I have been trying to figure out what is protecting the d3d9.dll wrapper that is attached. Originally I thought it was modified UPX.
I noticed the unpacking opcodes were not what I expected so I searched for clues around
100F8FB7 8D4424 80 LEA EAX,DWORD PTR SS:[ESP-80]
100F8FBB 6A 00 PUSH 0
100F8FBD 39C4 CMP ESP,EAX
100F8FBF ^75 FA JNZ SHORT d3d9.100F8FBB
100F8FC1 83EC 80 SUB ESP,-80
100F8FC4 -E9 9952F3FF JMP d3d9.1002E262

searching the internet I found mention of vmprotect and or virustotal indicates a possible match of yodacrypt or pack. (http://webcache.googleusercontent.com/search?q=cache:HEWoBm_3jDsJ:bbs.pediy.com/archive/index.php%3Ft-40814.html+8D442480&cd=2&hl=en&ct=clnk&gl=us)

It has been a while since I have come across a protected binary that Pe Explorer/Ollydbg/imprec/lordpe hasn't worked on. Can you help me figure out what the protection is?

4d8b_06.09.2012_EXELAB.rU.tgz - d3d9.zip

| Сообщение посчитали полезным:

boned
ACProtect 1.3x-1.4x DLL -> Risco Software Inc. (DiE says...)

My file d3d9.dll (1689088 bytes). In your: 460 kB...

NikolayD writes:
UPX modified...
Agree... OEP: 0002E262

-----
One death is a tragedy, one million is a statistic.

| Сообщение посчитали полезным:

Thank you very much zaza for the quick reply. I will see if I can unpack it assuming it is acprotect and will report back when I have success.

| Сообщение посчитали полезным:

UPX modified...

| Сообщение посчитали полезным: boned

Yes, I was unable to confirm it was ACprotect.

I suggest removing this entry from userdb: [ACProtect 1.3x - 1.4x DLL -> Risco Software Inc.]
signature = 80 7C 24 08 01 0F 85
ep_only = true

The signature is used for detecting if the DLL is being unloaded or not from what I can tell. This could be used in other DLL packers.

| Сообщение посчитали полезным:

After doing imprec and then checking out the new 'fixed' binary, ollydbg tells me that the oep is outside of the code area. This is true and the oep opcodes don't look like a normal d3d9 wrapper (from experience). Any ideas or is this just basic PE header fixing that I am missing out on?

| Сообщение посчитали полезным:

boned
try --> Unpacked <--

-----
ds

| Сообщение посчитали полезным: boned

DimitarSerg, this is good. I am curious how you rebuilt the code sections. I am a beginner at unpacking so I followed basic upx unpack tutorial where I dump from OEP in olly then use imprec to fix dump. I did have the same EP as your unpack but my sections were CODE, DATA, but not .text .rsrc etc. Did you manually set the sections when dumping from olly?

Thanks! Trying to learn to be better.

| Сообщение посчитали полезным:

Here's another option --> unpack <--

| Сообщение посчитали полезным:

hey i am newbie here. i found this thread and i need yours help. need remove protection from this dll files. can help me same body ?

--> Link <--

| Сообщение посчитали полезным:

Jeta
Use crack requests topic https://ssl.exelab.ru/f/action=vthread&forum=10&topic=16314&page=10 for requests like this.

| Сообщение посчитали полезным: Jeta