#1
private exe protector unpacking?
Hello everyone,
I was looking at a binary protected with Private EXE Protector. I can't find any tutorials; can anyone push me in the right direction? If not resources, then any hints? Thank you.
#2
Literally, if you enter "private exe protector manual unpacking tutorial" into Google, this is the first hit:
http://185.62.190.110/accessroot/arteam/site/download.php?view.330 For v3 though. Much of it applies also to v4. Don't know about v5.
#3
I tried; I got some references on tuts4you but no accessroot site!
Sorry, I didn't mention the version. I was looking for v4; thank you for the reference though. The PDF is about unpacking the protector, not a target packed through it?
Last edited by 0xall0c; 03-02-2020 at 01:43.
#4
You will have to see how much applies to your specific target.
The Following User Says Thank You to deepzero For This Useful Post: 0xall0c (03-02-2020)
#5
Also, I reached the import resolver on my own, though!
After that I get an access violation!
#6
The target I have has no trial, just the nag. I don't think I will be able to reach the OEP as you have mentioned in the text; what should be the approach now?
#7
PM me the target, but I am on the road right now, so don't idle and count on me...
#8
Thanks for the gesture, man; it's OK, I will try it for myself for now.
So I think there is a confusion: does PEP provide a registration scheme dialog box or something like that? Because I have a window where it says "unregistered", asks to enter a user and key, and gives a reference to a HWID. I think it's coded in Delphi, but I am not sure whether it's part of the protection or the real program. Does PEP provide a licensing mechanism? P.S. Have a safe journey, man!
#9
Yes, pep provides something like that, but of course the program might be providing its own form. Good luck!
#10
Tracing backwards from the NtTerminateProcess call, I figured out that NtContinue API calls are being used to make following the code difficult. If you came across NtContinue in PEP as any standard trick, like running a VM wrapped around NtContinue, please enlighten me!
Thank you!
#11
Hi
You can use these patterns:
BR, h4sh3m
The Following User Says Thank You to h4sh3m For This Useful Post: niculaita (03-03-2020)
#12
OK, I will try. The target is v4, I don't know exactly which version! Will report.
#13
Pattern search for 4.2.5 gave me this:
Code:
push ebp
mov ebp,esp
push ecx
push dword ptr ss:[ebp+14]
push dword ptr ss:[ebp+10]
push dword ptr ss:[ebp+C]
push dword ptr ss:[ebp+8]
call <wartrc2.sub_FDFB10>
test eax,eax
jne wartrc2.FDFF3F
mov byte ptr ss:[ebp-1],0
jmp wartrc2.FDFF4C
lea edx,dword ptr ss:[ebp-1]
mov ecx,1
call <wartrc2.sub_FE04F8>
movzx eax,byte ptr ss:[ebp-1]
pop ecx
pop ebp
ret 10
#14
And setting eax to zero does...?
#15
NOP/zero makes it exit directly! No form, nothing appears. I also tried to NOP all opcodes which are in the pattern, but no luck!
Last edited by 0xall0c; 03-03-2020 at 22:04. Reason: added more info