View Full Version : another target...??


SpekkeL!
January 8th, 2001, 06:13
Yep, I read all the good work of your Revirgin..
Don't know if it can handle this proggy....
It is protected by E-license (vtcpak24.dll, try buy etc), after pushing try it's unpacking..
http://www.soft-trade.com/?a=appdl&appid=234& (winoptimizer2000.exe)

Greetz ...SpeKKeL!.....

+SplAj
January 9th, 2001, 12:32
Mmmmmmmm just DL it...

Load TRW 2.11
Load target exe
Set BPMB 499644 X
run encrypted exe
press TRY
TRW breaks at OEiP again...
voila, unencrypted exe !!!
Makepe new.exe
Runs fine, set date 2 years ahead, runs fine
DONE
5 mins.

so i tried it and it works thanks.

'patch+play'

SpeKKel!
January 9th, 2001, 13:03
H'mmm, nice work, in what way did you find 499644.??

Thanks for reply..SpeKKeL!.......

SpeK
January 9th, 2001, 13:08
Sorry, sorry, I was too fast. Just the entry-point..

Greetz Spekkel!

SpeKKeL
January 9th, 2001, 15:24
OK, I have done it in several ways (with trw, procdump etc) but the new.exe keeps crashing on address 4997c6: call 44aa1c. In this call I get: Access violation at address 0000001 read of address fffffffff ????
I did close all proggies and closed all BPs while dumping, so what could be the problem here?
Btw: when I trace with trw/si all goes well...

Thanks.......SpeKKeL!..

+SplAj
January 10th, 2001, 07:13
Hi SpeKKel.

Sorry for the brief message but I was in one of those Cafe things using TRW from floppy.

Now I took the target home and retried with SI. Mmmm, lock ups and crashing on NT4. So tried with TRW on my W98SE Notebook. It worked as long as I DON'T 'LOAD' the target via TRW, just load TRW, CTL-N set BPMB 499644 X. Then START the target, pop etc. until after the TRY button. TRW pops at unencrypted OEiP and so then MAKEPE Winopt_make.exe.
This new exe works on my Win98SE notebook OK.
Then transferred Winopt_make.exe to my NT4 and got message 'no Cydoor' so fixed that flag at [49C90C] to 0 by changing code at 464EA3 - Mov byte ptr [49c90c],01 to 00.

It works fine now without e-licence manager

BUT could not DUMP and rebuild. Only 'make' with TRW worked. Strange. But this target is a cr*p piece of Sh*t anyway so I just trashed the lot. Can't waste time with this.

You can have my 'make' exe if you want to study it further ?

+SplAj
'patch+play'

+SplAj
January 11th, 2001, 13:27
Greetz SpeKKel...

I've had a good learning experience today while beta bashing Revirgin. I tried my old friend Iris 101 from eEye.com (network scanner like CommView). Although I cracked it months ago I could never get a dumpster to work.
It's packed with Pelock or whatever (AnAKIn) and then PCGuard32 applied.

I noticed on comparing my dumpster with the Revirgined IAT that there was an extra link to the IRIS.exe that I assumed was the problem. So, how to get rid of it? I used PEeditor 1.7 (Greetz MoD & Yoda) and they have a 'right-click' selector in the Import Table section that you can delete API links with and it refixes your exe. I did it on my dumped iris.exe and....IT WORKED NOW.

So I applied the same to the Winopt dump as it still had Vkrypt.dll links in the IT whereas the MAKE version did not. So I deleted this API link and this new dump got the no cydoor message. I patched the byte referred to above and THIS dumped exe WORKS!

Just sharing this revelation with you. Have fun

+SplAj

SpeKKeL
January 12th, 2001, 12:04
Hajo, great thanks for the info but...I lost you on your way (I must study harder!)
I saw, with pe-editor, in the section table viewer the section .vtc224. I think this is what I should delete (I did but after running it crashed) so what must I patch now or did I do it wrong....

regards spekkel!

+SplAj
January 14th, 2001, 07:17
Greetz SpeKKel

Sorry for the confusing message. Here is the reply. Freshly baked....

1) Launch Winoptimizer2000.exe
2) At the TRY/Rent/Buy screen start TRW2000
3) CTL-N set a BPMB 499644 x and F5
4) Press TRY
5) TRW pops at unencrypted OEiP 499644
6) clear all BP's
7) PEDUMP new.exe
8) Close everything.
9) Start PEDITOR 1.7 (you have it ?)
10) Browse to new.exe and load
11) Press directory button
12) Press Imports button
13) See Vtcpack.dll as first dll (1st thunk 9D17C)
14) 'right-mouse-button' click on this line and choose
'delete ImageImportDescriptor', confirm and delete
15) Close peditor.
16) run new.exe - if 'No Cydoor' message. Edit raw
offset 64EA9 from 01 to 00

VOILA ! - it worked 3rd time just now ????

If this doesn't work for U then I can't help any further, other than that this was done using Win98SE and TRW 1.22

+SplAj

SpeKKel
January 14th, 2001, 09:11
HowdyHO + Splaj

All works fine by now.....

The only thing was that I couldn't find the vtcpak24.dll because in my dump (with trw2000) there wasn't any....So I tried dumping with procdump (bpx getprocaddressss..and traced) and now I also had the vtc library copied, although I must delete it ??, but yep it works !!!!!!

So very many thanks for this and maybe I could use this info for other proggs as well

Ciao........SpeKKeL...........