Jump to content
Tuts 4 You
Arting

[UnpackMe] Private Exe Protector 4.4.2 + License ID

Recommended Posts

Arting

CyEnC2N.png


 


This target is protected by license Private Exe Protector 4.2.2 with License ID


 


Who will unpack this file please write tutorial :)


 


Valid data:


License ID: NP10-AC091DD4-1AB5FFFD-B78DDCD79F6B3217

User name: tuts4you

Activation key: 061ABBE2-CDB2B006-9ED78E20-609AA20E

 

Good luck!

 


  • Like 1

Share this post


Link to post
Share on other sites
enjon

i looking waiting for LCF-AT script


Share this post


Link to post
Share on other sites
Arting

i looking waiting for LCF-AT script

 

I too wait it :)

Share this post


Link to post
Share on other sites
kuazi GA

I too wait it :)

Don't give him too much pressure :smartass:

Share this post


Link to post
Share on other sites
White
set a hardware breakpoint at VA: 00550A73 

F9 ,3 times,EDX holds HWID string.

And you can see the stack infos.

 



$+20 > 00C686CC UNICODE "B78DDCD79F6B3217"
$+24 > 0056A8DC UNICODE "-"
$+28 > 00C68624 UNICODE "AC091DD41AB5FFFD"
$+2C > 00C7DCAC UNICODE "NP10-"

Then you can write a script to unpack.


Share this post


Link to post
Share on other sites
Arting

 

set a hardware breakpoint at VA: 00550A73 

F9 ,3 times,EDX holds HWID string.

And you can see the stack infos.

 

$+20 > 00C686CC UNICODE "B78DDCD79F6B3217"

$+24 > 0056A8DC UNICODE "-"

$+28 > 00C68624 UNICODE "AC091DD41AB5FFFD"

$+2C > 00C7DCAC UNICODE "NP10-"

Then you can write a script to unpack.

 

 

1. How you find this VA? "00550A73"

2. I change EDX to valid HWID, but when I enter valid data and click "OK" application crashed. 

 

Can you please write tutorial in more detail.

Share this post


Link to post
Share on other sites
White

1.Try more debugging.


2.Crash.Because there are more anti-checks,it will "CreateThread" and pFuntion call "ExitProcess" in that routine.


But there is a "je" command upper which you can bypass.


Share this post


Link to post
Share on other sites
LCF-AT

Hi,


 


OEP VA is 0044E22C but the code in codesection is not getting decrypted right if you change the ID so that you at OEP have just 00 bytes.



0044E22C 0000 ADD BYTE PTR DS:[EAX],AL ; OEP
0044E22E 0000 ADD BYTE PTR DS:[EAX],AL
0044E230 0000 ADD BYTE PTR DS:[EAX],AL
0044E232 0000 ADD BYTE PTR DS:[EAX],AL
0044E234 0000 ADD BYTE PTR DS:[EAX],AL
0044E236 0000 ADD BYTE PTR DS:[EAX],AL
0044E238 0000 ADD BYTE PTR DS:[EAX],AL 0012FFC4 7C817077 RETURN to kernel32.7C817077
0012FFC8 7C920228 ntdll.7C920228
0012FFCC FFFFFFFF
0012FFD0 7FFD6000
0012FFD4 8054B6ED
0012FFD8 0012FFC8
0012FFDC 897AE530
0012FFE0 FFFFFFFF End of SEH chain
0012FFE4 7C839AA8 SE handler
0012FFE8 7C817080 kernel32.7C817080
0012FFEC 00000000
0012FFF0 00000000
0012FFF4 00000000
0012FFF8 005AF54D UnPackMe.<ModuleEntryPoint>
0012FFFC 00000000


0056C3F4 MOV EAX,DWORD PTR SS:[EBP-0x5C] Stack SS:[0012FB9C]=00C3179C, (UNICODE "NP10-DC939F4C-D46B768B-EB63077B303E9C06")
EAX=0012FB3C


00567E3C PUSH EBP ; Exit Routine

So I think the ID should be changed at any other locations so the other change is only a surface visible change. :)


 


Also it looks a little like ZProtect decryption. :)



005627E0 53 PUSH EBX
005627E1 8B18 MOV EBX,DWORD PTR DS:[EAX]
005627E3 331A XOR EBX,DWORD PTR DS:[EDX]
005627E5 8919 MOV DWORD PTR DS:[ECX],EBX
005627E7 8B58 04 MOV EBX,DWORD PTR DS:[EAX+0x4]
005627EA 335A 04 XOR EBX,DWORD PTR DS:[EDX+0x4]
005627ED 8959 04 MOV DWORD PTR DS:[ECX+0x4],EBX
005627F0 8B58 08 MOV EBX,DWORD PTR DS:[EAX+0x8]
005627F3 335A 08 XOR EBX,DWORD PTR DS:[EDX+0x8]
005627F6 8959 08 MOV DWORD PTR DS:[ECX+0x8],EBX
005627F9 8B40 0C MOV EAX,DWORD PTR DS:[EAX+0xC]
005627FC 3342 0C XOR EAX,DWORD PTR DS:[EDX+0xC]
005627FF 8941 0C MOV DWORD PTR DS:[ECX+0xC],EAX
00562802 5B POP EBX
00562803 C3 RETN

Don't remember anymore exactly about ZP but there is was also possible to decrypt the code without any valid datas.


 


greetz


Share this post


Link to post
Share on other sites
kuazi GA

Unpacked

I change  HWID  Why quit?

Share this post


Link to post
Share on other sites
joseph2

 

On 8/23/2014 at 10:24 AM, SHADOW_UA said:

Unpacked

 

UnPackMe_Unpacked.zip

 

hello dear,  SHADOW_UA

I am new here and still learn

can you make a detailed tutorial for unpacking private exe protector 4.4.x (prefered video), please?

regards

Share this post


Link to post
Share on other sites
estelle970

unpacking private exe protector 4.4.x and 5.x.x video plz

Edited by estelle970 (see edit history)

Share this post


Link to post
Share on other sites
estelle970
On 8/23/2014 at 1:54 PM, SHADOW_UA said:

Unpacked

 

UnPackMe_Unpacked.zip

 

hello dear,  SHADOW_UA

I am new here and still learn

can you make a detailed tutorial for unpacking private exe protector 4.4.x (prefered video), please?

regards

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

×