Tuts 4 You

[Unpackme] PeP 5.x UnpackMe



Unpacked. Tutorial: F7 -> CTRL+F9 -> F8. You are on OEP. Dump with Scylla through Menu -> Dump Section (Change BIG section size to 0). Fix Imports. File is runnable. Now you can fix sections manually through CFF Explorer.



The first file is a joke:

00401080 - FF25 20104000 JMP DWORD PTR DS:[0x401020] ; msvbvm60.__vbaChkstk
00401086 - FF25 38104000 JMP DWORD PTR DS:[0x401038] ; msvbvm60.__vbaExceptHandler
0040108C - FF25 44104000 JMP DWORD PTR DS:[0x401044] ; msvbvm60.__vbaFPException
00401092 - FF25 14104000 JMP DWORD PTR DS:[0x401014] ; msvbvm60._adj_fdiv_m16i
00401098 - FF25 10104000 JMP DWORD PTR DS:[0x401010] ; msvbvm60._adj_fdiv_m32
0040109E - FF25 4C104000 JMP DWORD PTR DS:[0x40104C] ; msvbvm60._adj_fdiv_m32i
004010A4 - FF25 08104000 JMP DWORD PTR DS:[0x401008] ; msvbvm60._adj_fdiv_m64
004010AA - FF25 58104000 JMP DWORD PTR DS:[0x401058] ; msvbvm60._adj_fdiv_r
004010B0 - FF25 18104000 JMP DWORD PTR DS:[0x401018] ; msvbvm60._adj_fdivr_m16i
004010B6 - FF25 54104000 JMP DWORD PTR DS:[0x401054] ; msvbvm60._adj_fdivr_m32
004010BC - FF25 50104000 JMP DWORD PTR DS:[0x401050] ; msvbvm60._adj_fdivr_m32i
004010C2 - FF25 40104000 JMP DWORD PTR DS:[0x401040] ; msvbvm60._adj_fdivr_m64
004010C8 - FF25 28104000 JMP DWORD PTR DS:[0x401028] ; msvbvm60._adj_fpatan
004010CE - FF25 3C104000 JMP DWORD PTR DS:[0x40103C] ; msvbvm60._adj_fprem
004010D4 - FF25 0C104000 JMP DWORD PTR DS:[0x40100C] ; msvbvm60._adj_fprem1
004010DA - FF25 04104000 JMP DWORD PTR DS:[0x401004] ; msvbvm60._adj_fptan
004010E0 - FF25 60104000 JMP DWORD PTR DS:[0x401060] ; msvbvm60._CIatan
004010E6 - FF25 00104000 JMP DWORD PTR DS:[0x401000] ; msvbvm60._CIcos
004010EC - FF25 6C104000 JMP DWORD PTR DS:[0x40106C] ; msvbvm60._CIexp
004010F2 - FF25 48104000 JMP DWORD PTR DS:[0x401048] ; msvbvm60._CIlog
004010F8 - FF25 1C104000 JMP DWORD PTR DS:[0x40101C] ; msvbvm60._CIsin
004010FE - FF25 30104000 JMP DWORD PTR DS:[0x401030] ; msvbvm60._CIsqrt
00401104 - FF25 68104000 JMP DWORD PTR DS:[0x401068] ; msvbvm60._CItan
0040110A - FF25 64104000 JMP DWORD PTR DS:[0x401064] ; msvbvm60._allmul
00401110 - FF25 34104000 JMP DWORD PTR DS:[0x401034] ; msvbvm60.EVENT_SINK_QueryInterface
00401116 - FF25 24104000 JMP DWORD PTR DS:[0x401024] ; msvbvm60.EVENT_SINK_AddRef
0040111C - FF25 2C104000 JMP DWORD PTR DS:[0x40102C] ; msvbvm60.EVENT_SINK_Release
00401122 - FF25 5C104000 JMP DWORD PTR DS:[0x40105C] ; msvbvm60.ThunRTMain
00401128 <ModuleEntryPo> 68 00134000 PUSH Project1.00401300
0040112D E8 F0FFFFFF CALL Project1.00401122 ; JMP to msvbvm60.ThunRTMain
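
Added example, not part of the original post: a small Python check that parses `FF25` thunk rows in the format of the listing above, decodes each little-endian operand into its import table slot, and reports the slot range and any unreferenced slots. The function names are hypothetical, and the sample rows are a subset copied from the listing.

```python
import re
import struct

# Sample rows copied from the listing in the post above (subset, for brevity).
SAMPLE = """\
004010E6 - FF25 00104000 JMP DWORD PTR DS:[0x401000] ; msvbvm60._CIcos
004010DA - FF25 04104000 JMP DWORD PTR DS:[0x401004] ; msvbvm60._adj_fptan
004010A4 - FF25 08104000 JMP DWORD PTR DS:[0x401008] ; msvbvm60._adj_fdiv_m64
00401122 - FF25 5C104000 JMP DWORD PTR DS:[0x40105C] ; msvbvm60.ThunRTMain
"""

# One row: thunk VA, opcode FF25, 4 operand bytes, disassembly, module.name
ROW = re.compile(
    r"^(?P<va>[0-9A-F]{8})\s+-\s+FF25\s+(?P<imm>[0-9A-F]{8})\s+"
    r"JMP DWORD PTR DS:\[0x(?P<op>[0-9A-F]+)\]\s*;\s*(?P<mod>\w+)\.(?P<name>\w+)$",
    re.IGNORECASE,
)


def parse_thunks(listing):
    """Return {iat_slot_va: (thunk_va, module, name)} for each FF25 thunk row."""
    slots = {}
    for line in listing.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # not a JMP [mem] thunk row
        # The 4 operand bytes are little-endian; decode them and cross-check
        # against the operand the disassembler printed.
        slot = struct.unpack("<I", bytes.fromhex(m["imm"]))[0]
        if slot != int(m["op"], 16):
            raise ValueError(f"operand mismatch at {m['va']}")
        slots[slot] = (int(m["va"], 16), m["mod"], m["name"])
    return slots


def iat_report(slots, ptr_size=4):
    """Return (start, size, gaps) for the slots the thunks reference."""
    lo, hi = min(slots), max(slots)
    gaps = [va for va in range(lo, hi + ptr_size, ptr_size) if va not in slots]
    return lo, hi + ptr_size - lo, gaps


if __name__ == "__main__":
    start, size, gaps = iat_report(parse_thunks(SAMPLE))
    print(f"IAT start={start:#x} size={size:#x} unreferenced slots={len(gaps)}")
```

Run over all 28 thunk rows of the listing, the slots cover 0x401000 through 0x40106C (0x70 bytes) with no gaps.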

The only thing new is this, let me say, strange (at least) idea to give resources a strange name.

In this case:



This is no solution.

Edited by GIV

The only thing new is this, let me say, strange (at least) idea to give resources a strange name.

In this case:

This is no solution.


That is my idea and not the PeP developer's at all. I think there will be someone to solve this problem also.


Thanks for spending time

  • 6 years later...
On 12/24/2014 at 11:32 AM, Gladiator said:



The attached file is a simple VB6 file that was protected with the latest version of PeP, so please try to unpack it and then identify the way you used to break its protection.

salm #

How can I unpack it? Please show any video.

