hi,
does anybody know how i can manuell unpack a *.exe that is encrypt with the new telock (0.92-.0.96)?
i wasn't able to make a good dump, because i can't came through the encryption routine.
Does anybody know a good breakpoint?
I've test VirtualProtectEx,Loadlibrarya and Getprocaddress, but those aren't work.
tia
l_krebz

Hi lungenkrebz,

I would suggest to:

Try it again and try to bypass the protection...
If you fail then:
Try it again and try to bypass the protection...
If you'll fail again then:
Try once more and try once more to bypass the protection...
Now if you still don't succeed then my suggestion is to:
Try it again and uhm etc....

Cya...

CoDe_InSiDe

P.S. GetProcAddress doesn't work? hmm... maybe try to inc something to that breakpoint...?

me is improving telock to the maximum....

your life will get harder....
(just wait!!!)

^DAEMON^

Hi ^DAEMON^,

Yeah!
We shall all be waiting for it ...

Cya...

CoDe_InSiDe

Just dumped and rebuild a notepad locked with te 0.96
Repaired iat and works.

Before dumping adjust the anti dumping at memory 400086
in 05 00.
I dumped from the entry point (jmp eip) and hiewed later back to
push ebp ,mov ebp,esp..(pedump didn,t work i thought..)
After this repair iat with your favourit !! iat repair tool !

btw. set a getversion bpx and look at 4010cc (entry-point)
see that iat's(not all) are not encrypted..

SpeKKeL

i tried again ...
but i worked on 0.95 and getprocaddress work (don't know why) after breaking in getprocaddress i breaked on virtualprotectex and code is decrypt.
but why is 0.92a more secur than 0.95?
thx
l_krebz

First try finding the oep Set bpx getversion and tracex with icedump to the oep.
Then dump (read my post above)

Spek