Jump to content
Tuts 4 You

[unpackme] PC-Guard 5.0 UnpackMe


burdoz

Recommended Posts

The [unpackme] tag has been added to your topic title.

Please remember to follow and adhere to the topic title format - thankyou!

[This is an automated reply]

Link to comment

Prolly it was protected by a demo version, cause registered one is equally simple but can remove some procedures and execute at runtime.

Link to comment
  • 6 months later...

it can be easily unpacked using ESP trick and dumped worked well.

my question: got a VB protected with PC-Guard, dumped but encountered error and have to closed.

do i miss something here?

Link to comment

@ tracymee

which kind of error message?Maybe just a VB problem after unpacking.

Or.....

PC Guard can also use EN & DE Cryption Code.

push Bytes
call DeCrypt
encrypted code
......
......
push Bytes
call EnCrypt

Just have a look whether you see something like this.If yes then you need to execute all calls.After execute one DeCrypt call you need to nop the right EnCrypt call.Do this and then dump & fix.

greetz

Link to comment

Something like this:

AppName: dumped_.exe AppVer: 2.1.0.1 ModName: dumped_.exe

ModVer: 2.1.0.1 Offset: 000f7a1f

Where should notice this de-en call? after landed to VB oep or before?

thx for the reply :-)

Link to comment

You can search them at the OEP in the code section but I think you have a other problem.Try this.Step into the first API jmp ThunRTMain and set a BP on the ret of this API and run or press exeute til ret.See whether you get the error before you reach the ret.If yes then it can be a version check.On the other hand it can be that the file used some empty addresses which are no more empty and filled with some mem addresses.This can also be your problem [mostly happend if you dump after the OEP] and if yes then you need to zero the address.

You can also try this.Set a BP on all intermodular calls and run.If you break then remove the BP and run go on til you get the bad message.Now you know the code address before so that you can trace from this address forward to find & fix the reason.

Also have a look with LordPE maybe you can see somethig which is no more good like BoundImports etc.

If you can't find out the reason then send us your UnpackMe {target name etc}.

greetz

Link to comment

@LCF-AT

I tried BP on the RET of the first API and got error before it.

I tried BP AllIntermodularCall, and I landed to the same error code as the first:

004C74B9 . FF15 74615000 CALL DWORD PTR DS:[<&msvbvm60.#384>] ; msvbvm60.__vbaRecUniToAnsi

004C74BF . 50 PUSH EAX

004C74C0 . E8 973EF4FF CALL dumped_.0040B35C =====>got "error to close" after this call)

004C74C5 . 8945 88 MOV DWORD PTR SS:[EBP-78],EAX

004C74C8 . FF15 78605000 CALL DWORD PTR DS:[<&msvbvm60.#394>] ; msvbvm60.__vbaSetSystemError

Call landed to:

0040B35C $ A1 B0A24D00 MOV EAX,DWORD PTR DS:[4DA2B0]

0040B361 . 0BC0 OR EAX,EAX

0040B363 . 74 02 JE SHORT dumped_.0040B367

0040B365 - FFE0 JMP EAX =========> error ends after this

0040B367 > 68 44B34000 PUSH dumped_.0040B344

0040B36C . B8 402C4000 MOV EAX,<JMP.&msvbvm60.#187>

0040B371 . FFD0 CALL EAX

0040B373 .- FFE0 JMP EAX

hehe, pls check it for me, this is the target, thks:

unpackme

Edited by tracymee
Link to comment

@ tracymee

Problem is that you need some .ocx files like sevEin20.ocx.Download all needed ocx files til the original file also start.

Run-time error '339':Component 'sevEin20.ocx' or one of its dependencies not correctly registered: a file is missing or invalid

So you can see this message also which file it needs.I don't have this file so there was no ocx file in your package.If you got this file and it's not working for you then you need to register this file on your system.

regsvr32 c:\windows\system32\sevEin20.ocx

greetz

Link to comment

@ tracymee

Problem is that you need some .ocx files like sevEin20.ocx.Download all needed ocx files til the original file also start.

Run-time error '339':Component 'sevEin20.ocx' or one of its dependencies not correctly registered: a file is missing or invalid

So you can see this message also which file it needs.I don't have this file so there was no ocx file in your package.If you got this file and it's not working for you then you need to register this file on your system.

regsvr32 c:\windows\system32\sevEin20.ocx

greetz

@LCF-AT

oh my mistake, i thought it was a simple exe, pls download the setup (ca. 3mb):

setup

Link to comment
  • 1 month later...

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...