How to unpack file packed with "EncryptPE v1.0 CnCrkGroup PE·"?


JonathanL
05-24-2004, 10:14 PM
I am a real newbie. I am learning unpacking. I encountered 2 packed files (from a forum). They seemed to be packed with "EncryptPE v1.0 CnCrkGroup PE·", according to FI 3.01 (PEiD can't recognize them). When I fired it up with OD, after 2 or 3 exceptions, the proggie exited. How do I configure OD to unpack the packer? Would anybody post a tut about unpacking it?

The attached files include an exe file and a dll file.

JonathanL
05-24-2004, 10:18 PM
The zipped dll file.

Kayaker
05-25-2004, 12:19 AM
Hi

I've got a better idea. You just uploaded 1.6+Mb worth of what appears to be a commercial app. While it was hard to tell because the program links to a Chinese? site, the program is listed on several download archive sites and has many earlier versions.

The program itself (some net app) was essentially unusable, dozens of messy controls with nothing in English, and gave me several error and access violation (Delphi?) messages before even starting.

Now, that said, this example for unpacking purposes was pretty crappy IMO. Let alone the fact that it was most likely a commercial app, which makes your post a crack request, blatant disregard of the board rules, blah, blah, and any of the moderators would have deleted this post outright and lambasted your ass for not reading the Faq.


Instead, I might suggest this: go to the packer's home page

http://www.encryptpe.com/

and pack notepad to your heart's content. Start analyzing it and report what you find. If things look interesting you can up a packed test file and create a mini project if you wish. If anyone has experience with the packer or wants to test it themselves they can assist. But please, we try to avoid the "here's an app, can you unpack it and write me a tut" type of posts here.

Kayaker

JonathanL
05-26-2004, 04:19 AM
Sorry, sorry. I am not targeting the "commercial app". The uploaded files were taken from a forum, as I said. It couldn't be run on my computer, i.e., they were parts of an app, not a complete "commercial app".

We can download a demo packer from the site you posted. But, as far as I know, the demo version and the registered version are not the same. The registered one is more difficult to unpack. A proggie packed with the demo version can be fired up and debugged with OD, and one packed with the registered version can't be debugged (to my poor knowledge) with OD. And it is not so easy to find a proggie (especially with a packed dll) packed with this thing. This is the reason I posted the exe and dll files to this forum for help.

The attached test files are packed with a repacked EncryptPE from a Chinese forum. I hope we can learn something from unpacking this packer.

Kayaker
05-26-2004, 04:53 PM
I know you weren't specifically targeting this app, however all that was missing was a few non-PE data files, making it target-specific enough to make RE'ing it a legal liability to the board.

As for the packer, since there seems to be zero information about it anyway, I would think the demo version would be enough to satisfy your desire to learn unpacking, at least as a start...

Since this test app looks interesting enough, I'm moving it to the Mini Project forum as an unpacking challenge. I'd suggest the first task is to analyze the embedded file v1200*.epe that is written to disk, how it is decrypted and how it is used by the program. The next task might be to figure out why the program crashes when SoftICE is loaded; perhaps it detects ring3 debuggers as well.


To trace the program, if you can't get it to break any other way, I'd recommend setting BreakInSharedMods ON and setting a BP on _BaseProcessStart, as outlined by pLayAr in this thread; the trick works well:

http://www.woodmann.com/forum/showthread.php?p=36907#post36907


Detail your initial findings, tweak the interest of others, and we may soon find out how this packer works.

Cheers,
Kayaker