Exetools

#1
02-29-2020, 01:37
0xall0c
private exe protector unpacking?

Hello everyone,

I was looking at a binary protected with Private Exe Protector and can't find any tutorials. Can anyone push me in the right direction? If not resources, then any hints?

Thank you
#2
02-29-2020, 15:18
deepzero
Literally, if you enter "private exe protector manual unpacking tutorial" into Google, this is the first hit:

http://185.62.190.110/accessroot/arteam/site/download.php?view.330

It's for v3 though. Much of it also applies to v4. Don't know about v5.
#3
03-02-2020, 01:31
0xall0c
I tried; I got some references on tuts4you but no accessroot site!

Sorry, I didn't mention the version; I was looking at v4. Thank you for the reference though.

The PDF is about unpacking the protector, not a target packed through it?

#4
03-02-2020, 01:47
deepzero
Quote:
The PDF is about unpacking the protector, not a target packed through it?
Same thing, as the protector is protected by the protector.
You will have to see how much applies to your specific target.
#5
03-02-2020, 01:58
0xall0c
Also, I reached the import resolver on my own though!

After that I get an access violation!
#6
03-02-2020, 02:33
0xall0c
The target I have has no trial, just the nag. I don't think I will be able to reach the OEP as you have mentioned in the text; what should be the approach now?
#7
03-03-2020, 01:27
deepzero
Quote:
Also, I reached the import resolver on my own though!
Great!

Quote:
I don't think I will be able to reach the OEP as you have mentioned in the text; what should be the approach now?
I don't know! Try any of the generic OEP detection methods out there. Then post what you tried. I doubt they are using OEP virtualization.

PM me the target, but I am on the road right now, so don't idle and count on me...
#8
03-03-2020, 02:45
0xall0c
Thanks for the gesture, man; it's OK, I will try it for myself for now.

So I think there is some confusion: does PEP provide a registration dialog box or something like that? Because I have a window where it says unregistered, with fields to enter user and key, and it gives a reference to a HWID. I think it's coded in Delphi, but I am not sure whether it's part of the protection or the real program. Does PEP provide a licensing mechanism?

P.S. Have a safe journey, man!
#9
03-03-2020, 03:30
deepzero
Yes, PEP provides something like that, but of course the program might be providing its own form. Good luck!
#10
03-03-2020, 18:36
0xall0c
Tracing backwards from the NtTerminateProcess call, I figured out that NtContinue API calls are being used to make following the code difficult. If you came across NtContinue in PEP as any standard trick, like a VM wrapping around NtContinue, please enlighten!

Thank you!
#11
03-03-2020, 19:13
h4sh3m
Hi

You can use these patterns:
Quote:
=============================================
Private Exe Protector 3.3.3 Bypass Reg

C6459C00E9????0000
=============================================
Private Exe Protector 4.1.2 Bypass Reg

85 C0 75 04 33 C0 EB 02 B0 01 5B 5D C2 10 00
=============================================
Private Exe Protector 4.2.5 Bypass Reg

B? ?? ?? ?? ?? E8 ?? ?? 00 00 0F B6 ?? ?? 5? 5? C2 10 00 > xor eax,eax
It's not too hard bypassing this protector's registration (as I remember), but it's not tested on newer versions.

BR,
h4sh3m
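The signatures above use the wildcard syntax common to packer and compiler identifiers and YARA-style detection rules: `??` stands for any byte, and a half-wildcard such as `5?` or `B?` fixes the high nibble and leaves the low one free. The following Python is an added example, not code from this post or from Private Exe Protector, showing how such a signature is compiled into a byte regex and scanned over a buffer; the `SAMPLE` bytes and the demo signatures are constructed for illustration and are not taken from any real binary.

```python
import re

HEX_DIGITS = "0123456789ABCDEF"


def compile_signature(sig: str) -> re.Pattern:
    """Compile a hex signature with '?' wildcards into a bytes regex.

    Each token is two hex digits: '??' matches any byte, and a half-wildcard
    such as '5?' or 'B?' fixes one nibble and leaves the other free.
    Spaces are optional, so 'C6 45 9C' and 'C6459C' are the same signature.
    """
    tokens = sig.replace(" ", "").upper()
    if len(tokens) % 2:
        raise ValueError("signature must contain an even number of hex digits")
    parts = []
    for i in range(0, len(tokens), 2):
        hi, lo = tokens[i], tokens[i + 1]
        if hi == "?" and lo == "?":
            parts.append(b".")  # any byte; DOTALL below makes '.' match 0x0A too
        elif hi == "?" or lo == "?":
            # Nibble wildcard: enumerate the 16 byte values that share the fixed
            # nibble and emit them as an escaped character class.
            if hi == "?":
                values = [int(d + lo, 16) for d in HEX_DIGITS]
            else:
                values = [int(hi + d, 16) for d in HEX_DIGITS]
            parts.append(b"[" + b"".join(re.escape(bytes([v])) for v in values) + b"]")
        else:
            parts.append(re.escape(bytes([int(hi + lo, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


def find_signature(data: bytes, sig: str) -> list:
    """Return every offset in `data` at which the signature matches."""
    return [m.start() for m in compile_signature(sig).finditer(data)]


# Constructed sample buffer (illustrative, not from a real file): four NOPs,
# then at offset 4 the byte run 55 8B EC 51 53 C2 10 00
# (push ebp / mov ebp,esp / push ecx / push ebx / ret 10), then two int3 bytes.
SAMPLE = bytes.fromhex("90909090" "558BEC5153C21000" "CCCC")


def demo() -> dict:
    """Run a few scans over SAMPLE and return the offsets found for each."""
    return {
        # 5? 5? matches 0x51 and 0x53; ?? absorbs the 0x10 of 'ret 10'
        "prologue": find_signature(SAMPLE, "55 8B EC 5? 5? C2 ?? 00"),
        # the compact, space-free form is the same signature
        "compact": find_signature(SAMPLE, "558BEC5?5?C2??00"),
        # a fixed nibble really constrains the match: 6? must not match 0x51
        "wrong_nibble": find_signature(SAMPLE, "55 8B EC 6? 5? C2 ?? 00"),
        # ?? must also match bytes that are special to regex, e.g. 0x0A
        "newline": find_signature(b"\x0a\x0b", "?? 0B"),
    }


if __name__ == "__main__":
    for name, offsets in demo().items():
        print(f"{name:>12}: {offsets}")
```

The character-class approach keeps the compiled pattern a plain `re` object, so the same `compile_signature` output can be reused across many files; `re.escape` on each byte is what makes values such as 0x5D (`]`) or 0x5C (`\`) safe inside the class.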
#12
03-03-2020, 19:17
0xall0c
OK, I will try. The target is v4, I don't know exactly which version! Will report.
#13
03-03-2020, 19:28
0xall0c
Pattern search for 4.2.5 gave me this:

Code:
push ebp
mov ebp,esp
push ecx
push dword ptr ss:[ebp+14]
push dword ptr ss:[ebp+10]
push dword ptr ss:[ebp+C]
push dword ptr ss:[ebp+8]
call <wartrc2.sub_FDFB10>
test eax,eax
jne wartrc2.FDFF3F
mov byte ptr ss:[ebp-1],0
jmp wartrc2.FDFF4C
lea edx,dword ptr ss:[ebp-1]
mov ecx,1
call <wartrc2.sub_FE04F8>
movzx eax,byte ptr ss:[ebp-1]
pop ecx
pop ebp
ret 10
I tried to set the eax return to 1 but no luck; can you explain a little bit more?
#14
03-03-2020, 21:17
evlncrn8
And setting eax to zero does...?
#15
03-03-2020, 22:00
0xall0c
Nope, zero makes it exit directly! No form, nothing appears. I also tried to NOP all the opcodes in the pattern, but no luck!