Tuts 4 You

Borland Confuser v1.0

Question

Modify

Difficulty : 3
Language : Borland
Platform : Windows
OS Version : Windows 7
Packer / Protector : Confuser, DNP Method

Description :

Hi,

Don't trust public-version packer finders.

Good Luck

thanks

Screenshot :

Capture.JPG


Demo.7z

8 answers to this question

GIV

Hi.

After 10 minutes of tracing here is what i got:

36479550     55              PUSH EBP
36479551     89E5            MOV EBP,ESP
36479553     83EC 04         SUB ESP,0x4
36479556     895D FC         MOV DWORD PTR SS:[EBP-0x4],EBX
36479559     B8 509D4A36     MOV EAX,Demo.364A9D50
3647955E     50              PUSH EAX
3647955F     E8 0CFBFEFF     CALL Demo.36469070                                    ; JMP to kernel32.GetStartupInfoA
36479564     E8 3750FFFF     CALL Demo.3646E5A0
36479569     A0 70D34936     MOV AL,BYTE PTR DS:[0x3649D370]
3647956E     84C0            TEST AL,AL
36479570     75 05           JNZ SHORT Demo.36479577
36479572     E8 D94FFFFF     CALL Demo.3646E550
36479577     C705 A09D4A36 0>MOV DWORD PTR DS:[0x364A9DA0],0x0
36479581     A0 70D34936     MOV AL,BYTE PTR DS:[0x3649D370]
36479586     84C0            TEST AL,AL
36479588     75 0C           JNZ SHORT Demo.36479596
3647958A     6A 00           PUSH 0x0
3647958C     E8 3FFBFEFF     CALL Demo.364690D0                                    ; JMP to kernel32.GetModuleHandleA
36479591     A3 F09D4A36     MOV DWORD PTR DS:[0x364A9DF0],EAX
36479596     A1 F09D4A36     MOV EAX,DWORD PTR DS:[0x364A9DF0]
3647959B     A3 B09D4A36     MOV DWORD PTR DS:[0x364A9DB0],EAX
364795A0     B8 00000001     MOV EAX,Demo.01000000
364795A5     E8 86FFFFFF     CALL Demo.36479530
364795AA     89C3            MOV EBX,EAX
364795AC     8B15 30904A36   MOV EDX,DWORD PTR DS:[0x364A9030]
364795B2     85D2            TEST EDX,EDX
364795B4     74 09           JE SHORT Demo.364795BF
364795B6     A1 609C4A36     MOV EAX,DWORD PTR DS:[0x364A9C60]
364795BB     FFD2            CALL EDX
364795BD     EB 05           JMP SHORT Demo.364795C4
364795BF     B8 649C4A36     MOV EAX,Demo.364A9C64
364795C4     8918            MOV DWORD PTR DS:[EAX],EBX
364795C6     8B15 30904A36   MOV EDX,DWORD PTR DS:[0x364A9030]
364795CC     85D2            TEST EDX,EDX
364795CE     74 0B           JE SHORT Demo.364795DB
364795D0     A1 409C4A36     MOV EAX,DWORD PTR DS:[0x364A9C40]
364795D5     FFD2            CALL EDX
364795D7     89C3            MOV EBX,EAX
364795D9     EB 05           JMP SHORT Demo.364795E0
364795DB     BB 449C4A36     MOV EBX,Demo.364A9C44
364795E0     8B15 30904A36   MOV EDX,DWORD PTR DS:[0x364A9030]
364795E6     85D2            TEST EDX,EDX
364795E8     74 09           JE SHORT Demo.364795F3
364795EA     A1 609C4A36     MOV EAX,DWORD PTR DS:[0x364A9C60]
364795EF     FFD2            CALL EDX
364795F1     EB 05           JMP SHORT Demo.364795F8
364795F3     B8 649C4A36     MOV EAX,Demo.364A9C64
364795F8     8B1B            MOV EBX,DWORD PTR DS:[EBX]
364795FA     8B00            MOV EAX,DWORD PTR DS:[EAX]
364795FC     29C3            SUB EBX,EAX
364795FE     8B15 30904A36   MOV EDX,DWORD PTR DS:[0x364A9030]
36479604     85D2            TEST EDX,EDX
36479606     74 09           JE SHORT Demo.36479611
36479608     A1 509C4A36     MOV EAX,DWORD PTR DS:[0x364A9C50]
3647960D     FFD2            CALL EDX
3647960F     EB 05           JMP SHORT Demo.36479616
36479611     B8 549C4A36     MOV EAX,Demo.364A9C54
36479616     8918            MOV DWORD PTR DS:[EAX],EBX
36479618     0FB705 809D4A36 MOVZX EAX,WORD PTR DS:[0x364A9D80]
3647961F     A3 C09D4A36     MOV DWORD PTR DS:[0x364A9DC0],EAX
36479624     E8 07D7FFFF     CALL Demo.36476D30
36479629     E8 82B3FFFF     CALL Demo.364749B0
3647962E     E8 BD4FFFFF     CALL Demo.3646E5F0
36479633     E8 58FBFFFF     CALL Demo.36479190
36479638     E8 13F1FFFF     CALL Demo.36478750
3647963D     8B15 30904A36   MOV EDX,DWORD PTR DS:[0x364A9030]
36479643     85D2            TEST EDX,EDX
36479645     74 09           JE SHORT Demo.36479650
36479647     A1 309C4A36     MOV EAX,DWORD PTR DS:[0x364A9C30]
3647964C     FFD2            CALL EDX
3647964E     EB 05           JMP SHORT Demo.36479655
36479650     B8 349C4A36     MOV EAX,Demo.364A9C34
36479655     66:C700 0000    MOV WORD PTR DS:[EAX],0x0
3647965A     E8 41FAFEFF     CALL Demo.364690A0                                    ; JMP to kernel32.GetCurrentProcessId
3647965F     A3 E0B24A36     MOV DWORD PTR DS:[0x364AB2E0],EAX
36479664     E8 17E0FFFF     CALL Demo.36477680
36479669     8B15 30904A36   MOV EDX,DWORD PTR DS:[0x364A9030]
3647966F     85D2            TEST EDX,EDX
36479671     74 09           JE SHORT Demo.3647967C
36479673     A1 109E4A36     MOV EAX,DWORD PTR DS:[0x364A9E10]
36479678     FFD2            CALL EDX
3647967A     EB 05           JMP SHORT Demo.36479681
3647967C     B8 149E4A36     MOV EAX,Demo.364A9E14
36479681     C700 00000000   MOV DWORD PTR DS:[EAX],0x0
36479687     E8 34B7FFFF     CALL Demo.36474DC0
3647968C     E8 BF8FFFFF     CALL Demo.36472650
36479691     E8 AA9DFFFF     CALL Demo.36473440
36479696     E8 35FEFFFF     CALL Demo.364794D0

Imports start at 364AD2F8  77DD7CC9  advapi32.AllocateAndInitializeSid (imagebase 400000) and the size is 264.

A nice antidump is the excessive virtual size of the code section.

Is that correct?

kao

@GIV: no, you're still somewhere in the middle of the protector code.

The real OEP is a standard Delphi one (find the "Runtime Error at.." message and look a bit up) - boring;
It's trivial to find the hardcoded password by just dumping process memory and examining strings - even more boring;
Making a proper unpacked file is not entirely trivial because the imports are redirected via a few jumps - slightly entertaining.

However, in the unpackme description Modify claims to have used Confuser and DNP on an x86 executable... Apparently he has no idea what he's doing, so I wouldn't waste any time on this POS.

SHADOW_UA

It is protected with Private EXE Protector 3.x, if someone is interested.

GIV

My fault.

I rushed to other business yesterday.

OEP:

0044F308     55              PUSH EBP
0044F309     8BEC            MOV EBP,ESP
0044F30B     83C4 F0         ADD ESP,-0x10
0044F30E     B8 28F14400     MOV EAX,Demo.0044F128
0044F313     E8 B068FBFF     CALL Demo.00405BC8
0044F318     A1 F40F4500     MOV EAX,DWORD PTR DS:[0x450FF4]
0044F31D     8B00            MOV EAX,DWORD PTR DS:[EAX]
0044F31F     E8 C0E5FFFF     CALL Demo.0044D8E4
0044F324     8B0D D0104500   MOV ECX,DWORD PTR DS:[0x4510D0]          ; Demo.00452BD0
0044F32A     A1 F40F4500     MOV EAX,DWORD PTR DS:[0x450FF4]
0044F32F     8B00            MOV EAX,DWORD PTR DS:[EAX]
0044F331     8B15 84EE4400   MOV EDX,DWORD PTR DS:[0x44EE84]          ; Demo.0044EED0
0044F337     E8 C0E5FFFF     CALL Demo.0044D8FC
0044F33C     A1 F40F4500     MOV EAX,DWORD PTR DS:[0x450FF4]
0044F341     8B00            MOV EAX,DWORD PTR DS:[EAX]
0044F343     E8 34E6FFFF     CALL Demo.0044D97C
0044F348     E8 D349FBFF     CALL Demo.00403D20

I just traced from the GetModuleHandleA API return until I reached the correct point.

@Shadow_UA I have no idea what the protector is, but that huge section VS reminded me of the antidump used by the protector you mention.

Extreme Coders

Here is my take.

OEP is at 0x44F308 and is a standard Delphi one.

Finding the OEP

In Delphi apps, the first function that is called is GetModuleHandleA. Set a HWBP and trace a few times; you will reach a position (by intuition) where you need to use the stack to find the caller. The OEP is a few lines above it.

For tracing to OEP, here is an immdbg pycommand:
https://gist.github.com/extremecoders-re/196a65bdbbbbc984a5438a1e5ca59895

Just make sure to hide the debugger properly before running the pycommand.

Rebuilding imports

The import table is split into three parts. Further, as already said, imports are redirected by jumps. The original imports can be recovered by tracing. Well, not all imports can be recovered by tracing, as some seem to be virtualized / emulated.

For recovering the imports, here is another pycommand. This simply follows the jumps. Run it after OEP is reached.
https://gist.github.com/extremecoders-re/0a178e211974f34ba949915217fa8de3

Running the script, you should get a log like this:

77C00000  Modules C:\WINDOWS\system32\version.dll
            CRC changed, discarding .udd data
0BADF00D  [*] Rebuilding imports...
004011F4  [.] 004011F4 -> kernel32.GetStdHandle (7C812CA9)
004011FC  [.] 004011FC -> kernel32.RaiseException (7C81EAE1)
00401204  [.] 00401204 -> ntdll.RtlUnwind (7C937A40)
0040120C  [.] 0040120C -> kernel32.UnhandledExceptionFilter (7C862B8A)
00401214  [.] 00401214 -> kernel32.WriteFile (7C810F9F)
0040121C  [.] 0040121C -> USER32.CharNextA (77D6EC40)
00401224  [.] 00401224 -> kernel32.ExitProcess (7C81CAA2)
0040122C  [.] 0040122C -> USER32.MessageBoxA (77D8050B)
00401234  [.] 00401234 -> kernel32.FindClose (7C80EFD7)
0040123C  [.] 0040123C -> kernel32.FindFirstFileA (7C813559)
00401244  [.] 00401244 -> kernel32.FreeLibrary (7C80AA66)
0040124C  [.] 0040124C -> kernel32.GetCommandLineA (7C812C8D)
00401254  [.] 00401254 -> kernel32.GetLocaleInfoA (7C80D47E)
0040125C  [.] 0040125C -> kernel32.GetModuleFileNameA (7C80B357)
00401264  [.] 00401264 -> kernel32.GetModuleHandleA (7C80B529)
0040126C  [!] 0040126C -> TRACING FAILED...
00401274  [.] 00401274 -> kernel32.GetStartupInfoA (7C801EEE)
0040127C  [.] 0040127C -> kernel32.GetThreadLocale (7C80A405)
00401284  [.] 00401284 -> kernel32.LoadLibraryExA (7C801D4F)
0040128C  [!] 0040128C -> TRACING FAILED...
00401294  [.] 00401294 -> kernel32.lstrcpynA (7C810311)
0040129C  [.] 0040129C -> kernel32.lstrlenA (7C80C6E0)
004012A4  [.] 004012A4 -> kernel32.MultiByteToWideChar (7C809CAD)
004012AC  [.] 004012AC -> advapi32.RegCloseKey (77DD6BF0)
004012B4  [.] 004012B4 -> advapi32.RegOpenKeyExA (77DD761B)
004012BC  [.] 004012BC -> advapi32.RegQueryValueExA (77DD7883)
004012C4  [.] 004012C4 -> kernel32.WideCharToMultiByte (7C80A0C7)
004012CC  [.] 004012CC -> kernel32.VirtualQuery (7C80B859)
004012D4  [.] 004012D4 -> oleaut32.SysAllocStringLen (77124B59)
004012DC  [.] 004012DC -> oleaut32.SysReAllocStringLen (7714C99D)
004012E4  [.] 004012E4 -> oleaut32.SysFreeString (77124850)
004012EC  [.] 004012EC -> kernel32.InterlockedIncrement (7C80977B)
004012F4  [.] 004012F4 -> kernel32.InterlockedDecrement (7C809794)
004012FC  [.] 004012FC -> kernel32.GetCurrentThreadId (7C809737)
00401304  [.] 00401304 -> kernel32.GetVersion (7C8114AB)
0BADF00D  
00401330  [.] 00401330 -> kernel32.LocalAlloc (7C8099BD)
00401338  [.] 00401338 -> kernel32.LocalFree (7C80995D)
00401340  [.] 00401340 -> kernel32.VirtualAlloc (7C809A81)
00401348  [.] 00401348 -> kernel32.VirtualFree (7C809B14)
00401350  [.] 00401350 -> kernel32.InitializeCriticalSection (7C809FA1)
00401358  [.] 00401358 -> ntdll.RtlEnterCriticalSection (7C901005)
00401360  [.] 00401360 -> ntdll.RtlLeaveCriticalSection (7C9010ED)
00401368  [.] 00401368 -> ntdll.RtlDeleteCriticalSection (7C91188A)
0BADF00D  
00405D88  [.] 00405D88 -> advapi32.RegCloseKey (77DD6BF0)
00405D90  [.] 00405D90 -> advapi32.RegOpenKeyExA (77DD761B)
00405D98  [.] 00405D98 -> advapi32.RegQueryValueExA (77DD7883)
00405DA0  [.] 00405DA0 -> kernel32.CloseHandle (7C809B77)
00405DA8  [.] 00405DA8 -> kernel32.CompareStringA (7C80D293)
00405DB0  [.] 00405DB0 -> kernel32.CreateEventA (7C81E4BD)
00405DB8  [.] 00405DB8 -> kernel32.CreateFileA (7C801A24)
00405DC0  [.] 00405DC0 -> kernel32.CreateThread (7C81082F)
00405DC8  [.] 00405DC8 -> ntdll.RtlDeleteCriticalSection (7C91188A)
00405DD0  [.] 00405DD0 -> ntdll.RtlEnterCriticalSection (7C901005)
00405DD8  [.] 00405DD8 -> kernel32.EnumCalendarInfoA (7C83761C)
00405DE0  [!] 00405DE0 -> TRACING FAILED...
00405DE8  [.] 00405DE8 -> kernel32.FormatMessageA (7C825F62)
00405DF0  [.] 00405DF0 -> kernel32.FreeLibrary (7C80AA66)
00405DF8  [.] 00405DF8 -> kernel32.InterlockedExchange (7C8097AD)
00405E00  [!] 00405E00 -> TRACING FAILED...
00405E08  [.] 00405E08 -> kernel32.GetACP (7C809943)
00405E10  [.] 00405E10 -> kernel32.GetCPInfo (7C812BE6)
00405E18  [.] 00405E18 -> kernel32.GetCurrentProcessId (7C80994E)
00405E20  [.] 00405E20 -> kernel32.GetCurrentThreadId (7C809737)
00405E28  [.] 00405E28 -> kernel32.GetDateFormatA (7C826E0C)
00405E30  [.] 00405E30 -> kernel32.GetDiskFreeSpaceA (7C827373)
00405E38  [.] 00405E38 -> kernel32.GetFullPathNameA (7C81367C)
00405E40  [.] 00405E40 -> ntdll.RtlGetLastWin32Error (7C910331)
00405E48  [.] 00405E48 -> kernel32.GetLocalTime (7C80C9C1)
00405E50  [.] 00405E50 -> kernel32.GetLocaleInfoA (7C80D47E)
00405E58  [.] 00405E58 -> kernel32.GetModuleFileNameA (7C80B357)
00405E60  [.] 00405E60 -> kernel32.GetModuleHandleA (7C80B529)
00405E68  [!] 00405E68 -> TRACING FAILED...
00405E70  [.] 00405E70 -> kernel32.GetStdHandle (7C812CA9)
00405E78  [.] 00405E78 -> kernel32.GetStringTypeExA (7C875D7F)
00405E80  [.] 00405E80 -> kernel32.GetSystemInfo (7C812AC6)
00405E88  [.] 00405E88 -> kernel32.GetThreadLocale (7C80A405)
00405E90  [.] 00405E90 -> kernel32.GetTickCount (7C8092AC)
00405E98  [.] 00405E98 -> kernel32.GetVersion (7C8114AB)
00405EA0  [.] 00405EA0 -> kernel32.GetVersionExA (7C812851)
00405EA8  [.] 00405EA8 -> kernel32.GlobalAddAtomA (7C823039)
00405EB0  [.] 00405EB0 -> kernel32.GlobalAlloc (7C80FF2D)
00405EB8  [.] 00405EB8 -> kernel32.GlobalDeleteAtom (7C81E19A)
00405EC0  [.] 00405EC0 -> kernel32.GlobalFindAtomA (7C823094)
00405EC8  [.] 00405EC8 -> kernel32.GlobalFree (7C80FE2F)
00405ED0  [.] 00405ED0 -> kernel32.GlobalLock (7C810119)
00405ED8  [.] 00405ED8 -> kernel32.GlobalHandle (7C838F36)
00405EE0  [.] 00405EE0 -> kernel32.GlobalReAlloc (7C8125C9)
00405EE8  [.] 00405EE8 -> kernel32.GlobalUnlock (7C810082)
00405EF0  [.] 00405EF0 -> kernel32.InitializeCriticalSection (7C809FA1)
00405EF8  [.] 00405EF8 -> ntdll.RtlLeaveCriticalSection (7C9010ED)
00405F00  [.] 00405F00 -> kernel32.LoadLibraryA (7C801D77)
00405F08  [!] 00405F08 -> TRACING FAILED...
00405F10  [.] 00405F10 -> kernel32.SetHandleCount (7C80C6CF)
00405F18  [.] 00405F18 -> kernel32.MulDiv (7C8097F4)
00405F20  [.] 00405F20 -> kernel32.ReadFile (7C80180E)
00405F28  [.] 00405F28 -> kernel32.ResetEvent (7C809C4C)
00405F30  [.] 00405F30 -> kernel32.SetEndOfFile (7C81F850)
00405F38  [.] 00405F38 -> kernel32.SetErrorMode (7C80AA97)
00405F40  [.] 00405F40 -> kernel32.SetEvent (7C809C28)
00405F48  [.] 00405F48 -> kernel32.SetFilePointer (7C810DA6)
00405F50  [.] 00405F50 -> kernel32.SetThreadLocale (7C81B882)
00405F58  [!] 00405F58 -> TRACING FAILED...
00405F60  [.] 00405F60 -> kernel32.Sleep (7C802442)
00405F68  [.] 00405F68 -> kernel32.VirtualAlloc (7C809A81)
00405F70  [.] 00405F70 -> kernel32.VirtualQuery (7C80B859)
00405F78  [.] 00405F78 -> kernel32.WaitForSingleObject (7C802530)
00405F80  [.] 00405F80 -> kernel32.WriteFile (7C810F9F)
00405F88  [.] 00405F88 -> kernel32.lstrcpyA (7C80C729)
00405F90  [.] 00405F90 -> version.GetFileVersionInfoA (77C01A50)
00405F98  [.] 00405F98 -> version.GetFileVersionInfoSizeA (77C019FF)
00405FA0  [.] 00405FA0 -> version.VerQueryValueA (77C018BA)
00405FA8  [.] 00405FA8 -> gdi32.BitBlt (77F16DC0)
00405FB0  [.] 00405FB0 -> gdi32.CreateBitmap (77F1601F)
00405FB8  [.] 00405FB8 -> gdi32.CreateBrushIndirect (77F1AA29)
00405FC0  [.] 00405FC0 -> gdi32.CreateCompatibleBitmap (77F16E51)
00405FC8  [.] 00405FC8 -> gdi32.CreateCompatibleDC (77F15E10)
00405FD0  [.] 00405FD0 -> gdi32.CreateDIBSection (77F19610)
00405FD8  [.] 00405FD8 -> gdi32.CreateDIBitmap (77F1B52C)
00405FE0  [.] 00405FE0 -> gdi32.CreateFontIndirectA (77F1D10C)
00405FE8  [.] 00405FE8 -> gdi32.CreateHalftonePalette (77F1D547)
00405FF0  [.] 00405FF0 -> gdi32.CreatePalette (77F18DD7)
00405FF8  [.] 00405FF8 -> gdi32.CreatePenIndirect (77F2E923)
00406000  [.] 00406000 -> gdi32.CreateSolidBrush (77F15FD5)
00406008  [.] 00406008 -> gdi32.DeleteDC (77F16CA6)
00406010  [.] 00406010 -> gdi32.DeleteObject (77F16A3B)
00406018  [.] 00406018 -> gdi32.ExcludeClipRect (77F18665)
00406020  [.] 00406020 -> gdi32.GetBitmapBits (77F18DB8)
00406028  [.] 00406028 -> gdi32.GetBrushOrgEx (77F1A6A5)
00406030  [.] 00406030 -> gdi32.GetClipBox (77F168E4)
00406038  [.] 00406038 -> gdi32.GetCurrentPositionEx (77F2FB94)
00406040  [.] 00406040 -> gdi32.GetDCOrgEx (77F19C31)
00406048  [.] 00406048 -> gdi32.GetDIBColorTable (77F1A147)
00406050  [.] 00406050 -> gdi32.GetDIBits (77F19FC5)
00406058  [.] 00406058 -> gdi32.GetDeviceCaps (77F158A2)
00406060  [.] 00406060 -> gdi32.GetObjectA (77F19A82)
00406068  [.] 00406068 -> gdi32.GetPaletteEntries (77F1CDEF)
00406070  [.] 00406070 -> gdi32.GetPixel (77F1D35B)
00406078  [.] 00406078 -> gdi32.GetStockObject (77F15FF1)
00406080  [.] 00406080 -> gdi32.GetSystemPaletteEntries (77F1D55B)
00406088  [.] 00406088 -> gdi32.GetTextExtentPoint32A (77F1D73B)
00406090  [.] 00406090 -> gdi32.GetTextMetricsA (77F1A821)
00406098  [.] 00406098 -> gdi32.GetWindowOrgEx (77F1ABC8)
004060A0  [.] 004060A0 -> gdi32.IntersectClipRect (77F16899)
004060A8  [.] 004060A8 -> gdi32.LineTo (77F19D07)
004060B0  [.] 004060B0 -> gdi32.MaskBlt (77F1A174)
004060B8  [.] 004060B8 -> gdi32.MoveToEx (77F19C60)
004060C0  [.] 004060C0 -> gdi32.PatBlt (77F186B0)
004060C8  [.] 004060C8 -> gdi32.RealizePalette (77F1BD89)
004060D0  [.] 004060D0 -> gdi32.RectVisible (77F18070)
004060D8  [.] 004060D8 -> gdi32.RestoreDC (77F197BE)
004060E0  [.] 004060E0 -> gdi32.SaveDC (77F19884)
004060E8  [.] 004060E8 -> gdi32.SelectObject (77F159A0)
004060F0  [.] 004060F0 -> gdi32.SelectPalette (77F182DE)
004060F8  [.] 004060F8 -> gdi32.SetBkColor (77F15C59)
00406100  [.] 00406100 -> gdi32.SetBkMode (77F15D0B)
00406108  [.] 00406108 -> gdi32.SetBrushOrgEx (77F18834)
00406110  [.] 00406110 -> gdi32.SetDIBColorTable (77F1D6AC)
00406118  [.] 00406118 -> gdi32.SetPixel (77F1D3E1)
00406120  [.] 00406120 -> gdi32.SetROP2 (77F1A990)
00406128  [.] 00406128 -> gdi32.SetStretchBltMode (77F19D5F)
00406130  [.] 00406130 -> gdi32.SetTextColor (77F15BA7)
00406138  [.] 00406138 -> gdi32.SetViewportOrgEx (77F17988)
00406140  [.] 00406140 -> gdi32.SetWindowOrgEx (77F194AD)
00406148  [.] 00406148 -> gdi32.StretchBlt (77F1C6FC)
00406150  [.] 00406150 -> gdi32.UnrealizeObject (77F189AF)
00406158  [.] 00406158 -> USER32.ActivateKeyboardLayout (77D6F794)
00406160  [.] 00406160 -> USER32.AdjustWindowRectEx (77D520A2)
00406168  [.] 00406168 -> USER32.CharLowerA (77D6EED5)
00406170  [.] 00406170 -> USER32.BeginPaint (77D4B4B1)
00406178  [.] 00406178 -> USER32.CallNextHookEx (77D4ED6E)
00406180  [.] 00406180 -> USER32.CallWindowProcA (77D4E34B)
00406188  [.] 00406188 -> USER32.CharNextA (77D6EC40)
00406190  [.] 00406190 -> USER32.CharToOemA (77D4AD9B)
00406198  [.] 00406198 -> USER32.CheckMenuItem (77D5711B)
004061A0  [.] 004061A0 -> USER32.ClientToScreen (77D4BF2C)
004061A8  [.] 004061A8 -> USER32.CreateIcon (77D86C4F)
004061B0  [.] 004061B0 -> USER32.CreateMenu (77D5363F)
004061B8  [.] 004061B8 -> USER32.CreatePopupMenu (77D67138)
004061C0  [.] 004061C0 -> USER32.DefFrameProcA (77D7F685)
004061C8  [.] 004061C8 -> USER32.DefMDIChildProcA (77D7F6D4)
004061D0  [.] 004061D0 -> USER32.DefWindowProcA (77D4DF6B)
004061D8  [.] 004061D8 -> USER32.DeleteMenu (77D4E87B)
004061E0  [.] 004061E0 -> USER32.DestroyIcon (77D4E8CE)
004061E8  [.] 004061E8 -> USER32.DestroyIcon (77D4E8CE)
004061F0  [.] 004061F0 -> USER32.DestroyMenu (77D4E3A1)
004061F8  [.] 004061F8 -> USER32.DestroyWindow (77D4E666)
00406200  [.] 00406200 -> USER32.DispatchMessageA (77D4BCBD)
00406208  [.] 00406208 -> USER32.DrawEdge (77D4F807)
00406210  [.] 00406210 -> USER32.DrawFrameControl (77D62420)
00406218  [.] 00406218 -> USER32.DrawIcon (77D601EF)
00406220  [.] 00406220 -> USER32.DrawIconEx (77D4F38A)
00406228  [.] 00406228 -> USER32.DrawMenuBar (77D7F3BC)
00406230  [.] 00406230 -> USER32.DrawTextA (77D65D61)
00406238  [.] 00406238 -> USER32.EnableMenuItem (77D4FC3C)
00406240  [.] 00406240 -> USER32.EnableScrollBar (77D97BAD)
00406248  [.] 00406248 -> USER32.EnableWindow (77D4C4D4)
00406250  [.] 00406250 -> USER32.EndPaint (77D4B4C5)
00406258  [.] 00406258 -> USER32.EnumThreadWindows (77D4FACD)
00406260  [.] 00406260 -> USER32.EnumWindows (77D4D935)
00406268  [.] 00406268 -> USER32.EqualRect (77D4BDD1)
00406270  [.] 00406270 -> USER32.FillRect (77D4D3C5)
00406278  [.] 00406278 -> USER32.FindWindowA (77D6F3C6)
00406280  [.] 00406280 -> USER32.FrameRect (77D4F5FE)
00406288  [.] 00406288 -> USER32.GetActiveWindow (77D4DF1E)
00406290  [.] 00406290 -> USER32.GetCapture (77D494FF)
00406298  [.] 00406298 -> USER32.GetClassInfoA (77D64D4A)
004062A0  [.] 004062A0 -> USER32.GetClassNameA (77D4E032)
004062A8  [.] 004062A8 -> USER32.GetClientRect (77D4B556)
004062B0  [.] 004062B0 -> USER32.GetCursor (77D4CECD)
004062B8  [.] 004062B8 -> USER32.GetCursorPos (77D4C566)
004062C0  [.] 004062C0 -> USER32.GetDC (77D48697)
004062C8  [.] 004062C8 -> USER32.GetDCEx (77D4F21D)
004062D0  [.] 004062D0 -> USER32.GetDesktopWindow (77D4D7BB)
004062D8  [.] 004062D8 -> USER32.GetFocus (77D4C640)
004062E0  [.] 004062E0 -> USER32.GetForegroundWindow (77D4C4AE)
004062E8  [.] 004062E8 -> USER32.GetIconInfo (77D4E9A1)
004062F0  [.] 004062F0 -> USER32.GetKeyNameTextA (77D7F3D4)
004062F8  [.] 004062F8 -> USER32.GetKeyState (77D4C379)
00406300  [.] 00406300 -> USER32.GetKeyboardLayout (77D4C43C)
00406308  [.] 00406308 -> USER32.GetKeyboardLayoutList (77D4BF8B)
00406310  [.] 00406310 -> USER32.GetKeyboardState (77D4EF35)
00406318  [.] 00406318 -> USER32.GetLastActivePopup (77D64E3E)
00406320  [.] 00406320 -> USER32.GetMenu (77D6EABE)
00406328  [.] 00406328 -> USER32.GetMenuItemCount (77D5375B)
00406330  [.] 00406330 -> USER32.GetMenuItemID (77D7EEE8)
00406338  [.] 00406338 -> USER32.GetMenuItemInfoA (77D538EC)
00406340  [.] 00406340 -> USER32.GetMenuState (77D6749F)
00406348  [.] 00406348 -> USER32.GetMenuStringA (77D7EF6E)
00406350  [.] 00406350 -> USER32.GetWindow (77D4C298)
00406358  [.] 00406358 -> USER32.GetParent (77D4B5D7)
00406360  [.] 00406360 -> USER32.GetPropA (77D4EE3C)
00406368  [.] 00406368 -> USER32.GetScrollInfo (77D53A2F)
00406370  [.] 00406370 -> USER32.GetScrollPos (77D4F66F)
00406378  [.] 00406378 -> USER32.GetScrollRange (77D4F7B7)
00406380  [.] 00406380 -> USER32.GetSubMenu (77D5355A)
00406388  [.] 00406388 -> USER32.GetSysColor (77D48E50)
00406390  [.] 00406390 -> USER32.GetSysColorBrush (77D48E83)
00406398  [.] 00406398 -> USER32.GetSystemMenu (77D4E7B8)
004063A0  [.] 004063A0 -> USER32.GetSystemMetrics (77D48F75)
004063A8  [.] 004063A8 -> USER32.GetTopWindow (77D4D16F)
004063B0  [.] 004063B0 -> USER32.GetWindow (77D4C298)
004063B8  [.] 004063B8 -> USER32.GetWindowDC (77D48FF9)
004063C0  [.] 004063C0 -> USER32.GetWindowLongA (77D4947C)
004063C8  [.] 004063C8 -> USER32.GetWindowPlacement (77D4EB14)
004063D0  [.] 004063D0 -> USER32.GetWindowRect (77D4B57C)
004063D8  [.] 004063D8 -> USER32.GetWindowTextA (77D6F82E)
004063E0  [.] 004063E0 -> USER32.GetWindowThreadProcessId (77D48A58)
004063E8  [.] 004063E8 -> USER32.GetWindowThreadProcessId (77D48A58)
004063F0  [.] 004063F0 -> USER32.InflateRect (77D4C64D)
004063F8  [.] 004063F8 -> USER32.InsertMenuA (77D64F9A)
00406400  [.] 00406400 -> USER32.InsertMenuItemA (77D7F430)
00406408  [.] 00406408 -> USER32.IntersectRect (77D4B3E7)
00406410  [.] 00406410 -> USER32.InvalidateRect (77D4B49D)
00406418  [.] 00406418 -> USER32.IsChild (77D4BEF3)
00406420  [.] 00406420 -> USER32.IsDialogMessageA (77D65C98)
00406428  [.] 00406428 -> USER32.IsIconic (77D4C48A)
00406430  [.] 00406430 -> USER32.IsRectEmpty (77D4C676)
00406438  [.] 00406438 -> USER32.IsWindow (77D4B7DB)
00406440  [.] 00406440 -> USER32.IsWindowEnabled (77D4C592)
00406448  [.] 00406448 -> USER32.IsWindowVisible (77D4BD8E)
00406450  [.] 00406450 -> USER32.IsZoomed (77D4D420)
00406458  [.] 00406458 -> USER32.KillTimer (77D48C1A)
00406460  [.] 00406460 -> USER32.LoadBitmapA (77D567A8)
00406468  [.] 00406468 -> USER32.LoadCursorA (77D4E8FA)
00406470  [.] 00406470 -> USER32.LoadIconA (77D521AE)
00406478  [.] 00406478 -> USER32.LoadKeyboardLayoutA (77D85F3B)
00406480  [!] 00406480 -> TRACING FAILED...
00406488  [.] 00406488 -> USER32.MapVirtualKeyA (77D503E9)
00406490  [.] 00406490 -> USER32.MapWindowPoints (77D4B9D7)
00406498  [.] 00406498 -> USER32.MessageBoxA (77D8050B)
004064A0  [.] 004064A0 -> USER32.OemToCharA (77D6ECF2)
004064A8  [.] 004064A8 -> USER32.OffsetRect (77D4B4D9)
004064B0  [.] 004064B0 -> USER32.PeekMessageA (77D4CEFD)
004064B8  [.] 004064B8 -> USER32.PostMessageA (77D4DB62)
004064C0  [.] 004064C0 -> USER32.PostQuitMessage (77D6EDEB)
004064C8  [.] 004064C8 -> USER32.PtInRect (77D4C531)
004064D0  [.] 004064D0 -> USER32.RedrawWindow (77D4C6BC)
004064D8  [.] 004064D8 -> USER32.RegisterClassA (77D52316)
004064E0  [.] 004064E0 -> USER32.RegisterWindowMessageA (77D48E00)
004064E8  [.] 004064E8 -> USER32.RegisterWindowMessageA (77D48E00)
004064F0  [.] 004064F0 -> USER32.ReleaseCapture (77D4C9A4)
004064F8  [.] 004064F8 -> USER32.ReleaseDC (77D4866D)
00406500  [.] 00406500 -> USER32.RemoveMenu (77D6724D)
00406508  [.] 00406508 -> USER32.RemovePropA (77D4EEA2)
00406510  [.] 00406510 -> USER32.ScreenToClient (77D4C5B8)
00406518  [.] 00406518 -> USER32.ScrollWindow (77D50438)
00406520  [.] 00406520 -> USER32.SendMessageA (77D4E2AE)
00406528  [.] 00406528 -> USER32.SetActiveWindow (77D55380)
00406530  [.] 00406530 -> USER32.SetCapture (77D4C988)
00406538  [.] 00406538 -> USER32.SetClassLongA (77D501DB)
00406540  [.] 00406540 -> USER32.SetCursor (77D4C6A8)
00406548  [.] 00406548 -> USER32.SetFocus (77D4E5DC)
00406550  [.] 00406550 -> USER32.SetForegroundWindow (77D566A7)
00406558  [.] 00406558 -> USER32.SetMenu (77D7F116)
00406560  [.] 00406560 -> USER32.SetMenuItemInfoA (77D9AA06)
00406568  [.] 00406568 -> USER32.SetParent (77D4FDAE)
00406570  [.] 00406570 -> USER32.SetPropA (77D4EDFA)
00406578  [.] 00406578 -> USER32.SetRect (77D4B46E)
00406580  [.] 00406580 -> USER32.SetScrollInfo (77D4902C)
00406588  [.] 00406588 -> USER32.SetScrollPos (77D4F780)
00406590  [.] 00406590 -> USER32.SetScrollRange (77D4F6BB)
00406598  [.] 00406598 -> USER32.SetTimer (77D48C06)
004065A0  [.] 004065A0 -> USER32.SetWindowLongA (77D4DED3)
004065A8  [.] 004065A8 -> USER32.SetWindowPlacement (77D6FBEA)
004065B0  [.] 004065B0 -> USER32.SetWindowPos (77D4C78E)
004065B8  [.] 004065B8 -> USER32.SetWindowTextA (77D4DC5A)
004065C0  [.] 004065C0 -> USER32.SetWindowsHookExA (77D702B2)
004065C8  [.] 004065C8 -> USER32.ShowCursor (77D4D787)
004065D0  [.] 004065D0 -> USER32.ShowOwnedPopups (77D85EBF)
004065D8  [.] 004065D8 -> USER32.ShowScrollBar (77D50142)
004065E0  [.] 004065E0 -> USER32.ShowWindow (77D4D4DE)
004065E8  [.] 004065E8 -> USER32.SystemParametersInfoA (77D50554)
004065F0  [.] 004065F0 -> USER32.TrackPopupMenu (77D94F16)
004065F8  [.] 004065F8 -> USER32.TranslateMDISysAccel (77D4FE8E)
00406600  [.] 00406600 -> USER32.TranslateMessage (77D48BCE)
00406608  [.] 00406608 -> USER32.UnhookWindowsHookEx (77D6F29F)
00406610  [.] 00406610 -> USER32.UnregisterClassA (77D6E438)
00406618  [.] 00406618 -> USER32.UpdateWindow (77D4C064)
00406620  [.] 00406620 -> USER32.WaitMessage (77D493E9)
00406628  [.] 00406628 -> USER32.WinHelpA (77D650CF)
00406630  [.] 00406630 -> USER32.WindowFromPoint (77D4C57E)
          Done

Tracing failed for 8 imports. I have checked them and those imports are all emulated. These must be recovered manually, and this is where I decided to stop.

For the final step, we can add a new section to the exe. Another script would write the imported function addresses there. Next, we can use Scylla to create a new IAT, dump & fix, and that should hopefully be the end.

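The jump-following that the script above performs, as an added example in Python (not the gist linked in the post): it models an IAT whose slots point at protector stubs that reach the real API through jmp short, jmp near and jmp dword ptr [addr] hops, and reports a slot as TRACING FAILED when the chain ends in non-jump code (the emulated imports) or loops. The memory layout, stub addresses and slot contents are constructed; the slot addresses and export addresses are taken from the log.

```python
# Added example (not the thread's pycommand): resolve redirected imports by
# following the x86 jump chain behind each IAT slot. Memory layout, stub
# addresses and slot pointers are constructed; the API and slot addresses
# come from the log posted above.
import struct

API_MAP = {                       # export address -> name, as in the log
    0x7C812CA9: "kernel32.GetStdHandle",
    0x7C81EAE1: "kernel32.RaiseException",
}
THUNKS = [0x004011F4, 0x004011FC, 0x00401204, 0x0040120C]   # IAT slots


def build_memory():
    """Constructed flat memory image {address: byte} with four stub shapes."""
    mem = {}

    def put(addr, data):
        for i, b in enumerate(data):
            mem[addr + i] = b

    def rel32(src, dst):          # displacement for a 5-byte E9 jmp at src
        return struct.pack("<i", dst - (src + 5))

    # IAT slots hold pointers into the protector's stubs.
    put(0x004011F4, struct.pack("<I", 0x00500000))   # -> stub A
    put(0x004011FC, struct.pack("<I", 0x00500100))   # -> stub B
    put(0x00401204, struct.pack("<I", 0x00500200))   # -> stub C
    put(0x0040120C, struct.pack("<I", 0x00500300))   # -> stub D
    # Stub A: jmp short -> jmp near -> jmp dword ptr [ptr] -> GetStdHandle
    put(0x00500000, b"\xEB\x03\x90\x90\x90")          # jmp short 0x00500005
    put(0x00500005, b"\xE9" + rel32(0x00500005, 0x00510000))
    put(0x00510000, b"\xFF\x25" + struct.pack("<I", 0x00520000))
    put(0x00520000, struct.pack("<I", 0x7C812CA9))
    # Stub B: one jmp near straight onto RaiseException.
    put(0x00500100, b"\xE9" + rel32(0x00500100, 0x7C81EAE1))
    # Stub C: emulated import, no jump at all (pushad; pushfd ...).
    put(0x00500200, b"\x60\x9C")
    # Stub D: jmp near onto itself; the resolver must not spin on the cycle.
    put(0x00500300, b"\xE9" + rel32(0x00500300, 0x00500300))
    return mem


def read(mem, addr, n):
    """Return n bytes at addr, or None if any byte is unmapped."""
    try:
        return bytes(mem[addr + i] for i in range(n))
    except KeyError:
        return None


def step_jump(mem, addr):
    """Decode one unconditional jmp at addr and return its target, else None."""
    op = read(mem, addr, 2)
    if op is None:
        return None
    if op[0] == 0xEB:                                 # jmp short rel8
        return addr + 2 + struct.unpack("<b", op[1:2])[0]
    if op[0] == 0xE9:                                 # jmp near rel32
        raw = read(mem, addr + 1, 4)
        return None if raw is None else addr + 5 + struct.unpack("<i", raw)[0]
    if op == b"\xFF\x25":                             # jmp dword ptr [abs32]
        raw = read(mem, addr + 2, 4)
        ptr = None if raw is None else read(mem, struct.unpack("<I", raw)[0], 4)
        return None if ptr is None else struct.unpack("<I", ptr)[0]
    return None


def resolve(mem, slot, api_map, max_hops=16):
    """Follow the chain behind one IAT slot; (api_addr, name) or (None, None)."""
    raw = read(mem, slot, 4)
    cur, seen = (None if raw is None else struct.unpack("<I", raw)[0]), set()
    for _ in range(max_hops):
        if cur is None or cur in seen:    # unmapped, not a jump, or a cycle
            break
        if cur in api_map:
            return cur, api_map[cur]
        seen.add(cur)
        cur = step_jump(mem, cur)
    return None, None


def rebuild(mem, slots, api_map):
    """Log lines in the shape of the thread's script output."""
    out = []
    for slot in slots:
        addr, name = resolve(mem, slot, api_map)
        out.append("[!] %08X -> TRACING FAILED..." % slot if name is None
                   else "[.] %08X -> %s (%08X)" % (slot, name, addr))
    return out
```

Stubs C and D are the two shapes that defeat plain jump-following, which is why the real script reports some slots as failed and those have to be handled by hand.
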
GIV

For imports, a good starting point is the GetProcAddress API.

A nice feature of this protector is stolen resources. I don't know if this file uses that feature. I haven't checked yet and I don't know if I will (I'm going on a short vacation ATM).

SHADOW_UA

@Extreme Coders

Nice job. But you forgot about resources. They're stolen by the protector.

Basically, you need to stop on the emulated LoadResource, run till the return of the function and dump the contents of the EAX pointer. You can get the size of the resource by breaking on the emulated SizeofResource.

Attached unpacked file.

Demo_unpacked.zip

cob_258

@Extreme Coders: for the final step, after recovering the correct APIs and adding a new section or finding a code cave, use Universal Import Fixer; it will convert direct jumps to jmp dword ptr [xxxx].
