Exetools  

Go Back   Exetools > General > Source Code

Notices

Reply
 
Thread Tools Display Modes
  #16  
Old 10-20-2014, 00:27
0x22 0x22 is offline
Family
 
Join Date: Aug 2014
Posts: 66
Rept. Given: 14
Rept. Rcvd 47 Times in 18 Posts
Thanks Given: 12
Thanks Rcvd at 64 Times in 21 Posts
0x22 Reputation: 47
Quote:
Originally Posted by Conquest View Post
my bad for using wrong words. i didnt mean to offend you . what i meant was that its not always 100% working because in some cases the execution flow may pass the patch point already before the patching fries up (not going to explain why . its obvious that thread timings and thread priority is the biggest issue here. not to mention without a sleep delay the process will consume 100% of a single cpu thread ).
Its same with even if you do proxy dll methods as well .

@mr. exodia . i will try to find it out today. i used it for that "mushroom game" long ago when i couldnt make a working unpack out of themida
Thanks for your input, im not a good coder, so maybe i will do it better next time
Reply With Quote
  #17  
Old 10-20-2014, 03:07
quygia128's Avatar
quygia128 quygia128 is offline
Family
 
Join Date: Apr 2011
Location: SomeWhere
Posts: 109
Rept. Given: 242
Rept. Rcvd 182 Times in 47 Posts
Thanks Given: 121
Thanks Rcvd at 30 Times in 19 Posts
quygia128 Reputation: 100-199 quygia128 Reputation: 100-199
Yes, it shouldn't work for other Packed file.

Your Loader need add code loop(for/while) to detect WMProtect have been decrypted your app code(Real code you need patch), verify it then byte is exist, you will be suspend process and patch code before resume process.
That's all

BR,
quygia128
Reply With Quote
  #18  
Old 10-20-2014, 03:21
0x22 0x22 is offline
Family
 
Join Date: Aug 2014
Posts: 66
Rept. Given: 14
Rept. Rcvd 47 Times in 18 Posts
Thanks Given: 12
Thanks Rcvd at 64 Times in 21 Posts
0x22 Reputation: 47
Quote:
Originally Posted by quygia128 View Post
Yes, it shouldn't work for other Packed file.

Your Loader need add code loop(for/while) to detect WMProtect have been decrypted your app code(Real code you need patch), verify it then byte is exist, you will be suspend process and patch code before resume process.
That's all

BR,
quygia128
It works as long as you insert the correct offsets. It works on all VMProtect with self-checks as well as Safengine's selfcheck, tested on multiple protected files and i have cracks released with this loader for weeks without complains.
Reply With Quote
  #19  
Old 10-20-2014, 04:01
Carbon Carbon is offline
VIP
 
Join Date: Sep 2013
Posts: 113
Rept. Given: 7
Rept. Rcvd 189 Times in 48 Posts
Thanks Given: 0
Thanks Rcvd at 59 Times in 18 Posts
Carbon Reputation: 100-199 Carbon Reputation: 100-199
Quote:
Originally Posted by 0x22 View Post
It works as long as you insert the correct offsets. It works on all VMProtect with self-checks as well as Safengine's selfcheck, tested on multiple protected files and i have cracks released with this loader for weeks without complains.
It still depends on the hardware (CPU power) of the machine. I have done a VMP loader myself in the past and I had to use Sleep() with a certain amount of time. The good thing is that you can automatically bruteforce the correct Sleep time more or less for a specific machine.

Real release groups don't allow "loader" cracks for obvious reasons.
__________________
My blog: https://ntquery.wordpress.com
Reply With Quote
  #20  
Old 10-20-2014, 09:28
ZeNiX's Avatar
ZeNiX ZeNiX is offline
Administrator
 
Join Date: Feb 2009
Posts: 732
Rept. Given: 177
Rept. Rcvd 773 Times in 259 Posts
Thanks Given: 213
Thanks Rcvd at 885 Times in 242 Posts
ZeNiX Reputation: 700-899 ZeNiX Reputation: 700-899 ZeNiX Reputation: 700-899 ZeNiX Reputation: 700-899 ZeNiX Reputation: 700-899 ZeNiX Reputation: 700-899 ZeNiX Reputation: 700-899
For VMProtect and Themida/WinLicense,
Here is my method for loader.

