Jump to content
Tuts 4 You

[UnpackME] WinLicense + RLPack

AnTiCDLoCK

By AnTiCDLoCK
in UnPackMe

 Share

Recommended Posts

AnTiCDLoCK

AnTiCDLoCK

Posted
Posted

Hi,

Plz Unpack this Unpack me !

unpacked file must have msgbox Correctly!

Level ?

Test3.rar

LCF-AT

LCF-AT

Posted
Posted

@ AnTiCDLoCK

Nice file.Got it unpacked too but I get this message in the original file.Some runtime error.See pic.So what to do now?I have no "Microsoft Office Outlook" installed on my system...

CDO.dll

DAO350.dll

DAO360.dll

--------------
/>http://www.wintotal.de/tipparchiv/?id=1007

--------------

Found this link with the problem description.Any chance to get it work now without to install the other app's?Or do you have some other VB runtime installer or something?

PS: File is tricky,so you just used the codesection for all! :)

greetz

post-27695-0-69348200-1323977352_thumb.p

AnTiCDLoCK

AnTiCDLoCK

Posted
  • Author
Posted (edited)

Hi my dear Master LCF-AT

No no , it has a bundle activex DLL, must be extract that ! clap3.gif

when you click on test button , load that dll and if can load , then give messageBox !

plz give difficulty (Level)?

TnX.

Edited by AnTiCDLoCK
LCF-AT

LCF-AT

Posted
Posted

@ AnTiCDLoCK

I see the bundle dll & got this already but this is not the problem. :) So the original file makes trouble because this run time error if it access vba_new2 API.

Anyway so I have create a set of 3 unpacked files which you can test on your PC.

- test3dll.dll <-- Bundle dll

- Test3_Unpacked.exe <-- just unpacked

- Test3_Unpacked+Patched.exe <-- Patched so that you get the NAG to see :)

- Test3_Unpacked+Patched_VM_Remove.exe <-- VM removed = not needed

Fixed also missing commands (5) = no CPUID access too

So if you run the file Test3_Unpacked.exe then you get A) runtime error if you press the button to get the NAG or B) you get the NAG without problem.If you get the NAG = you have installed some VB system stuff (dlls ocx etc) which I have not installed on my system.So check this out.The other files are patched so that you get the NAG.

Difficulty Level: 2 of 10

PS: Info for others who have problems with this file.

TM WL EP is: VA 005F4000 | SUB ESP,4

You can also dump it there + few imports fix

If you have trouble to handle the file with one section then you can also change the file sizes in LordPE and give the codesection a size of 3000 + adjust the section below to 4000 offset etc and now your TM WL section is the RLpack section.

VM OEP is 4FE57C

RD CODE + CPUID inside

00401C56  JMP 003D0014
00401C98  JMP 003D0042
00401CCC  JMP 003D0070
00401D0A  JMP 003D009E
00401D70  JMP 003D00B3

Note: If you dump after RLpack layer and if you use the TM WL layer alone then the missing code jmps to nothing = crash so the code above is from RLpack.Just check the original file and rebuild the 5 code commands later on your file.

greetz

Test3_Unpacked_x3.rar

  • Like 1
LCF-AT

LCF-AT

Posted
Posted

@ AnTiCDLoCK

Ok now it work with both dll files packed dll & unpacked dll.So I have send you the packed dll [simple rlpack too].

So now your packed file will also run normaly + NAG show & without any runtime error anymore.

Original file + NAG = OK

Original file - NAG = Runtime error = some reg etc problem.

After some debuging it has work after a while so something must happend so that my OS say OK now.No idea what the reason is or was.Anyway,to use VB seems not to be the best solution. :) Takes much time if you get some strange running problems etc.

greetz

AnTiCDLoCK

AnTiCDLoCK

Posted
  • Author
Posted (edited)

@ LCF-AT

your unpacked file correct but it has a problem:

if i delete dll = nag show !!!! patch file is not rule !

it has some stolen instruction by rlpack , do you fix that ?

anyway i attached New file you can study it .

question : if bundle txt file or ... can exctract that ???

tnx

Test4.rar

Edited by AnTiCDLoCK
LCF-AT

LCF-AT

Posted
Posted (edited)

@ AnTiCDLoCK

Open your eyes and read my text!

Test3_Unpacked.exe <- Just unpacked!If this runs for you + dll = Fine

"it has some stolen instruction by rlpack,do you fix that?" - again read my text!

RLpack RD commands = also fixed if not then app would not run.

00401C56  JMP 003D0014
00401C98  JMP 003D0042
00401CCC  JMP 003D0070
00401D0A  JMP 003D009E
00401D70  JMP 003D00B3

So you have packed the files so you should also know what to check in the unpacked files.Just have a look there and you see it.

"question : if bundle txt file or ... can exctract that?" - Yes.Any files.

Your new file is almost the same except one TM WL VM input on vba_new2 API + command below + new dll + messagebox in dll now. :) Check my unpacked files again.

PS: Your new file does show nothing if you press the button on the original file.Same trouble like before....*** VB trash. :)

PS: Normaly the packed file should show the NAG if you press the button.If not = problem or you added some check for it etc.Bundled files are extract into memory which then also used in the packed file.If you dump only the exe without bundle files then the NAG should be not shown etc.So this is the normaly way.

EDIT: regsvr32 C:\Test4DLL.dll

Ok so you need to register the extracted dll before it works with the files [packed & unpacked].Thats the reason why I get this runtime message before in the original & unpacked file in test3.exe.Thats a big problem if you use bundle dll files in TM WL targets which need to register before working.So TM WL Xbundle does not register a dll by itself.

= Packed file + xbundle dll which need to register = packed file does not work correctly = problem messages xy for xy user. :)

greetz

Test4_Unpacked+dll.rar

Edited by LCF-AT
AnTiCDLoCK

AnTiCDLoCK

Posted
  • Author
Posted (edited)

Sorry,

ok , well done .doh.gif

greetz

Edited by AnTiCDLoCK

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing
×
×
  • Create New...