Exetools (https://forum.exetools.com/index.php)
-   General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)
-   -   private exe protector unpacking? (https://forum.exetools.com/showthread.php?t=19446)

evlncrn8 03-04-2020 03:25

And what's the value of the byte @ ebp-1? That seems somewhat critical.

h4sh3m 03-04-2020 03:37

Can you share your target (max 50 MB)?

0xall0c 03-04-2020 03:50

https://www78.zippyshare.com/v/CHp4KO0m/file.html

here

0xall0c 03-04-2020 03:56

Quote:

Originally Posted by evlncrn8 (Post 119468)
And what's the value of the byte @ ebp-1? That seems somewhat critical.

I tried changing it to zero, still the same direct exit!

Also, that value is written by the above function: edx is treated as a pointer to that location, and a value is being copied there from another location.

h4sh3m 03-04-2020 04:18

Quote:

Originally Posted by 0xall0c (Post 119470)

Needs password ;)

0xall0c 03-04-2020 04:21

Quote:

Originally Posted by h4sh3m (Post 119472)
Needs password ;)

12345 is the password

h4sh3m 03-04-2020 04:47

Did you try to run your debugger as admin?

0xall0c 03-04-2020 04:51

Nope, I don't have a reason to do so, do I?

h4sh3m 03-04-2020 06:05

Quote:

0100A060 | E8 3F 66 FC FF | call <wartrc2.RegCreateKeyExW> |
returns non-zero and will exit silently :|
You just need to debug the file carefully to find out the solution; you need to look after the decryption function for the next step ;) (you have all the needed info to reach the OEP).

0xall0c 03-04-2020 06:39

I am not running inside a VM, and I don't know whether the key has already been created; this API is not being called (can you tell me the key path so I can delete it?). Also, do I have to return 0 in eax and in ebp-1?

Also, I am getting an access violation if I return all 0 from the pattern function... strange!

0xall0c 03-04-2020 15:42

So I think this is doing something like XORing the first byte at the address where the exception is occurring, and because registration is bypassed by XORing but our licence is still invalid, I get the exception?

Also, this is wrapped in a loop, and later one more loop decrypts another function!!
Don't know how I can validate the licence keys!

here:

Code:

push ebx
mov ebx,dword ptr ds:[eax]        ; dword 0 of the source block (eax)
xor ebx,dword ptr ds:[edx]        ; xor with dword 0 of the key block (edx)
mov dword ptr ds:[ecx],ebx        ; store dword 0 of the destination (ecx)
mov ebx,dword ptr ds:[eax+4]      ; dword 1
xor ebx,dword ptr ds:[edx+4]
mov dword ptr ds:[ecx+4],ebx
mov ebx,dword ptr ds:[eax+8]      ; dword 2
xor ebx,dword ptr ds:[edx+8]
mov dword ptr ds:[ecx+8],ebx
mov eax,dword ptr ds:[eax+C]      ; dword 3, done in eax itself (eax is not needed afterwards)
xor eax,dword ptr ds:[edx+C]
mov dword ptr ds:[ecx+C],eax
pop ebx                           ; ebx preserved, eax clobbered
ret

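To make the posted routine easier to read, here is its C equivalent. This is an added example, not code from the thread or from the protector; the sample block and key are constructed, and the function name `xor_block16` is mine. It also shows why the routine is its own inverse (XOR twice with the same key restores the input) and why all three pointers must cover a full 16 bytes.

```c
#include <stdint.h>
#include <string.h>
#include <stddef.h>
#include <stdio.h>

/* C equivalent of the posted routine: eax -> input block, edx -> key block,
 * ecx -> output block. Each dword of the input is XORed with the matching
 * dword of the key and stored. Exactly 16 bytes are read from each input and
 * 16 bytes are written to the output, so every pointer must cover a whole
 * 16-byte block; an unmapped or short buffer at ecx faults on the first store. */
void xor_block16(uint8_t *out, const uint8_t *in, const uint8_t *key)
{
    for (size_t off = 0; off < 16; off += 4) {
        uint32_t a, k, r;
        memcpy(&a, in + off, sizeof a);   /* mov ebx, [eax+off] */
        memcpy(&k, key + off, sizeof k);  /* xor ebx, [edx+off] */
        r = a ^ k;
        memcpy(out + off, &r, sizeof r);  /* mov [ecx+off], ebx */
    }
}

/* Constructed sample input ("ABCDEFGHIJKLMNOP") and key; not from any target. */
static const uint8_t sample_in[16] = {
    0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48,
    0x49, 0x4A, 0x4B, 0x4C, 0x4D, 0x4E, 0x4F, 0x50
};
static const uint8_t sample_key[16] = {
    0xFF, 0x00, 0xFF, 0x00, 0xFF, 0x00, 0xFF, 0x00,
    0xFF, 0x00, 0xFF, 0x00, 0xFF, 0x00, 0xFF, 0x00
};

/* XOR is its own inverse: running the routine a second time with the same
 * key restores the input. Returns 1 when the round trip succeeds, else 0. */
int xor_block16_roundtrip(void)
{
    uint8_t enc[16], dec[16];
    xor_block16(enc, sample_in, sample_key);
    xor_block16(dec, enc, sample_key);
    return memcmp(dec, sample_in, sizeof dec) == 0;
}

/* Spot check on the transformed sample: byte 0 is 0x41 ^ 0xFF = 0xBE,
 * byte 1 is 0x42 ^ 0x00 = 0x42 (a zero key byte leaves the input unchanged). */
int xor_block16_byte(size_t idx)
{
    uint8_t enc[16];
    xor_block16(enc, sample_in, sample_key);
    return idx < sizeof enc ? enc[idx] : -1;
}

int main(void)
{
    printf("round trip ok: %d, byte0=0x%02X, byte1=0x%02X\n",
           xor_block16_roundtrip(), xor_block16_byte(0), xor_block16_byte(1));
    return 0;
}
```

The comments on the right map each C statement back to the instruction in the posted block; note that the last dword is done in eax rather than ebx, so eax is clobbered on return while ebx is preserved by the push/pop pair.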

0xall0c 03-04-2020 20:38

Is 0x4c00000 the OEP?

0xall0c 03-05-2020 19:12

My progress till now in Python x64dbg:


Code:

from x64dbgpy import pluginsdk
from x64dbgpy.pluginsdk._scriptapi import module
from x64dbgpy.pluginsdk._scriptapi import memory
from x64dbgpy.pluginsdk._scriptapi import pattern
from x64dbgpy.pluginsdk._scriptapi import register

# byte pattern of the function in question (? = wildcard nibble)
PEP_425_REG = "B? ?? ?? ?? ?? E8 ?? ?? 00 00 0F B6 ?? ?? 5? 5? C2 10 00"

# run up to the first call of CompareStringW, then drop that breakpoint again
addr = pluginsdk.RemoteGetProcAddress('kernel32.dll', 'CompareStringW')
pluginsdk.Run()
pluginsdk.Run()
pluginsdk.SetBreakpoint(addr)
pluginsdk.Run()
pluginsdk.DeleteBreakpoint(addr)

# search the whole main module for the pattern
pattern_location = pattern.FindMem(module.GetMainModuleBase(), module.GetMainModuleSize(), PEP_425_REG)

# offset 10 in the match is the movzx (0F B6 ...) that loads the byte into eax
setEaxAddress = pattern_location + 10

pluginsdk.SetHardwareBreakpoint(setEaxAddress, pluginsdk.HardwareType.HardwareExecute)
pluginsdk.Run()

# called 14 times, if ebp-1 set to 0
for i in range(13):
    memory.WriteByte(register.GetEBP() - 1, 0)
    pluginsdk.Run()

pluginsdk.DeleteHardwareBreakpoint(setEaxAddress)

# now it will jump to oep 0x4c0000


0xall0c 03-06-2020 02:22

Quote:

Originally Posted by evlncrn8 (Post 119468)
And what's the value of the byte @ ebp-1? That seems somewhat critical.

Yes it was. Can you give some more hints?

0xall0c 03-06-2020 02:35

The previous OEP is wrong; I am very sure it is 0x004BF9C0, but it still contains all 0s. It's hard!
