unpack exe
11-19-2020, 06:36 AM
Post: #1
unpack exe
Can anyone unpack this file? https://www3.zippyshare.com/v/yh4EFw8A/file.html
Is it possible to make a tutorial?
Thanks in advance.

Don't forget to give me reputation if I helped you!
11-20-2020, 06:20 PM
Post: #2
RE: unpack exe
Where does that file come from, and what exactly is it? If it is intended to be an encoder file from the real Ioncube Encoder, then be aware. I have a lot of legit full Ioncube Encoders, and "ioncube_encoder56.exe" is around 980KB. Your file is a lot larger.
11-20-2020, 06:32 PM
Post: #3
RE: unpack exe
(11-20-2020 06:20 PM)narciszu Wrote:  Where does that file come from, and what exactly is it? If it is intended to be an encoder file from the real Ioncube Encoder, then be aware. I have a lot of legit full Ioncube Encoders, and "ioncube_encoder56.exe" is around 980KB. Your file is a lot larger.

It is from a paid version but packed with VMProtect (I think).

Don't forget to give me reputation if I helped you!
11-21-2020, 06:19 AM (This post was last modified: 11-21-2020 06:22 AM by narciszu.)
Post: #4
RE: unpack exe
(11-20-2020 06:32 PM)kolaz Wrote:  It is from a paid version but packed with VMProtect (i think).

If you mean the original paid version from the Ioncube developer, this isn't true.
As I told you, I already have many legit PAID versions. I mean the FULL version of the encoder, starting with version 8, and version 9 and even the latest version. Downloaded by myself from the ioncube author server - untouched files. Pro version, Cerberus version and the version that contains the so-called "Special GUI".

The separate command-line encoder "ioncube_encoder56.exe" has the biggest size in the last version 10.2 and, as I already told you, is around 980KB. And it for sure isn't packed with VMProtect or any other packer.

Even the paid version needs a license in order to work. The license is verified and activated online. Verification is done periodically.

In order to crack full paid version you need to crack:
- encoder_gui.exe
- all command-line encoders (4, 5, 53, 54, 55, 56, 71, 72)
- remove watermark from all exe files
- remove internal client ID from exe files

That means all files are watermarked with a unique string for every client and also contain another unique ID that can be found in every single encoded PHP file generated. So any ioncube-encoded file contains a small mark of the encoder used. If you encode some malicious PHP files, it is possible to detect which encoder was used and who the owner of that encoder was.
11-21-2020, 05:21 PM (This post was last modified: 11-21-2020 05:25 PM by cw2k.)
Post: #5
RE: unpack exe
JFYI I can't download the file from zippyshare.com!
I get:
403 Forbidden
nginx

I googled and read that zippyshare has some geo-ban on certain countries.
And maybe I'm in one of the 'lucky' ones.
Just notice that.

Use some other OCH like
https://www.file.io/ https://mediafire.com or https://mega.nz
just to name some alternatives


Well yes, I mean I could find some proxy to sneak around that - however I don't like to do that right now.
11-25-2020, 05:40 PM
Post: #6
RE: unpack exe
Wow that worked.

Okay target is packed with VMProtect
Analysis details are here:
https://www.unpac.me/results/d8b63b02-a5...2681652546

Dumped file is here:
https://file.io/wPMskSybzfRr
Please note dumped file will not run.
The OEP is not set and the imports were not fixed.
However for analysis in IDA Pro it'll work.

Hmm target is "ionCube Encoder Evaluation Version 10.2.0" from 2018.
What's ya plan with this?

Not very recent version as well as there is probably an already 'cracked Encoder' somewhere.

Sure ya choose the right forum? That's the php pirates bay here.
We are dealing here with getting ionCube and crap like this removed
... and NOT how to add it.
Don't forget to give me reputation if I helped you!
11-25-2020, 05:58 PM
Post: #7
RE: unpack exe
(11-25-2020 05:40 PM)cw2k Wrote:  Wow that worked.

Okay target is packed with VMProtect
Analysis details are here:
https://www.unpac.me/results/d8b63b02-a5...2681652546

Dumped file is here:
https://file.io/wPMskSybzfRr
Please note dumped file will not run.
The OEP is not set and the imports were not fixed.
However for analysis in IDA Pro it'll work.

Hmm target is "ionCube Encoder Evaluation Version 10.2.0" from 2018.
What's ya plan with this?

Not very recent version as well as there is probably an already 'cracked Encoder' somewhere.

Sure ya choose the right forum? That's the php pirates bay here.
We are dealing here with getting ionCube and crap like this removed
... and NOT how to add it.
Don't forget to give me reputation if I helped you!

THANK you!
The link to the analysis does not work...
The unpacked file may help us see how the encoder works.
Reputation added.

Don't forget to give me reputation if I helped you!
12-18-2020, 07:19 PM
Post: #8
RE: unpack exe
(11-25-2020 05:58 PM)kolaz Wrote:  The unpacked file may help us see how the encoder works.
Ah well I nearly forgot to mention:
https://files.planet-dl.org/PHP/Decoders..._18_VB6.7z
https://files.planet-dl.org/?dir=PHP/Dec...nders/Cw2k
It's old but not completely out of date. When they upgraded Ioncube they were not 'reinventing the wheel again and again'.
So mostly they just updated some XOR keys and that's it.
Well, on kind request by the ioncube devs I decided to stop development.
However just go on sources and stuff is there.
Also have a look at 'OllyDebug StringDecryptScript+Labels' to remove that static string encryption of ioncube loader/encryptor.
Well, it might not work right out of the box but still it's probably a good base to work with.

Now young cracker - go for it.