Need an Unpacking Tutorial or Inline Patched ZProtect
Hello all.
I am looking for Unpacking or Inline Patched Tutorials for programs protected with ZProtect.
I have tried dozens of Tutorials and Scripts released by LCF-AT but I have never succeeded.
The scripts that I use are:
• ZProtect 1.3 - 1.6 Medium Unpacker 1.0
• ZProtect Full DeCryption & InLine Patcher 1.0
• ZProtect HWID & InLine Patcher 1.0
• ZProtect HWID & InLine Patcher 1.1
• ZProtect HWID & InLine Patcher 1.3
• ZProtect HWID & InLine Patcher 1.4
Here I have also attached my target and an experimental video of my failure. Please see my video and show me where I made mistakes.
In my experimental video, I use the ZProtect HWID Script & InLine Patcher 1.4
Please give me guidance so that I can succeed in the next experiment.
Below is a link for my target and experimental videos:
https://1drv.ms/u/s!Am0UFMaEnOEId42U3n6HxB5rV5w
Thank you very much.
-
- Posts: 178
- Joined: Tue Jun 13, 2017 11:13 am
Re: Need an Unpacking Tutorial or Inline Patched ZProtect
"My Problem ZProtect.rar contains a virus
OneDrive has detected that My Problem ZProtect.rar contains a virus that could harm your computer and stopped the download."
So can't be downloaded!
Re: Need an Unpacking Tutorial or Inline Patched ZProtect
Thank you for responding to my request.
I'm sorry CodeCracker, I fixed the link.
https://1drv.ms/u/s!Am0UFMaEnOEIeRLoRcyZsTO0F1E
Thank you very much.
-
- Posts: 178
- Joined: Tue Jun 13, 2017 11:13 am
Re: Need an Unpacking Tutorial or Inline Patched ZProtect
1. What scripts are you using in this video???
Used myself these two scripts:
ZProtect 1.3 - 1.6 MEDIUM Unpacker 1.0.txt
ZProtect Full DeCryption & InLine Patcher 1.0.txt
The result is 100% different: doesn't ask for imports to be added.
2. The exe file is corrupted after you add imports with LordPE,
It seems to be file integrity check (not memory check) but I may be wrong,
so make him think that original file is there and make the last step (step 3) with original file:
you will load on Olly your manual unpacked exe!
Sharing your manual unpacked exe file would help!
-
- Posts: 178
- Joined: Tue Jun 13, 2017 11:13 am
Re: Need an Unpacking Tutorial or Inline Patched ZProtect
https://www.virustotal.com/gui/file/b85 ... /detection
ESET-NOD32
Win32/Ramnit.A
It is not false positive, but an almost undetectable virus!
We got to report infected file to popular antivirus!
Re: Need an Unpacking Tutorial or Inline Patched ZProtect
Thanks.
I will show you using the recommended script.
Re: Need an Unpacking Tutorial or Inline Patched ZProtect
This is my experimental video using the script that you recommended.
https://1drv.ms/u/s!Am0UFMaEnOEIenaf6xkYoov3VBY
Thanks
-
- Posts: 178
- Joined: Tue Jun 13, 2017 11:13 am
Re: Need an Unpacking Tutorial or Inline Patched ZProtect
Just add user32.dll imports with LordPE like you did with kernel32.dll
it doesn't matter that user32.dll is not used!
Like I said before the target exe file is infected:
https://www.virustotal.com/gui/file/b85 ... /detection
So I won't run that sheet in my computer, I already had to restore C:\ partition from backup,
some files from D:\ got infected, not that many, ESET SysRescue disk did a good job for scanning and cleaning infected files!
Re: Need an Unpacking Tutorial or Inline Patched ZProtect
Well, I will give another target that I have scanned on my computer using the paid version of Kaspersky Anti Virus.
Please wait a while.
-
- Posts: 178
- Joined: Tue Jun 13, 2017 11:13 am
Re: Need an Unpacking Tutorial or Inline Patched ZProtect
Will be very great if you upload the target again! Since all links are dead!
I found a way:
Step 1 load the target and run the ZProtect Full DeCryption & InLine Patcher 1.0.txt script
The so called find and patch the new CRC DWORD <<<- 3 Step = LAST STEP
is actually the first step you should do:
so Click on Yes; script log:
The CRC DWORD was located at 409046 | 19565FD4
The new CRC DWORD is 19565FD4
******************************************************
The new CRC result is: 409046 | 19565FD4
So we set a hardware breakpoint on access to address 409046 since it holds the CRC value:
003B030D /E9 011A0000 JMP 003B1D13
003B1D13 /0F84 7F2C0000 JE 003B4998
003B1D19 |E9 45460000 JMP 003B6363
ECX = 83B1076A
ECX register holds the current CRC!
The 003B1D13 should jump!
So what you should do is first make changes to the file, like adding sections and imports, then run the
ZProtect Full DeCryption & InLine Patcher 1.0.txt script
and choose YES on first question "find and patch the new CRC DWORD <<<- 3 Step = LAST STEP"
So if you will post a target I will surely unpack it for you!
