Now it's time to release my newest RLPack unpack script, as I promised in the past. I also made a movie where you can see exactly how to use my script; in this movie I unpacked four different RLPack targets with different enabled protection features. The new script is again a long script and it should work for all RLPack targets. The script supports everything that is important to get your file unpacked. Just in some cases, if an advanced IAT redirection is used, you need to use the UIF tool.
Script Features:
*****************************************************
( 1.) Anti Debug Patching: YES
( 2.) DRx Register Patching: NO
( 3.) VM Code Translate & Rebuild: YES
( 4.) Prevent IAT Redirection / x 2: YES
( 5.) Prevent Invalid PE Reading: YES
( 6.) Stolen OEP Bytes Translator: YES
( 7.) Using of UIF Tool for some targets: YES
( 8.) TLS Fast Info & Fix: YES
( 9.) Creating Of An Extra File With The Complete Stolen OEP Bytes For a Fast Insert At The OEP & Info Log: YES
( 10.) RLPack Version Scanner: YES
(Info) Use MUltimate Assembler Plugin By RaMMicHaeL For A Fast Stolen OEP Byte Insert!
*****************************************************
Now the VM code will be fixed with a direct patch, so this will save a lot of time. I also added a VM'ed OEP bytes translator which will translate all stolen bytes. You can see these bytes in the log window of Olly and also in the created "OEP_REBUILD_BYTES_FOR....txt". There you will see all commands which you just need to insert at the OEP. For this you should use the MUltimate Assembler Plugin by RaMMicHaeL.
So if you find any RLPack target where you get problems unpacking it with my script, then you can tell me to create an update if necessary. That's all for the moment. Just watch the movie and then try it by yourself, and also use this topic if you have any problem etc. before you send me a PM.
greetz
EDIT: I fixed a small [GMA PROCESSNAME] bug in the new 1.1 script.
FAST_CHECK_TEST: Try this if you have problems to use the script successfully-
-Use a fresh unmodded OllyDbg.exe + script plugin 1.7 [or higher] [just one plugin for the test now]
-Now you can successfully unpack ALL UnpackMe's from my movie except the UM++ <-- for this you need to enable the !*Kill BadPE Bug in StrongOD, for example, so that you can also load it in Olly, and then you can also use the unpack script. If you can unpack the UnpackMe5 or UM++ successfully with these settings then all is fine, and if not then you can have a problem with your system / settings! Bad hooks / drivers or something which you need to fix.
EDIT_2: Again I updated the script to version 1.2 / I added more checks and messages. I also fixed one BIG [CheckRemoteDebuggerPresent] bug which I have not seen before so I just use normally winXP without SP.....so the new 1.2 version should now also work for all. I also packed some new exe files and dlls which you can also try to unpack.