Arting Posted August 9, 2014

This target is protected by license Private Exe Protector 4.2.2 with License ID. Whoever unpacks this file, please write a tutorial.

Valid data:
License ID: NP10-AC091DD4-1AB5FFFD-B78DDCD79F6B3217
User name: tuts4you
Activation key: 061ABBE2-CDB2B006-9ED78E20-609AA20E

Good luck!

UnPackMe Private Exe Protector 4.4.2.rar

Arting Posted August 9, 2014

I looking waiting for LCF-AT script I too wait it

White Posted August 10, 2014

Set a hardware breakpoint at VA: 00550A73, F9 3 times, EDX holds the HWID string. And you can see the stack info.

    $+20 > 00C686CC UNICODE "B78DDCD79F6B3217"
    $+24 > 0056A8DC UNICODE "-"
    $+28 > 00C68624 UNICODE "AC091DD41AB5FFFD"
    $+2C > 00C7DCAC UNICODE "NP10-"

Then you can write a script to unpack.

Arting Posted August 10, 2014

> Set a hardware breakpoint at VA: 00550A73, F9 3 times, EDX holds the HWID string. And you can see the stack info.
>
>     $+20 > 00C686CC UNICODE "B78DDCD79F6B3217"
>     $+24 > 0056A8DC UNICODE "-"
>     $+28 > 00C68624 UNICODE "AC091DD41AB5FFFD"
>     $+2C > 00C7DCAC UNICODE "NP10-"
>
> Then you can write a script to unpack.

1. How did you find this VA, "00550A73"?
2. I changed EDX to a valid HWID, but when I entered valid data and clicked "OK" the application crashed.

Can you please write a more detailed tutorial?

White Posted August 10, 2014

1. Try more debugging.
2. Crash. Because there are more anti-checks, it will "CreateThread" and pFunction call "ExitProcess" in that routine. But there is a "je" command above which you can bypass.

LCF-AT Posted August 10, 2014

Hi,

OEP VA is 0044E22C but the code in the code section is not getting decrypted right if you change the ID, so that at OEP you have just 00 bytes.

    0044E22C    0000            ADD BYTE PTR DS:[EAX],AL    ; OEP
    0044E22E    0000            ADD BYTE PTR DS:[EAX],AL
    0044E230    0000            ADD BYTE PTR DS:[EAX],AL
    0044E232    0000            ADD BYTE PTR DS:[EAX],AL
    0044E234    0000            ADD BYTE PTR DS:[EAX],AL
    0044E236    0000            ADD BYTE PTR DS:[EAX],AL
    0044E238    0000            ADD BYTE PTR DS:[EAX],AL

    0012FFC4   7C817077  RETURN to kernel32.7C817077
    0012FFC8   7C920228  ntdll.7C920228
    0012FFCC   FFFFFFFF
    0012FFD0   7FFD6000
    0012FFD4   8054B6ED
    0012FFD8   0012FFC8
    0012FFDC   897AE530
    0012FFE0   FFFFFFFF  End of SEH chain
    0012FFE4   7C839AA8  SE handler
    0012FFE8   7C817080  kernel32.7C817080
    0012FFEC   00000000
    0012FFF0   00000000
    0012FFF4   00000000
    0012FFF8   005AF54D  UnPackMe.<ModuleEntryPoint>
    0012FFFC   00000000

    0056C3F4    MOV EAX,DWORD PTR SS:[EBP-0x5C]
    Stack SS:[0012FB9C]=00C3179C, (UNICODE "NP10-DC939F4C-D46B768B-EB63077B303E9C06")
    EAX=0012FB3C

    00567E3C    PUSH EBP    ; Exit Routine

So I think the ID should be changed at any other locations so the other change is only a surface visible change. Also it looks a little like ZProtect decryption.

    005627E0    53              PUSH EBX
    005627E1    8B18            MOV EBX,DWORD PTR DS:[EAX]
    005627E3    331A            XOR EBX,DWORD PTR DS:[EDX]
    005627E5    8919            MOV DWORD PTR DS:[ECX],EBX
    005627E7    8B58 04         MOV EBX,DWORD PTR DS:[EAX+0x4]
    005627EA    335A 04         XOR EBX,DWORD PTR DS:[EDX+0x4]
    005627ED    8959 04         MOV DWORD PTR DS:[ECX+0x4],EBX
    005627F0    8B58 08         MOV EBX,DWORD PTR DS:[EAX+0x8]
    005627F3    335A 08         XOR EBX,DWORD PTR DS:[EDX+0x8]
    005627F6    8959 08         MOV DWORD PTR DS:[ECX+0x8],EBX
    005627F9    8B40 0C         MOV EAX,DWORD PTR DS:[EAX+0xC]
    005627FC    3342 0C         XOR EAX,DWORD PTR DS:[EDX+0xC]
    005627FF    8941 0C         MOV DWORD PTR DS:[ECX+0xC],EAX
    00562802    5B              POP EBX
    00562803    C3              RETN

Don't remember anymore exactly about ZP but there it was also possible to decrypt the code without any valid data.

greetz

joseph2 Posted October 29, 2017

> On 8/23/2014 at 10:24 AM, SHADOW_UA said:
> Unpacked
> UnPackMe_Unpacked.zip

Hello dear SHADOW_UA,

I am new here and still learning. Can you make a detailed tutorial for unpacking Private Exe Protector 4.4.x (preferred video), please?

Regards

estelle970 Posted October 18, 2018

Unpacking Private Exe Protector 4.4.x and 5.x.x video plz

estelle970 Posted November 3, 2018

> On 8/23/2014 at 1:54 PM, SHADOW_UA said:
> Unpacked
> UnPackMe_Unpacked.zip

Hello dear SHADOW_UA,

I am new here and still learning. Can you make a detailed tutorial for unpacking Private Exe Protector 4.4.x (preferred video), please?

Regards

jim27greeceroki Posted February 11

Was anyone able to bypass registration and decrypt the code by changing the HWID? I have found where the HWID is created piece by piece and I change them, but it doesn't affect the app. When I change it at the exe with the working license.bin it still runs. So it is somewhere else that the exe needs to be patched. Was anyone able to find what needs to be done so that PEP protected files can be run? I know it's an old protector and maybe outdated, but some may have managed to defeat it in the past. I downloaded the protector and protected some apps and debugged them, but was not able to see where I have to patch it so it works.

jim27greeceroki Posted February 12

Let me refer to another detail I have noticed. The protector creates 3 parts of the license ID. The first is always Ns10 if I recall right. And then the other 2 parts. Even when I use the registered app and I change the HWID, nothing changes and the app is still registered. Why so? Also I have noticed that there are like 3 more threads running, but even if I kill them the same thing happens. Why could this happen, that changing the HWID doesn't affect registration?