Exetools

Exetools (https://forum.exetools.com/index.php)
-   General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)
-   -   private exe protector unpacking? (https://forum.exetools.com/showthread.php?t=19446)

0xall0c 02-29-2020 01:37

private exe protector unpacking?
 
hello everyone,

I was looking at a binary protected with Private Exe Protector; I can't find any tutorials. Can anyone push me in the right direction? If not resources, then any hints?

thank you

deepzero 02-29-2020 15:18

Literally, if you enter "private exe protector manual unpacking tutorial" into Google, this is the first hit:

http://185.62.190.110/accessroot/arteam/site/download.php?view.330

It's for v3, though. Much of it also applies to v4. Don't know about v5.

0xall0c 03-02-2020 01:31

I tried; I got some references on tuts4you but not the accessroot site!

Sorry, I didn't mention the version; I was looking for v4. Thank you for the reference, though.

The PDF is about unpacking the protector, not a target packed with it?

deepzero 03-02-2020 01:47

Quote:

The PDF is about unpacking the protector, not a target packed with it?
Same thing, as the protector is protected by the protector. ;)
You will have to see how much applies to your specific target.

0xall0c 03-02-2020 01:58

Also, I reached the import resolver on my own, though!

After that I get an access violation!

0xall0c 03-02-2020 02:33

The target I have has no trial, just the nag. I don't think I will be able to reach the OEP as you mentioned in the text; what should the approach be now?

deepzero 03-03-2020 01:27

Quote:

Also, I reached the import resolver on my own, though!
Great! :)

Quote:

I don't think I will be able to reach the OEP as you mentioned in the text; what should the approach be now?
I don't know! Try any of the generic OEP detection methods out there. Then post what you tried. I doubt they are using OEP virtualization.

PM me the target, but I am on the road right now, so don't idle and count on me...

0xall0c 03-03-2020 02:45

Thanks for the gesture, man. It's OK, I will try it myself for now.

So I think there is some confusion: does PEP provide a registration dialog box or something like that? Because I have a window that says unregistered, asks to enter a user and key, and gives a reference to a HWID. I think it's coded in Delphi, but I am not sure whether it's part of the protection or the real program. Does PEP provide a licensing mechanism?

P.S. Have a safe journey, man!

deepzero 03-03-2020 03:30

Yes, PEP provides something like that, but of course the program might be providing its own form. Good luck!

0xall0c 03-03-2020 18:36

Tracing backwards from the NtTerminateProcess call, I figured out that NtContinue API calls are being used to make following the code difficult. If you came across NtContinue in PEP as any standard trick, like running a VM wrapped around NtContinue, please enlighten me!

thank you!

h4sh3m 03-03-2020 19:13

Hi

You can use these patterns:
Quote:

=============================================
Private Exe Protector 3.3.3 Bypass Reg

C6459C00E9????0000
=============================================
Private Exe Protector 4.1.2 Bypass Reg

85 C0 75 04 33 C0 EB 02 B0 01 5B 5D C2 10 00
=============================================
Private Exe Protector 4.2.5 Bypass Reg

B? ?? ?? ?? ?? E8 ?? ?? 00 00 0F B6 ?? ?? 5? 5? C2 10 00 > xor eax,eax
It's not too hard to bypass this protector's registration (as I remember), but it's not tested on newer versions.


BR,
h4sh3m
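One way to actually apply signatures like the ones above, as an added example (my code, not h4sh3m's and not anything from the protector): a scanner that understands both notations used in the post, the run-together `C6459C00E9????0000` form and the spaced form with nibble wildcards such as `B?` and `5?`, plus a same-length byte patch. The sample buffer is constructed by hand; its 4.2.5 instance is my own assembly of the tail of the listing 0xall0c posts later in the thread (the call displacement is made up), and the `xor eax,eax` write only mirrors the hint printed after the 4.2.5 pattern, so it shows how to place a patch at a matched offset, not a bypass verified against any target.

```python
"""Wildcard byte-signature scanner for the Private Exe Protector patterns
posted above. Added example; not the poster's or the protector's code.
Assumptions: SAMPLE is a constructed buffer, the 4.2.5 bytes are my own
assembly of the posted listing's tail, and the 'xor eax,eax' patch is
shown only as a same-size byte write at the matched offset."""
from typing import Dict, List, Tuple

HEX = "0123456789ABCDEF"

# The three signatures as posted (spaces optional, '?' = wildcard nibble).
PATTERNS: Dict[str, str] = {
    "3.3.3": "C6459C00E9????0000",
    "4.1.2": "85 C0 75 04 33 C0 EB 02 B0 01 5B 5D C2 10 00",
    "4.2.5": "B? ?? ?? ?? ?? E8 ?? ?? 00 00 0F B6 ?? ?? 5? 5? C2 10 00",
}


def parse_pattern(pattern: str) -> List[Tuple[int, int]]:
    """Turn a signature into (value, mask) pairs, one per byte.
    A '?' nibble clears the matching 4 bits of the mask, so 'B?' matches
    0xB0..0xBF and '??' matches any byte."""
    text = pattern.replace(" ", "").upper()
    if len(text) % 2:
        raise ValueError("signature has an odd number of hex digits")
    sig = []
    for i in range(0, len(text), 2):
        value = mask = 0
        for shift, ch in ((4, text[i]), (0, text[i + 1])):
            if ch == "?":
                continue
            if ch not in HEX:
                raise ValueError(f"bad character {ch!r} in signature")
            value |= HEX.index(ch) << shift
            mask |= 0xF << shift
        sig.append((value, mask))
    return sig


def find_pattern(data: bytes, pattern: str) -> List[int]:
    """Return every offset in data where the masked signature matches."""
    sig = parse_pattern(pattern)
    hits = []
    for off in range(len(data) - len(sig) + 1):
        if all((data[off + i] & m) == v for i, (v, m) in enumerate(sig)):
            hits.append(off)
    return hits


def patch_at(data: bytes, offset: int, new: bytes) -> bytes:
    """Overwrite bytes without changing the buffer length, so relative
    jumps and calls around the patch keep their targets."""
    if offset < 0 or offset + len(new) > len(data):
        raise ValueError("patch falls outside the buffer")
    return data[:offset] + new + data[offset + len(new):]


# Constructed sample buffer: filler, then one instance of each signature.
# The 4.2.5 instance is my assembly of 'mov ecx,1 / call rel32 /
# movzx eax,byte [ebp-1] / pop ecx / pop ebp / ret 10' (displacement invented).
SAMPLE = (
    b"\x90" * 8
    + bytes.fromhex("C6459C00E934120000")                      # 3.3.3 at 8
    + b"\xCC" * 4
    + bytes.fromhex("85C0750433C0EB02B0015B5DC21000")          # 4.1.2 at 21
    + b"\xCC" * 4
    + bytes.fromhex("B901000000E8AB0500000FB645FF595DC21000")  # 4.2.5 at 40
)

# In the 4.2.5 signature 'movzx eax, byte ptr [ebp-1]' (0F B6 ?? ??) starts
# at byte 10; 'xor eax,eax' is 2 bytes, so pad with two NOPs to keep size.
MOVZX_OFFSET = 10
XOR_EAX_EAX_PADDED = bytes.fromhex("33C09090")


def scan_and_patch(data: bytes) -> Tuple[Dict[str, List[int]], bytes]:
    """Locate every signature, then apply the 'xor eax,eax' idea from the
    post to the first 4.2.5 hit. Returns (hits per version, patched buffer)."""
    hits = {ver: find_pattern(data, pat) for ver, pat in PATTERNS.items()}
    patched = data
    for off in hits["4.2.5"][:1]:
        patched = patch_at(patched, off + MOVZX_OFFSET, XOR_EAX_EAX_PADDED)
    return hits, patched


if __name__ == "__main__":
    found, out = scan_and_patch(SAMPLE)
    for ver, offs in found.items():
        print(f"PEP {ver}: {[hex(o) for o in offs]}")
    print("patched 4.2.5 region:", out[40:59].hex(" "))
```

Matching on (value, mask) pairs rather than a regex keeps nibble wildcards exact: `5?` accepts `59` (pop ecx) and `5D` (pop ebp) but rejects `C2`, which is what lets the 4.2.5 signature survive register-allocation differences between builds while still pinning the `ret 10` epilogue.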

0xall0c 03-03-2020 19:17

OK, I will try. The target is v4; I don't know exactly which version! Will report.

0xall0c 03-03-2020 19:28

The pattern search for 4.2.5 gave me this:

Code:

push ebp
mov ebp,esp
push ecx                             ; one local: the result byte at [ebp-1]
push dword ptr ss:[ebp+14]
push dword ptr ss:[ebp+10]
push dword ptr ss:[ebp+C]
push dword ptr ss:[ebp+8]            ; forward all four arguments
call <wartrc2.sub_FDFB10>
test eax,eax
jne wartrc2.FDFF3F                   ; nonzero: take the lea/call path below
mov byte ptr ss:[ebp-1],0            ; zero: result byte = 0
jmp wartrc2.FDFF4C
lea edx,dword ptr ss:[ebp-1]         ; FDFF3F: pass &result to the callee
mov ecx,1
call <wartrc2.sub_FE04F8>
movzx eax,byte ptr ss:[ebp-1]        ; FDFF4C: return the result byte in eax
pop ecx
pop ebp
ret 10

I tried to set the eax return value to 1 but no luck. Can you explain a little bit more?

evlncrn8 03-03-2020 21:17

And setting eax to zero does...?

0xall0c 03-03-2020 22:00

No, zero makes it exit directly! No form, nothing appears. I also tried to NOP all the opcodes in the pattern, but no luck!
