burdoz Posted February 27, 2010 (edited)
PC-Guard 5.0 UnpackMeCalc.rar
Edited February 27, 2010 by burdoz

NullPointerException Posted February 27, 2010
check dependencies before upload
jwldbutn2b.ocx missing

Ronar22 Posted February 27, 2010
Is this a protector or a packer?! Cause all u have to do is to locate the OEP and dump, no IAT redirecting, no OEP stolen, nothing at all!
"JwldButn2b.ocx" included.
Unpacked.rar

Teddy Rogers Posted February 28, 2010
The [unpackme] tag has been added to your topic title. Please remember to follow and adhere to the topic title format - thank you!
[This is an automated reply]

EvOlUtIoN Posted March 1, 2010
Prolly it was protected by a demo version, cause registered one is equally simple but can remove some procedures and execute at runtime.

tracymee Posted September 16, 2010
It can be easily unpacked using the ESP trick, and the dump worked well.
My question: I got a VB app protected with PC-Guard, dumped it, but it encountered an error and had to close.
Do I miss something here?

LCF-AT Posted September 16, 2010
@ tracymee
Which kind of error message? Maybe just a VB problem after unpacking.
Or..... PC Guard can also use EN & DE Cryption Code.

    push Bytes
    call DeCrypt
    encrypted code
    ............
    push Bytes
    call EnCrypt

Just have a look whether you see something like this. If yes then you need to execute all calls. After executing one DeCrypt call you need to nop the right EnCrypt call. Do this and then dump & fix.
greetz

tracymee Posted September 16, 2010
Something like this:

    AppName: dumped_.exe AppVer: 2.1.0.1 ModName: dumped_.exe
    ModVer: 2.1.0.1 Offset: 000f7a1f

Where should I notice this de-en call? After landing at the VB OEP or before?
thx for the reply :-)

LCF-AT Posted September 16, 2010
You can search them at the OEP in the code section but I think you have another problem.

Try this. Step into the first API jmp ThunRTMain and set a BP on the ret of this API and run or press execute til ret. See whether you get the error before you reach the ret. If yes then it can be a version check. On the other hand it can be that the file used some empty addresses which are no more empty and filled with some mem addresses. This can also be your problem [mostly happens if you dump after the OEP] and if yes then you need to zero the address.

You can also try this. Set a BP on all intermodular calls and run. If you break then remove the BP and run, go on til you get the bad message. Now you know the code address before so that you can trace from this address forward to find & fix the reason.

Also have a look with LordPE, maybe you can see something which is no more good like BoundImports etc. If you can't find out the reason then send us your UnpackMe {target name etc}.
greetz

tracymee Posted September 16, 2010 (edited)
@LCF-AT
I tried BP on the RET of the first API and got error before it.
I tried BP AllIntermodularCall, and I landed to the same error code as the first:

    004C74B9 . FF15 74615000 CALL DWORD PTR DS:[<&msvbvm60.#384>] ; msvbvm60.__vbaRecUniToAnsi
    004C74BF . 50 PUSH EAX
    004C74C0 . E8 973EF4FF CALL dumped_.0040B35C =====> (got "error to close" after this call)
    004C74C5 . 8945 88 MOV DWORD PTR SS:[EBP-78],EAX
    004C74C8 . FF15 78605000 CALL DWORD PTR DS:[<&msvbvm60.#394>] ; msvbvm60.__vbaSetSystemError

Call landed to:

    0040B35C $ A1 B0A24D00 MOV EAX,DWORD PTR DS:[4DA2B0]
    0040B361 . 0BC0 OR EAX,EAX
    0040B363 . 74 02 JE SHORT dumped_.0040B367
    0040B365 - FFE0 JMP EAX =========> error ends after this
    0040B367 > 68 44B34000 PUSH dumped_.0040B344
    0040B36C . B8 402C4000 MOV EAX,<JMP.&msvbvm60.#187>
    0040B371 . FFD0 CALL EAX
    0040B373 .- FFE0 JMP EAX

hehe, pls check it for me, this is the target, thks:
unpackme
Edited September 20, 2010 by tracymee

LCF-AT Posted September 20, 2010
@ tracymee
Problem is that you need some .ocx files like sevEin20.ocx. Download all needed ocx files til the original file also starts.

    Run-time error '339':
    Component 'sevEin20.ocx' or one of its dependencies not correctly registered: a file is missing or invalid

So you can see in this message also which file it needs. I don't have this file, so there was no ocx file in your package. If you got this file and it's not working for you then you need to register this file on your system.

    regsvr32 c:\windows\system32\sevEin20.ocx

greetz

tracymee Posted September 20, 2010
> @ tracymee
> Problem is that you need some .ocx files like sevEin20.ocx. Download all needed ocx files til the original file also starts.
>
>     Run-time error '339':
>     Component 'sevEin20.ocx' or one of its dependencies not correctly registered: a file is missing or invalid
>
> So you can see in this message also which file it needs. I don't have this file, so there was no ocx file in your package. If you got this file and it's not working for you then you need to register this file on your system.
>
>     regsvr32 c:\windows\system32\sevEin20.ocx
>
> greetz

@LCF-AT
oh my mistake, i thought it was a simple exe, pls download the setup (ca. 3mb):
setup

nima20-20 Posted November 1, 2010
hi
Please unpack by a movie How to Teach?
thanks