1. Hook the API near OEP or near your patch point.
2. Check the return address from stack.

Then, you know when your target is unpacked.
Reply With Quote
The Following 3 Users Gave Reputation+1 to ZeNiX For This Useful Post:
0x22 (10-20-2014), b30wulf (10-20-2014), Newbie_Cracker (10-24-2014)
The Following User Says Thank You to ZeNiX For This Useful Post:
niculaita (08-30-2016)
  #21  
Old 10-20-2014, 09:41
0x22 0x22 is offline
Family
 
Join Date: Aug 2014
Posts: 66
Rept. Given: 14
Rept. Rcvd 47 Times in 18 Posts
Thanks Given: 12
Thanks Rcvd at 64 Times in 21 Posts
0x22 Reputation: 47
Quote:
Originally Posted by Carbon View Post
It still depends on the hardware (CPU power) of the machine. I have done a VMP loader myself in the past and I had to use Sleep() with a certain amount of time. The good thing is that you can automatically bruteforce the correct Sleep time more or less for a specific machine.

Real release groups don't allow "loader" cracks for obvious reasons.
Are you talking about my loader?
I'm not sure if i understood you correctly, because the source i posted here does not depend on hardware/CPU becuase it does not use sleep.
Sleep is a method i would never use at all, its shit, cuz yes as you said CPU.

I accept your critizism but i released my source to be nice, so that people that may not be "that" expericed with this, might solve it with my working method as well as giving people an idea to work on, and on how it could done.

To be honest i couldnt give two shits about what real release groups allow or not.
In my eyes, a working method is a working method, as long as the program opens, I'm happy and the users that use it will remain happy.

Good day.

Last edited by 0x22; 10-20-2014 at 10:29.
Reply With Quote
The Following User Gave Reputation+1 to 0x22 For This Useful Post:
b30wulf (10-20-2014)
The Following User Says Thank You to 0x22 For This Useful Post:
niculaita (08-30-2016)
  #22  
Old 10-20-2014, 11:53
fmtx fmtx is offline
Friend
 
Join Date: Jun 2014
Posts: 7
Rept. Given: 2
Rept. Rcvd 0 Times in 0 Posts
Thanks Given: 0
Thanks Rcvd at 0 Times in 0 Posts
fmtx Reputation: 0
0x22:

Easy tiger. I know your good intention of bringing the loader source here (although imho it doesn't help much). But honestly I think you should improve your code, and make it more universal, make it available on more machines.

It works on your computer, well ok. It fits your needs, ok.

The people just state here that they think you need to do more than that. Slapping a little bit on your ego isn't comfortable for you, but do accept it as a challenge. Don't be a kid or you will forever stay at your "level".

You can listen to my advice or not, it depends on you. However, satisifying yourself with little achievement won't take you far.

My two cents.
Reply With Quote
  #23  
Old 10-20-2014, 14:35
ZeNiX's Avatar
ZeNiX ZeNiX is offline
Administrator
 
Join Date: Feb 2009
Posts: 732
Rept. Given: 177
Rept. Rcvd 773 Times in 259 Posts
Thanks Given: 213
Thanks Rcvd at 885 Times in 242 Posts
ZeNiX Reputation: 700-899 ZeNiX Reputation: 700-899 ZeNiX Reputation: 700-899 ZeNiX Reputation: 700-899 ZeNiX Reputation: 700-899 ZeNiX Reputation: 700-899 ZeNiX Reputation: 700-899
I am not a good coder, too.
So, if I share my source codes, they will surely be ugly.

But I think we share source codes, methods. And with help from more friends here, we work out new and better solutions together.
Reply With Quote
The Following 2 Users Gave Reputation+1 to ZeNiX For This Useful Post:
b30wulf (10-20-2014), chessgod101 (11-01-2014)
The Following User Says Thank You to ZeNiX For This Useful Post:
niculaita (08-30-2016)
  #24  
Old 10-20-2014, 22:19
0x22 0x22 is offline
Family
 
Join Date: Aug 2014
Posts: 66
Rept. Given: 14
Rept. Rcvd 47 Times in 18 Posts
Thanks Given: 12
Thanks Rcvd at 64 Times in 21 Posts
0x22 Reputation: 47
Quote:
Originally Posted by fmtx View Post
0x22:

Easy tiger. I know your good intention of bringing the loader source here (although imho it doesn't help much). But honestly I think you should improve your code, and make it more universal, make it available on more machines.

It works on your computer, well ok. It fits your needs, ok.

The people just state here that they think you need to do more than that. Slapping a little bit on your ego isn't comfortable for you, but do accept it as a challenge. Don't be a kid or you will forever stay at your "level".

You can listen to my advice or not, it depends on you. However, satisifying yourself with little achievement won't take you far.

