Need an Unpacking Tutorial or Inline Patched ZProtect

JJQ
Posts: 8
Joined: Fri Jun 30, 2017 8:17 am

Need an Unpacking Tutorial or Inline Patched ZProtect

Post by JJQ » Thu Mar 28, 2019 1:32 am

Hello all.
I am looking for unpacking or inline-patching tutorials for programs protected with ZProtect.
I have tried dozens of tutorials and scripts released by LCF-AT but I have never succeeded.
The scripts that I use are:

• ZProtect 1.3 - 1.6 Medium Unpacker 1.0
• ZProtect Full DeCryption & InLine Patcher 1.0
• ZProtect HWID & InLine Patcher 1.0
• ZProtect HWID & InLine Patcher 1.1
• ZProtect HWID & InLine Patcher 1.3
• ZProtect HWID & InLine Patcher 1.4

I have also attached my target and a video of my failed attempt. Please watch my video and show me where I made mistakes.
In my experimental video, I use the ZProtect HWID Script & InLine Patcher 1.4.
Please give me guidance so that I can succeed in the next experiment.
Below is a link to my target and experimental videos:

https://1drv.ms/u/s!Am0UFMaEnOEId42U3n6HxB5rV5w

Thank you very much.

CodeCracker
Posts: 121
Joined: Tue Jun 13, 2017 11:13 am

Re: Need an Unpacking Tutorial or Inline Patched ZProtect

Post by CodeCracker » Thu Mar 28, 2019 12:57 pm

"My Problem ZProtect.rar contains a virus
OneDrive has detected that My Problem ZProtect.rar contains a virus that could harm your computer and stopped the download."

So can't be downloaded!

JJQ
Posts: 8
Joined: Fri Jun 30, 2017 8:17 am

Re: Need an Unpacking Tutorial or Inline Patched ZProtect

Post by JJQ » Thu Mar 28, 2019 1:42 pm

Thank you for responding to my request.
I'm sorry CodeCracker, I fixed the link.

https://1drv.ms/u/s!Am0UFMaEnOEIeRLoRcyZsTO0F1E

Thank you very much.

CodeCracker
Posts: 121
Joined: Tue Jun 13, 2017 11:13 am

Re: Need an Unpacking Tutorial or Inline Patched ZProtect

Post by CodeCracker » Thu Mar 28, 2019 6:34 pm

1. What scripts are you using in this video???
I used these two scripts myself:
ZProtect 1.3 - 1.6 MEDIUM Unpacker 1.0.txt
ZProtect Full DeCryption & InLine Patcher 1.0.txt
The result is 100% different: doesn't ask for imports to be added.

2. The exe file is corrupted after you add imports with LordPE.
It seems to be a file integrity check (not a memory check) but I may be wrong,
so make it think that the original file is there and do the last step (step 3) with the original file:
you will load your manually unpacked exe in Olly!
Sharing your manually unpacked exe file would help!

CodeCracker
Posts: 121
Joined: Tue Jun 13, 2017 11:13 am

Re: Need an Unpacking Tutorial or Inline Patched ZProtect

Post by CodeCracker » Thu Mar 28, 2019 7:37 pm

https://www.virustotal.com/gui/file/b85 ... /detection

ESET-NOD32
Win32/Ramnit.A

It is not a false positive, but an almost undetectable virus!
We've got to report the infected file to popular antivirus!

JJQ
Posts: 8
Joined: Fri Jun 30, 2017 8:17 am

Re: Need an Unpacking Tutorial or Inline Patched ZProtect

Post by JJQ » Fri Mar 29, 2019 12:59 am

Thanks.
I will show you using the recommended script.

JJQ
Posts: 8
Joined: Fri Jun 30, 2017 8:17 am

Re: Need an Unpacking Tutorial or Inline Patched ZProtect

Post by JJQ » Fri Mar 29, 2019 5:10 am

This is my experimental video using the script that you recommended.

https://1drv.ms/u/s!Am0UFMaEnOEIenaf6xkYoov3VBY

Thanks

CodeCracker
Posts: 121
Joined: Tue Jun 13, 2017 11:13 am

Re: Need an Unpacking Tutorial or Inline Patched ZProtect

Post by CodeCracker » Fri Mar 29, 2019 11:36 am

Just add user32.dll imports with LordPE like you did with kernel32.dll;
it doesn't matter that user32.dll is not used!

Like I said before the target exe file is infected:
https://www.virustotal.com/gui/file/b85 ... /detection

So I won't run that sheet on my computer; I already had to restore the C:\ partition from backup.
Some files from D:\ got infected, not that many; the ESET SysRescue disk did a good job scanning and cleaning infected files!

JJQ
Posts: 8
Joined: Fri Jun 30, 2017 8:17 am

Re: Need an Unpacking Tutorial or Inline Patched ZProtect

Post by JJQ » Fri Mar 29, 2019 11:45 am

Well, I will give another target that I have scanned on my computer using the paid version of Kaspersky Anti Virus.
Please wait a while.

JJQ
Posts: 8
Joined: Fri Jun 30, 2017 8:17 am

Re: Need an Unpacking Tutorial or Inline Patched ZProtect

Post by JJQ » Fri Mar 29, 2019 11:52 am

This is another target I have scanned.

https://1drv.ms/u/s!Am0UFMaEnOEIewkKOgraVM-_JXI

Thanks

CodeCracker
Posts: 121
Joined: Tue Jun 13, 2017 11:13 am

Re: Need an Unpacking Tutorial or Inline Patched ZProtect

Post by CodeCracker » Sun May 05, 2019 1:16 pm

It would be great if you uploaded the target again, since all links are dead!

