Tuts 4 You

PELock Demo v2.09


CodeExplorer

Language : Visual C++ 6.0
Platform : Windows  x32
OS Version : Windows All
Packer / Protector : PELock Demo v2.09

Description :

This is just one of my programs, protected. The objective is to unpack it.


FolderCompare_prot.zip

  • 3 months later...
CodeExplorer

Found the bug:

004012D0   .  56                        PUSH ESI
004012D1   .  57                        PUSH EDI
004012D2   .  8BF1                      MOV ESI,ECX
004012D4   .  E8 F9140000               CALL 004027D2                            ;  <JMP.&mfc42.#4710>
004012D9   .  8B86 E0000000             MOV EAX,DWORD PTR DS:[ESI+E0]
004012DF   .  8B4E 20                   MOV ECX,DWORD PTR DS:[ESI+20]
004012E2   .  8B3D 54324000             MOV EDI,DWORD PTR DS:[403254]
004012E8   .  50                        PUSH EAX
004012E9   .  6A 01                     PUSH 1
004012EB   .  68 80000000               PUSH 80
004012F0   .  51                        PUSH ECX
004012F1   .  FFD7                      CALL EDI
004012F3   .  8B96 E0000000             MOV EDX,DWORD PTR DS:[ESI+E0]

00403228 >753D77AD  ­w=u  msvcrt.__setusermatherr
0040322C  00000000  ....
00403230 >7616DC6A  jÜv  shell32.SHBrowseForFolderA
00403234 >76041C24  $v  shell32.SHGetPathFromIDListA
00403238  00000000  ....
0040323C >75B07D2F  /}°u  USER32.GetSystemMetrics
00403240 >75B10C62  b.±u  USER32.GetClientRect
00403244 >75B18DEB  ë±u  USER32.DrawIcon
00403248 >75B12DA4  ¤-±u  USER32.EnableWindow
0040324C >75B132A9  ©2±u  USER32.IsIconic
00403250 >75B0DAFB  ûÚ°u  USER32.LoadIconA
00403254  7594A480  €¤”u
00403258  00000000  ....
0040325C  00000000  ....

The real API is:
00403254 >75B1612E  .a±u  USER32.SendMessageA


16 minutes ago, CodeExplorer said:

Found the bug:

004012D0   .  56                        PUSH ESI
004012D1   .  57                        PUSH EDI
004012D2   .  8BF1                      MOV ESI,ECX
004012D4   .  E8 F9140000               CALL 004027D2                            ;  <JMP.&mfc42.#4710>
004012D9   .  8B86 E0000000             MOV EAX,DWORD PTR DS:[ESI+E0]
004012DF   .  8B4E 20                   MOV ECX,DWORD PTR DS:[ESI+20]
004012E2   .  8B3D 54324000             MOV EDI,DWORD PTR DS:[403254]
004012E8   .  50                        PUSH EAX
004012E9   .  6A 01                     PUSH 1
004012EB   .  68 80000000               PUSH 80
004012F0   .  51                        PUSH ECX
004012F1   .  FFD7                      CALL EDI
004012F3   .  8B96 E0000000             MOV EDX,DWORD PTR DS:[ESI+E0]

00403228 >753D77AD  ­w=u  msvcrt.__setusermatherr
0040322C  00000000  ....
00403230 >7616DC6A  jÜv  shell32.SHBrowseForFolderA
00403234 >76041C24  $v  shell32.SHGetPathFromIDListA
00403238  00000000  ....
0040323C >75B07D2F  /}°u  USER32.GetSystemMetrics
00403240 >75B10C62  b.±u  USER32.GetClientRect
00403244 >75B18DEB  ë±u  USER32.DrawIcon
00403248 >75B12DA4  ¤-±u  USER32.EnableWindow
0040324C >75B132A9  ©2±u  USER32.IsIconic
00403250 >75B0DAFB  ûÚ°u  USER32.LoadIconA
00403254  7594A480  €¤”u
00403258  00000000  ....
0040325C  00000000  ....

The real API is:
00403254 >75B1612E  .a±u  USER32.SendMessageA


oh... got it. thank you :)
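
The check behind the finding in this thread, as an added example that is not part of any post: it parses the import table dump, flags every non-null slot that carries no export name, guesses the owning module from the named neighbours in the same zero-terminated run, and lists the instructions that read the slot. The function names and the neighbour heuristic are assumptions of this example, and the inputs are constructed from the post's lines with the ASCII column and opcode bytes dropped.

```python
import re

# Constructed input: the post's IAT dump with the debugger's ASCII column dropped.
DUMP = """\
00403228 >753D77AD  msvcrt.__setusermatherr
0040322C  00000000
00403230 >7616DC6A  shell32.SHBrowseForFolderA
00403234 >76041C24  shell32.SHGetPathFromIDListA
00403238  00000000
0040323C >75B07D2F  USER32.GetSystemMetrics
00403240 >75B10C62  USER32.GetClientRect
00403244 >75B18DEB  USER32.DrawIcon
00403248 >75B12DA4  USER32.EnableWindow
0040324C >75B132A9  USER32.IsIconic
00403250 >75B0DAFB  USER32.LoadIconA
00403254  7594A480
00403258  00000000
0040325C  00000000
"""
# Constructed input: two of the post's instructions, opcode bytes dropped.
DISASM = "004012E2  MOV EDI,DWORD PTR DS:[403254]\n004012F1  CALL EDI\n"

SLOT = re.compile(r"^([0-9A-F]{8})\s+>?([0-9A-F]{8})(?:\s+(\w+)\.\S+)?\s*$", re.M)

def parse_iat(dump):
    """Return [(slot_address, pointer, module_or_None)] in dump order."""
    return [(int(a, 16), int(v, 16), m or None) for a, v, m in SLOT.findall(dump)]

def unresolved_slots(dump):
    """Flag non-null slots with no export name; a zero dword ends each thunk run."""
    findings, run = [], []
    for slot in parse_iat(dump) + [(0, 0, None)]:  # sentinel closes the last run
        if slot[1]:
            run.append(slot)
            continue
        modules = {m for _, _, m in run if m}
        guess = next(iter(modules)) if len(modules) == 1 else None
        findings += [(a, v, guess) for a, v, m in run if m is None]
        run = []
    return findings

def readers_of(disasm, slot_address):
    """Addresses of instructions that read the slot through a DS:[addr] operand."""
    operand = "DS:[%X]" % slot_address
    return [int(l.split()[0], 16) for l in disasm.splitlines() if operand in l]

if __name__ == "__main__":
    for a, v, mod in unresolved_slots(DUMP):
        print("%08X -> %08X likely %s" % (a, v, mod), readers_of(DISASM, a))
```

The module guess only narrows the search; the export itself still has to be identified by hand, as was done for the slot at 00403254.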