My two cents.
I love to learn, i have no issues with learning, i learn every day and i enjoy it.
One of the cracks i used this loader on has 8291 unique logins in my php panel as we speak, and not a single complaint.
So i dont see the reason to rip on something that work.
Reply With Quote
  #25  
Old 10-24-2014, 07:40
Newbie_Cracker's Avatar
Newbie_Cracker Newbie_Cracker is offline
VIP
 
Join Date: Jan 2005
Posts: 227
Rept. Given: 72
Rept. Rcvd 26 Times in 12 Posts
Thanks Given: 49
Thanks Rcvd at 25 Times in 18 Posts
Newbie_Cracker Reputation: 26
Quote:
Originally Posted by ZeNiX View Post
For VMProtect and Themida/WinLicense,
Here is my method for loader.

1. Hook the API near OEP or near your patch point.
2. Check the return address from stack.

Then, you know when your target is unpacked.
Yeah, It is very useful especially for patching child process created by father process; such as Armadillo, SDProtect, etc.

I always use hook method when loaders like dUP2 fails to patch on time.

So if the VMProtect does not check for API hooking, this method is the best.
__________________
In memory of UnREal RCE...
Reply With Quote
The Following User Says Thank You to Newbie_Cracker For This Useful Post:
niculaita (08-30-2016)
  #26  
Old 10-24-2014, 13:46
Conquest Conquest is offline
Friend
 
Join Date: Jan 2013
Location: 0x484F4D45
Posts: 125
Rept. Given: 46
Rept. Rcvd 29 Times in 17 Posts
Thanks Given: 31
Thanks Rcvd at 60 Times in 29 Posts
Conquest Reputation: 29
Quote:
Originally Posted by Newbie_Cracker View Post
Yeah, It is very useful especially for patching child process created by father process; such as Armadillo, SDProtect, etc.

I always use hook method when loaders like dUP2 fails to patch on time.

So if the VMProtect does not check for API hooking, this method is the best.
Problem is ,like themida, vmp uses emulated api as well . so normally its hard to predict which api is "universally free" from api emulation and thus hooking doesnt work in all cases
Reply With Quote
  #27  
Old 10-24-2014, 18:11
0x22 0x22 is offline
Family
 
Join Date: Aug 2014
Posts: 66
Rept. Given: 14
Rept. Rcvd 47 Times in 18 Posts
Thanks Given: 12
Thanks Rcvd at 64 Times in 21 Posts
0x22 Reputation: 47
Quote:
Originally Posted by Conquest View Post
Problem is ,like themida, vmp uses emulated api as well . so normally its hard to predict which api is "universally free" from api emulation and thus hooking doesnt work in all cases
This has worked bulletproof on VMProtect, Themida and Safengine for several dozen of loaders for me, never had any problems with using this method tbh.

Last edited by 0x22; 10-24-2014 at 18:17.
Reply With Quote
  #28  
Old 10-24-2014, 19:18
b30wulf's Avatar
b30wulf b30wulf is offline
Family
 
Join Date: Nov 2013
Posts: 194
Rept. Given: 210
Rept. Rcvd 116 Times in 38 Posts
Thanks Given: 195
Thanks Rcvd at 229 Times in 74 Posts
b30wulf Reputation: 100-199 b30wulf Reputation: 100-199
As title says "SIMPLE" so thst is what this is.... simple loader. But as I can see after so many suggestions and criticism maybe some of you could show user 0x22 how to "ADVANCE" it...
Reply With Quote
The Following 2 Users Gave Reputation+1 to b30wulf For This Useful Post:
0x22 (10-25-2014)
  #29  
Old 10-24-2014, 23:55
Conquest Conquest is offline
Friend
 
Join Date: Jan 2013
Location: 0x484F4D45
Posts: 125
Rept. Given: 46
Rept. Rcvd 29 Times in 17 Posts
Thanks Given: 31
Thanks Rcvd at 60 Times in 29 Posts
Conquest Reputation: 29
Quote:
Originally Posted by 0x22 View Post
This has worked bulletproof on VMProtect, Themida and Safengine for several dozen of loaders for me, never had any problems with using this method tbh.
i dont see any link between your message and my statement . it doesnt apply to your method at all .
Reply With Quote
  #30  
Old 10-25-2014, 01:34
0x22 0x22 is offline
Family
 
Join Date: Aug 2014
Posts: 66
Rept. Given: 14
Rept. Rcvd 47 Times in 18 Posts
Thanks Given: 12
Thanks Rcvd at 64 Times in 21 Posts
0x22 Reputation: 47
Quote:
Originally Posted by Conquest View Post
i dont see any link between your message and my statement . it doesnt apply to your method at all .
I'm sorry i must've misunderstood, my apologies
Reply With Quote
The Following User Gave Reputation+1 to 0x22 For This Useful Post:
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is On


Similar Threads
Thread Thread Starter Forum Replies Last Post
Simple Task [make loader for UPX target]... diablo2oo2 General Discussion 1 12-30-2004 07:03


All times are GMT +8. The time now is 17:26.


Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX, chessgod101
( 1998 - 2024 )