Need an Unpacking Tutorial or Inline Patched ZProtect

JJQ
Posts: 11
Joined: Fri Jun 30, 2017 8:17 am

Need an Unpacking Tutorial or Inline Patched ZProtect

Post by JJQ »

Hello all.
I am looking for Unpacking or Inline Patched Tutorials for programs protected with ZProtect.
I have tried dozens of Tutorials and Scripts released by LCF-AT but I have never succeeded.
The scripts that I use are:

• ZProtect 1.3 - 1.6 Medium Unpacker 1.0
• ZProtect Full DeCryption & InLine Patcher 1.0
• ZProtect HWID & InLine Patcher 1.0
• ZProtect HWID & InLine Patcher 1.1
• ZProtect HWID & InLine Patcher 1.3
• ZProtect HWID & InLine Patcher 1.4

Here I have also attached my target and an experimental video of my failure. Please see my video and show me where I made mistakes.
In my experimental video, I use the ZProtect HWID Script & InLine Patcher 1.4
Please give me guidance so that I can succeed in the next experiment.
Below is a link for my target and experimental videos :

https://1drv.ms/u/s!Am0UFMaEnOEId42U3n6HxB5rV5w

Thank you very much.
CodeExplorer
Posts: 178
Joined: Tue Jun 13, 2017 11:13 am

Re: Need an Unpacking Tutorial or Inline Patched ZProtect

Post by CodeExplorer »

"My Problem ZProtect.rar contains a virus
OneDrive has detected that My Problem ZProtect.rar contains a virus that could harm your computer and stopped the download."

So it can't be downloaded!
JJQ
Posts: 11
Joined: Fri Jun 30, 2017 8:17 am

Re: Need an Unpacking Tutorial or Inline Patched ZProtect

Post by JJQ »

Thank you for responding to my request.
I'm sorry CodeCracker, I fixed the link.

https://1drv.ms/u/s!Am0UFMaEnOEIeRLoRcyZsTO0F1E

Thank you very much.
CodeExplorer
Posts: 178
Joined: Tue Jun 13, 2017 11:13 am

Re: Need an Unpacking Tutorial or Inline Patched ZProtect

Post by CodeExplorer »

1. What scripts are you using in this video???
I used these two scripts myself:
ZProtect 1.3 - 1.6 MEDIUM Unpacker 1.0.txt
ZProtect Full DeCryption & InLine Patcher 1.0.txt
The result is 100% different: it doesn't ask for imports to be added.

2. The exe file is corrupted after you add imports with LordPE.
It seems to be a file integrity check (not a memory check), but I may be wrong,
so make it think that the original file is there and do the last step (step 3) with the original file:
you will load your manually unpacked exe in Olly!
Sharing your manually unpacked exe file would help!
CodeExplorer
Posts: 178
Joined: Tue Jun 13, 2017 11:13 am

Re: Need an Unpacking Tutorial or Inline Patched ZProtect

Post by CodeExplorer »

https://www.virustotal.com/gui/file/b85 ... /detection

ESET-NOD32: Win32/Ramnit.A

It is not a false positive, but an almost undetectable virus!
We have got to report the infected file to the popular antiviruses!
JJQ
Posts: 11
Joined: Fri Jun 30, 2017 8:17 am

Re: Need an Unpacking Tutorial or Inline Patched ZProtect

Post by JJQ »

Thanks.
I will show you using the recommended script.
JJQ
Posts: 11
Joined: Fri Jun 30, 2017 8:17 am

Re: Need an Unpacking Tutorial or Inline Patched ZProtect

Post by JJQ »

This is my experimental video using the script that you recommended.

https://1drv.ms/u/s!Am0UFMaEnOEIenaf6xkYoov3VBY

Thanks
CodeExplorer
Posts: 178
Joined: Tue Jun 13, 2017 11:13 am

Re: Need an Unpacking Tutorial or Inline Patched ZProtect

Post by CodeExplorer »

Just add user32.dll imports with LordPE like you did with kernel32.dll;
it doesn't matter that user32.dll is not used!

