telexxingou
September 14th, 2001, 10:42
please, someone know if an unpacker for telock0.90 exist ?
i really need it
very thanks for your help
Byebye
i really need it
very thanks for your help
Byebye
View Full Version : telock 0.90
+SplAj
September 16th, 2001, 04:25
Hajo
Best unpacking tool is BRAIN :-)
Other tools to assist:-
SI
Icedump
LordPE
RV
TE! tricks - anti SI, Anti dump (section count =FFFF and IAT is mapped, relocated then destroyed)
Solution :-
========
Load target in SI (after running Icedump)
BPX VirtualProtectEx
F5
F12
S CS:EIP L EIP+100 EB,02,CD,20,61
Set a BPX on the memory were the 61 (POPAD) is. F5
Press F8 carefully cos your nearly at the OEiP
At OEiP change bytes from 55 8B to EB FE (loop)
Use LordPE to dump (with load section header from disk on to solve the section count FFFF trick)
Then use RV to rebuild the IAT/IT (or stop TE from destroying the
IAT/IT once you know the VA offset)
Fix up your dump (OEiP pointer, EB FE -> 55 8B, IAT pointer etc)
and TE! is gone :-)
+Spl/\j
Best unpacking tool is BRAIN :-)
Other tools to assist:-
SI
Icedump
LordPE
RV
TE! tricks - anti SI, Anti dump (section count =FFFF and IAT is mapped, relocated then destroyed)
Solution :-
========
Load target in SI (after running Icedump)
BPX VirtualProtectEx
F5
F12
S CS:EIP L EIP+100 EB,02,CD,20,61
Set a BPX on the memory were the 61 (POPAD) is. F5
Press F8 carefully cos your nearly at the OEiP
At OEiP change bytes from 55 8B to EB FE (loop)
Use LordPE to dump (with load section header from disk on to solve the section count FFFF trick)
Then use RV to rebuild the IAT/IT (or stop TE from destroying the
IAT/IT once you know the VA offset)
Fix up your dump (OEiP pointer, EB FE -> 55 8B, IAT pointer etc)
and TE! is gone :-)
+Spl/\j
nchanta
September 16th, 2001, 06:47
hola unpax0r king
thanks for the compressed telock essay, will come in handy
your student...
NchantA
thanks for the compressed telock essay, will come in handy
your student...
NchantA
telexxingou
September 19th, 2001, 07:21
very thanks for your help 
do you have url for BRAIN ?
Icedump is working with Win2k ?
thanks
byebye
do you have url for BRAIN ?
Icedump is working with Win2k ?
thanks
byebye
+SplAj
September 19th, 2001, 08:09
http://www.vh.org/Providers/Textbooks/BrainAnatomy/BrainAnatomy.html
telexxingou
September 19th, 2001, 08:27
LOL
sorry my english is very not perfect !!!
maybe Brain is near my head, isn't it ? ahahahaha
Thanks
sorry my english is very not perfect !!!
maybe Brain is near my head, isn't it ? ahahahaha
Thanks
+SplAj
September 19th, 2001, 09:17
Near your head....
---------------------
yes you are getting warmer .... roll your eyes upwards
Ok one last thing about tE!lock is the 'Mutex' feature which MOST programmers have not a clue and think it is a Teletext alternative to find cheap holidays.....
But some are clever enough to implement this in the tE! packed ( protected
) exe.
To bypass this feature (if the programmer took Egoiste advice)
is to set BPX CreateMutexA and see if a check is made on existence of tE!lock code. Usually they give a big clue by giving easy name like 'my_Mutex_check' duh. A simple JMP instead of JE is all that is required - Maybe tE! codes some encrypt/decrypt code soon around his mutex ?
Hope that helps some more. You can see this feature in the target Iris 3.x from eEye.com - search for my oh um 'super tut' on the MB describing tE! unpacking and Sheriff Licence butt fucking in Iris 3 a couple of months ago.... ppl here have such short memories
+Spl/\j
---------------------
yes you are getting warmer .... roll your eyes upwards
Ok one last thing about tE!lock is the 'Mutex' feature which MOST programmers have not a clue and think it is a Teletext alternative to find cheap holidays.....
But some are clever enough to implement this in the tE! packed ( protected
) exe.To bypass this feature (if the programmer took Egoiste advice)
is to set BPX CreateMutexA and see if a check is made on existence of tE!lock code. Usually they give a big clue by giving easy name like 'my_Mutex_check' duh. A simple JMP instead of JE is all that is required - Maybe tE! codes some encrypt/decrypt code soon around his mutex ?
Hope that helps some more. You can see this feature in the target Iris 3.x from eEye.com - search for my oh um 'super tut' on the MB describing tE! unpacking and Sheriff Licence butt fucking in Iris 3 a couple of months ago.... ppl here have such short memories
+Spl/\j
telexxingou
September 19th, 2001, 11:17
really thanks
My level on packed/crypted exe is very low
now i'm begin with your help
thanks
byebye
My level on packed/crypted exe is very low
now i'm begin with your help
thanks
byebye
SpeKKeL
September 19th, 2001, 12:29
Just watch that api's that contain a "0"-dword and delete them .
just try on a te-locked notepad !!
Spek.
just try on a te-locked notepad !!
Spek.
Bengaly
September 23rd, 2001, 01:13
heya +P ;D
just wanted to say hi ;D
i love +reversers i am contacting everybody i can
till now:
+Sandman
+Tsehp
and now you ?
just wanted to say hi ;D
i love +reversers i am contacting everybody i can
till now:
+Sandman
+Tsehp
and now you ?
Powered by vBulletin® Version 4.2.2 Copyright © 2018 vBulletin Solutions, Inc. All rights reserved.