unpacking program which is protected against debuggers


numericalMan
June 10th, 2010, 09:35
There is a program that I can not unpack.
I can not run PROCDUMP.EXE.
If I try to run it in W32DASM and save it to a text file I get:

Code:
Disassembly of File: NeoBot.exe
Code Offset = 00000000, Code Size = 00000000
Data Offset = 00000000, Data Size = 00000000

Number of Objects = 0009 (dec), Imagebase = 00400000h

Object01: .text RVA: 00001000 Offset: 00000000 Size: 00000000 Flags: 60000020
Object02: .rdata RVA: 0006B000 Offset: 00000000 Size: 00000000 Flags: 40000040
Object03: .data RVA: 0009B000 Offset: 00000000 Size: 00000000 Flags: C0000040
Object04: .rsrc RVA: 000AB000 Offset: 00000400 Size: 0000EE00 Flags: 40000040
Object05: 0 RVA: 000BA000 Offset: 00000000 Size: 00000000 Flags: 60000060
Object06: 1 RVA: 000C5000 Offset: 00000000 Size: 00000000 Flags: E0000060
Object07: .tls RVA: 002C6000 Offset: 0000F200 Size: 00000200 Flags: C0000000
Object08: 2 RVA: 002C7000 Offset: 0000F400 Size: 0024A200 Flags: E2000060
Object09: .reloc RVA: 00512000 Offset: 00259600 Size: 00000200 Flags: 42000040


+++++++++++++++++++ MENU INFORMATION ++++++++++++++++++

There Are No Menu Resources in This Application

+++++++++++++++++ DIALOG INFORMATION ++++++++++++++++++

There Are No Dialog Resources in This Application

+++++++++++++++++++ IMPORTED FUNCTIONS ++++++++++++++++++
Number of Imported Modules = 0 (decimal)


+++++++++++++++++++ IMPORT MODULE DETAILS +++++++++++++++

+++++++++++++++++++ EXPORTED FUNCTIONS ++++++++++++++++++
Number of Exported Functions = 0001 (decimal)


Addr:00400000 Ord: 1 (0001h) Name: m4a®¸äŽú8ë#ugą¶'ÄC}°OÄlŇ! ˛^Č*…™Öm1ÁÚ•Taˇóvu“tÁŘĽ!§‰D±,hŰ9«^+€×KOn«@Ú!


+++++++++++++++++++ ASSEMBLY CODE LISTING ++++++++++++++++++
//********************** Start of Code in Object .text **************
Program Entry Point = 008871B5 (NeoBot.exe File Offset:003DBFB5)


[44. line]:004BA000 65 BYTE 065h
[147. line]:FFFFFFFF End Of Listing



If I even try to see the properties of the process in Process Explorer v11.04, Process Explorer gets closed.

I have installed SoftICE 4.05 with booting set to manual, but I was not even able to run the application, because I got an error saying 'there was a running debugger found. unload it from memory and run again.'

Programs I have:
Win32dasm, ProcDump, Softice 4.05

My question is how to deal with such a protection?
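The header dump in the post already tells an analyst the file is packed before any debugger is attached. As an added example (not code from the thread), here is a small Python script that parses the W32DASM Object lines quoted above and reports the static packer indicators: sections with raw size zero, sections mapped writable and executable, an entry point outside .text, and no import table. The RVA-to-section mapping assumes each section extends to the next one's RVA, since W32DASM does not print virtual sizes.

```python
import re

# Section table exactly as W32DASM printed it in the post (sample copied from the thread).
W32DASM_LISTING = """\
Object01: .text RVA: 00001000 Offset: 00000000 Size: 00000000 Flags: 60000020
Object02: .rdata RVA: 0006B000 Offset: 00000000 Size: 00000000 Flags: 40000040
Object03: .data RVA: 0009B000 Offset: 00000000 Size: 00000000 Flags: C0000040
Object04: .rsrc RVA: 000AB000 Offset: 00000400 Size: 0000EE00 Flags: 40000040
Object05: 0 RVA: 000BA000 Offset: 00000000 Size: 00000000 Flags: 60000060
Object06: 1 RVA: 000C5000 Offset: 00000000 Size: 00000000 Flags: E0000060
Object07: .tls RVA: 002C6000 Offset: 0000F200 Size: 00000200 Flags: C0000000
Object08: 2 RVA: 002C7000 Offset: 0000F400 Size: 0024A200 Flags: E2000060
Object09: .reloc RVA: 00512000 Offset: 00259600 Size: 00000200 Flags: 42000040
"""
IMAGEBASE, ENTRY_POINT, IMPORTED_MODULES = 0x00400000, 0x008871B5, 0  # also from the listing
MEM_EXECUTE, MEM_WRITE = 0x20000000, 0x80000000  # IMAGE_SCN_MEM_EXECUTE / IMAGE_SCN_MEM_WRITE
LINE_RE = re.compile(r"Object\d+:\s+(\S+)\s+RVA:\s+([0-9A-Fa-f]+)\s+Offset:\s+([0-9A-Fa-f]+)"
                     r"\s+Size:\s+([0-9A-Fa-f]+)\s+Flags:\s+([0-9A-Fa-f]+)")

def parse_sections(listing):
    """One dict per Object line; 'size' is the raw (on-disk) size W32DASM reports."""
    return [{"name": n, "rva": int(r, 16), "offset": int(o, 16), "size": int(s, 16), "flags": int(f, 16)}
            for n, r, o, s, f in LINE_RE.findall(listing)]

def section_for(secs, va, imagebase):
    """Section holding virtual address va. The listing has no virtual size, so a section is
    assumed to run up to the next section's RVA (its raw size is used for the last one)."""
    rva = va - imagebase
    for i, s in enumerate(secs):
        end = secs[i + 1]["rva"] if i + 1 < len(secs) else s["rva"] + s["size"]
        if s["rva"] <= rva < end:
            return s
    return None

def packer_indicators(listing, imagebase, entry_point, imported_modules):
    """Static hints, from the headers alone, that the file is packed or virtualised."""
    secs, hits = parse_sections(listing), []
    empty = [s["name"] for s in secs if s["size"] == 0]
    if empty:
        hits.append(f"sections with raw size 0 (code is unpacked into them at runtime): {empty}")
    wx = [s["name"] for s in secs if s["flags"] & MEM_EXECUTE and s["flags"] & MEM_WRITE]
    if wx:
        hits.append(f"writable+executable sections: {wx}")
    ep = section_for(secs, entry_point, imagebase)
    if ep is None or ep["name"] != ".text":
        hits.append(f"entry point {entry_point:08X} is in section '{ep['name'] if ep else '?'}', not .text")
    if imported_modules == 0:
        hits.append("no import table on disk (the protector stub rebuilds the IAT in memory)")
    return hits
```

Running it on the listing above reports five empty sections, two writable+executable sections ('1' and '2'), an entry point inside section '2', and no imports: all four markers at once, which is why the usual dump-and-rebuild-IAT workflow is needed rather than a plain dump.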

disavowed
June 10th, 2010, 13:51
Try unpacking it with OllyDbg and Import REConstructor.

BoB
June 10th, 2010, 15:53
Looks like VMProtect to me, that always has 1 dodgy export.

BoB

numericalMan
June 10th, 2010, 17:35
disavowed, thank you, I have started learning it.

Quote:
Originally Posted by BoB
Looks like VMProtect to me, that always has 1 dodgy export.

That is great news.
I have a question:
I found the tutorial http://www.tuts4you.com/request.php?2836, which contains these files:

Code:
VMProtect 1.7 - 1.8 targets
Infos_01.txt
Infos_02.txt
VMProtect 1.7 - 1.8 OEP & Unpack Helper 1.0.txt
Unpacking VMProtect 1.7 - 1.8 Tutorial Set
VMProtect 1.7 - 1.8 targets\Base64 Tool
VMProtect 1.7 - 1.8 targets\Calc
VMProtect 1.7 - 1.8 targets\Sec Add
VMProtect 1.7 - 1.8 targets\Notepad
VMProtect 1.7 - 1.8 targets\RC4 Tool
VMProtect 1.7 - 1.8 targets\anti VMP test your hide status
VMProtect 1.7 - 1.8 targets\Base64 Tool\Base64 Too_1.7_Unpack Results
VMProtect 1.7 - 1.8 targets\Base64 Tool\Base64 Too_1.7.exe
VMProtect 1.7 - 1.8 targets\Base64 Tool\BASSMOD.dll
VMProtect 1.7 - 1.8 targets\Base64 Tool\Base64 Too_1.7_Unpack Results\Base64 Tool_Session_Infos.txt
VMProtect 1.7 - 1.8 targets\Base64 Tool\Base64 Too_1.7_Unpack Results\iatpatch.txt_Base64 Tool.txt
VMProtect 1.7 - 1.8 targets\Base64 Tool\Base64 Too_1.7_Unpack Results\In_API_Patch_for_Base64 Tool.txt
VMProtect 1.7 - 1.8 targets\Base64 Tool\Base64 Too_1.7_Unpack Results\NEW_WAY_APIs_for_Base64 Tool.txt
VMProtect 1.7 - 1.8 targets\Base64 Tool\Base64 Too_1.7_Unpack Results\Base64 Tool_1.7_Dump_IAT_INLINE.exe
VMProtect 1.7 - 1.8 targets\Base64 Tool\Base64 Too_1.7_Unpack Results\IAT_INLINE_DA0000_4000_New_VA_9A0000.mem
VMProtect 1.7 - 1.8 targets\Calc\Calc 1.8_Unpack Results
VMProtect 1.7 - 1.8 targets\Calc\calc 1.8.exe
VMProtect 1.7 - 1.8 targets\Calc\Calc 1.8_Unpack Results\calc - Extra APIs.txt
VMProtect 1.7 - 1.8 targets\Calc\Calc 1.8_Unpack Results\calc_Session_Infos.txt
VMProtect 1.7 - 1.8 targets\Calc\Calc 1.8_Unpack Results\iatpatch.txt
VMProtect 1.7 - 1.8 targets\Calc\Calc 1.8_Unpack Results\In_API_Patch_for_calc.txt
VMProtect 1.7 - 1.8 targets\Calc\Calc 1.8_Unpack Results\NEW_WAY_APIs_for_calc.txt
VMProtect 1.7 - 1.8 targets\Calc\Calc 1.8_Unpack Results\calc 1.8_Dump_IAT_INLINE_System_API_Fix.exe
VMProtect 1.7 - 1.8 targets\Calc\Calc 1.8_Unpack Results\calc 1.8_Dump_Nooby_dll_System_API_Fix.exe
VMProtect 1.7 - 1.8 targets\Calc\Calc 1.8_Unpack Results\nooby.dll
VMProtect 1.7 - 1.8 targets\Calc\Calc 1.8_Unpack Results\IAT_INLINE_1080000_39000_New_VA_80000.mem
VMProtect 1.7 - 1.8 targets\Sec Add\Sec Add_1.8 vmp_Unpack Results
VMProtect 1.7 - 1.8 targets\Sec Add\Sec_Add_1.7 vmp_Unpack Results
VMProtect 1.7 - 1.8 targets\Sec Add\Sec Add 1.8 vmp
VMProtect 1.7 - 1.8 targets\Sec Add\Sec_Add_1.7 vmp
VMProtect 1.7 - 1.8 targets\Sec Add\Sec_Add_Orginal_File
VMProtect 1.7 - 1.8 targets\Sec Add\Sec Add_1.8 vmp_Unpack Results\iatpatch.txt
VMProtect 1.7 - 1.8 targets\Sec Add\Sec Add_1.8 vmp_Unpack Results\In_API_Patch_for_Sec Add_1.8 version.txt
VMProtect 1.7 - 1.8 targets\Sec Add\Sec Add_1.8 vmp_Unpack Results\NEW_WAY_APIs_for_Sec Add_1.8 version.txt
VMProtect 1.7 - 1.8 targets\Sec Add\Sec Add_1.8 vmp_Unpack Results\Sec Add_1.8 version_Session_Infos.txt
VMProtect 1.7 - 1.8 targets\Sec Add\Sec Add_1.8 vmp_Unpack Results\Sec Add_1.8 version_Dump_IAT_INLINE.exe
VMProtect 1.7 - 1.8 targets\Sec Add\Sec Add_1.8 vmp_Unpack Results\Sec Add_1.8 version_Dump_Nooby_dll.exe
VMProtect 1.7 - 1.8 targets\Sec Add\Sec Add_1.8 vmp_Unpack Results\nooby.dll
VMProtect 1.7 - 1.8 targets\Sec Add\Sec Add_1.8 vmp_Unpack Results\IAT_INLINE_910000_4000_New_VA_510000.mem
VMProtect 1.7 - 1.8 targets\Sec Add\Sec_Add_1.7 vmp_Unpack Results\iatpatch.txt
VMProtect 1.7 - 1.8 targets\Sec Add\Sec_Add_1.7 vmp_Unpack Results\In_API_Patch_for_Sec_Add_1.7 vmp version.txt
VMProtect 1.7 - 1.8 targets\Sec Add\Sec_Add_1.7 vmp_Unpack Results\NEW_WAY_APIs_for_Sec_Add_1.7 vmp version.txt
VMProtect 1.7 - 1.8 targets\Sec Add\Sec_Add_1.7 vmp_Unpack Results\Sec_Add_1.7 vmp version_Session_Infos.txt
VMProtect 1.7 - 1.8 targets\Sec Add\Sec_Add_1.7 vmp_Unpack Results\Sec_Add_1.7 Dump_IAT_INLINE.exe
VMProtect 1.7 - 1.8 targets\Sec Add\Sec_Add_1.7 vmp_Unpack Results\IAT_INLINE_910000_3000_New_VA_510000.mem
VMProtect 1.7 - 1.8 targets\Sec Add\Sec Add 1.8 vmp\Sec Add_1.8 version.exe
VMProtect 1.7 - 1.8 targets\Sec Add\Sec_Add_1.7 vmp\Sec_Add_1.7 version.exe
VMProtect 1.7 - 1.8 targets\Sec Add\Sec_Add_Orginal_File\Sec_Add_Orginal.exe
VMProtect 1.7 - 1.8 targets\Notepad\Notepad 1.8_Unpack Results
VMProtect 1.7 - 1.8 targets\Notepad\notepad 1.8.exe
VMProtect 1.7 - 1.8 targets\Notepad\Notepad 1.8_Unpack Results\iatpatch.txt
VMProtect 1.7 - 1.8 targets\Notepad\Notepad 1.8_Unpack Results\In_API_Patch_for_notepad.txt
VMProtect 1.7 - 1.8 targets\Notepad\Notepad 1.8_Unpack Results\NEW_WAY_APIs_for_notepad.txt
VMProtect 1.7 - 1.8 targets\Notepad\Notepad 1.8_Unpack Results\notepad - Extra APIs.txt
VMProtect 1.7 - 1.8 targets\Notepad\Notepad 1.8_Unpack Results\notepad_Session_Infos.txt
VMProtect 1.7 - 1.8 targets\Notepad\Notepad 1.8_Unpack Results\notepad 1.8_Dump_IAT_INLINE_System_API_Fix.exe
VMProtect 1.7 - 1.8 targets\Notepad\Notepad 1.8_Unpack Results\notepad 1.8_Dump_Nooby_dll_System_API_Fix.exe
VMProtect 1.7 - 1.8 targets\Notepad\Notepad 1.8_Unpack Results\nooby.dll
VMProtect 1.7 - 1.8 targets\Notepad\Notepad 1.8_Unpack Results\IAT_INLINE_1090000_3A000_New_VA_90000.mem
VMProtect 1.7 - 1.8 targets\RC4 Tool\RC4 Tool_1.7_Unpack Results
VMProtect 1.7 - 1.8 targets\RC4 Tool\RC4 Tool_1.7.exe
VMProtect 1.7 - 1.8 targets\RC4 Tool\comdlg32.ocx
VMProtect 1.7 - 1.8 targets\RC4 Tool\RC4 Tool_1.7_Unpack Results\iatpatch.txt_RC4 Tool.txt
VMProtect 1.7 - 1.8 targets\RC4 Tool\RC4 Tool_1.7_Unpack Results\In_API_Patch_for_RC4 Tool.txt
VMProtect 1.7 - 1.8 targets\RC4 Tool\RC4 Tool_1.7_Unpack Results\NEW_WAY_APIs_for_RC4 Tool.txt
VMProtect 1.7 - 1.8 targets\RC4 Tool\RC4 Tool_1.7_Unpack Results\RC4 Tool_Session_Infos.txt
VMProtect 1.7 - 1.8 targets\RC4 Tool\RC4 Tool_1.7_Unpack Results\RC4 Tool_1.7_Dump_IAT_INLINE.exe
VMProtect 1.7 - 1.8 targets\RC4 Tool\RC4 Tool_1.7_Unpack Results\IAT_INLINE_D60000_4000_New_VA_960000.mem
VMProtect 1.7 - 1.8 targets\anti VMP test your hide status\anti.exe
VMProtect 1.7 - 1.8 targets\anti VMP test your hide status\spec.fne
VMProtect 1.7 - 1.8 targets\anti VMP test your hide status\krnln.fnr
Unpacking VMProtect 1.7 - 1.8 Tutorial Set\Vid_01. Unpacking VMProtect 1.7 - 1.8 Debugger and system setup.htm
Unpacking VMProtect 1.7 - 1.8 Tutorial Set\Vid_02. Unpacking VMProtect 1.7 - 1.8 OEP and API analysis.htm
Unpacking VMProtect 1.7 - 1.8 Tutorial Set\Vid_03. Unpacking VMProtect 1.7 - 1.8 Unpacking VMP 1.7 target.htm
Unpacking VMProtect 1.7 - 1.8 Tutorial Set\Vid_04. Unpacking VMProtect 1.7 - 1.8 Unpacking VMP 1.8 target.htm
Unpacking VMProtect 1.7 - 1.8 Tutorial Set\Vid_05. Unpacking VMProtect 1.7 - 1.8 Test all unpacked files.htm
Unpacking VMProtect 1.7 - 1.8 Tutorial Set\Vid_01. Unpacking VMProtect 1.7 - 1.8 Debugger and system setup.swf
Unpacking VMProtect 1.7 - 1.8 Tutorial Set\Vid_02. Unpacking VMProtect 1.7 - 1.8 OEP and API analysis.swf
Unpacking VMProtect 1.7 - 1.8 Tutorial Set\Vid_03. Unpacking VMProtect 1.7 - 1.8 Unpacking VMP 1.7 target.swf
Unpacking VMProtect 1.7 - 1.8 Tutorial Set\Vid_04. Unpacking VMProtect 1.7 - 1.8 Unpacking VMP 1.8 target.swf
Unpacking VMProtect 1.7 - 1.8 Tutorial Set\Vid_05. Unpacking VMProtect 1.7 - 1.8 Test all unpacked files.swf


Do you think it is helpful in this case?
I did not mention it, though I think you noticed anyway: I am a total newbie at unpacking.