
Need an Unpacking Tutorial or Inline Patched ZProtect

Posted: Thu Mar 28, 2019 1:32 am
by JJQ
Hello all.
I am looking for Unpacking or Inline Patched Tutorials for programs protected with ZProtect.
I have tried dozens of Tutorials and Scripts released by LCF-AT but I have never succeeded.
The script that I use is:

• ZProtect 1.3 - 1.6 Medium Unpacker 1.0
• ZProtect Full DeCryption & InLine Patcher 1.0
• ZProtect HWID & InLine Patcher 1.0
• ZProtect HWID & InLine Patcher 1.1
• ZProtect HWID & InLine Patcher 1.3
• ZProtect HWID & InLine Patcher 1.4

Here I also attached my target and experimental video to my failure. Please see my video and show me where the mistakes I made.
In my experimental video, I use the ZProtect HWID Script & InLine Patcher 1.4
Please give me guidance so that I can succeed in the next experiment.
Below is a link for my target and experimental videos :

https://1drv.ms/u/s!Am0UFMaEnOEId42U3n6HxB5rV5w

Thank you very much.

Re: Need an Unpacking Tutorial or Inline Patched ZProtect

Posted: Thu Mar 28, 2019 12:57 pm
by CodeExplorer
"My Problem ZProtect.rar contains a virus
OneDrive has detected that My Problem ZProtect.rar contains a virus that could harm your computer and stopped the download."

So can't be downloaded!

Re: Need an Unpacking Tutorial or Inline Patched ZProtect

Posted: Thu Mar 28, 2019 1:42 pm
by JJQ
Thank you for responding to my request.
I'm sorry CodeCracker, I fixed the link.

https://1drv.ms/u/s!Am0UFMaEnOEIeRLoRcyZsTO0F1E

Thank you very much.

Re: Need an Unpacking Tutorial or Inline Patched ZProtect

Posted: Thu Mar 28, 2019 6:34 pm
by CodeExplorer
1. What scripts are you using in this video???
Used myself these two scripts:
ZProtect 1.3 - 1.6 MEDIUM Unpacker 1.0.txt
ZProtect Full DeCryption & InLine Patcher 1.0.txt
The result is 100% different: doesn't ask for imports to be added.

2. The exe file is corrupted after you add imports with LordPE,
It seems to be file integrity check (not memory check) but I may be wrong,
so make him think that original file is there and make the last step (step 3) with original file:
you will load on Olly your manual unpacked exe!
Sharing your manual unpacked exe file would help!

Re: Need an Unpacking Tutorial or Inline Patched ZProtect

Posted: Thu Mar 28, 2019 7:37 pm
by CodeExplorer
https://www.virustotal.com/gui/file/b85 ... /detection

ESET-NOD32
Win32/Ramnit.A

It is not false positive, but an almost undetectable virus!
We got to report infected file to popular antivirus!

Re: Need an Unpacking Tutorial or Inline Patched ZProtect

Posted: Fri Mar 29, 2019 12:59 am
by JJQ
Thanks.
I will show you using the recommended script.

Re: Need an Unpacking Tutorial or Inline Patched ZProtect

Posted: Fri Mar 29, 2019 5:10 am
by JJQ
This is my experimental video using the script that you recommended.

https://1drv.ms/u/s!Am0UFMaEnOEIenaf6xkYoov3VBY

Thanks

Re: Need an Unpacking Tutorial or Inline Patched ZProtect

Posted: Fri Mar 29, 2019 11:36 am
by CodeExplorer
Just add user32.dll imports with LordPE like you did with kernel32.dll
it doesn't matter that user32.dll is not used!

Like I said before the target exe file is infected:
https://www.virustotal.com/gui/file/b85 ... /detection

So I won't run that sheet in my computer, I already had to restore C:\ partition from backup,
some files from D:\ got infected, not that many, ESET SysRescue disk did a good job for scanning and cleaning infected files!

Re: Need an Unpacking Tutorial or Inline Patched ZProtect

Posted: Fri Mar 29, 2019 11:45 am
by JJQ
Well, I will give another target that I have scanned on my computer using the paid version of Kaspersky Anti Virus.
Please wait a while.

Re: Need an Unpacking Tutorial or Inline Patched ZProtect

Posted: Fri Mar 29, 2019 11:52 am
by JJQ
This is another target I have scanned.

https://1drv.ms/u/s!Am0UFMaEnOEIewkKOgraVM-_JXI

Thanks

Re: Need an Unpacking Tutorial or Inline Patched ZProtect

Posted: Sun May 05, 2019 1:16 pm
by CodeExplorer
Will be very great if you upload the target again! Since all links are dead!

I found a way:
Step 1 load the target and run the ZProtect Full DeCryption & InLine Patcher 1.0.txt script
The so called find and patch the new CRC DWORD <<<- 3 Step = LAST STEP
is actually the first step you should do:
so Click on Yes; script log:
The CRC DWORD was located at 409046 | 19565FD4

The new CRC DWORD is 19565FD4

******************************************************
The new CRC result is: 409046 | 19565FD4

So we set hardware breakpoint on access to 409046 address since it holds the CRC value:
003B030D /E9 011A0000 JMP 003B1D13
003B1D13 /0F84 7F2C0000 JE 003B4998
003B1D19 |E9 45460000 JMP 003B6363

ECX = 83B1076A
ECX register holds current CRC!
The 003B1D13 should jump!

