Tuts 4 You

[UnpackMe] Private Exe Protector 4.4.2 + License ID


Arting

Set a hardware breakpoint at VA: 00550A73

Press F9 three times; EDX then holds the HWID string.

And you can see the stack info:

 



$+20 > 00C686CC UNICODE "B78DDCD79F6B3217"
$+24 > 0056A8DC UNICODE "-"
$+28 > 00C68624 UNICODE "AC091DD41AB5FFFD"
$+2C > 00C7DCAC UNICODE "NP10-"

Then you can write a script to unpack it.



1. How did you find this VA, "00550A73"?

2. I changed EDX to a valid HWID, but when I enter valid data and click "OK" the application crashes.

Can you please write the tutorial in more detail?


1. Try more debugging.

2. Crash: because there are more anti-checks, it will "CreateThread" and the pFunction calls "ExitProcess" in that routine.

But there is a "je" instruction above it which you can bypass.



Hi,


 


The OEP VA is 0044E22C, but the code in the code section does not get decrypted right if you change the ID, so at the OEP you have just 00 bytes.



0044E22C 0000 ADD BYTE PTR DS:[EAX],AL ; OEP
0044E22E 0000 ADD BYTE PTR DS:[EAX],AL
0044E230 0000 ADD BYTE PTR DS:[EAX],AL
0044E232 0000 ADD BYTE PTR DS:[EAX],AL
0044E234 0000 ADD BYTE PTR DS:[EAX],AL
0044E236 0000 ADD BYTE PTR DS:[EAX],AL
0044E238 0000 ADD BYTE PTR DS:[EAX],AL

0012FFC4 7C817077 RETURN to kernel32.7C817077
0012FFC8 7C920228 ntdll.7C920228
0012FFCC FFFFFFFF
0012FFD0 7FFD6000
0012FFD4 8054B6ED
0012FFD8 0012FFC8
0012FFDC 897AE530
0012FFE0 FFFFFFFF End of SEH chain
0012FFE4 7C839AA8 SE handler
0012FFE8 7C817080 kernel32.7C817080
0012FFEC 00000000
0012FFF0 00000000
0012FFF4 00000000
0012FFF8 005AF54D UnPackMe.<ModuleEntryPoint>
0012FFFC 00000000


0056C3F4 MOV EAX,DWORD PTR SS:[EBP-0x5C] Stack SS:[0012FB9C]=00C3179C, (UNICODE "NP10-DC939F4C-D46B768B-EB63077B303E9C06")
EAX=0012FB3C


00567E3C PUSH EBP ; Exit Routine

So I think the ID has to be changed at some other location too, and the other change is only a surface-visible change. :)


 


Also it looks a little like ZProtect decryption. :)



005627E0 53 PUSH EBX
005627E1 8B18 MOV EBX,DWORD PTR DS:[EAX]
005627E3 331A XOR EBX,DWORD PTR DS:[EDX]
005627E5 8919 MOV DWORD PTR DS:[ECX],EBX
005627E7 8B58 04 MOV EBX,DWORD PTR DS:[EAX+0x4]
005627EA 335A 04 XOR EBX,DWORD PTR DS:[EDX+0x4]
005627ED 8959 04 MOV DWORD PTR DS:[ECX+0x4],EBX
005627F0 8B58 08 MOV EBX,DWORD PTR DS:[EAX+0x8]
005627F3 335A 08 XOR EBX,DWORD PTR DS:[EDX+0x8]
005627F6 8959 08 MOV DWORD PTR DS:[ECX+0x8],EBX
005627F9 8B40 0C MOV EAX,DWORD PTR DS:[EAX+0xC]
005627FC 3342 0C XOR EAX,DWORD PTR DS:[EDX+0xC]
005627FF 8941 0C MOV DWORD PTR DS:[ECX+0xC],EAX
00562802 5B POP EBX
00562803 C3 RETN

I don't remember exactly anymore about ZP, but there it was also possible to decrypt the code without any valid data.


 


greetz
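The routine at 005627E0 quoted above is a plain 16-byte XOR: four dwords from [EAX] are XORed with four dwords from [EDX] and stored to [ECX]. The following C is an added re-implementation for experimenting with that behaviour; it is not code from the thread or from Private Exe Protector. Everything beyond the XOR block itself is an assumption: the key is taken to be 16 bytes reused for every block (the dump shows a single call, not how EDX advances), the key schedule (FNV-1a over the license string with four seeds) is a hypothetical stand-in for whatever the protector derives from the "NP10-..." ID, and the 32-byte "code section" is a constructed x86 prologue. The two ID strings are the ones visible on this page, used only as sample input. The point it demonstrates is the one LCF-AT makes: if the XOR key is derived from the ID, the code only decrypts when the ID that feeds the key is right, and patching the ID string somewhere else changes nothing.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Straight C rendering of the 16-byte XOR routine at 005627E0:
 * EAX = source block, EDX = key block, ECX = destination block.
 * Four 32-bit loads, XORs and stores; memcpy avoids alignment assumptions. */
void xor_block16(const uint8_t *src, const uint8_t *key, uint8_t *dst)
{
    for (size_t i = 0; i < 16; i += 4) {
        uint32_t s, k;
        memcpy(&s, src + i, 4);
        memcpy(&k, key + i, 4);
        s ^= k;
        memcpy(dst + i, &s, 4);
    }
}

/* ASSUMPTION (not from the page): one 16-byte key reused for every block.
 * The dump shows a single call; how EDX moves between blocks is not visible. */
void xor_buffer(const uint8_t *src, const uint8_t *key, uint8_t *dst, size_t len)
{
    for (size_t off = 0; off + 16 <= len; off += 16)
        xor_block16(src + off, key, dst + off);
}

/* HYPOTHETICAL key schedule: FNV-1a over the license string with four seeds.
 * A stand-in for whatever the protector derives from the ID; it is NOT PEP's. */
static uint32_t fnv1a(const char *s, uint32_t h)
{
    for (; *s; s++) {
        h ^= (uint8_t)*s;
        h *= 16777619u;
    }
    return h;
}

void derive_key(const char *license, uint8_t key[16])
{
    static const uint32_t seeds[4] = {0x811C9DC5u, 0x01000193u, 0xDEADBEEFu, 0x0BADF00Du};
    for (int i = 0; i < 4; i++) {
        uint32_t h = fnv1a(license, seeds[i]);
        memcpy(key + 4 * i, &h, 4);
    }
}

/* Constructed sample "code section": a typical x86 prologue padded to 32 bytes. */
static const uint8_t plain_code[32] = {
    0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10, 0x53, 0x56,
    0x57, 0x33, 0xC0, 0x8B, 0x75, 0x08, 0x8B, 0x7D,
    0x0C, 0xE8, 0x00, 0x00, 0x00, 0x00, 0x5F, 0x5E,
    0x5B, 0x8B, 0xE5, 0x5D, 0xC3, 0xCC, 0xCC, 0xCC
};

/* Encrypt the sample code under enc_license, decrypt under dec_license.
 * XOR is its own inverse, so the same routine serves both directions.
 * Returns 1 if the decrypted bytes equal the original code, else 0. */
int decrypts_correctly(const char *enc_license, const char *dec_license)
{
    uint8_t key_enc[16], key_dec[16], cipher[32], out[32];
    derive_key(enc_license, key_enc);
    derive_key(dec_license, key_dec);
    xor_buffer(plain_code, key_enc, cipher, sizeof cipher);
    xor_buffer(cipher, key_dec, out, sizeof cipher);
    return memcmp(out, plain_code, sizeof plain_code) == 0;
}

int main(void)
{
    /* The two ID strings seen on the page, used here only as sample input. */
    const char *good = "NP10-DC939F4C-D46B768B-EB63077B303E9C06";
    const char *bad  = "NP10-B78DDCD79F6B3217-AC091DD41AB5FFFD";
    printf("right ID -> code restored: %d\n", decrypts_correctly(good, good));
    printf("wrong ID -> code restored: %d\n", decrypts_correctly(good, bad));
    return 0;
}
```

To use this against the real target you would replace derive_key with the key bytes EDX actually points at when 005627E0 is hit under a hardware breakpoint, and feed it the encrypted section dumped from the process; the XOR block itself needs no change.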