I found a way:
Step 1: load the target and run the ZProtect Full DeCryption & InLine Patcher 1.0.txt script.
The so-called "find and patch the new CRC DWORD <<<- 3 Step = LAST STEP"
is actually the first step you should do,
so click on Yes; script log:
The CRC DWORD was located at 409046 | 19565FD4

The new CRC DWORD is 19565FD4

******************************************************
The new CRC result is: 409046 | 19565FD4

So we set a hardware breakpoint on access at address 409046, since it holds the CRC value:
003B030D /E9 011A0000 JMP 003B1D13
003B1D13 /0F84 7F2C0000 JE 003B4998
003B1D19 |E9 45460000 JMP 003B6363

ECX = 83B1076A
The ECX register holds the current CRC!
The 003B1D13 should jump!

So what you should do is first make changes to the file, like adding sections and imports, then run the
ZProtect Full DeCryption & InLine Patcher 1.0.txt script
and choose YES on the first question, "find and patch the new CRC DWORD <<<- 3 Step = LAST STEP".

So if you post a target I will surely unpack it for you!

JJQ
Posts: 8
Joined: Fri Jun 30, 2017 8:17 am

Re: Need an Unpacking Tutorial or Inline Patched ZProtect

Post by JJQ » Sun May 05, 2019 10:14 pm

Thank you CodeCracker.
I'm sorry, I lost the first target, which was stored on my flash disk.
I am giving a different target, but still with ZProtect v1.6.xx protection.

https://1drv.ms/u/s!Am0UFMaEnOEIgTQezdq ... o?e=p9wxfc

Password: 321

I would be very happy if you could provide guidance to me in the format of the video tutorial you made.
Thank you very much.

CodeCracker
Posts: 121
Joined: Tue Jun 13, 2017 11:13 am

Re: Need an Unpacking Tutorial or Inline Patched ZProtect

Post by CodeCracker » Mon May 06, 2019 8:25 am

OK. CRC Fixed:
https://www8.zippyshare.com/v/WN6PbBdq/file.html

I can't bypass the dialog yet!
7E456D7D user32.DialogBoxIndirectParamA
should return in eax "mov eax, 232C"

CodeCracker
Posts: 121
Joined: Tue Jun 13, 2017 11:13 am

Re: Need an Unpacking Tutorial or Inline Patched ZProtect

Post by CodeCracker » Mon May 06, 2019 2:41 pm

After a long search I found this:
httpx://wwx.downturk.net/2447017-epson-adjustment-program-v107.html
Epson Adjustment Program v1.0.7

Edit:
Sorry, but my link seems to contain malware!

JJQ
Posts: 8
Joined: Fri Jun 30, 2017 8:17 am

Re: Need an Unpacking Tutorial or Inline Patched ZProtect

Post by JJQ » Mon May 06, 2019 5:14 pm

Thank you CodeCracker.
The software that I gave you is the "Epson Adjustment Program" for SureColor SC-P607 printers with the latest Firmware.
The link you gave me is the "Epson Adjustment Program" for L-360 printers.
Of course the Adjustment L-360 is not suitable for SureColor SC-P607 because each printer has a different adjustment.
My printer has now stopped working because it has exceeded the specified print limit and badly needs a reset.

CodeCracker
Posts: 121
Joined: Tue Jun 13, 2017 11:13 am

Re: Need an Unpacking Tutorial or Inline Patched ZProtect

Post by CodeCracker » Wed Oct 16, 2019 7:25 pm

I know it is an old topic, but can someone upload the old target?
(Or post a link to similar protections???)
I protected some files with ZPROTECT myself and all works fine;
dunno why inline patching fails that badly for this protected file!

MafiaOnMove
Posts: 5
Joined: Sat Sep 02, 2017 11:59 am

Re: Need an Unpacking Tutorial or Inline Patched ZProtect

Post by MafiaOnMove » Thu Oct 17, 2019 1:56 pm

Not the one asked for earlier by the thread starter...

But here it is, packed by ZProtect...

https://www.datafilehost.com/d/6def6850

Share the unpacked one if you succeed!

CodeCracker
Posts: 121
Joined: Tue Jun 13, 2017 11:13 am

Re: Need an Unpacking Tutorial or Inline Patched ZProtect

Post by CodeCracker » Thu Oct 17, 2019 5:36 pm

@MafiaOnMove:
[!] VM Protect v1.60 - v2.05 detected !
[CompilerDetect] -> Borland Delphi (unknown version) - 40% probability

Which Olly debugger did you use to debug that???
Since I can't even debug that program!

MafiaOnMove
Posts: 5
Joined: Sat Sep 02, 2017 11:59 am

Re: Need an Unpacking Tutorial or Inline Patched ZProtect

Post by MafiaOnMove » Sat Oct 19, 2019 5:06 am

Sorry, CodeCracker, for the late reply.

I didn't scan the target on my own. The person who needed it told me it was ZProtect, so I forwarded it to you. My RCE machine is damned, so I don't have any packer detector installed, nor Olly, on this Win10 laptop of mine.

I just try to handle the targets I can via DnSpy on this laptop. Also, I use this laptop for my banking etc., so I can't take the risk of any packed malware.

See if you can get it unpacked, or maybe some other senior can take it.
Thanks.
