Tuts 4 You

[UnpackMe] Private Exe Protector 4.4.2 + License ID


Arting



 


This target is protected by a licensed Private Exe Protector 4.2.2 with a License ID.


 


Whoever unpacks this file, please write a tutorial :)


 


Valid data:


License ID: NP10-AC091DD4-1AB5FFFD-B78DDCD79F6B3217

User name: tuts4you

Activation key: 061ABBE2-CDB2B006-9ED78E20-609AA20E

 

Good luck!

 



Set a hardware breakpoint at VA: 00550A73

Press F9 three times; EDX holds the HWID string.

And you can see the stack info.

 



$+20 > 00C686CC UNICODE "B78DDCD79F6B3217"
$+24 > 0056A8DC UNICODE "-"
$+28 > 00C68624 UNICODE "AC091DD41AB5FFFD"
$+2C > 00C7DCAC UNICODE "NP10-"

Then you can write a script to unpack.




1. How did you find this VA, "00550A73"?

2. I changed EDX to the valid HWID, but when I enter the valid data and click "OK" the application crashes.

Can you please write the tutorial in more detail?


1. Try more debugging.

2. Crash: because there are more anti-checks, it will "CreateThread" and the pFunction calls "ExitProcess" in that routine.

But there is a "je" instruction above it which you can bypass.



Hi,


 


The OEP VA is 0044E22C, but the code in the code section does not get decrypted right if you change the ID, so that at the OEP you have just 00 bytes.



0044E22C 0000 ADD BYTE PTR DS:[EAX],AL ; OEP
0044E22E 0000 ADD BYTE PTR DS:[EAX],AL
0044E230 0000 ADD BYTE PTR DS:[EAX],AL
0044E232 0000 ADD BYTE PTR DS:[EAX],AL
0044E234 0000 ADD BYTE PTR DS:[EAX],AL
0044E236 0000 ADD BYTE PTR DS:[EAX],AL
0044E238 0000 ADD BYTE PTR DS:[EAX],AL

0012FFC4 7C817077 RETURN to kernel32.7C817077
0012FFC8 7C920228 ntdll.7C920228
0012FFCC FFFFFFFF
0012FFD0 7FFD6000
0012FFD4 8054B6ED
0012FFD8 0012FFC8
0012FFDC 897AE530
0012FFE0 FFFFFFFF End of SEH chain
0012FFE4 7C839AA8 SE handler
0012FFE8 7C817080 kernel32.7C817080
0012FFEC 00000000
0012FFF0 00000000
0012FFF4 00000000
0012FFF8 005AF54D UnPackMe.<ModuleEntryPoint>
0012FFFC 00000000


0056C3F4 MOV EAX,DWORD PTR SS:[EBP-0x5C] Stack SS:[0012FB9C]=00C3179C, (UNICODE "NP10-DC939F4C-D46B768B-EB63077B303E9C06")
EAX=0012FB3C


00567E3C PUSH EBP ; Exit Routine

So I think the ID has to be changed at other locations as well, so that the other change is only a surface-visible change. :)


 


Also it looks a little like ZProtect decryption. :)



005627E0 53 PUSH EBX
005627E1 8B18 MOV EBX,DWORD PTR DS:[EAX]
005627E3 331A XOR EBX,DWORD PTR DS:[EDX]
005627E5 8919 MOV DWORD PTR DS:[ECX],EBX
005627E7 8B58 04 MOV EBX,DWORD PTR DS:[EAX+0x4]
005627EA 335A 04 XOR EBX,DWORD PTR DS:[EDX+0x4]
005627ED 8959 04 MOV DWORD PTR DS:[ECX+0x4],EBX
005627F0 8B58 08 MOV EBX,DWORD PTR DS:[EAX+0x8]
005627F3 335A 08 XOR EBX,DWORD PTR DS:[EDX+0x8]
005627F6 8959 08 MOV DWORD PTR DS:[ECX+0x8],EBX
005627F9 8B40 0C MOV EAX,DWORD PTR DS:[EAX+0xC]
005627FC 3342 0C XOR EAX,DWORD PTR DS:[EDX+0xC]
005627FF 8941 0C MOV DWORD PTR DS:[ECX+0xC],EAX
00562802 5B POP EBX
00562803 C3 RETN

I don't remember exactly anymore about ZP, but there it was also possible to decrypt the code without any valid data.


 


greetz


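The routine at 005627E0 in the post above is a plain 16-byte XOR: four dwords from [EAX] are XORed with four dwords from [EDX] and stored at [ECX]. The following C reimplements it so a dumped region can be processed offline. This is an added example and not part of the original post or of the protector's code: the names xor_block16 and xor_region16, the fixed key block, and the sample bytes are constructed for illustration. In the real target the key pointer (EDX) may be advanced or recomputed per block by the caller, so trace that caller before running this over a dump.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* 005627E0: MOV EBX,[EAX] / XOR EBX,[EDX] / MOV [ECX],EBX, repeated for +0,+4,+8,+C.
 * EAX = source (encrypted) block, EDX = 16-byte key block, ECX = destination. */
static void xor_block16(uint8_t *dst, const uint8_t *src, const uint8_t *key)
{
    for (size_t i = 0; i < 16; i += 4) {
        uint32_t s, k;
        memcpy(&s, src + i, 4);   /* dword load, like MOV EBX,[EAX+i] (alignment-safe) */
        memcpy(&k, key + i, 4);   /* XOR EBX,[EDX+i] */
        s ^= k;
        memcpy(dst + i, &s, 4);   /* MOV [ECX+i],EBX */
    }
}

/* Walk a dumped region in place, 16 bytes at a time, with one fixed key block.
 * ASSUMPTION: the real caller may change EDX per block; adapt once traced.
 * Returns the number of full blocks processed; a tail shorter than 16 bytes
 * is left untouched, which is the first thing to check if the end of a
 * decrypted section still looks like garbage. */
size_t xor_region16(uint8_t *buf, size_t len, const uint8_t key[16])
{
    size_t blocks = 0;
    for (size_t off = 0; off + 16 <= len; off += 16, blocks++)
        xor_block16(buf + off, buf + off, key);
    return blocks;
}

/* Constructed sample: a made-up key and 32 bytes of a typical function prologue. */
static const uint8_t sample_key[16] = {
    0x13,0x37,0xC0,0xDE, 0xDE,0xAD,0xBE,0xEF, 0x01,0x02,0x03,0x04, 0xAA,0x55,0xAA,0x55 };
static const uint8_t sample_plain[32] = {
    0x55,0x8B,0xEC,0x83, 0xEC,0x10,0x53,0x56, 0x57,0x33,0xC0,0x89, 0x45,0xF0,0x89,0x45,
    0xF4,0x89,0x45,0xF8, 0x89,0x45,0xFC,0x8B, 0x45,0x08,0x85,0xC0, 0x74,0x05,0xE8,0x00 };

/* XOR is its own inverse: "encrypt" once, "decrypt" once, expect the original.
 * Returns 1 on success, 0 on any mismatch. */
int roundtrip_ok(void)
{
    uint8_t buf[32];
    memcpy(buf, sample_plain, sizeof buf);
    if (xor_region16(buf, sizeof buf, sample_key) != 2) return 0;
    if (memcmp(buf, sample_plain, sizeof buf) == 0) return 0;   /* must have changed */
    if (xor_region16(buf, sizeof buf, sample_key) != 2) return 0;
    return memcmp(buf, sample_plain, sizeof buf) == 0;
}

int main(void)
{
    int ok = roundtrip_ok();
    printf("16-byte XOR round trip: %s\n", ok ? "OK" : "FAILED");
    return ok ? 0 : 1;
}
```

To use it on a real dump, read the encrypted section into a buffer, fill the key block with the 16 bytes EDX points at when the breakpoint on 005627E0 hits, and write the buffer back over the section before fixing the OEP.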

jim27greeceroki

Was anyone able to bypass registration and decrypt the code by changing the HWID?

I have found where the HWID is created piece by piece and I change them, but it doesn't affect the app. When I change it in the exe with the working license.bin it still runs. So it is somewhere else that the exe needs to be patched. Was anyone able to find what needs to be done so that PEP-protected files can be run? I know it's an old protector and maybe outdated, but some may have managed to defeat it in the past. I downloaded the protector, protected some apps and debugged them, but was not able to see where I have to patch it so it works.


jim27greeceroki

Let me refer to another detail I have noticed. The protector creates 3 parts of the license ID. The first is always Ns10 if I recall right, and then the other 2 parts. When I even use the registered app and change the HWID, nothing changes and the app is still registered. Why so? Also I have noticed that there are 3 more threads running, but even if I kill them the same thing happens. Why could this happen, that changing the HWID doesn't affect registration???