Request for EZCD x86 unpack Tutorial

[Benten]

Finally the Lord heard me...

Thank you Mr. Exodia, I put a lot of effort in to learning. You coming here to help means a lot. This is the best present ever. Don't know what to say, I am so excited. Thank you for your time.

I am a big fan of your work. You are amazing.

Respects,
Ben

[Benten]

As promised here is the x64 IAT Elimination - Manual Unpacking
This is actually the FFF Tutorial. I've just added a much needed video to it.

Also I've identified some patterns to make the search easy. There are crashes so the dump is not perfect, but the unpacking works fine. May be locked features are crashing the dump, as Mr. Exodia puts it, needs more work I guess. I can't do brute forcing, we don't have any PC that good around the Coffee shop.

Code:

A great tut by FFF
TrapZero.FFF.Armadillo.9.x64.Manual.Unpacking.ENG.Ben

Thanks and Respects,

[SmilingWolf]

Quote:

Originally Posted by Benten

May be locked features are crashing the dump

That's not how Secure Sections work. If the program works in trial mode but not once unpacked something got messed up in the process. Most likely it's the splices that haven't been fixed correctly. You can try to simply redirect them to the .pdata section instead of resolving/fixing them. Less likely it's because of some CALL or JMP to imports that for one reason or the other didn't make it into the final dump.

Quote:

Originally Posted by Benten

I can't do brute forcing, we don't have any PC that good around the Coffee shop.

Code:

Global Information:
   TimeStamp : 522B6164
 First DWORD : BEB12B6C
  Project ID : EZ CD Audio Converter 5
     Website : http://www.poikosoft.com/buy.html
      Magic1 : A99D3A69
      Magic2 : 185F
        Salt : DDFD006F
  Crypt Seed : 3D1F87D1 (0xE, 0xF, 0x4, 0x4)

Public Certificate Information:
  Short V3 Level 10:
    Chk : 2C0F3520
    Sym : 2B7D0D69
  BaseP : 438743756 (Size=4F, Diff=2F67, MD5=32F5621D)
  Pub.X : 5166803264428898532848136302152315
  Pub.Y : 5885292780640973861494979822117782

  Short V3 Level 10:
    Chk : F4A58BED
    Sym : D25882FE
  BaseP : 2707316665 (Size=50, Diff=2FBC, MD5=EB410984)
  Pub.X : 9572786991591576323293497288923141
  Pub.Y : 7813891883224157983281644193935444

  Short V3 Level 10:
    Chk : D310A5F2
    Sym : F9B0ABB5
  BaseP : 3073286976 (Size=50, Diff=3012, MD5=5DD8378B)
  Pub.X : 8853314056135967505699477416912929
  Pub.Y : 2273504409043285102220298435426270

  Short V3 Level 10:
    Chk : 76B6BB27
    Sym : AA65E8AC
  BaseP : 3279749701 (Size=4F, Diff=3068, MD5=81777B0F)
  Pub.X : 3277174474704060691137745527117117
  Pub.Y : 308731733377103543808919722499418

Intercepted Libraries:
  -*

GIV's script v0.1 can be found on tuts4you just like *shameless plug* my Armadillo Factotum script. Never ask anyone but the original poster to mirror an attachment. It's against the rules.