Reasen, posted December 27, 2015

Simple UnpackMe made by Safengine Shielden v2.3.7.0.
Options: Default
Target file: Delphi 7
Good luck.
UnpackMe_Safengine.rar
man of the war, posted December 27, 2015 (edited)

Easy: http://up.dev-point.com/uploads1/09f4365bdc591.png
Thanks.
Unpacked.rar

Edited December 27, 2015 by man of the war
Reasen (author), posted December 27, 2015 (edited)

You JUST dumped it? It didn't work. Tested on Win7 x64 and WinXP x86.

Edited December 27, 2015 by reasen
Apuromafo, posted December 28, 2015 (edited)

I only looked at the unpacked file from man of the war: the stolen OEP is not restored there, and the section headers do not have the permissions (that is why it says error). When the permissions are fixed, you will see it will try to run some code outside of the exe, or maybe there is some stolen code from APIs in the resources.

Near the OEP it is Delphi:

CPU Disasm
Address   Hex dump          Command                          Comments
0044E215  8BEC              MOV EBP,ESP
0044E217  83C4 F0           ADD ESP,-10
0044E21A  B8 8CE04400       MOV EAX,44E08C
0044E21F  E8 587EFBFF       CALL 0040607C
0044E224  A1 4CFF4400       MOV EAX,DWORD PTR DS:[44FF4C]
0044E229  8B00              MOV EAX,DWORD PTR DS:[EAX]
0044E22B  E8 08E6FFFF       CALL 0044C838
0044E230  8B0D 28004500     MOV ECX,DWORD PTR DS:[450028]
0044E236  A1 4CFF4400       MOV EAX,DWORD PTR DS:[44FF4C]
0044E23B  8B00              MOV EAX,DWORD PTR DS:[EAX]
0044E23D  8B15 ACDE4400     MOV EDX,DWORD PTR DS:[44DEAC]
0044E243  E8 08E6FFFF       CALL 0044C850
0044E248  A1 4CFF4400       MOV EAX,DWORD PTR DS:[44FF4C]
0044E24D  8B00              MOV EAX,DWORD PTR DS:[EAX]
0044E24F  E8 7CE6FFFF       CALL 0044C8D0
0044E254  E8 8F5EFBFF       CALL 004040E8
0044E259  8D40 00           LEA EAX,[EAX]

There are APIs without resolution in the spliced code:

CPU Disasm
Address   Hex dump          Command                          Comments
005198B9  68 078C2A02       PUSH 22A8C07

Maybe, by the struct, it is GetModuleHandleA; when fixed as that API it runs normally, but it will land here, the anti-dump:

CPU Disasm
Address   Hex dump          Command                          Comments
00401D54  3B05 14164500     CMP EAX,DWORD PTR DS:[451614]
00401D5A  75 09             JNE SHORT 00401D65
00401D5C  8B50 04           MOV EDX,DWORD PTR DS:[EAX+4]
00401D5F  8915 14164500     MOV DWORD PTR DS:[451614],EDX
00401D65  8B50 04           MOV EDX,DWORD PTR DS:[EAX+4]
00401D68  891424            MOV DWORD PTR SS:[ESP],EDX
00401D6B  8B50 08           MOV EDX,DWORD PTR DS:[EAX+8]
00401D6E  81FA 00100000     CMP EDX,1000

where it must validate the PE header... maybe there is more, but it was not checked for the unpack...

Best regards, Apuromafo

Edited December 28, 2015 by Apuromafo
GIV, posted December 28, 2015

The OEP:

0044E214  55                PUSH EBP
0044E215  8BEC              MOV EBP,ESP
0044E217  83C4 F0           ADD ESP,-0x10
0044E21A  B8 8CE04400       MOV EAX,UnpackMe.0044E08C
0044E21F  E8 587EFBFF       CALL UnpackMe.0040607C
0044E224  A1 4CFF4400       MOV EAX,DWORD PTR DS:[0x44FF4C]
0044E229  8B00              MOV EAX,DWORD PTR DS:[EAX]
0044E22B  E8 08E6FFFF       CALL UnpackMe.0044C838
0044E230  8B0D 28004500     MOV ECX,DWORD PTR DS:[0x450028]   ; UnpackMe.00451B64
0044E236  A1 4CFF4400       MOV EAX,DWORD PTR DS:[0x44FF4C]
0044E23B  8B00              MOV EAX,DWORD PTR DS:[EAX]
0044E23D  8B15 ACDE4400     MOV EDX,DWORD PTR DS:[0x44DEAC]   ; UnpackMe.0044DEF8
0044E243  E8 08E6FFFF       CALL UnpackMe.0044C850
0044E248  A1 4CFF4400       MOV EAX,DWORD PTR DS:[0x44FF4C]
0044E24D  8B00              MOV EAX,DWORD PTR DS:[EAX]
0044E24F  E8 7CE6FFFF       CALL UnpackMe.0044C8D0
0044E254  E8 8F5EFBFF       CALL UnpackMe.004040E8

I guess the only thing to fix is the imports.
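Apuromafo's and GIV's listings show the same Delphi 7 program entry: PUSH EBP / MOV EBP,ESP / ADD ESP,-10 / MOV EAX,imm32 / CALL rel32. The script below is an added example, not code from any post in this thread, that scans a raw dump for that prologue and resolves the CALL target so the candidate can be cross-checked. The sample dump, its base address and the module bounds (image base 0x400000, size picked to cover the 0x451xxx addresses the listings reference) are constructed or assumed for the example and are not taken from the real UnpackMe file.

```python
import re
import struct

# Delphi 7 program entry as it appears in the thread's listings:
#   55            PUSH EBP
#   8B EC         MOV EBP,ESP
#   83 C4 F0      ADD ESP,-10
#   B8 imm32      MOV EAX,<init table>
#   E8 rel32      CALL <initialisation routine>
# The two 32-bit operands are left as wildcards.
DELPHI7_OEP_PATTERN = re.compile(rb"\x55\x8B\xEC\x83\xC4\xF0\xB8(.{4})\xE8(.{4})", re.DOTALL)


def find_delphi_oep(image: bytes, image_base: int, module_range=None):
    """Scan a raw dump for the Delphi 7 entry prologue.

    image is a flat dump whose offset 0 is mapped at virtual address image_base.
    If module_range=(start, end) is given, candidates whose MOV EAX immediate or
    CALL target fall outside the module are discarded, which removes false
    positives from data that merely contains the opcode bytes.
    Returns a list of dicts: candidate OEP, MOV EAX immediate, resolved CALL target.
    """
    found = []
    for m in DELPHI7_OEP_PATTERN.finditer(image):
        oep = image_base + m.start()
        mov_imm = struct.unpack("<I", m.group(1))[0]
        call_rel = struct.unpack("<i", m.group(2))[0]
        # The CALL sits at oep+11 and is 5 bytes long; rel32 is relative to oep+16.
        call_target = (oep + 16 + call_rel) & 0xFFFFFFFF
        if module_range is not None:
            lo, hi = module_range
            if not (lo <= mov_imm < hi and lo <= call_target < hi):
                continue
        found.append({"oep": oep, "mov_eax": mov_imm, "call_target": call_target})
    return found


# Constructed sample: a section dump mapped at 0x0044E000 with the bytes from the
# listing placed at offset 0x214 (so the OEP lands at 0044E214), zero padding
# elsewhere, plus a decoy copy of the prologue whose operands point outside the
# module so the range filter has something to reject.
LISTING_BYTES = bytes.fromhex(
    "558BEC83C4F0B88CE04400E8587EFBFF"  # 0044E214 .. 0044E223
    "A14CFF44008B00E808E6FFFF"          # 0044E224 .. 0044E22F
)
DECOY_BYTES = bytes.fromhex("558BEC83C4F0B8EFBEADDEE8EFBEADDE")  # constructed
SAMPLE_DUMP = bytes(0x214) + LISTING_BYTES + bytes(0x100) + DECOY_BYTES + bytes(0x40)
SAMPLE_BASE = 0x0044E000
# Assumed module bounds for the sample; not taken from the real file.
SAMPLE_MODULE = (0x00400000, 0x00452000)


def demo():
    """Run the scan on the constructed dump with the range filter applied."""
    return find_delphi_oep(SAMPLE_DUMP, SAMPLE_BASE, SAMPLE_MODULE)


if __name__ == "__main__":
    for c in demo():
        print("OEP candidate %08X  MOV EAX,%08X  CALL %08X"
              % (c["oep"], c["mov_eax"], c["call_target"]))
```

Without the module range the decoy is reported too; with it only the real prologue at 0044E214 survives, and its resolved CALL target 0040607C matches the listing, which is the quick consistency check worth doing before trusting a signature hit as the OEP.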
White, posted December 29, 2015

Hi, here is my unpacked file, just let me know whether it works or not.
UnpackMe_237_Fixed.rar
Reasen (author), posted December 29, 2015

34 minutes ago, White said:
    Hi, here is my unpacked file, just let me know whether it works or not. UnpackMe_237_Fixed.rar

Yeah, you unpacked it correctly!
Sound, posted December 29, 2015 (edited)

OEP: set a memory write breakpoint on the code, run, decode; you can get the OEP.

Fix imports: from the OEP, step into and step over. The Shielden protection program, for the import table, obtains the DLL base of the currently encrypted API by LoadLibraryA. Then it pushes the API and the base on the stack and calls an anti-GetProcAddress to obtain the API address, and writes the address to the execution entry.

Using the API to obtain GetModuleHandle: simulated API.
Using the API to obtain GetProcAddress: get the API address.

00518615  E8 00000000       CALL 0051861A          ; GetModuleHandle
0051861A  E9 DB120000       JMP 005198FA

Simulation of the API: the stack value is stored in EAX.

005198CF  50                PUSH EAX
005198D0  E8 5B26F5FF       CALL 0046BF30
005198D5  ^ E9 3BEDFFFF     JMP 00518615

The current value is the redirection of the API:

00DDB199  8BFF              MOV EDI,EDI
00DDB19B  55                PUSH EBP
00DDB19C  8BEC              MOV EBP,ESP
00DDB19E  837D 08 00        CMP DWORD PTR SS:[EBP+0x8],0x0
00DDB1A2  74 18             JE SHORT 00DDB1BC
00DDB1A4  FF75 08           PUSH DWORD PTR SS:[EBP+0x8]
00DDB1A7  E8 C0290000       CALL 00DDDB6C
00DDB1AC  85C0              TEST EAX,EAX
00DDB1AE  74 08             JE SHORT 00DDB1B8
00DDB1B0  FF70 04           PUSH DWORD PTR DS:[EAX+0x4]
00DDB1B3  E8 7D2D0000       CALL 00DDDF35
00DDB1B8  5D                POP EBP
00DDB1B9  C2 0400           RETN 0x4
=======================
7C80B741 > 8BFF             MOV EDI,EDI
7C80B743   55               PUSH EBP
7C80B744   8BEC             MOV EBP,ESP
7C80B746   837D 08 00       CMP DWORD PTR SS:[EBP+0x8],0x0
7C80B74A   74 18            JE SHORT 7C80B764
7C80B74C   FF75 08          PUSH DWORD PTR SS:[EBP+0x8]
7C80B74F   E8 C0290000      CALL 7C80E114
7C80B754   85C0             TEST EAX,EAX
7C80B756   74 08            JE SHORT 7C80B760
7C80B758   FF70 04          PUSH DWORD PTR DS:[EAX+0x4]
7C80B75B   E8 7D2D0000      CALL GetModuleHandleW
7C80B760   5D               POP EBP
7C80B761   C2 0400          RETN 0x4

Res: direct move, then point it to.

Cross-platform: generally it can be cross-platform. If the above cannot be cross-platform, the Sedate section is set to writeable, so it can be written to save.

Best regards, Sound.

Edited December 29, 2015 by Sound
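Sound's two listings show the redirection that makes the import table hard to rebuild: the copy at 00DDB199 reproduces the kernel32 function at 7C80B741 byte for byte, including the rel32 displacements of its two CALLs, so an IAT slot points at the copy instead of the real export. The script below is an added example, not Sound's or the protector's code: it matches a redirected stub against a DLL's export prologues while treating rel32 displacements as wildcards, which goes beyond the page's case by also handling a copy whose CALL displacements were rewritten. The stub and kernel32 bytes are transcribed from the listings above (7C80B741 is GetModuleHandleA on that Windows XP kernel32, which is also what the thread identifies it as); the decoy export, its bytes and its address are constructed for the example.

```python
import struct


def mask_rel32(code: bytes):
    """Mark the 4-byte displacement after every E8 (CALL rel32) / E9 (JMP rel32)
    opcode as a wildcard. Byte-level heuristic, not an x86 decoder: an E8/E9
    that is really operand data over-masks, which only loosens the match."""
    masked = []
    i = 0
    while i < len(code):
        b = code[i]
        masked.append((b, False))
        if b in (0xE8, 0xE9) and i + 4 < len(code):
            masked.extend((code[j], True) for j in range(i + 1, i + 5))
            i += 5
        else:
            i += 1
    return masked


def stub_matches(stub: bytes, api_code: bytes, min_len: int = 12) -> bool:
    """True when the stub reproduces the API's prologue, ignoring rel32 displacements."""
    n = min(len(stub), len(api_code))
    if n < min_len:
        return False
    return all(wild or b == stub[k] for k, (b, wild) in enumerate(mask_rel32(api_code[:n])))


def resolve_redirected_api(stub: bytes, exports: dict):
    """exports maps API name -> (real address, first bytes of the API).
    Returns [(name, address)] for every export whose code the stub copies;
    that address is what belongs in the rebuilt import table."""
    return [(name, addr) for name, (addr, code) in exports.items() if stub_matches(stub, code)]


def rel32_target(insn_addr: int, insn_len: int, disp: bytes) -> int:
    """Resolve a CALL/JMP rel32 target from the instruction address and displacement."""
    return (insn_addr + insn_len + struct.unpack("<i", disp)[0]) & 0xFFFFFFFF


# Bytes transcribed from the thread's listing: the redirected copy at 00DDB199 ...
STUB_00DDB199 = bytes.fromhex(
    "8BFF558BEC837D08007418FF7508E8C029000085C07408FF7004E87D2D00005DC20400"
)
# ... and the kernel32 function at 7C80B741 it was copied from (identical bytes).
KERNEL32_7C80B741 = bytes.fromhex(
    "8BFF558BEC837D08007418FF7508E8C029000085C07408FF7004E87D2D00005DC20400"
)

# Constructed export table: the real entry plus a decoy with made-up bytes and a
# made-up address (not any real API prologue) so a non-match is exercised.
EXPORTS = {
    "GetModuleHandleA": (0x7C80B741, KERNEL32_7C80B741),
    "Decoy_NotAnApi": (0x7C8F1234, bytes.fromhex("8BFF558BEC83EC105356578B7D0885FF7420")),
}

# Constructed variant: the same copy with both CALL displacements rewritten, as a
# protector that relocates the copied calls would produce.
STUB_RELOCATED = (STUB_00DDB199
                  .replace(b"\xC0\x29\x00\x00", b"\x11\x11\x11\x11")
                  .replace(b"\x7D\x2D\x00\x00", b"\x22\x22\x22\x22"))


if __name__ == "__main__":
    for label, stub in (("00DDB199", STUB_00DDB199), ("relocated", STUB_RELOCATED)):
        for name, addr in resolve_redirected_api(stub, EXPORTS):
            print("%s -> %s @ %08X" % (label, name, addr))
    # The copied CALL at 00DDB1A7 keeps kernel32's displacement, so it lands in the copy:
    print("%08X" % rel32_target(0x00DDB1A7, 5, bytes.fromhex("C0290000")))
```

In practice the export table is built by reading the loaded DLL's exports and the first few dozen bytes of each; a match of at least min_len bytes with the displacements masked is enough to name the API, and the displacement resolution confirms what the listing shows: the copied CALL at 00DDB1A7 reaches 00DDDB6C inside the copy, just as 7C80B74F reaches 7C80E114 in kernel32.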
Sound, posted December 29, 2015

Supplement: at the right opportunity, you can get the complete import table.

Best regards, Sound.
converse, posted May 5, 2016

On 28.12.2015 at 11:15 AM, Sound said:
    Using the API to obtain GetProcAddress: get the API address.
    00518615  E8 00000000       CALL 0051861A          ; GetModuleHandle

How did you find this address? It is very interesting, tell me.
Sound, posted May 9, 2016

On 2016/5/5 at 2:59 AM, converse said:
    How did you find this address? It is very interesting, tell me.

Use step into and step over in OllyDbg.

Best regards, Sound
converse, posted May 9, 2016

7 minutes ago, Sound said:
    Use step into and step over in OllyDbg. Best regards, Sound

A little more, please. Going down with F7 I did not find the call, or did I not do it for long enough?
Sound, posted May 10, 2016

23 hours ago, converse said:
    A little more, please. Going down with F7 I did not find the call, or did I not do it for long enough?

Distinguish the VM CALL from the API CALL. Using F7 and F8 you will find this place.
oldscool, posted October 1, 2022

Hello, I need help to unpack a SafeEngine file, anyone here willing to assist?