Posted May 14, 2016

Difficulty: 5
Language: Delphi
Platform: Windows x86
OS Version: XP and above
Packer / Protector: Safengine Licensor 2.3.7.0

Description: We need to do an HWID patch or unpack it. Password - unpackme

Screenshot: unpackme
Safengine Licensor 2.3.7.0.rar

Edited May 22, 2016 by converse
May 16, 2016

OEP: 44ca99. Also need to add "push ebp" at 44ca98 and set the new origin on it before dumping.

To fix the IAT, use the script from here by L4Nce. But we need to fix it for our target (correct addresses). Note that you must handle CreateThread manually.

To dump the resource (RCDATA), just stop on LoadResource and dump it. SizeOfResource just after it will tell you its size.

To patch the HWID, we need to stop on the emulated RegQueryValueExA (the string SystemBiosVersion will be in eax). After that, before the second break, you can find the HWID in memory (byte representation of the base64 HWID). Just search for it. We need to patch it BEFORE the second break. Restart the target and, after the first break, place a hardware breakpoint on write on the last byte of where it was located in memory and replace it with a valid one.

Unpacked file attached: project1_se_dump_.zip
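The first fix in the post above (write "push ebp" at 44ca98 and make that address the entry point before the dump is run) carried out on the dumped file instead of in the debugger. This is an added example, not code from the thread and not the L4Nce script it refers to; it assumes a 32-bit dump whose section headers describe the file layout (PointerToRawData/SizeOfRawData, as a dumper writes them) and reads ImageBase from the dump's own header. The image it builds in build_test_image() is a constructed stand-in with base 0x400000 and one section, not the unpackme.

```python
"""Set the OEP of a dumped PE and restore the stolen `push ebp` byte.

Added example (not the thread's or L4Nce's script). Works on the dumped file:
it writes 0x55 (`push ebp`) at the given VA and points AddressOfEntryPoint at
it, which gives the same result as adding the instruction in the debugger and
setting the new origin before dumping. Assumes a PE32 dump whose section
headers describe the file layout and takes ImageBase from the optional header.
"""
import struct

PUSH_EBP = b"\x55"            # x86 opcode of `push ebp`
NEW_OEP_VA = 0x44CA98         # from the post: push ebp goes here, dump continues at 0x44CA99


def nt_headers_offset(pe: bytes) -> int:
    """Validate MZ/PE signatures and the PE32 magic, return e_lfanew."""
    if pe[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    if struct.unpack_from("<H", pe, e_lfanew + 24)[0] != 0x10B:
        raise ValueError("not a PE32 (32-bit) image")
    return e_lfanew


def image_base(pe: bytes) -> int:
    # ImageBase sits at optional-header offset 28 in PE32
    return struct.unpack_from("<I", pe, nt_headers_offset(pe) + 24 + 28)[0]


def entry_point_rva(pe: bytes) -> int:
    # AddressOfEntryPoint sits at optional-header offset 16
    return struct.unpack_from("<I", pe, nt_headers_offset(pe) + 24 + 16)[0]


def sections(pe: bytes):
    """Yield (VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData) per section."""
    nt = nt_headers_offset(pe)
    count = struct.unpack_from("<H", pe, nt + 6)[0]
    opt_size = struct.unpack_from("<H", pe, nt + 20)[0]
    table = nt + 24 + opt_size
    for i in range(count):
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", pe, table + i * 40 + 8)
        yield va, vsize, rawptr, rawsize


def va_to_file_offset(pe: bytes, va: int) -> int:
    """Map a VA to a file offset through the section table of the dump."""
    rva = va - image_base(pe)
    for sec_va, vsize, rawptr, rawsize in sections(pe):
        if sec_va <= rva < sec_va + max(vsize, rawsize):
            return rawptr + (rva - sec_va)
    raise ValueError(f"VA {va:#x} is not inside any section of the dump")


def fix_oep(pe: bytes, new_oep_va: int = NEW_OEP_VA) -> bytes:
    """Return a copy of the dump with `push ebp` at new_oep_va and the entry point set to it."""
    out = bytearray(pe)
    off = va_to_file_offset(pe, new_oep_va)
    out[off:off + 1] = PUSH_EBP
    struct.pack_into("<I", out, nt_headers_offset(pe) + 24 + 16, new_oep_va - image_base(pe))
    return bytes(out)


def build_test_image() -> bytes:
    """Constructed minimal PE32 standing in for the dump (NOT the unpackme):
    image base 0x400000, one section at RVA 0x4C000 so that 0x44CA98 lies in it,
    entry point still at 0x44CA99 as a dumper that stopped on the OEP would leave it."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                          # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)  # i386, one section
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                            # PE32 magic
    struct.pack_into("<I", opt, 16, 0x4CA99)                         # AddressOfEntryPoint (RVA)
    struct.pack_into("<I", opt, 28, 0x400000)                        # ImageBase
    sec = struct.pack("<8sIIIIIIHHI", b".text\0\0\0", 0x1000, 0x4C000,
                      0x1000, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec).ljust(0x200, b"\0")
    body = bytearray(b"\x90" * 0x1000)                               # section filler
    body[0xA99:0xA9B] = b"\x8b\xec"                                  # `mov ebp,esp` at 0x44CA99
    return headers + bytes(body)


if __name__ == "__main__":
    dump = build_test_image()
    fixed = fix_oep(dump)
    print(f"EP RVA {entry_point_rva(dump):#x} -> {entry_point_rva(fixed):#x}")
    off = va_to_file_offset(fixed, NEW_OEP_VA)
    print("bytes at new OEP:", fixed[off:off + 3].hex())            # 558bec
```

On a real dump call fix_oep(open(path, "rb").read()) and write the result back. If the code dumped from 44ca99 begins with mov ebp,esp (8B EC), as a normal prologue would, the three bytes at 44ca98 read 55 8B EC afterwards; the IAT, CreateThread and the RCDATA resource from the post still have to be handled separately.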
May 16, 2016 (Author)

8 hours ago, SHADOW_UA said: To fix the IAT, use the script from here by L4Nce.

Details please.
May 18, 2016

An easy way to obtain all the valid IAT entries: trace into its VM shell and stop at VA 004C2D67; eax holds the API address that was just obtained.

004C2D67  /EB 45            jmp short 004C2DAE    ; --< Real magic jmp at VA 004C1F7B: modify the ZF value to 1 or just patch it to "jmp"
004C1F7B  ^\0F84 7216FBFF   je 004735F3           ; --< magic jump

Alternative way: the API emulation address is at VA 004C2157; nop this instruction if you prefer.

004C2157  03C6              add eax,esi

So this is your answer about that PM.
May 21, 2016

Magic jump: a large part of the IAT table can be seen being written and emulated by the API. Once it is dealt with, very little of the IAT remains to be repaired.
April 8, 2017

On 2016/5/16 at 4:54 PM, SHADOW_UA said:
OEP: 44ca99. Also need to add "push ebp" at 44ca98 and set the new origin on it before dumping. To fix the IAT, use the script from here by L4Nce. But we need to fix it for our target (correct addresses). Note that you must handle CreateThread manually. To dump the resource (RCDATA), just stop on LoadResource and dump it. SizeOfResource just after it will tell you its size. To patch the HWID, we need to stop on the emulated RegQueryValueExA (the string SystemBiosVersion will be in eax). After that, before the second break, you can find the HWID in memory (byte representation of the base64 HWID). Just search for it. We need to patch it BEFORE the second break. Restart the target and, after the first break, place a hardware breakpoint on write on the last byte of where it was located in memory and replace it with a valid one. Unpacked file attached: project1_se_dump_.zip

@SHADOW_UA The file link for project1_se_dump_.zip seems broken. Can you resend the file? And can you give me the script for fixing the IAT? Thank you.