
PCGuard 4.03 demo unprotecting


evaluator
September 21st, 2001, 17:12
This protector has very hard anti-debugger
code. But I caught the original IT in memory (before
it was erased) and then found the OEP.

I am interested in:
1. How to analyse and set correct IT values
(generally).
2. Can you debug PCGuard?

DakienDX
September 22nd, 2001, 01:40
Hello evaluator !

What do you mean by "analysing" IT values in general? Could you be more specific and tell us exactly what you would like to know.

I remember once debugging PCGuard for DOS. It used nearly no real anti-debugging code, just many time-consuming loops when deprotecting the next 30 bytes where the next decryptor was located :)

Could you tell me where to download the target or PCGuard? I've only found a firewall, a password lock for your computer and an old version 3.0 with the name "PCGuard".

evaluator
September 22nd, 2001, 16:31
goto url
http://www.sofpro.com
direct url is
http://www.sofpro.com/files/demo/pcgw32d.zip

evaluator
September 22nd, 2001, 17:32
So I caught the original IT in memory, inserted it
into the dump file, and now I need the IT RVA address
& size, and the IAT size (the IAT RVA is not a problem).
So maybe you know some tools for
analyzing those IT values?
Or an easy-to-understand tutorial?
I read r!sc's tutorials but they are not easy. :(

I tried many variants and found maybe-good
values, but I'm not sure.
The program runs and is successfully "Wdasmed".
This is my check. Is it enough?

If somebody knows an interesting program
protected with PCGuard, please tell me!
I already deprotected IRISv3.50.2 (PCGuarded)
and am now working "hard" on the crack! It has
a grandiose IT! Section size 133 Kbytes!
Who wants to join me?

Solomon
September 23rd, 2001, 00:34
Is IRIS v3.502 protected by PCGuard or TELock?

evaluator
September 23rd, 2001, 01:11
By PCGuard.
In the header you see the "wrong" protector name.

+SplAj
September 23rd, 2001, 05:28
Greetz guys,

esp. Solomon who is VERY active ............... be careful with diagnosing a certain protector/packer or Egoiste will be laughing too loud ....

extract from rebuilt tE!lock .exe :-

--------------
tElockv085.Reminder.Another instance of tElock is already running!.Licensed to: Public.A TMG production. (c) 2000-2001 by tE!..aspack..pklstb..PCGW32.PEPACK!!.CryptX.BitArts..BJFnt..PELOCKntUPX!.....shrink..neolite.peco... .WWPACK..petite.PESHiELD.aspr... Contact:.. WWW:.http://egoiste.cjb.net.. Email:.tmgfreaks@softhome.net.Error.Please do not drop more than -one- file.
-------------

Yes, the protector is fake -> PCGW32 section name == tE!lock.

BUT having said that, the code IS ALSO using PCGuard as the time-limit feature on the 'wrapped' exe. Once unwrapped this .lic check is gone and only the stupid 'sheriff' system remains...

Remember Laurentio (eEye/Iris programmer) will also be laughing cos it is an eval version. Those graph functions disappeared after v3 was released.

Please refer to previous threads on 'Iris' v2 - v3.5 over the last 5 months or so. The search engine is fully working. The best full info thread is the one started by hOrn_dOg.

BTW my Iris 3.501 is protected with 'Neolite' duh NOT. That damn tE! again................. If you don't believe me, try my tE!lock dumping quick tut from a few days ago. BPX VirtualProtectEx ............... whatever

..... and of course a good tool for IT stuff is 'Revirgin'!!! and again I recommend LordPE FX cos it defeats most lame anti-dump tricks.....

+Spl/\j

evaluator
September 24th, 2001, 13:53
Dear Solomon, Dear +SplAj!!!
Thank you for the replies.

1. Forgive me, but the section name in iris.exe is "PELOCKntT".
Maybe you have another version?? I downloaded it on 2001/08/30 from
http://www.eEye.com/html/Products/Iris/IrisDemo.exe size=3295589 bytes.
File iris.exe size=841728 crc32=E49C94FC, date 27.08.01

2. +SplAj, my English is bad and maybe you didn't understand me when you
wrote: a good tool for IT stuff is 'Revirgin'...
I wrote: "I caught the original IT in memory" (before it was erased)! Why do I need Revirgin?
So it would be good if some great master (you!) would write a little tutorial about:
"How to analyze and set correct values in the PE header for the original ("virgin") IT"
Or a little program!

3. About cracking the demo. I think this is not a full demo, because so far I have cracked
2 restricted functions: Decoder and the address book 10-entry limit. For me it's enough!
But I'm tired of tracing inside MFC42.DLL (shit). I think it would be not solid to publish
this partial crack. Or no?
+SplAj! Are those your serials for IRISv1.01 beta that I have? (Can't believe!) Thanks for them.
So if you want, I will upload for you the virgin IT section or the fully unprotected iris.exe
for a proper crack!!!

Sorry for my eNgLiSh!
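
The "little program" asked for above, written here as an added example; it is not code from this thread, from evaluator, or from any tool named in it (Revirgin, LordPE). It assumes what evaluator describes: a memory-layout dump (bytes indexed by RVA, as a process dump is) into which the original IMAGE_IMPORT_DESCRIPTOR array has already been copied, plus the RVA of that array. From that it derives the values asked for (IT size, IAT RVA and IAT size) by walking the descriptors and their FirstThunk arrays, sanity-checks the DLL and function names so an overwritten or partly erased table is caught instead of silently accepted, and writes the two data directory entries into the PE32/PE32+ optional header. The sample image is constructed inline and is not a real Iris or PCGuard dump; the DLL and import names in it are illustrative.

```python
"""Added example (not from this thread): compute IT size and IAT RVA/size
from an import descriptor array captured in a memory dump, then write them
into the PE32/PE32+ optional header's data directory."""
import struct

IMAGE_DIRECTORY_ENTRY_IMPORT = 1
IMAGE_DIRECTORY_ENTRY_IAT = 12
DESCRIPTOR_SIZE = 20  # sizeof(IMAGE_IMPORT_DESCRIPTOR)


def _u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0]


def _cstring(buf, off, limit=256):
    """Read a NUL-terminated ASCII string; reject garbage (erased/overwritten data)."""
    end = buf.index(b"\0", off, off + limit)
    s = bytes(buf[off:end])
    if not s or any(c < 0x20 or c > 0x7E for c in s):
        raise ValueError(f"non-printable name at RVA {off:#x}")
    return s.decode("ascii")


def walk_thunks(image, rva):
    """Return the 32-bit thunk values starting at rva, up to the 0 terminator."""
    thunks = []
    while True:
        v = _u32(image, rva)
        if v == 0:
            return thunks
        thunks.append(v)
        rva += 4


def analyze_import_table(image, it_rva):
    """Walk IMAGE_IMPORT_DESCRIPTORs at it_rva (image is indexed by RVA)."""
    dlls, iat_lo, iat_hi, off = [], None, 0, it_rva
    while True:
        oft, _ts, _fwd, name_rva, ft = struct.unpack_from("<IIIII", image, off)
        if oft == 0 and name_rva == 0 and ft == 0:
            break                                  # all-zero terminator descriptor
        dll = _cstring(image, name_rva)
        names = None                               # no INT: names not recoverable here
        if oft:                                    # OriginalFirstThunk -> names/ordinals
            names = [f"#{t & 0xFFFF}" if t & 0x80000000 else _cstring(image, t + 2)
                     for t in walk_thunks(image, oft)]  # +2 skips the Hint word
        n = len(walk_thunks(image, ft))            # FirstThunk array == this DLL's IAT slice
        if names is not None and n != len(names):
            raise ValueError(f"{dll}: INT has {len(names)} entries, IAT has {n}")
        iat_lo = ft if iat_lo is None else min(iat_lo, ft)
        iat_hi = max(iat_hi, ft + 4 * (n + 1))     # include the terminating 0
        dlls.append((dll, names))
        off += DESCRIPTOR_SIZE
    return {"it_rva": it_rva, "it_size": off + DESCRIPTOR_SIZE - it_rva,
            "iat_rva": iat_lo, "iat_size": iat_hi - iat_lo, "dlls": dlls}


def data_directory_offset(image):
    """Offset of the data directory array, handling PE32 and PE32+ layouts."""
    e_lfanew = _u32(image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 24                            # optional header follows the 20-byte file header
    magic = struct.unpack_from("<H", image, opt)[0]
    count_off, dd_off = (92, 96) if magic == 0x10B else (108, 112)   # PE32 / PE32+
    if _u32(image, opt + count_off) <= IMAGE_DIRECTORY_ENTRY_IAT:
        raise ValueError("NumberOfRvaAndSizes too small for an IAT entry")
    return opt + dd_off


def read_data_directory(image, index):
    return struct.unpack_from("<II", image, data_directory_offset(image) + 8 * index)


def patch_data_directories(image, info):
    """Write the recovered IT and IAT entries into the header in place."""
    dd = data_directory_offset(image)
    struct.pack_into("<II", image, dd + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT, info["it_rva"], info["it_size"])
    struct.pack_into("<II", image, dd + 8 * IMAGE_DIRECTORY_ENTRY_IAT, info["iat_rva"], info["iat_size"])
    return image


def build_sample_image():
    """Constructed PE32 image (not a real dump): 2 DLLs, 3 imports, IAT still unresolved."""
    img = bytearray(0x3000)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                    # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", img, 0x98, 0x10B)                   # PE32 magic
    struct.pack_into("<I", img, 0x98 + 92, 16)                 # NumberOfRvaAndSizes
    blobs = {0x2100: b"KERNEL32.dll", 0x2110: b"USER32.dll",   # IMAGE_IMPORT_BY_NAME = hint + name
             0x2200: b"\0\0ExitProcess", 0x2210: b"\0\0GetTickCount", 0x2220: b"\0\0MessageBoxA"}
    for rva, data in blobs.items():
        img[rva:rva + len(data)] = data
    struct.pack_into("<III", img, 0x2300, 0x2200, 0x2210, 0)  # INT  KERNEL32
    struct.pack_into("<II", img, 0x2310, 0x2220, 0)           # INT  USER32
    struct.pack_into("<III", img, 0x2400, 0x2200, 0x2210, 0)  # IAT  KERNEL32
    struct.pack_into("<II", img, 0x2410, 0x2220, 0)           # IAT  USER32
    struct.pack_into("<IIIII", img, 0x2000, 0x2300, 0, 0, 0x2100, 0x2400)  # descriptor 0
    struct.pack_into("<IIIII", img, 0x2014, 0x2310, 0, 0, 0x2110, 0x2410)  # descriptor 1
    return img
```

Usage on a real dump: read the file into a bytearray, call analyze_import_table(image, rva_of_copied_descriptors), then patch_data_directories. The IAT size reported is the span from the lowest FirstThunk array to the end of the highest one, which is what the loader expects the directory entry to cover; if the arrays were resolved before the dump, FirstThunk holds API addresses rather than RVAs, so names are only taken from OriginalFirstThunk and a descriptor without one is counted but left unnamed instead of being mis-parsed.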

+SplAj
September 25th, 2001, 04:45
Hi evaluator

I have a good story about the serials, yes 'splaj' was banned from registering Iris so I released some in the name of 'Laurentiou' (eEye programmer). Then when he was online in the GRC.com forums about scanners he was always bugged for new serials by those lamers that don't know a sniff from a cold

Ok, let's step back from this current Iris3.502. Please download all previous versions of tE!lock from .05 to 0.90 from w*w.exetools.com and practise ....... you will see in the later versions a nice 'fake known packer' option. This is what Laurentiou is doing with each build of Iris now. The section names will be a random selection of ASpack, Neolite, PCGW32, etc etc. See my previous snippet above. That's what tricks most ppl ..... good idea from Egoiste

It's still the same old tE!lock and you can unpack it in 10 mins if you know about the tE! tricks like mapping the IAT and destroying it, the FFFF section count etc. I have repeated myself many times explaining how to MANUALLY fix tE!locked targets .... and others. That's why I am here! I made several tuts for discompress.com on many different protectors/packers (sadly gone from the server since woodmann changed ISP a few weeks ago)

So yes, for tE!locked targets maybe you don't need RV but sometimes it's quicker to tag on a new IAT/IT instead of catching the real one and copy+pasting it .... or even do both methods for practise, whatever

I will NEVER release any keygens or auto-unpackers for the masses. That's my policy now. Maybe a few select cracks for some anal retentive programmers' targets ??? They know who they are

But I think you fixed Iris3.5 now anyway ...............congrats.

+Spl/\j

evaluator
September 25th, 2001, 12:01
Dear +SplAj!
I am shaken! So I jumped over two protections?!! Comic!
Please excuse me, tE!Lock.

+SplAj, tell me please, where can I find tutorials about assembler instructions,
for a better understanding of the debug process. I can understand only jmp and call instructions (& nop),
but what do these pop, push, xor, etc. mean?
By the way, from what country are you?

+SplAj
September 26th, 2001, 03:30
Ok ASM.... the masters are Hutch, EliCZ, Iczelion etc etc ........ and they hang out at W32asm.cjb.net

Get MASM and the tuts from Iczelion and you're away. The forum is super duper too .... but DON'T say you're into RCE cos they are a bit anal about our fine art (regardless of the fact that they do it as well, but not in public). Make a new handle for that forum ....... they are ace guys and many others are there willing to help with ASM as well ....


BTW do a search in google and you'll find the Great Me

Spl/\j

Kayaker
September 26th, 2001, 23:33
Quote:
Originally posted by +SplAj

BTW do a search in google and you'll find the Great Me

Spl/\j
Hey Spl/\j, what's the radio frequency?