Reverse Engineering Team Board

File Unpacking: Unpack Impossible?!! (http://www.reteam.org/board/showthread.php?t=260)

ultraprotectkillinMe 06-24-2005 06:23 AM

Sorry for the bother.. this is a file I'm gettin tired and sick of... :P Dun usually need help unpacking..
but even with OllyDbg and hide plugin, this is givin me a pain in the neck... :)
would be eternally grateful if someone here has the knowhow to unpack this.. I get stuck halfway..

gah... thanks a mil.. hope u dun encounter as many problems as me.
I used OllyDbg 1.10 with hide plugin and using this script:-


var bpaddr //Break Point Address

start:
run

lbl1:
findop eip,#C3#
eob lbl2
bp $RESULT
esto

lbl2:
bc $RESULT
sto
mov bpaddr,esp
eob lbl3
bphws bpaddr,"r"
run

lbl3:
bphwc bpaddr
sto
sto

end:
cmt eip,"OEP found!please dumped it!"
msg "Silly Ultraprotector"
ret

Thanks for all help and pointers :)

Jenda 06-24-2005 06:36 PM

I've been trying to unpack this same file for the past night and a half. I'm stuck in the same place you are. <_<

I'd be grateful to find out the steps needed to accomplish this task. If anyone knows, please help.

beko 06-27-2005 09:54 AM

I was busy with this too, hard to unpack.

v3in 06-29-2005 03:58 AM

OK, let's all work together on this!!!!

I think this file is protected with ACProtect 1.41, not UltraProtect.

I'm not sure if I got the correct OEP because I'm having trouble fixing the imports with ImportREC.

OK, first, what you need to do is in Olly's options check all the tabs under exceptions; that's how I got it to run until the ACP OK message.

When you see the OK message, go to the memory view in Olly and set a breakpoint on access on dragonbot's rdata section.

And then click OK and read the address Olly breaks on, and that's what I'm using for OEP.

I load up ImportREC, attach to an open dragonbot.exe, type in the last 4 numbers from the OEP, click IAT autosearch, then get imports.

This returns a long list with one API that is invalid, but when I right-click and use the trace3 option it finds it, and then I fix dump and get an error when I open it.


ultraprotectkillinMe 06-29-2005 10:24 PM

Lol.. hahaha!! i love ur Paintshopped No! :P

ultraprotectkillinMe 06-29-2005 10:54 PM

Hmms... the dumped.exe file has error... fixing doesn't seem to work
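
Added example (not posted by anyone in this thread): the posts above end with a rebuilt dump that errors when opened, with the OEP itself in doubt. This Python check reads a 32-bit PE header and reports whether the entry point and import directory fall inside a section and whether each section's raw data fits in the file. The function names are hypothetical and the sample image is constructed, not the thread's file.

```python
import struct

def parse_pe32(data):
    """Return (entry_rva, import_dir_rva, sections) from a PE32 file image."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec, opt_size = struct.unpack_from("<H12xH", data, pe + 6)
    opt = pe + 24                                          # optional header start
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("not PE32")
    entry = struct.unpack_from("<I", data, opt + 16)[0]    # AddressOfEntryPoint
    imp = struct.unpack_from("<I", data, opt + 104)[0]     # import directory RVA
    secs = []
    for off in range(opt + opt_size, opt + opt_size + 40 * nsec, 40):
        vsize, va, rsize, rptr = struct.unpack_from("<4I", data, off + 8)
        name = data[off:off + 8].rstrip(b"\0").decode("latin-1")
        secs.append({"name": name, "va": va, "vsize": vsize, "rsize": rsize, "rptr": rptr})
    return entry, imp, secs

def section_of(rva, secs):
    """Name of the section whose virtual range holds rva, else None."""
    for s in secs:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rsize"]):
            return s["name"]
    return None

def check_dump(data):
    """List structural problems that stop a rebuilt dump from loading."""
    entry, imp, secs = parse_pe32(data)
    problems = []
    if section_of(entry, secs) is None:
        problems.append("entry point outside every section")
    if imp and section_of(imp, secs) is None:
        problems.append("import directory outside every section")
    problems += [f"section {s['name']} raw data past end of file"
                 for s in secs if s["rptr"] + s["rsize"] > len(data)]
    return problems

def build_sample(entry, imp, rsize):
    """Constructed one-section PE32 image (sample data, not the thread's file)."""
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 16, entry)
    struct.pack_into("<I", opt, 104, imp)
    hdr = (b"MZ" + b"\0" * 58 + struct.pack("<I", 64) + b"PE\0\0"
           + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102) + bytes(opt)
           + b".text\0\0\0" + struct.pack("<4I", 0x1000, 0x1000, rsize, 0x200) + b"\0" * 16)
    return hdr.ljust(0x200, b"\0") + b"\xCC" * 0x200
```

Run check_dump on the bytes of a dumped file; an empty list means the headers are self-consistent, not that the chosen OEP is the right one.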

orangutang 07-11-2005 11:01 PM

UltraProtect and ASProtect have some of the best debugger protections. I hate them.


All times are GMT -4.