It's probably Safecast protection. I've coded a Safecast unpacker, but I need more targets to test it before I release it. I have 2 targets (2.65 & 3.0), but it's not enough, so could you PM the target name/link, too?
Steps to unpack Safecast:
1. find OEP and IAT ;)
2. break on OEP
3. make a tracer to get the real api on every iat entry (imprec is not good enough), but don't overwrite the iat yet
4. search for fake api calls in the code section:
0xFF15 - CALL [xxxx]
0xFF25 - JMP [xxxx]
0xE9 - JMP xxxx
0x8bxx - mov r32,[xxxx]
and trace to get the real api
5. fix fake api calls/jmps, so they use the proper iat entry (from point 3)
6. search for redirected calls in the code section:
these calls point to code:
push ecx
push eax
call xxxx
which points to code like this:
mov eax, 6FBh
pop ecx
lea eax, [eax+ecx]
mov eax, [eax]
jmp eax
or this:
mov eax, 324Bh
pop ecx
add eax, ecx
mov eax, [eax]
jmp eax
and trace until you get back to the code section.
In this step the protection engine restores a few bytes in the redirected call instruction and after this instruction. You can hook WriteProcessMemory to see this.
7. update iat and fix header
8. dump file
9. use imprec to build the import table
10. if target works fine, be happy ;)
Last edited by ajron; 12-16-2005 at 22:50.
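Step 4 of the post lists the byte patterns of the call and jump forms a packed binary uses to reach an API. The scanner below is an added example, not ajron's tool and not part of the post: it sweeps a 32-bit x86 code section for those four forms, decodes each operand (the referenced memory slot, or the direct jump target), and then flags the sites whose operand lies outside the import table or outside the code section, which is how an analyst triaging a sample would spot redirected API calls before any tracing. The sample bytes, the section base and the IAT range are constructed for the demonstration. It goes slightly beyond the post's "0x8bxx" shorthand by decoding the ModRM byte so that only the `mov r32, [disp32]` form (mod=00, rm=101) matches; the linear sweep is a heuristic and can misfire on immediate data that happens to look like an opcode.

```python
"""Static scan of a 32-bit x86 code section for API-call forms.

Added example (not from the original post). Addresses, the IAT range and
the code bytes below are constructed for demonstration.
"""
import struct

REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def scan_code_section(code: bytes, base_va: int):
    """Return a list of (va, kind, operand, reg) tuples.

    kind is one of:
      call_mem  FF 15 disp32   call [disp32]
      jmp_mem   FF 25 disp32   jmp  [disp32]
      jmp_rel   E9 rel32       jmp  rel32 (operand = absolute target)
      mov_mem   8B /r disp32   mov  r32, [disp32] (reg = destination)
    operand is the absolute address referenced; reg is None except for mov.
    Linear sweep: unmatched bytes advance by one, so this is a heuristic.
    """
    hits = []
    i, n = 0, len(code)
    while i < n:
        b = code[i]
        if b == 0xFF and i + 6 <= n and code[i + 1] in (0x15, 0x25):
            slot = struct.unpack_from("<I", code, i + 2)[0]
            kind = "call_mem" if code[i + 1] == 0x15 else "jmp_mem"
            hits.append((base_va + i, kind, slot, None))
            i += 6
        elif b == 0xE9 and i + 5 <= n:
            rel = struct.unpack_from("<i", code, i + 1)[0]
            # rel32 is relative to the address of the next instruction
            target = (base_va + i + 5 + rel) & 0xFFFFFFFF
            hits.append((base_va + i, "jmp_rel", target, None))
            i += 5
        elif b == 0x8B and i + 6 <= n and (code[i + 1] & 0xC7) == 0x05:
            # ModRM mod=00 rm=101 means a pure disp32 memory operand
            reg = REGS[(code[i + 1] >> 3) & 7]
            slot = struct.unpack_from("<I", code, i + 2)[0]
            hits.append((base_va + i, "mov_mem", slot, reg))
            i += 6
        else:
            i += 1
    return hits


def suspicious(hits, iat_range, code_range):
    """Keep hits that do not go through the IAT.

    Memory-indirect forms are expected to read a slot inside the IAT;
    a direct jmp is expected to stay inside the code section. Anything
    else is a candidate redirected/fake API call worth tracing.
    """
    iat_lo, iat_hi = iat_range
    code_lo, code_hi = code_range
    out = []
    for va, kind, operand, reg in hits:
        if kind == "jmp_rel":
            if not (code_lo <= operand < code_hi):
                out.append((va, kind, operand, reg))
        elif not (iat_lo <= operand < iat_hi):
            out.append((va, kind, operand, reg))
    return out


# Constructed code section at 0x401000 (assumed layout, not a real binary):
#   call [0x402000]          - slot inside the assumed IAT
#   jmp  0x403000            - direct jump out of the code section
#   mov  ecx, [0x402004]     - slot inside the assumed IAT
#   jmp  [0x403000]          - slot outside the IAT
#   nop ; mov eax, eax       - filler that must not match
SAMPLE_CODE = bytes.fromhex(
    "FF15 00204000"
    "E9 F51F0000"
    "8B0D 04204000"
    "FF25 00304000"
    "90 8BC0"
)
SAMPLE_BASE = 0x401000
SAMPLE_IAT = (0x402000, 0x402100)
SAMPLE_CODE_RANGE = (0x401000, 0x402000)

if __name__ == "__main__":
    found = scan_code_section(SAMPLE_CODE, SAMPLE_BASE)
    for va, kind, operand, reg in found:
        print(f"{va:08X} {kind:8s} -> {operand:08X} {reg or ''}")
    print("not via IAT:")
    for va, kind, operand, _ in suspicious(found, SAMPLE_IAT, SAMPLE_CODE_RANGE):
        print(f"  {va:08X} {kind} -> {operand:08X}")
```

Run it as a script to see the four decoded sites and the two that bypass the import table; feed it a real section's bytes and base address, plus the IAT bounds from the PE header, to get the list of call sites the post says need tracing in step 4.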