Like I said before the target exe file is infected:
https://www.virustotal.com/gui/file/b85 ... /detection

So I won't run that sheet on my computer; I already had to restore the C:\ partition from backup,
and some files from D:\ got infected, not that many. The ESET SysRescue disk did a good job of scanning and cleaning infected files!
JJQ
Posts: 11
Joined: Fri Jun 30, 2017 8:17 am

Re: Need an Unpacking Tutorial or Inline Patched ZProtect

Post by JJQ »

Well, I will give another target that I have scanned on my computer using the paid version of Kaspersky Anti Virus.
Please wait a while.
JJQ
Posts: 11
Joined: Fri Jun 30, 2017 8:17 am

Re: Need an Unpacking Tutorial or Inline Patched ZProtect

Post by JJQ »

This is another target I have scanned.

https://1drv.ms/u/s!Am0UFMaEnOEIewkKOgraVM-_JXI

Thanks
CodeExplorer
Posts: 178
Joined: Tue Jun 13, 2017 11:13 am

Re: Need an Unpacking Tutorial or Inline Patched ZProtect

Post by CodeExplorer »

It will be very great if you upload the target again, since all links are dead!

I found a way:
Step 1: load the target and run the ZProtect Full DeCryption & InLine Patcher 1.0.txt script.
The so-called "find and patch the new CRC DWORD <<<- 3 Step = LAST STEP"
is actually the first step you should do,
so click on Yes; script log:
The CRC DWORD was located at 409046 | 19565FD4

The new CRC DWORD is 19565FD4

******************************************************
The new CRC result is: 409046 | 19565FD4

So we set a hardware breakpoint on access at address 409046, since it holds the CRC value:
003B030D /E9 011A0000 JMP 003B1D13
003B1D13 /0F84 7F2C0000 JE 003B4998
003B1D19 |E9 45460000 JMP 003B6363

ECX = 83B1076A
The ECX register holds the current CRC!
The 003B1D13 should jump!

So what you should do is first make changes to the file, like adding sections and imports, then run the
ZProtect Full DeCryption & InLine Patcher 1.0.txt script
and choose YES on first question "find and patch the new CRC DWORD <<<- 3 Step = LAST STEP"

So if you post a target I will surely unpack it for you!
JJQ
Posts: 11
Joined: Fri Jun 30, 2017 8:17 am

Re: Need an Unpacking Tutorial or Inline Patched ZProtect

Post by JJQ »

CodeCracker wrote: Sun May 05, 2019 1:16 pm
It will be very great if you upload the target again, since all links are dead!

I found a way:
Step 1: load the target and run the ZProtect Full DeCryption & InLine Patcher 1.0.txt script.
The so-called "find and patch the new CRC DWORD <<<- 3 Step = LAST STEP"
is actually the first step you should do,
so click on Yes; script log:
The CRC DWORD was located at 409046 | 19565FD4

The new CRC DWORD is 19565FD4

******************************************************
The new CRC result is: 409046 | 19565FD4

So we set a hardware breakpoint on access at address 409046, since it holds the CRC value:
003B030D /E9 011A0000 JMP 003B1D13
003B1D13 /0F84 7F2C0000 JE 003B4998
003B1D19 |E9 45460000 JMP 003B6363

ECX = 83B1076A
The ECX register holds the current CRC!
The 003B1D13 should jump!

So what you should do is first make changes to the file, like adding sections and imports, then run the
ZProtect Full DeCryption & InLine Patcher 1.0.txt script
and choose YES on first question "find and patch the new CRC DWORD <<<- 3 Step = LAST STEP"

So if you post a target I will surely unpack it for you!