Re: Need an Unpacking Tutorial or Inline Patched ZProtect
Thank you CodeCracker.
CodeCracker wrote: ↑Sun May 05, 2019 1:16 pm
Will be very great if you upload the target again! Since all links are dead!
I found a way:
Step 1 load the target and run the ZProtect Full DeCryption & InLine Patcher 1.0.txt script
The so called find and patch the new CRC DWORD <<<- 3 Step = LAST STEP
is actually the first step you should do:
so Click on Yes; script log:
The CRC DWORD was located at 409046 | 19565FD4
The new CRC DWORD is 19565FD4
******************************************************
The new CRC result is: 409046 | 19565FD4
So we set a hardware breakpoint on access to address 409046 since it holds the CRC value:
003B030D /E9 011A0000 JMP 003B1D13
003B1D13 /0F84 7F2C0000 JE 003B4998
003B1D19 |E9 45460000 JMP 003B6363
ECX = 83B1076A
ECX register holds the current CRC!
The 003B1D13 should jump!
So what you should do is first make changes to the file, like adding sections and imports, then run the
ZProtect Full DeCryption & InLine Patcher 1.0.txt script
and choose YES on first question "find and patch the new CRC DWORD <<<- 3 Step = LAST STEP"
So if you will post a target I will surely unpack it for you!
I'm sorry, I lost the first target stored in my Flash Disk.
I give a different target but still in ZProtect v1.6.xx protection.
https://1drv.ms/u/s!Am0UFMaEnOEIgTQezdq ... o?e=p9wxfc
Password: 321
I would be very happy if you could provide guidance to me in the format of the video tutorial you made.
Thank you very much.
-
- Posts: 178
- Joined: Tue Jun 13, 2017 11:13 am
Re: Need an Unpacking Tutorial or Inline Patched ZProtect
OK. CRC Fixed:
https://www8.zippyshare.com/v/WN6PbBdq/file.html
I can't bypass the dialog yet!
7E456D7D user32.DialogBoxIndirectParamA
should return in eax "mov eax, 232C"
-
- Posts: 178
- Joined: Tue Jun 13, 2017 11:13 am
Re: Need an Unpacking Tutorial or Inline Patched ZProtect
After a long search I found this:
httpx://wwx.downturk.net/2447017-epson-adjustment-program-v107.html
Epson Adjustment Program v1.0.7
Edit:
Sorry but my link seems to contain malware!
Re: Need an Unpacking Tutorial or Inline Patched ZProtect
Thank you CodeCracker.
CodeCracker wrote: ↑Mon May 06, 2019 2:41 pm
After a long search I found this:
httpx://wwx.downturk.net/2447017-epson-adjustment-program-v107.html
Epson Adjustment Program v1.0.7
The software that I gave you is the "Epson Adjustment Program" for SureColor SC-P607 printers with the latest Firmware.
The link you gave me is the "Epson Adjustment Program" for L-360 printers.
Of course the Adjustment L-360 is not suitable for SureColor SC-P607 because each printer has a different adjustment.
My printer has now stopped working because it has exceeded the specified print limit and badly needs a reset.
-
- Posts: 178
- Joined: Tue Jun 13, 2017 11:13 am
Re: Need an Unpacking Tutorial or Inline Patched ZProtect
I know it is an old topic but can someone upload the old target?
(Or post link to similar protections???)
Protected some files with ZPROTECT myself and all works fine;
dunno why inline patching fails that bad for this protected file!
-
- Posts: 5
- Joined: Sat Sep 02, 2017 11:59 am
Re: Need an Unpacking Tutorial or Inline Patched ZProtect
Not the one asked earlier by thread starter ,..
CodeCracker wrote: ↑Wed Oct 16, 2019 7:25 pm
I know it is an old topic but can someone upload the old target?
(Or post link to similar protections???)
Protected some files with ZPROTECT myself and all works fine;
dunno why inline patching fails that bad for this protected file!
But here it is ,.. Packed by ZProtect....
https://www.datafilehost.com/d/6def6850
Share unpacked one if u succeed ,..!!
-
- Posts: 178
- Joined: Tue Jun 13, 2017 11:13 am
Re: Need an Unpacking Tutorial or Inline Patched ZProtect
@MafiaOnMove:
[!] VM Protect v1.60 - v2.05 detected !
[CompilerDetect] -> Borland Delphi (unknown version) - 40% probability
What Olly debugger you used to debug that???
Since I can't even debug that program!
-
- Posts: 5
- Joined: Sat Sep 02, 2017 11:59 am
Re: Need an Unpacking Tutorial or Inline Patched ZProtect
Sorry CodeCracker for late reply..
I didn't scan the target on my own. The person who needed it told me it was ZProtect. So I forwarded it to u. My RCE machine is damned so I don't have any packer detector installed, nor Olly, on this Win10 laptop.
I just try to handle targets which I can via DnSpy on this laptop. Also, I use this laptop for my banking etc., can't take the risk of any packed malware.
See if u can get it unpacked. or may be some other senior can take it.
Thanks,..