CodeExplorer Posted April 9, 2019 Share Posted April 9, 2019 Language : Visual C++ 6.0 Platform : Windows x32 OS Version : Windows All Packer / Protector : PELock Demo v2.09 Description : This is just one of my program protected. The objective is unpack it. FolderCompare_prot.zip 1 Link to comment Share on other sites More sharing options...
karan Posted July 24, 2019 Share Posted July 24, 2019 (edited) PElock use GetLocalTime Function 83 7D 14 00 EB 05 1st API Emulate 87 01 EB 04 67 D2 DE 2nd API Emulate this file is not contain OEP stolen byte FolderCompare_prot_dump_SCY.exe Edited July 24, 2019 by karan 2 Link to comment Share on other sites More sharing options...
CodeExplorer Posted July 24, 2019 Author Share Posted July 24, 2019 I've already made Olly scripts and a tutorials for this: https://forum.tuts4you.com/topic/41261-pelock-v1-and-v2-scripts-and-tutorials/ Just needed to be configured for trial version. Your unpacked doesn't properly work on my Win 7 x86 computer 1 Link to comment Share on other sites More sharing options...
CodeExplorer Posted July 24, 2019 Author Share Posted July 24, 2019 Found the bug: 004012D0 . 56 PUSH ESI 004012D1 . 57 PUSH EDI 004012D2 . 8BF1 MOV ESI,ECX 004012D4 . E8 F9140000 CALL 004027D2 ; <JMP.&mfc42.#4710> 004012D9 . 8B86 E0000000 MOV EAX,DWORD PTR DS:[ESI+E0] 004012DF . 8B4E 20 MOV ECX,DWORD PTR DS:[ESI+20] 004012E2 . 8B3D 54324000 MOV EDI,DWORD PTR DS:[403254] 004012E8 . 50 PUSH EAX 004012E9 . 6A 01 PUSH 1 004012EB . 68 80000000 PUSH 80 004012F0 . 51 PUSH ECX 004012F1 . FFD7 CALL EDI 004012F3 . 8B96 E0000000 MOV EDX,DWORD PTR DS:[ESI+E0] 00403228 >753D77AD w=u msvcrt.__setusermatherr 0040322C 00000000 .... 00403230 >7616DC6A jÜv shell32.SHBrowseForFolderA 00403234 >76041C24 $v shell32.SHGetPathFromIDListA 00403238 00000000 .... 0040323C >75B07D2F /}°u USER32.GetSystemMetrics 00403240 >75B10C62 b.±u USER32.GetClientRect 00403244 >75B18DEB ë±u USER32.DrawIcon 00403248 >75B12DA4 ¤-±u USER32.EnableWindow 0040324C >75B132A9 ©2±u USER32.IsIconic 00403250 >75B0DAFB ûÚ°u USER32.LoadIconA 00403254 7594A480 €¤”u 00403258 00000000 .... 0040325C 00000000 .... The real Api is: 00403254 >75B1612E .a±u USER32.SendMessageA ˈ 1 Link to comment Share on other sites More sharing options...
karan Posted July 24, 2019 Share Posted July 24, 2019 16 minutes ago, CodeExplorer said: Found the bug: 004012D0 . 56 PUSH ESI 004012D1 . 57 PUSH EDI 004012D2 . 8BF1 MOV ESI,ECX 004012D4 . E8 F9140000 CALL 004027D2 ; <JMP.&mfc42.#4710> 004012D9 . 8B86 E0000000 MOV EAX,DWORD PTR DS:[ESI+E0] 004012DF . 8B4E 20 MOV ECX,DWORD PTR DS:[ESI+20] 004012E2 . 8B3D 54324000 MOV EDI,DWORD PTR DS:[403254] 004012E8 . 50 PUSH EAX 004012E9 . 6A 01 PUSH 1 004012EB . 68 80000000 PUSH 80 004012F0 . 51 PUSH ECX 004012F1 . FFD7 CALL EDI 004012F3 . 8B96 E0000000 MOV EDX,DWORD PTR DS:[ESI+E0] 00403228 >753D77AD w=u msvcrt.__setusermatherr 0040322C 00000000 .... 00403230 >7616DC6A jÜv shell32.SHBrowseForFolderA 00403234 >76041C24 $v shell32.SHGetPathFromIDListA 00403238 00000000 .... 0040323C >75B07D2F /}°u USER32.GetSystemMetrics 00403240 >75B10C62 b.±u USER32.GetClientRect 00403244 >75B18DEB ë±u USER32.DrawIcon 00403248 >75B12DA4 ¤-±u USER32.EnableWindow 0040324C >75B132A9 ©2±u USER32.IsIconic 00403250 >75B0DAFB ûÚ°u USER32.LoadIconA 00403254 7594A480 €¤”u 00403258 00000000 .... 0040325C 00000000 .... The real Api is: 00403254 >75B1612E .a±u USER32.SendMessageA ˈ oh... got it. thank you Link to comment Share on other sites More sharing options...
TRISTAN Pro Posted February 12, 2023 Share Posted February 12, 2023 Ok FolderCompare unpacked.rar Link to comment Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now