CodeExplorer
Posted April 9, 2019

Language : Visual C++ 6.0
Platform : Windows x32
OS Version : Windows All
Packer / Protector : PELock Demo v2.09
Description : This is just one of my programs, protected. The objective is to unpack it.

FolderCompare_prot.zip
karan
Posted July 24, 2019 (edited)

PELock uses the GetLocalTime function:
83 7D 14 00 EB 05 - 1st API emulate
87 01 EB 04 67 D2 DE - 2nd API emulate
This file does not contain OEP stolen bytes.

FolderCompare_prot_dump_SCY.exe

Edited July 24, 2019 by karan
CodeExplorer (Author)
Posted July 24, 2019

I've already made Olly scripts and tutorials for this: https://forum.tuts4you.com/topic/41261-pelock-v1-and-v2-scripts-and-tutorials/
They just need to be configured for the trial version. Your unpacked file doesn't work properly on my Win 7 x86 computer.
CodeExplorer (Author)
Posted July 24, 2019

Found the bug:

004012D0 . 56 PUSH ESI
004012D1 . 57 PUSH EDI
004012D2 . 8BF1 MOV ESI,ECX
004012D4 . E8 F9140000 CALL 004027D2 ; <JMP.&mfc42.#4710>
004012D9 . 8B86 E0000000 MOV EAX,DWORD PTR DS:[ESI+E0]
004012DF . 8B4E 20 MOV ECX,DWORD PTR DS:[ESI+20]
004012E2 . 8B3D 54324000 MOV EDI,DWORD PTR DS:[403254]
004012E8 . 50 PUSH EAX
004012E9 . 6A 01 PUSH 1
004012EB . 68 80000000 PUSH 80
004012F0 . 51 PUSH ECX
004012F1 . FFD7 CALL EDI
004012F3 . 8B96 E0000000 MOV EDX,DWORD PTR DS:[ESI+E0]

00403228 >753D77AD w=u msvcrt.__setusermatherr
0040322C 00000000 ....
00403230 >7616DC6A jÜv shell32.SHBrowseForFolderA
00403234 >76041C24 $v shell32.SHGetPathFromIDListA
00403238 00000000 ....
0040323C >75B07D2F /}°u USER32.GetSystemMetrics
00403240 >75B10C62 b.±u USER32.GetClientRect
00403244 >75B18DEB ë±u USER32.DrawIcon
00403248 >75B12DA4 ¤-±u USER32.EnableWindow
0040324C >75B132A9 ©2±u USER32.IsIconic
00403250 >75B0DAFB ûÚ°u USER32.LoadIconA
00403254 7594A480 €¤”u
00403258 00000000 ....
0040325C 00000000 ....

The real API is:
00403254 >75B1612E .a±u USER32.SendMessageA
karan
Posted July 24, 2019

16 minutes ago, CodeExplorer said:

    Found the bug:

    004012D0 . 56 PUSH ESI
    004012D1 . 57 PUSH EDI
    004012D2 . 8BF1 MOV ESI,ECX
    004012D4 . E8 F9140000 CALL 004027D2 ; <JMP.&mfc42.#4710>
    004012D9 . 8B86 E0000000 MOV EAX,DWORD PTR DS:[ESI+E0]
    004012DF . 8B4E 20 MOV ECX,DWORD PTR DS:[ESI+20]
    004012E2 . 8B3D 54324000 MOV EDI,DWORD PTR DS:[403254]
    004012E8 . 50 PUSH EAX
    004012E9 . 6A 01 PUSH 1
    004012EB . 68 80000000 PUSH 80
    004012F0 . 51 PUSH ECX
    004012F1 . FFD7 CALL EDI
    004012F3 . 8B96 E0000000 MOV EDX,DWORD PTR DS:[ESI+E0]

    00403228 >753D77AD w=u msvcrt.__setusermatherr
    0040322C 00000000 ....
    00403230 >7616DC6A jÜv shell32.SHBrowseForFolderA
    00403234 >76041C24 $v shell32.SHGetPathFromIDListA
    00403238 00000000 ....
    0040323C >75B07D2F /}°u USER32.GetSystemMetrics
    00403240 >75B10C62 b.±u USER32.GetClientRect
    00403244 >75B18DEB ë±u USER32.DrawIcon
    00403248 >75B12DA4 ¤-±u USER32.EnableWindow
    0040324C >75B132A9 ©2±u USER32.IsIconic
    00403250 >75B0DAFB ûÚ°u USER32.LoadIconA
    00403254 7594A480 €¤”u
    00403258 00000000 ....
    0040325C 00000000 ....

    The real API is:
    00403254 >75B1612E .a±u USER32.SendMessageA

oh... got it. thank you
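The check CodeExplorer applied above, written out as an added Python example that is not part of this thread: it parses OllyDbg dump-window lines like the ones in the post and lists the IAT slots holding a non-zero pointer that OllyDbg could not resolve to a module export, which is exactly how the redirected 00403254 entry stands out against its neighbours. The sample lines are constructed from the post, and the column layout assumed for the dump window (address, pointer, 4-char ASCII rendering, optional MODULE.Symbol) is an assumption.

```python
import re
from typing import List, Optional, Tuple
# Constructed sample: a subset of the OllyDbg dump-window lines from the
# thread (the program's import address table), including the bad 00403254
# slot whose pointer OllyDbg could not name.
DUMP = """\
00403228 >753D77AD w=u msvcrt.__setusermatherr
0040322C 00000000 ....
00403230 >7616DC6A jÜv shell32.SHBrowseForFolderA
0040324C >75B132A9 ©2±u USER32.IsIconic
00403250 >75B0DAFB ûÚ°u USER32.LoadIconA
00403254 7594A480 €¤”u
00403258 00000000 ....
"""

# A resolved symbol looks like MODULE.Name (USER32.SendMessageA,
# msvcrt.__setusermatherr); the 4-char ASCII column never matches this.
SYMBOL_RE = re.compile(r"^[A-Za-z0-9_]+\.[A-Za-z0-9_@#?$]+$")

def parse_dump_line(line: str) -> Optional[Tuple[int, int, Optional[str]]]:
    """(slot address, pointer value, symbol or None) for one dump line.
    Assumed layout: address, pointer ('>'-prefixed when OllyDbg resolved
    it), 4-char ASCII rendering, optional MODULE.Symbol."""
    parts = line.split()
    if len(parts) < 2:
        return None
    try:
        slot = int(parts[0], 16)
        value = int(parts[1].lstrip(">"), 16)
    except ValueError:
        return None
    symbol = None
    if len(parts) >= 4 and SYMBOL_RE.match(parts[-1]):
        symbol = parts[-1]
    return slot, value, symbol

def find_unresolved_iat_slots(dump: str) -> List[Tuple[int, int]]:
    """(slot, pointer) for every non-zero IAT entry that has no symbol.
    Zero slots are unused; a non-zero pointer with no export behind it is
    what API redirection leaves behind and is the entry to restore."""
    flagged = []
    for line in dump.splitlines():
        parsed = parse_dump_line(line)
        if parsed is None:
            continue
        slot, value, symbol = parsed
        if value != 0 and symbol is None:
            flagged.append((slot, value))
    return flagged
```

Run against the full dump from the post, the only slot reported is 00403254, which the thread then restores to USER32.SendMessageA.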