Since none of the dev teams or crack teams posted this, here's a quick guide for TargetPE and how to unpack stuff that's packed with it. Credits to Death War Team for the guide translation (NShell did the translating).
Original link: Http://www.ptteam.com/EPEunpackme.rar
Link is broken; working on a solution.
Code:
; By Immlep
; Www.ptteam.com
; Target:EPEunpackme 910.exe
; Http://www.ptteam.com/EPEunpackme.rar
Yesterday I saw some kind soul post Loveboom's epe910 unpacker in the group (later I learned that this kind soul was loveboom himself; loveboom, you've been exposed!!).... Looking at it made my fingers itch, but the machine does its thing and I do mine. Last time, on a sudden impulse, I used the registered version of EPE to make an UnpackMe. Don't ask me where I got the registered version; some brother who doesn't do cracking bought it for X00 RMB, never even packed his own software with it, and it ended up being used by me to make an UnpackMe. Really.......
So the UnpackMe was made, and then it sat for two days, nearly going mouldy. But what happened this morning: I overslept! Overslept? That has nothing to do with unpacking, but, I overslept, you see, and I had class in the third and fourth periods this morning. When I looked, it was already half past ten, already into the third period; what a disaster! It was raining, the classroom is several minutes' walk away, and by the time I got there it would nearly be the fourth period. Human laziness is born of exactly this. My God! I skipped class, but having skipped class I still had to find something to do. I have wasted two + the risk of being called out by the teacher + 6.25*2 RMB (calculated on 5,500 a year in school fees, 40 weeks a year, 22 classes a week, 880 classes in total), so these 12.5 RMB must not go to waste. But when I saw the EPE UnpackMe on the desktop, a sly grin crept over my face, hee hee hee hee!! You little thing, last time someone offered 500 RMB for me to do you and I didn't; today I have to do you for 12.5 RMB.
End the explorer process, load EPEunpackme 910.exe in OD, tick "ignore memory access violations" in OD's exception options, and F9 to run; the first INT3 exception arrives. Go. I'll be brief here: I'll only give you the code to modify, trace the details yourself. Modify the code while stopped at the first exception.
711E4142 0F95C0 SETNE AL ; description omitted
711E5FD1 0F95C0 SETNE AL ; description omitted
711E4081 8B55 F8 MOV EDX, DWORD PTR [ EBP-8 ] ; Function processing
Modify as follows:
711E4142 0F94C0 SETE AL
711E5FD1 0F94C0 SETE AL
711E4081 8B55 FC MOV EDX, DWORD PTR [ EBP-4 ]
Code at 711E5AED (modifies the JMP-type function calls in the program):
711E5AED 66:C700 FF25 MOV WORD PTR [ EAX ], 25FF
711E5AF2 8B55 FC MOV EDX, DWORD PTR [ EBP-4 ]
711E5AF5 8950 02 MOV DWORD PTR [ EAX+2 ], EDX
711E5AF8 8BD0 MOV EDX, EAX
711E5AFA 8B5D E8 MOV EBX, DWORD PTR [ EBP-18 ]
711E5AFD 83C3 06 ADD EBX, 6
711E5B00 8B45 E0 MOV EAX, DWORD PTR [ EBP-20 ] ; V2200591.711DC6DC
711E5B03 03C0 ADD EAX, EAX
711E5B05 03D8 ADD EBX, EAX
711E5B07 8B45 E8 MOV EAX, DWORD PTR [ EBP-18 ]
711E5B0A 8B00 MOV EAX, DWORD PTR [ EAX ]
711E5B0C 0FB70B MOVZX ECX, WORD PTR [ EBX ]
711E5B0F 81E9 00300000 SUB ECX, 3000
711E5B15 03C1 ADD EAX, ECX
711E5B17 0345 DC ADD EAX, DWORD PTR [ EBP-24 ]
711E5B1A 48 DEC EAX
711E5B1B 2BD0 SUB EDX, EAX
711E5B1D 83EA 04 SUB EDX, 4
711E5B20 8910 MOV DWORD PTR [ EAX ], EDX
Modify as follows:
711E5AED 8B5D E8 MOV EBX, DWORD PTR [ EBP-18 ]
711E5AF0 83C3 06 ADD EBX, 6
711E5AF3 8B45 E0 MOV EAX, DWORD PTR [ EBP-20 ]
711E5AF6 03C0 ADD EAX, EAX
711E5AF8 03D8 ADD EBX, EAX
711E5AFA 8B45 E8 MOV EAX, DWORD PTR [ EBP-18 ]
711E5AFD 8B00 MOV EAX, DWORD PTR [ EAX ]
711E5AFF 0FB70B MOVZX ECX, WORD PTR [ EBX ]
711E5B02 81E9 00300000 SUB ECX, 3000
711E5B08 03C1 ADD EAX, ECX
711E5B0A 0345 DC ADD EAX, DWORD PTR [ EBP-24 ]
711E5B0D 83E8 02 SUB EAX, 2
711E5B10 66:C700 FF25 MOV WORD PTR [ EAX ], 25FF
711E5B15 8B55 FC MOV EDX, DWORD PTR [ EBP-4 ]
711E5B18 8950 02 MOV DWORD PTR [ EAX+2 ], EDX
711E5B1B 90 NOP
711E5B1C 90 NOP
711E5B1D 90 NOP
711E5B1E 90 NOP
711E5B1F 90 NOP
711E5B20 90 NOP
711E5B21 90 NOP
Hex bytes:
8B 5D E8 83 C3 06 8B 45 E0 03 C0 03 D8 8B 45 E8 8B 00 0F B7 0B 81 E9 00 30 00 00 03 C1 03 45 DC
83 E8 02 66 C7 00 FF 25 8B 55 FC 89 50 02 90 90 90 90 90 90 90
Code at 711E5B2C (modifies the JMP-type and CALL function calls in the program):
711E5B2C 66:C700 FF25 MOV WORD PTR [ EAX ], 25FF
711E5B31 8B55 FC MOV EDX, DWORD PTR [ EBP-4 ]
711E5B34 8950 02 MOV DWORD PTR [ EAX+2 ], EDX
711E5B37 8BD0 MOV EDX, EAX
711E5B39 8B5D E8 MOV EBX, DWORD PTR [ EBP-18 ]
711E5B3C 83C3 06 ADD EBX, 6
711E5B3F 8B45 E0 MOV EAX, DWORD PTR [ EBP-20 ] ; V2200591.711DC6DC
711E5B42 03C0 ADD EAX, EAX
711E5B44 03D8 ADD EBX, EAX
711E5B46 8B45 E8 MOV EAX, DWORD PTR [ EBP-18 ]
711E5B49 8B00 MOV EAX, DWORD PTR [ EAX ]
711E5B4B 0FB70B MOVZX ECX, WORD PTR [ EBX ]
711E5B4E 81E9 00300000 SUB ECX, 3000
711E5B54 03C1 ADD EAX, ECX
711E5B56 0345 DC ADD EAX, DWORD PTR [ EBP-24 ]
711E5B59 2BD0 SUB EDX, EAX
711E5B5B 83EA 04 SUB EDX, 4
711E5B5E 8910 MOV DWORD PTR [ EAX ], EDX
Modified to:
711E5B2C 90 NOP
711E5B2D 90 NOP
711E5B2E 90 NOP
711E5B2F 90 NOP
711E5B30 90 NOP
711E5B31 90 NOP
711E5B32 90 NOP
711E5B33 90 NOP
711E5B34 90 NOP
711E5B35 90 NOP
711E5B36 90 NOP
711E5B37 90 NOP
711E5B38 90 NOP
711E5B39 8B5D E8 MOV EBX, DWORD PTR [ EBP-18 ]
711E5B3C 83C3 06 ADD EBX, 6
711E5B3F 8B45 E0 MOV EAX, DWORD PTR [ EBP-20 ] ; V2200591.711DC6DC
711E5B42 03C0 ADD EAX, EAX
711E5B44 03D8 ADD EBX, EAX
711E5B46 8B45 E8 MOV EAX, DWORD PTR [ EBP-18 ]
711E5B49 8B00 MOV EAX, DWORD PTR [ EAX ]
711E5B4B 0FB70B MOVZX ECX, WORD PTR [ EBX ]
711E5B4E 81E9 00300000 SUB ECX, 3000
711E5B54 03C1 ADD EAX, ECX
711E5B56 0345 DC ADD EAX, DWORD PTR [ EBP-24 ]
711E5B59 - E9 B0C4288F JMP EPEunpac.0047200E ; Not enough room for the code here, so I found address 0047200E below the program entry point and wrote the code there
711E5B5E 90 NOP
711E5B5F 90 NOP
Hex bytes:
90 90 90 90 90 90 90 90 90 90 90 90 90 8B 5D E8 83 C3 06 8B 45 E0 03 C0 03 D8 8B 45 E8 8B 00 0F
B7 0B 81 E9 00 30 00 00 03 C1 03 45 DC E9 B0 C4 28 8F 90 90
Patch code written at 0047200E:
0047200E 8078 FF E8 CMP BYTE PTR [ EAX-1 ], 0E8
00472012 75 10 JNZ SHORT EPEunpac.00472024
00472014 83E8 02 SUB EAX, 2
00472017 66:C700 FF15 MOV WORD PTR [ EAX ], 15FF
0047201C 8B55 FC MOV EDX, DWORD PTR [ EBP-4 ]
0047201F 8950 02 MOV DWORD PTR [ EAX+2 ], EDX
00472022 EB 0E JMP SHORT EPEunpac.00472032
00472024 83E8 02 SUB EAX, 2
00472027 66:C700 FF25 MOV WORD PTR [ EAX ], 25FF
0047202C 8B55 FC MOV EDX, DWORD PTR [ EBP-4 ]
0047202F 8950 02 MOV DWORD PTR [ EAX+2 ], EDX
00472032 - E9 273BD770 JMP V2200591.711E5B5E ; Jump back to 711E5B5E and continue execution.
Hex bytes:
80 78 FF E8 75 10 83 E8 02 66 C7 00 FF 15 8B 55 FC 89 50 02 EB 0E 83 E8 02 66 C7 00 FF 25 8B 55
FC 89 50 02 E9 27 3B D7 70
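As an added example (not part of the original post or of Immlep's code), the script below checks the three hex blobs above against the listing: each blob must exactly fill the address range it overwrites, and the two 5-byte JMPs (E9 rel32) that cross between the DLL (at 711E5B59) and the exe (at 00472032) must carry the displacement x86 computes relative to the next instruction, wrapped modulo 2^32. The addresses and byte strings are the ones in the post; the function names are mine.

```python
# Added example, not from the original post. Verifies the hand-assembled patch
# blobs quoted above: size of each blob versus the address range it replaces,
# and the rel32 displacement of the two cross-module JMPs.
import re
import struct


def jmp_rel32(src, dst):
    """Encode `JMP dst` placed at address `src` in the 5-byte E9 form.

    rel32 is relative to the address of the *next* instruction (src + 5) and is
    taken modulo 2**32, which is what lets a jump from a high DLL address
    (711Exxxx) land in the exe image (0047xxxx) and back again.
    """
    rel = (dst - (src + 5)) & 0xFFFFFFFF
    return b"\xE9" + struct.pack("<I", rel)


def parse_hex(dump):
    """Turn the post's 'XX XX XX' byte lines into bytes, tolerating line breaks."""
    return bytes.fromhex(re.sub(r"\s+", "", dump))


# Patch 1: 711E5AED .. 711E5B21 (53 bytes), bytes copied from the post.
PATCH_1 = parse_hex("""
8B 5D E8 83 C3 06 8B 45 E0 03 C0 03 D8 8B 45 E8 8B 00 0F B7 0B 81 E9 00 30 00 00 03 C1 03 45 DC
83 E8 02 66 C7 00 FF 25 8B 55 FC 89 50 02 90 90 90 90 90 90 90
""")
# Patch 2: 711E5B2C .. 711E5B5F (52 bytes); the JMP to 0047200E sits at 711E5B59.
PATCH_2 = parse_hex("""
90 90 90 90 90 90 90 90 90 90 90 90 90 8B 5D E8 83 C3 06 8B 45 E0 03 C0 03 D8 8B 45 E8 8B 00 0F
B7 0B 81 E9 00 30 00 00 03 C1 03 45 DC E9 B0 C4 28 8F 90 90
""")
# Patch 3: 0047200E .. 00472036 (41 bytes); the JMP back to 711E5B5E sits at 00472032.
PATCH_3 = parse_hex("""
80 78 FF E8 75 10 83 E8 02 66 C7 00 FF 15 8B 55 FC 89 50 02 EB 0E 83 E8 02 66 C7 00 FF 25 8B 55
FC 89 50 02 E9 27 3B D7 70
""")


def check_patch(blob, start, end_exclusive):
    """True when the blob exactly fills [start, end_exclusive)."""
    return len(blob) == end_exclusive - start


def check_jmp(blob, blob_base, jmp_addr, target):
    """True when the 5 bytes at jmp_addr inside the blob encode `JMP target`."""
    off = jmp_addr - blob_base
    return blob[off:off + 5] == jmp_rel32(jmp_addr, target)


def verify_all():
    """Run every check the listing allows; returns a dict of name -> bool."""
    return {
        "patch1_size": check_patch(PATCH_1, 0x711E5AED, 0x711E5B22),
        "patch2_size": check_patch(PATCH_2, 0x711E5B2C, 0x711E5B60),
        "patch3_size": check_patch(PATCH_3, 0x0047200E, 0x00472037),
        "jmp_to_exe": check_jmp(PATCH_2, 0x711E5B2C, 0x711E5B59, 0x0047200E),
        "jmp_back": check_jmp(PATCH_3, 0x0047200E, 0x00472032, 0x711E5B5E),
    }


if __name__ == "__main__":
    for name, ok in verify_all().items():
        print(f"{name}: {'ok' if ok else 'MISMATCH'}")
```

The wrap-around matters: a naive `dst - (src + 5)` for the first jump is negative, and packing it as an unsigned little-endian dword only works after masking to 32 bits, which is how B0 C4 28 8F comes out of 0047200E - 711E5B5E.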
OK, modifications done. Shift+F9 to pass the exceptions; the last exception brings EIP to the OEP. I counted; for me it was the 16th exception.
0012FF98 0012FFE0 Pointer to next SEH record
0012FF9C 711DADBD SE handler
711DADBD 53 PUSH EBX
711DADBE 52 PUSH EDX
711DADBF 8B5C24 14 MOV EBX, DWORD PTR [ ESP+14 ]
711DADC3 8B93 C4000000 MOV EDX, DWORD PTR [ EBX+C4 ]
711DADC9 8B83 C0000000 MOV EAX, DWORD PTR [ EBX+C0 ]
711DADCF A3 F4162071 MOV DWORD PTR [ 712016F4 ], EAX
711DADD4 E8 DF060000 CALL V2200591.711DB4B8
711DADD9 9C PUSHFD
711DADDA 58 POP EAX
711DADDB A3 F4162071 MOV DWORD PTR [ 712016F4 ], EAX
711DADE0 E8 D3060000 CALL V2200591.711DB4B8
711DADE5 8B83 B8000000 MOV EAX, DWORD PTR [ EBX+B8 ]
711DADEB 40 INC EAX
711DADEC 8983 B8000000 MOV DWORD PTR [ EBX+B8 ], EAX
711DADF2 8B4424 0C MOV EAX, DWORD PTR [ ESP+C ]
711DADF6 8B00 MOV EAX, DWORD PTR [ EAX ]
711DADF8 3D 03000080 CMP EAX, 80000003
711DADFD 75 71 JNZ SHORT V2200591.711DAE70
711DADFF 803D 21172071 01 CMP BYTE PTR [ 71201721 ], 1
711DAE06 74 4F JE SHORT V2200591.711DAE57
711DAE08 8B42 0C MOV EAX, DWORD PTR [ EDX+C ]
711DAE0B 8983 9C000000 MOV DWORD PTR [ EBX+9C ], EAX
711DAE11 8B42 10 MOV EAX, DWORD PTR [ EDX+10 ]
711DAE14 8983 A0000000 MOV DWORD PTR [ EBX+A0 ], EAX
711DAE1A 8B42 14 MOV EAX, DWORD PTR [ EDX+14 ]
711DAE1D 8983 B4000000 MOV DWORD PTR [ EBX+B4 ], EAX
711DAE23 8B42 1C MOV EAX, DWORD PTR [ EDX+1C ]
711DAE26 8983 A4000000 MOV DWORD PTR [ EBX+A4 ], EAX
711DAE2C 8B42 20 MOV EAX, DWORD PTR [ EDX+20 ]
711DAE2F 8983 A8000000 MOV DWORD PTR [ EBX+A8 ], EAX
711DAE35 8B42 24 MOV EAX, DWORD PTR [ EDX+24 ]
711DAE38 8983 AC000000 MOV DWORD PTR [ EBX+AC ], EAX
711DAE3E 8B42 28 MOV EAX, DWORD PTR [ EDX+28 ]
711DAE41 8983 B0000000 MOV DWORD PTR [ EBX+B0 ], EAX ; On the last exception EAX is the OEP.
711DAE47 8B02 MOV EAX, DWORD PTR [ EDX ]
711DAE49 8942 24 MOV DWORD PTR [ EDX+24 ], EAX
711DAE4C 89D0 MOV EAX, EDX
711DAE4E 83C0 24 ADD EAX, 24
711DAE51 8983 C4000000 MOV DWORD PTR [ EBX+C4 ], EAX
711DAE57 31C0 XOR EAX, EAX
711DAE59 8943 04 MOV DWORD PTR [ EBX+4 ], EAX
711DAE5C 8943 08 MOV DWORD PTR [ EBX+8 ], EAX
711DAE5F 8943 0C MOV DWORD PTR [ EBX+C ], EAX
711DAE62 8943 10 MOV DWORD PTR [ EBX+10 ], EAX
711DAE65 C743 18 55010000 MOV DWORD PTR [ EBX+18 ], 155
711DAE6C 5A POP EDX
711DAE6D 5B POP EBX
711DAE6E C3 RETN
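Added example, not from the post: in the handler above EBX is the CONTEXT record (the third argument of an SEH handler, which is at [ESP+14] after the two pushes), so every [ EBX+off ] is a CONTEXT field. The script maps those offsets to the documented 32-bit CONTEXT layout from winnt.h and decodes the DR7 value the handler writes. That decoding shows why hardware breakpoints set in the debugger do not survive these exceptions: Dr0..Dr3 are zeroed and Dr7 is set to 155, which enables all four local breakpoints on address 0. The listing lines are copied from above; the offset table is winnt.h's; the function names are mine.

```python
# Added example, not from the original post. Annotates the SE handler listing
# with the CONTEXT fields it reads and writes, and decodes the DR7 value.
import re

# Field offsets of the 32-bit CONTEXT structure (winnt.h). Only the fields the
# handler touches, plus their neighbours, are listed.
CONTEXT_X86 = {
    0x04: "Dr0", 0x08: "Dr1", 0x0C: "Dr2", 0x10: "Dr3", 0x14: "Dr6", 0x18: "Dr7",
    0x9C: "Edi", 0xA0: "Esi", 0xA4: "Ebx", 0xA8: "Edx", 0xAC: "Ecx", 0xB0: "Eax",
    0xB4: "Ebp", 0xB8: "Eip", 0xBC: "SegCs", 0xC0: "EFlags", 0xC4: "Esp", 0xC8: "SegSs",
}

# Lines copied from the handler listing in the post (only those that index EBX,
# plus one that does not, to show the None case).
HANDLER = """
711DADC3 8B93 C4000000 MOV EDX, DWORD PTR [ EBX+C4 ]
711DADC9 8B83 C0000000 MOV EAX, DWORD PTR [ EBX+C0 ]
711DADD9 9C PUSHFD
711DADEC 8983 B8000000 MOV DWORD PTR [ EBX+B8 ], EAX
711DAE41 8983 B0000000 MOV DWORD PTR [ EBX+B0 ], EAX
711DAE51 8983 C4000000 MOV DWORD PTR [ EBX+C4 ], EAX
711DAE59 8943 04 MOV DWORD PTR [ EBX+4 ], EAX
711DAE5C 8943 08 MOV DWORD PTR [ EBX+8 ], EAX
711DAE5F 8943 0C MOV DWORD PTR [ EBX+C ], EAX
711DAE62 8943 10 MOV DWORD PTR [ EBX+10 ], EAX
711DAE65 C743 18 55010000 MOV DWORD PTR [ EBX+18 ], 155
"""

FIELD_RE = re.compile(r"\[ EBX\+([0-9A-Fa-f]+) \]")


def context_field(line):
    """Name of the CONTEXT field a listing line accesses through EBX, or None."""
    m = FIELD_RE.search(line)
    if not m:
        return None
    return CONTEXT_X86.get(int(m.group(1), 16), "unknown")


def annotate(listing):
    """Map each listing line's address to the CONTEXT field it touches."""
    return {l.split()[0]: context_field(l) for l in listing.strip().splitlines()}


def decode_dr7(value):
    """Hardware breakpoints enabled by a DR7 value: L0..L3 (local) and G0..G3 (global)."""
    enabled = []
    for i in range(4):
        if value & (1 << (2 * i)):
            enabled.append(f"L{i}")
        if value & (1 << (2 * i + 1)):
            enabled.append(f"G{i}")
    return enabled


if __name__ == "__main__":
    for addr, field in annotate(HANDLER).items():
        print(addr, field)
    print("DR7 = 155 enables:", decode_dr7(0x155))
```

Reading the annotation back against the listing: the handler loads the faulting thread's Esp and EFlags, advances Eip by one past the INT3 (the CMP against 80000003 is EXCEPTION_BREAKPOINT), restores general registers from the saved stack frame, then zeroes Dr0..Dr3 and writes Dr7. Because the kernel applies the CONTEXT when the handler returns, any debug-register breakpoints the analyst set are silently replaced, which is why the post relies on counting exceptions and a software breakpoint at OEP rather than hardware breakpoints.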
After finding the OEP, set a breakpoint at the OEP, F9 to break there, dump, and fix the import table with ImpRec. Done. Busy... it looks like it can't be run; kao ~ lately every unpack I do has problems; I don't know whether it's my RPWT, or my machine's JPWT, or my XP's XPWT. Ya, forget it, going home.
Note: ImpRec may not be able to see the EPE process, because EPE modifies the code at ZwOpenProcess. The temporary workaround is to load ImpRec in OD and change the modified code at the ZwOpenProcess entry back, so that the process can be seen in ImpRec.
PS: Actually the result is about the same as with the earlier S version.