Unpackme nr.5

[herr-master]

her is are new unpackme from me i hope is not to hard for you this one is not for noobs.

[KenTheFurry]

Lol this is annoying me I think I have the OEP but I can't seem to get the correct imports.

[LCF-AT]

Hi,

new unpackme by herr-master {hafe deutsch? }.

So after a fast view on it I can say that I have seen this protection already but I can´t remember the name of it...hmm.

@ KenTheFurry

One exsample:

[herr-master]

LCF-AT one question i can say ap0x and yes LCF-AT i am are germen boy.
For you its easy to unpack the packer i us hafe are vm and many is debugger present.

[LCF-AT]

Hello herr-master,

thank´s for the info about ap0x so now I know again what it is.
Ahhh also german!
So I just saw some of your mystery grammatical spelling like "hafe" etc.

greetz

[herr-master]

Yes you see i can not good english i us google and the site from chooki,
can you help me are little bit wight my keygenme.

[LCF-AT]

Yes your english is not the best and my is also bad.Hmm chooki has a translate page?So I would help you but I have no idea about keygen stuff.

greetz

[cozofdeath]

I like it. Much harder than the basic. Ap0x adds good features. I like the VM OEP. If I wasn't somewhat familiar with rlpack I would of had a very hard time identifying the OEP. Nice one Hopefully I can make a script for it. Should we post dumps?

[herr-master]

Yes i wait for the dumps no one has post are dumped one.I fell me so lucky that you found my unpackmes usefull.
PS:My next one is coming.
@cozofdeath if you can make are script make it.

[cozofdeath]

Well I think my script is good to find oep and correct 98% of the IAT but I'm having a dumping issue. Since you enabled the Virtual OEP and the anticrack protection the VM OEP isn't dumping. It looks like you enabled a lot of things so this will take me a while if I can even get it dumped. You probably have that extra dump protection to which I still haven't totally solved but that isn't why my dump isn't working. Can anyone offer some help or tut even if you can get it to dump properly but not run.

PS I have tried the normal dump corrections, SizeOfImage, section size fixes, rebuilding, fixing resource section. Nothing works when it has the vm oep. What am I doing wrong???? AHHHHHHH

[LCF-AT]

Hello,

just as info for all other´s which want to unpack herr-master´s Unpackme nr.5.So the first one has it solved alraedy.Look´s like me.

So you see it´s also possible to unpack this {much harder} UnpackMe.

What to do.
- Redirect IAT // a bit harder as other RLpack app´s
- Rebuild OEP routine // 290 bytes brutto / net
- Repair VM´d code // over 500 parts

The redirection of the IAT is in this UnpackMe the easiest thing.
The OEP rebuild is the hardest thing.There are also a lot to translate.
If you want to repair the VM´d main code then you have first to translate correctly all VM´d opportunities back to the original code.I found ca. 30 diffrent´s {+ other RLpack protected app´s} which you have to translate and then you can write a script to repair this code correctly.

greetz

[cozofdeath]

What do you mean by...

[herr-master]

@cozofdeath this unpackme has more as one vm you whil see 10 - 20 vm, that is what lcf-at whant say wight over 500 parts,and to you second question that is true what you say cozofdeath.Are liitel tip from me cozofdeath you need are unpacked one to compare wight the packed one to found the real oep.

[LCF-AT]

Hi,

1. You have to rebuild exact 17 instructions.The whole OEP routine.From

push ebp
.....
untill
.....
Call xxxxxxxx // last one // till here are 40 bytes Hex
LEA EAX,DWORD PTR DS:[EAX]

Stolen Bytes start

[LCF-AT]

So one thing I forgot to tell.So it can be that your unpacked file later crashes without a exception.Reason for this is a TLS problem.