View Full Version : telock >0.92 unpacking


lungenkrebz
October 20th, 2001, 06:36
Hi,
does anybody know how I can manually unpack a *.exe that is encrypted with the new telock (0.92-0.96)?
I wasn't able to make a good dump, because I can't get through the encryption routine.
Does anybody know a good breakpoint?
I've tested VirtualProtectEx, LoadLibraryA and GetProcAddress, but those don't work.
tia
l_krebz

CoDe_InSiDe
October 20th, 2001, 08:39
Hi lungenkrebz,

I would suggest to:

Try it again and try to bypass the protection...
If you fail then:
Try it again and try to bypass the protection...
If you fail again then:
Try once more and try once more to bypass the protection...
Now if you still don't succeed then my suggestion is to:
Try it again and uhm etc....

Cya...

CoDe_InSiDe

P.S. GetProcAddress doesn't work? hmm... maybe try to inc something to that breakpoint...?

^DAEMON^
October 20th, 2001, 09:18
me is improving telock to the maximum....

your life will get harder....
(just wait!!!)

^DAEMON^

CoDe_InSiDe
October 20th, 2001, 09:29
Hi ^DAEMON^,

Yeah!
We shall all be waiting for it ...

Cya...

CoDe_InSiDe

SpeKKeL
October 20th, 2001, 10:09
Just dumped and rebuilt a notepad locked with te 0.96.
Repaired IAT and it works.

Before dumping, adjust the anti-dumping at memory 400086 in 05 00.
I dumped from the entry point (jmp eip) and hiewed it back later to
push ebp, mov ebp,esp.. (pedump didn't work, I thought..)
After this, repair the IAT with your favourite !! IAT repair tool!

Btw, set a GetVersion bpx and look at 4010cc (entry-point);
see that the IATs (not all) are not encrypted..

SpeKKeL

lungenkrebz
October 20th, 2001, 10:44
I tried again ...
but I worked on 0.95 and GetProcAddress works (don't know why). After breaking in GetProcAddress I broke on VirtualProtectEx and the code is decrypted.
But why is 0.92a more secure than 0.95?
thx
l_krebz

SpeKKeL
October 20th, 2001, 12:05
First try finding the OEP. Set bpx GetVersion and tracex with icedump to the OEP.
Then dump (read my post above).

Spek