed with VMProtect (title is "My first unpackme with vmprotect") ^ - ^ .
But now?


:) I saw your website and read good stuff. That is all? If you are one of the specialists, then you'd better show how to unpack SE, or even a hint, since nothing lasts forever. If I succeed, I post. If you succeed, you post. Thanks


Edited by kgh0701

You are mistaken here.

LCF-AT is the only one I know who is advised to do such things.

If you can believe it, I haven't approached Shielden until now.

I know only the settings to run it under a debugger.

We are specialised people. Each individual can do better at one kind of stuff: unpacking, keygenning, GFX etc.

I do my best in Visual FoxPro, so these kinds of jobs are kinda nasty for me....


:)



@ kgh0701

1.) Does not look like an UnpackMe!

2.) .NET Framework target

3.) Unpack it the way you have to unpack .NET Framework targets

4.) Fix the .NET table stuff (I am no expert for .NET targets)

EDIT: Why did you edit your post now + remove your file? Did you get cold feet? :)


 


greetz


  • Like 2

Hello, LCF-AT. Thanks for remembering me and the quick response.

If you might handle all SE versions including .NET targets, that would be perfect. :)


Not so far from now, I learned a lot of stuff from you (if you remember, the Themida unpacker :)). Thanks for that.

PS: No, I am not nervous. I am here to keep the forum rules :)


Edited by kgh0701

Hello, LCF-AT, if you are not experienced with it, it is okay. Is there a way to unpack a .NET target? Or even a small hint?


Here is a video of your unpacked file.

I do not post this because it is not your file.

It seems to be a game server or something else.

It seems to be Shielden+VMProtect from what R.D.G. Packer Detector says.

P.S.

Unpacked in under 30 seconds.


Video.7z

  • Like 2

Unpacked under 30 seconds.

Excellent, such a surprise.

I want to be one of the members or to be friends.

If you don't want to post the file, then could you guide me on how to unpack it or something?

I only want to learn how to unpack a .NET target packed with SE :please:

Edited by kgh0701

Hi again,

hmmmm, "themida unpacker"? Sorry, but I don't remember, so maybe you could help by telling a little more so that I do remember again. :) Sorry if I can't remember now, but mostly I never remember anything that happened in the past (as always).

Ah ok, I understand; yes, the forum rules are important to follow. So on that way you got your head out of the sling at the right moment (very good). :)

So as I said, I normally have nothing to do with .NET Framework targets, but for these there are many tools to get, such as Reflector and tons of other .NET tools, where I also have no idea how to use them and also don't have or use them etc. The only thing I can tell is that you can dump your .NET target if it's running (so this way does differ from normal PE files) and then you need to fix the .NET table pointer things etc. So here you could check any .NET tools which could do this for you in auto mode, or just check the .NET topics (tools / unpacking etc.) to find a manual explanation. Just check this out a little.


 


@ GIV


:punk::bunny:


>http://www.youtube.com/watch?v=RDjd_ZjyTno


 


  • Like 1

Thanks for your kind answer. I will learn about .NET targets from GIV, and about normal targets maybe from you :phone:

Anyway, you two guys are excellent.


Edited by kgh0701