#1
ACProtector
Is there a way to unpack this? (e.g. a generic unpacker?)
How difficult is it? What about programs like ProcDump, can they dump this?
#2
ACProtect
Of course it is, and it has been done several times - manually.
About difficulty: it's medium-hard. In theory it's very similar to AsProtect. About dumping: you can dump it yourself, but then you need to rebuild the import table (manually) and the jumps to perplex. Good luck, dyn!o
#3
Hi,
A newbie question: is there any good tut around for doing such a thing manually? I dug around but with no luck. TIA
__________________
Ŝħůb-Ňìĝùŕřaŧħ ₪) There are only 10 types of people in the world: Those who understand binary, and those who don't http://www.accessroot.com
#4
waste of time
Unpacking is a bit of a pointless exercise: all the apps I've seen protected with it are function-limited and you are not going to enable them (well, I don't know of anyone who has succeeded), so you might just as well stick with EVACleaner. If you are set on unpacking, lownoise released a plugin (search the forum) for OllyDbg that may be of help.
#5
If they're function-limited they most likely use encrypted sections, in which case you're right, there's nothing you can do about that without a real key on hand. The only app I use that's ACProtected is UltraFXP, and DiGERATi did a very good job on the loader for it; it functions great.
#6
The anti-debug trick of ACProtect is INT3/INT1 etc., easy to bypass.
The Import-Table-Destroy scheme of ACProtect is just like TELock, so we can recover the IT/IAT without ReVirgin/ImpREC. The stolen bytes of ACProtect need patience to recover. As MrAnonymous said, code-snippet encryption needs a real key to decrypt, and there may be too many snippets encrypted. Crazy.
__________________
AKA Solomon/blowfish.
#7
The stolen bytes for ACProtect prior to 1.20 are easy to find: trace after the INT3, and when you stop at the code section look in the trace for ebp==esp. You will find the stolen bytes there, and the address of your OEP is shown in the trace as the eax value. But 1.20 and up is different.
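To make the heuristic in the post above concrete, here is an added example (not the poster's tool and not ACProtect's code): a small Python script that scans a run-trace log for the first instruction after the INT3 that executes inside the target's code section with EBP == ESP, and reports EAX at that point as the OEP candidate. EBP == ESP is the register state right after a standard PUSH EBP / MOV EBP,ESP prologue has run, which is why it marks the end of the stolen bytes. The trace line format, the .text range (CODE_START/CODE_END) and the trace lines themselves are constructed for the demo; a real OllyDbg run-trace log has a different layout, so TRACE_RE would need adjusting for it.

```python
"""Find the OEP candidate in a run trace of an ACProtect (<1.20) target using
the heuristic from the post: after the INT3, the first traced instruction that
runs inside the code section with EBP == ESP is the landing point, and EAX at
that moment holds the original entry point (OEP).

Added example, not the poster's tool. The trace format, the section range and
the trace lines are all constructed for the demo.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed simplified trace line format (not OllyDbg's exact run-trace layout):
#   <EIP> EAX=<hex> EBP=<hex> ESP=<hex> <disassembly>
# Register values are taken as the state BEFORE the instruction executes.
TRACE_RE = re.compile(
    r"^(?P<eip>[0-9A-Fa-f]{8})\s+EAX=(?P<eax>[0-9A-Fa-f]{8})\s+"
    r"EBP=(?P<ebp>[0-9A-Fa-f]{8})\s+ESP=(?P<esp>[0-9A-Fa-f]{8})\s+(?P<asm>\S.*)$"
)

# Constructed .text range of the protected target.
CODE_START = 0x00401000
CODE_END = 0x00402000


@dataclass
class TraceEntry:
    eip: int
    eax: int
    ebp: int
    esp: int
    asm: str


def parse_trace(text: str) -> List[TraceEntry]:
    """Parse trace lines; header and blank lines that do not match are skipped."""
    entries = []
    for raw in text.splitlines():
        m = TRACE_RE.match(raw.strip())
        if not m:
            continue
        entries.append(TraceEntry(
            int(m["eip"], 16), int(m["eax"], 16),
            int(m["ebp"], 16), int(m["esp"], 16), m["asm"].strip()))
    return entries


def find_oep_candidate(entries: List[TraceEntry], code_start: int,
                       code_end: int) -> Optional[Tuple[int, int, int]]:
    """Return (oep, hit_index, int3_index), or None if the heuristic never fires.

    Entries before the INT3 are ignored, so an earlier excursion into the code
    section (the protector calling something there) cannot produce a false hit.
    """
    int3_index = None
    for i, e in enumerate(entries):
        if int3_index is None:
            if e.asm.upper().replace(" ", "").startswith("INT3"):
                int3_index = i
            continue
        if code_start <= e.eip < code_end and e.ebp == e.esp:
            return e.eax, i, int3_index
    return None


def executed_between(entries: List[TraceEntry], start_index: int,
                     end_index: int) -> List[str]:
    """Disassembly executed strictly between two trace indices. The stolen
    prologue is in here, mixed with the protector's own bookkeeping."""
    return [e.asm for e in entries[start_index + 1:end_index]]


# Constructed trace: protector stub at 0x0050xxxx, target code at 0x0040xxxx.
# The RETN at 00401500 is a decoy hit in the code section BEFORE the INT3 and
# must be ignored. The stolen "PUSH EBP / MOV EBP,ESP" run inside the stub,
# then a JMP lands at OEP+6 with EAX still holding the OEP (0x00401234).
SAMPLE_TRACE = """\
EIP      EAX          EBP          ESP          Command
00502010 EAX=00000000 EBP=0012FFF0 ESP=0012FFC4 CALL 00401500
00401500 EAX=00000000 EBP=0012FFC0 ESP=0012FFC0 RETN
00502015 EAX=00000000 EBP=0012FFF0 ESP=0012FFC4 INT3
00502040 EAX=00000000 EBP=0012FFF0 ESP=0012FFC4 MOV EAX,00401234
00502045 EAX=00401234 EBP=0012FFF0 ESP=0012FFC4 PUSH EBP
00502046 EAX=00401234 EBP=0012FFF0 ESP=0012FFC0 MOV EBP,ESP
00502048 EAX=00401234 EBP=0012FFC0 ESP=0012FFC0 JMP 0040123A
0040123A EAX=00401234 EBP=0012FFC0 ESP=0012FFC0 SUB ESP,44
0040123D EAX=00401234 EBP=0012FFC0 ESP=0012FF7C PUSH EBX
"""


if __name__ == "__main__":
    trace = parse_trace(SAMPLE_TRACE)
    hit = find_oep_candidate(trace, CODE_START, CODE_END)
    if hit is None:
        print("heuristic did not fire")
    else:
        oep, hit_index, int3_index = hit
        print(f"OEP candidate: {oep:08X} (landed at {trace[hit_index].eip:08X})")
        print("executed between INT3 and landing:")
        for asm in executed_between(trace, int3_index, hit_index):
            print("   ", asm)
```

On the constructed trace this reports 00401234 as the OEP and lists MOV EAX / PUSH EBP / MOV EBP,ESP / JMP as what ran between the INT3 and the landing at 0040123A, which is where you would read off the stolen prologue by hand. The JMP at 00502048 also has EBP == ESP but is outside the code range, so it is correctly skipped.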
#8
The strange thing is that this protector seems not to have attracted attention; none of the tools around support un-ACProtecting. Or am I wrong?
__________________
Ŝħůb-Ňìĝùŕřaŧħ ₪) There are only 10 types of people in the world: Those who understand binary, and those who don't http://www.accessroot.com
#9
I think this is due to few programs being protected with it.