ACProtect is not a bad protector. It has some dumb things, but it also has some good features. This tutorial will explain unpacking of version 1.09, although at first look its version looks like 1.41. I guess that they are all very similar.
Code is decrypted! ACProtect doesn't encrypt sections; it only has a packing option. If the target is not packed, you can make an inline patch immediately, but I don't remember anymore if there were some CRC checks.
Place a memory breakpoint on access on the first section and run. You will break on the false OEP:
If you patch all those jumps, there won't be any redirection. The first jump is taken if the API is MessageBoxA; that API is always redirected (probably for some internal purpose). The two others need to be patched too. I forgot to say, you need to place a hardware breakpoint on execution on some line in that procedure, like on
Follow the first jump and you will see that it points to the first obfuscation pattern in the table. Every jump points to a single pattern in the table. All jumps are 6-byte opcodes and all patterns in the table are 6-byte opcodes too:
But we can see that there are many more jumps than obfuscation patterns! The rest of the jumps are probably just leftovers with no purpose.
We will dump the target now; the stolen OEP we will solve later. I just dumped it with LordPE. I used ImpREC to find imports and it found all of them, about 441, none invalid. I fixed the dump and ran it; the file worked OK without the stolen OEP.
4.4. Finding stolen OEP bytes
Ah, this is a pain in the ass. We need to trace the whole day to find where it hides those bytes, because ACProtect has encryption layer under layer. I made a small script that will pass these layers (the script just finds a jmp that jumps backwards, places a bp below it and runs, then again). Stolen code is here:
In newer versions of ACProtect there are lots of these caves with stolen code and we cannot find the original bytes. But we can fix that by just attaching this whole code to the main image and placing the OEP there. In this example I will just restore these bytes. Before:
Now just set the OEP with LordPE to 4271B0-400000=271B0 and that's it!
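As an added example (not part of the original tutorial), here are the two fix-up steps above done by hand on a dumped file in Python: writing the recovered stolen bytes back over the OEP and setting AddressOfEntryPoint to VA minus ImageBase, which is what the LordPE step does. The minimal PE image, the 400000 image base and the 55 8B EC stolen bytes are constructed placeholders, not values from the tutorial's target.

```python
import struct

IMAGE_BASE = 0x400000  # assumed image base, same as the 400000 subtracted in the tutorial


def build_sample_pe():
    """Constructed stand-in for a dumped target: minimal PE32 header plus one
    .text section mapped at RVA 0x1000 with raw data at file offset 0x400."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew
    coff = struct.pack("<IHHIIIHH", 0x4550, 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                          # PE32 magic
    struct.pack_into("<I", opt, 16, 0x30000)                       # entry still points at packer stub
    struct.pack_into("<III", opt, 28, IMAGE_BASE, 0x1000, 0x200)   # ImageBase, SectionAlign, FileAlign
    sec = struct.pack("<8sIIIIIIHHI", b".text", 0x30000, 0x1000, 0x30000, 0x400, 0, 0, 0, 0, 0x60000020)
    data = bytearray(0x400 + 0x30000)
    data[:len(dos) + len(coff) + len(opt) + len(sec)] = dos + coff + opt + sec
    return data


def _layout(data):
    """Return (optional header offset, [(VirtualAddress, SizeOfRawData, PointerToRawData), ...])."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    secs = [struct.unpack_from("<III", data, opt + opt_size + i * 40 + 12) for i in range(nsec)]
    return opt, secs


def rva_to_offset(data, rva):
    """Translate an RVA into a file offset through the section table."""
    for va, raw_size, raw_ptr in _layout(data)[1]:
        if va <= rva < va + raw_size:
            return raw_ptr + (rva - va)
    raise ValueError("RVA 0x%X is not backed by any section" % rva)


def get_oep_rva(data):
    return struct.unpack_from("<I", data, _layout(data)[0] + 16)[0]


def set_oep(data, oep_va):
    """The LordPE step: AddressOfEntryPoint = OEP VA - ImageBase. Returns the new RVA."""
    opt, _ = _layout(data)
    rva = oep_va - struct.unpack_from("<I", data, opt + 28)[0]
    struct.pack_into("<I", data, opt + 16, rva)
    return rva


def restore_stolen_bytes(data, oep_va, stolen):
    """Write the recovered stolen bytes back over the OEP in the dump; returns the file offset."""
    opt, _ = _layout(data)
    off = rva_to_offset(data, oep_va - struct.unpack_from("<I", data, opt + 28)[0])
    data[off:off + len(stolen)] = stolen
    return off


if __name__ == "__main__":
    img = build_sample_pe()
    # 55 8B EC (push ebp / mov ebp,esp) is a constructed placeholder for the real stolen bytes
    off = restore_stolen_bytes(img, 0x4271B0, bytes.fromhex("558BEC"))
    print("stolen bytes written at file offset 0x%X, OEP RVA now 0x%X" % (off, set_oep(img, 0x4271B0)))
```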
Here is the script for passing the layers:
/////////////// Start /////////////////
msgyn "One more layer?"
////////////// End /////////////////////