So what you should do is first make changes to file like add sections and imports then run the
ZProtect Full DeCryption & InLine Patcher 1.0.txt script
and choose YES on first question "find and patch the new CRC DWORD <<<- 3 Step = LAST STEP"

So if you will post a target I will surely unpack it for you!

Re: Need an Unpacking Tutorial or Inline Patched ZProtect

Posted: Sun May 05, 2019 10:14 pm
by JJQ
CodeCracker wrote: Sun May 05, 2019 1:16 pm Will be very great if you upload the target again! Since all links are dead!

I found a way:
Step 1 load the target and run the ZProtect Full DeCryption & InLine Patcher 1.0.txt script
The so called find and patch the new CRC DWORD <<<- 3 Step = LAST STEP
is actually the first step you should do:
so Click on Yes; script log:
The CRC DWORD was located at 409046 | 19565FD4

The new CRC DWORD is 19565FD4

******************************************************
The new CRC result is: 409046 | 19565FD4

So we set hardware breakpoint on access to 409046 address since it holds the CRC value:
003B030D /E9 011A0000 JMP 003B1D13
003B1D13 /0F84 7F2C0000 JE 003B4998
003B1D19 |E9 45460000 JMP 003B6363

ECX = 83B1076A
ECX register holds current CRC!
The 003B1D13 should jump!

So what you should do is first make changes to file like add sections and imports then run the
ZProtect Full DeCryption & InLine Patcher 1.0.txt script
and choose YES on first question "find and patch the new CRC DWORD <<<- 3 Step = LAST STEP"

So if you will post a target I will surely unpack it for you!

Thank you CodeCracker.
I'm sorry, I lost the first target stored in my Flash Disk.
I give a different target but still in ZProtect v1.6.xx protection.

https://1drv.ms/u/s!Am0UFMaEnOEIgTQezdq ... o?e=p9wxfc

Password: 321

I would be very happy if you could provide guidance to me in the format of the video tutorial you made.
Thank you very much.

Re: Need an Unpacking Tutorial or Inline Patched ZProtect

Posted: Mon May 06, 2019 8:25 am
by CodeExplorer
OK. CRC Fixed:
https://www8.zippyshare.com/v/WN6PbBdq/file.html

I can't bypass the dialog yet!
7E456D7D user32.DialogBoxIndirectParamA
should return in eax "mov eax, 232C"

Re: Need an Unpacking Tutorial or Inline Patched ZProtect

Posted: Mon May 06, 2019 2:41 pm
by CodeExplorer
After a long search I found this:
httpx://wwx.downturk.net/2447017-epson-adjustment-program-v107.html
Epson Adjustment Program v1.0.7

Edit:
Sorry but my link seems to contain malware!

Re: Need an Unpacking Tutorial or Inline Patched ZProtect

Posted: Mon May 06, 2019 5:14 pm
by JJQ
CodeCracker wrote: Mon May 06, 2019 2:41 pm After a long search I found this:
httpx://wwx.downturk.net/2447017-epson-adjustment-program-v107.html
Epson Adjustment Program v1.0.7

Thank you CodeCracker.
The software that I gave you is the "Epson Adjustment Program" for SureColor SC-P607 printers with the latest Firmware.
The link you gave me is the "Epson Adjustment Program" for L-360 printers.
Of course the Adjustment L-360 is not suitable for SureColor SC-P607 because each printer has a different adjustment.
My printer has now stopped working because it has exceeded the specified print limit and badly needs a reset.

Re: Need an Unpacking Tutorial or Inline Patched ZProtect

Posted: Wed Oct 16, 2019 7:25 pm
by CodeExplorer
I know it is an old topic but can someone upload the old target?
(Or post link to similar protections???)
Protected some files with ZPROTECT myself and all works fine;
dunno why inline patching fails that bad for this protected file!

Re: Need an Unpacking Tutorial or Inline Patched ZProtect

Posted: Thu Oct 17, 2019 1:56 pm
by MafiaOnMove
CodeCracker wrote: Wed Oct 16, 2019 7:25 pm I know it is an old topic but can someone upload the old target?
(Or post link to similar protections???)
Protected some files with ZPROTECT myself and all works fine;
dunno why inline patching fails that bad for this protected file!

Not the one asked earlier by thread starter ,..

But here it is ,.. Packed by ZProtect....

https://www.datafilehost.com/d/6def6850

Share unpacked one if u succeed ,..!!

Re: Need an Unpacking Tutorial or Inline Patched ZProtect

Posted: Thu Oct 17, 2019 5:36 pm
by CodeExplorer
@MafiaOnMove:
[!] VM Protect v1.60 - v2.05 detected !
[CompilerDetect] -> Borland Delphi (unknown version) - 40% probability

What Olly debugger you used to debug that???
Since I can't even debug that program!

Re: Need an Unpacking Tutorial or Inline Patched ZProtect

Posted: Sat Oct 19, 2019 5:06 am
by MafiaOnMove
Sorry CodeCracker for late reply..

I didn't scan the target on my own. The person who needed it told me it was Zprotect. So i forwarded it to u. My RCE machine is damned so i dont have any packer detector installed neither olly on my this win10 laptop.

I just try to handle targets which i can via DnSpy in this laptop. Also this laptop i use for my banking etc, cant take risk of any packed malware.

See if u can get it unpacked. or may be some other senior can take it.
Thanks,..