• 0
gholam.illidan

UnpackMe by h4sh3m

Question

Difficulty : 4/10
Language : .NET
Platform : Windows
OS Version : All
Packer / Protector : Find Out

Description :

Fully unpack the the .EXE file (not the dll!!!).

Please provide details on how you managed to unpack it.

Screenshot :

ss.png

 

UnpackMe.rar

1 person likes this

Share this post


Link to post
Share on other sites

13 answers to this question

  • 1

file doesnt run for me windows 10 

Share this post


Link to post
Share on other sites
  • 1

antivirus detect VMProtect

Share this post


Link to post
Share on other sites
  • 1

RaiseException  ......................   I do't can unpack    Exception handling

 

BP [Logger.dll+EBD11]

[esp+18] *date

[esp+1c] Len

[esp+20] OLD

copy

 

00 28 3D 00 00 0A 00 16 28 3E 00 00 0A 00 73 01 00 00 06 28 3F 00 00 0A 00 2A

02 14 7D 01 00 00 04 02 28 10 00 00 0A 00 00 02 28 05 00 00 06 00 00 2A

00 02 73 20 00 00 0A 7D 02 00 00 04 02 73 21 00 00 0A 7D 03 00 00 04 02 73 22 00 00 0A 7D 04 00
00 04 02 73 21 00 00 0A 7D 05 00 00 04 02 73 22 00 00 0A 7D 06 00 00 04 02 28 23 00 00 0A 00 02
7B 02 00 00 04 1F 0C 1F 5A 73 24 00 00 0A 6F 25 00 00 0A 00 02 7B 02 00 00 04 72 4F 00 00 70 6F
26 00 00 0A 00 02 7B 02 00 00 04 1F 4B 1F 17 73 27 00 00 0A 6F 28 00 00 0A 00 02 7B 02 00 00 04
16 6F 29 00 00 0A 00 02 7B 02 00 00 04 72 5F 00 00 70 6F 2A 00 00 0A 00 02 7B 02 00 00 04 17 6F
2B 00 00 0A 00 02 7B 02 00 00 04 02 FE 06 03 00 00 06 73 2C 00 00 0A 6F 2D 00 00 0A 00 02 7B 03
00 00 04 17 6F 2E 00 00 0A 00 02 7B 03 00 00 04 1F 0C 1F 09 73 24 00 00 0A 6F 25 00 00 0A 00 02
7B 03 00 00 04 72 6B 00 00 70 6F 26 00 00 0A 00 02 7B 03 00 00 04 1F 29 1F 0D 73 27 00 00 0A 6F
28 00 00 0A 00 02 7B 03 00 00 04 17 6F 29 00 00 0A 00 02 7B 03 00 00 04 72 79 00 00 70 6F 2A 00
00 0A 00 02 7B 04 00 00 04 1F 0C 1F 19 73 24 00 00 0A 6F 25 00 00 0A 00 02 7B 04 00 00 04 72 87
00 00 70 6F 26 00 00 0A 00 02 7B 04 00 00 04 20 58 01 00 00 1F 14 73 27 00 00 0A 6F 28 00 00 0A
00 02 7B 04 00 00 04 18 6F 29 00 00 0A 00 02 7B 05 00 00 04 17 6F 2E 00 00 0A 00 02 7B 05 00 00
04 1F 0C 1F 30 73 24 00 00 0A 6F 25 00 00 0A 00 02 7B 05 00 00 04 72 99 00 00 70 6F 26 00 00 0A
00 02 7B 05 00 00 04 1F 2B 1F 0D 73 27 00 00 0A 6F 28 00 00 0A 00 02 7B 05 00 00 04 19 6F 29 00
00 0A 00 02 7B 05 00 00 04 72 A7 00 00 70 6F 2A 00 00 0A 00 02 7B 06 00 00 04 1F 0C 1F 40 73 24
00 00 0A 6F 25 00 00 0A 00 02 7B 06 00 00 04 72 BB 00 00 70 6F 26 00 00 0A 00 02 7B 06 00 00 04
20 58 01 00 00 1F 14 73 27 00 00 0A 6F 28 00 00 0A 00 02 7B 06 00 00 04 1A 6F 29 00 00 0A 00 02
22 00 00 C0 40 22 00 00 50 41 73 2F 00 00 0A 28 30 00 00 0A 00 02 17 28 31 00 00 0A 00 02 20 70
01 00 00 1F 78 73 27 00 00 0A 28 32 00 00 0A 00 02 28 33 00 00 0A 02 7B 06 00 00 04 6F 34 00 00
0A 00 02 28 33 00 00 0A 02 7B 05 00 00 04 6F 34 00 00 0A 00 02 28 33 00 00 0A 02 7B 04 00 00 04
6F 34 00 00 0A 00 02 28 33 00 00 0A 02 7B 03 00 00 04 6F 34 00 00 0A 00 02 28 33 00 00 0A 02 7B
02 00 00 04 6F 34 00 00 0A 00 02 17 28 35 00 00 0A 00 02 16 28 36 00 00 0A 00 02 16 28 37 00 00
0A 00 02 72 CD 00 00 70 28 26 00 00 0A 00 02 17 28 38 00 00 0A 00 02 72 D9 00 00 70 6F 2A 00 00
0A 00 02 16 28 39 00 00 0A 00 02 28 3A 00 00 0A 00 2A


