Tuts 4 You

PELock Demo v2.09

Question

CodeExplorer

Language : Visual C++ 6.0
Platform : Windows  x32
OS Version : Windows All
Packer / Protector : PELock Demo v2.09

Description :

This is just one of my programs, protected. The objective is to unpack it.


FolderCompare_prot.zip


4 answers to this question

karan
Posted (edited)

PELock uses the GetLocalTime function

83 7D 14 00 EB 05 

1st API Emulate 

87 01 EB 04 67 D2 DE

2nd API Emulate

This file does not contain OEP stolen bytes.

FolderCompare_prot_dump_SCY.exe

CodeExplorer

Found the bug:

004012D0   .  56                        PUSH ESI
004012D1   .  57                        PUSH EDI
004012D2   .  8BF1                      MOV ESI,ECX
004012D4   .  E8 F9140000               CALL 004027D2                            ;  <JMP.&mfc42.#4710>
004012D9   .  8B86 E0000000             MOV EAX,DWORD PTR DS:[ESI+E0]
004012DF   .  8B4E 20                   MOV ECX,DWORD PTR DS:[ESI+20]
004012E2   .  8B3D 54324000             MOV EDI,DWORD PTR DS:[403254]
004012E8   .  50                        PUSH EAX
004012E9   .  6A 01                     PUSH 1
004012EB   .  68 80000000               PUSH 80
004012F0   .  51                        PUSH ECX
004012F1   .  FFD7                      CALL EDI
004012F3   .  8B96 E0000000             MOV EDX,DWORD PTR DS:[ESI+E0]

00403228 >753D77AD  msvcrt.__setusermatherr
0040322C  00000000
00403230 >7616DC6A  shell32.SHBrowseForFolderA
00403234 >76041C24  shell32.SHGetPathFromIDListA
00403238  00000000
0040323C >75B07D2F  USER32.GetSystemMetrics
00403240 >75B10C62  USER32.GetClientRect
00403244 >75B18DEB  USER32.DrawIcon
00403248 >75B12DA4  USER32.EnableWindow
0040324C >75B132A9  USER32.IsIconic
00403250 >75B0DAFB  USER32.LoadIconA
00403254  7594A480
00403258  00000000
0040325C  00000000

The real API is:
00403254 >75B1612E  USER32.SendMessageA

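The check in CodeExplorer's post above can be scripted; this is an added example, not code from the thread. It flags non-zero IAT slots that carry no module.function label in an OllyDbg-style dump, then finds register calls in a listing that load their target from such a slot. The sample lines are taken from the post with the ASCII column dropped, and the function names are illustrative.

```python
import re

# Sample lines taken from the post above (ASCII column dropped).
IAT_DUMP = """\
00403248 >75B12DA4  USER32.EnableWindow
0040324C >75B132A9  USER32.IsIconic
00403250 >75B0DAFB  USER32.LoadIconA
00403254  7594A480
00403258  00000000
0040325C  00000000
"""
DISASM = """\
004012DF   .  8B4E 20                   MOV ECX,DWORD PTR DS:[ESI+20]
004012E2   .  8B3D 54324000             MOV EDI,DWORD PTR DS:[403254]
004012E8   .  50                        PUSH EAX
004012F1   .  FFD7                      CALL EDI
"""

SLOT = re.compile(r"^([0-9A-F]{8})\s+>?([0-9A-F]{8})\s*(\S+\.\S+)?\s*$")
LOAD = re.compile(r"^([0-9A-F]{8}).*\bMOV (E[A-Z]{2}),DWORD PTR DS:\[([0-9A-F]+)\]")
CALL = re.compile(r"^([0-9A-F]{8}).*\bCALL (E[A-Z]{2})\s*$")

def unresolved_slots(dump):
    """Return {slot_address: value} for non-zero thunks with no module.function label."""
    bad = {}
    for line in dump.splitlines():
        m = SLOT.match(line)
        if m and int(m.group(2), 16) != 0 and m.group(3) is None:
            bad[int(m.group(1), 16)] = int(m.group(2), 16)
    return bad

def affected_calls(disasm, bad):
    """Return (call_address, slot_address) for register calls loaded from a bad slot.
    Simple linear scan: only absolute-address loads are tracked per register."""
    loaded, hits = {}, []
    for line in disasm.splitlines():
        m = LOAD.match(line)
        if m:
            loaded[m.group(2)] = int(m.group(3), 16)
            continue
        c = CALL.match(line)
        if c and loaded.get(c.group(2)) in bad:
            hits.append((int(c.group(1), 16), loaded[c.group(2)]))
    return hits

if __name__ == "__main__":
    bad = unresolved_slots(IAT_DUMP)
    for call, slot in affected_calls(DISASM, bad):
        print(f"call at {call:08X} uses unresolved IAT slot {slot:08X} -> {bad[slot]:08X}")
```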
karan

 


oh... got it. thank you :)