Thank you CodeCracker.
I'm sorry, I lost the first target stored on my Flash Disk.
I am giving a different target, but still with ZProtect v1.6.xx protection.

https://1drv.ms/u/s!Am0UFMaEnOEIgTQezdq ... o?e=p9wxfc

Password: 321

I would be very happy if you could provide guidance to me in the format of the video tutorial you made.
Thank you very much.
CodeExplorer
Posts: 178
Joined: Tue Jun 13, 2017 11:13 am

Re: Need an Unpacking Tutorial or Inline Patched ZProtect

Post by CodeExplorer »

OK. CRC Fixed:
https://www8.zippyshare.com/v/WN6PbBdq/file.html

I can't bypass the dialog yet!
7E456D7D user32.DialogBoxIndirectParamA
should return in eax "mov eax, 232C"
CodeExplorer
Posts: 178
Joined: Tue Jun 13, 2017 11:13 am

Re: Need an Unpacking Tutorial or Inline Patched ZProtect

Post by CodeExplorer »

After a long search I found this:
httpx://wwx.downturk.net/2447017-epson-adjustment-program-v107.html
Epson Adjustment Program v1.0.7

Edit:
Sorry, but my link seems to contain malware!
JJQ
Posts: 11
Joined: Fri Jun 30, 2017 8:17 am

Re: Need an Unpacking Tutorial or Inline Patched ZProtect

Post by JJQ »

CodeCracker wrote: Mon May 06, 2019 2:41 pm
After a long search I found this:
httpx://wwx.downturk.net/2447017-epson-adjustment-program-v107.html
Epson Adjustment Program v1.0.7

Thank you CodeCracker.
The software that I gave you is the "Epson Adjustment Program" for SureColor SC-P607 printers with the latest Firmware.
The link you gave me is the "Epson Adjustment Program" for L-360 printers.
Of course the Adjustment L-360 is not suitable for SureColor SC-P607 because each printer has a different adjustment.
My printer has now stopped working because it has exceeded the specified print limit and badly needs a reset.
CodeExplorer
Posts: 178
Joined: Tue Jun 13, 2017 11:13 am

Re: Need an Unpacking Tutorial or Inline Patched ZProtect

Post by CodeExplorer »

I know it is an old topic, but can someone upload the old target?
(Or post a link to similar protections???)
I protected some files with ZPROTECT myself and all works fine;
dunno why inline patching fails that bad for this protected file!
MafiaOnMove
Posts: 5
Joined: Sat Sep 02, 2017 11:59 am

Re: Need an Unpacking Tutorial or Inline Patched ZProtect

Post by MafiaOnMove »

CodeCracker wrote: Wed Oct 16, 2019 7:25 pm
I know it is an old topic, but can someone upload the old target?
(Or post a link to similar protections???)
I protected some files with ZPROTECT myself and all works fine;
dunno why inline patching fails that bad for this protected file!

Not the one asked for earlier by the thread starter...

But here it is... Packed by ZProtect...

https://www.datafilehost.com/d/6def6850

Share the unpacked one if you succeed!!
CodeExplorer
Posts: 178
Joined: Tue Jun 13, 2017 11:13 am

Re: Need an Unpacking Tutorial or Inline Patched ZProtect

Post by CodeExplorer »

@MafiaOnMove:
[!] VM Protect v1.60 - v2.05 detected !
[CompilerDetect] -> Borland Delphi (unknown version) - 40% probability

What Olly debugger did you use to debug that???
Since I can't even debug that program!
MafiaOnMove
Posts: 5
Joined: Sat Sep 02, 2017 11:59 am

Re: Need an Unpacking Tutorial or Inline Patched ZProtect

Post by MafiaOnMove »

Sorry CodeCracker for the late reply.

I didn't scan the target on my own. The person who needed it told me it was ZProtect, so I forwarded it to you. My RCE machine is damned, so I don't have any packer detector installed, nor Olly, on this Win10 laptop.

I just try to handle the targets which I can via dnSpy on this laptop. Also, I use this laptop for my banking etc., so I can't take the risk of any packed malware.

See if you can get it unpacked, or maybe some other senior can take it.
Thanks,..