00 28 16 00 00 0A 0A 72 07 00 00 70 02 7B 04 00 00 04 6F 17 00 00 0A 28 18 00 00 0A 0B 28 19 00
00 0A 07 6F 1A 00 00 0A 0C 02 7B 06 00 00 04 6F 17 00 00 0A 06 08 6F 1B 00 00 0A 28 02 00 00 06
28 1C 00 00 0A 16 FE 01 0D 09 2D 0B 72 1B 00 00 70 28 1D 00 00 0A 26 2A


00 02 14 FE 01 16 FE 01 0D 09 2D 04 14 0C 2B 5A 02 8E 69 16 FE 01 16 FE 01 0D 09 2D 08 7E 11 00
00 0A 0C 2B 45 73 12 00 00 0A 0A 00 02 13 04 16 13 05 2B 21 11 04 11 05 91 0B 00 06 12 01 72 01
00 00 70 28 13 00 00 0A 6F 14 00 00 0A 26 00 11 05 17 58 13 05 11 05 11 04 8E 69 FE 04 0D 09 2D
D3 06 6F 15 00 00 0A 0C 2B 00 08 2A


PATCH  CrackMe   2A2A2A2A2........

 

CrackMe_unpack.7z

my poor english...

用中国话叙述一遍.  对[Logger.dll+EBD11] 的地方下断点.观察堆栈..发现 可疑地址.偏移上边给了 前两个是新的数据. 后边+20的地址是 调用原始地址的指针.结构同前两个.. 都保存出来 然后跑完 粘贴回去..就是正常代码了..  

1 person likes this

Share this post


Link to post
Share on other sites
  • 0

Also did not run my side.

Share this post


Link to post
Share on other sites
  • 0
Just now, Perplex said:

Also did not run my side.

+++

Share this post


Link to post
Share on other sites
  • 0
2 hours ago, cawk said:

file doesnt run for me windows 10 

the obfuscator is not yet compatible with all windows versions (it definitely works in Win XP)

 

1 hour ago, converse said:

antivirus detect VMProtect

the dll is protected with VMP, but its not important since the target is the EXE file

Share this post


Link to post
Share on other sites
  • 0
2 hours ago, gholam.illidan said:

the obfuscator is not yet compatible with all windows versions (it definitely works in Win XP)

 

the dll is protected with VMP, but its not important since the target is the EXE file

ah okay im out then since i have no desire to set up a vm in xp

Share this post


Link to post
Share on other sites
  • 0

Hi

@gholam.illidan, I don't know you but according your posts you should be @safengine with duplicate account !!!

and about unpack me : file tested on win xp x86 and win7 x64 and work correctly, incompatibilities (in win 10 and/or win8) is just because of VMP 2.x (improved version + vmp 3 works on win 10 too).

 

 

Best Regards,

h4sh3m

Share this post


Link to post
Share on other sites
  • 0

I've tried on Win7 x86/x64 not work.

Share this post


Link to post
Share on other sites
  • 0
4 minutes ago, Perplex said:

I've tried on Win7 x86/x64 not work.

under debugger or ...

tested on 4 ~ 5 system and works on all of them !!!

you can try this one if you like (client coded in 2 day just for test code protector and it's not final version :D ):

http://www.mediafire.com/file/x4bw6dzkw32i1kk/BlueIrisClient_CSharp.rar

pass : h4sh3m

 

 

Best Regards,

h4sh3m

Edited by h4sh3m

Share this post


Link to post
Share on other sites
  • 0

RaiseException  ......................   I do't can unpack    Exception handling

Share this post


Link to post
Share on other sites
  • 0

Hi

Thanks dear @BambooQJ, But I haven't access to your unpacked file so please upload it to other place!

 

 

Best Regards,

h4sh3m

Share this post


Link to post
Share on other sites
  • 0
2 hours ago, h4sh3m said:

谢谢亲爱的  @BambooQJ,但我没有访问您的解压缩文件,所以请上传到其他地方!

 

 

最好的祝福,

h4sh3m

https://mega.nz/#!YwUEEAiK!_PoBQvzWJb8ckcweXuHBH4puhatHF_nisoSRg4qUPOA

 

1 person likes this

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now