Under Protectors Attack
evaluator
October 25th, 2001, 07:59
Poor newbies are under protectors' attack!
During IRISv3.60.1 unpacking I found PCGUARD and tELock much enhanced.
1. PCGUARD became untraceable with ICEDUMP's "tracex". Messagebox: "Error code: 000000"
2. PCGUARD with TRW2000 [INT41 OFF] stops my system (without any BP)
3. tElock96 now does not allow breakpoints BPM, BPX. BPR can still be set...
Check, guys, if this happens also on your systems.
tE!
October 25th, 2001, 21:17
Wasn't it 'Poor software developers under crackers' attack'?
Seems times have changed. Maybe I'm too old for this biz :]
Solomon
October 25th, 2001, 23:13
hehe, humorous
Why not try Win2K? In Win2K, privileged operations are not allowed in the context of normal users. It's not an easy task to switch from ring 3 to ring 0 unless some security vulnerabilities of M$ have been found. This will disable some nasty anti-debug tricks of the exe protectors.
evaluator
October 26th, 2001, 00:56
Hi tE!
Your protection is still traceable;
I can unpack telocked files without
any BP. (I mean virgin unpacking)
By the way, tE, check my deprotected
tElock96.exe, is all OK? What IT size does the
original file have?
evaluator
October 26th, 2001, 01:53
Hi Solomon!
1. So under w2000 telock's anti-BPM-BPX feature does not work? But ICEDUMP works under w2000?
2. telock isn't the major problem yet. How about PCGUARD? If you have IRIS v3.6,
check this: can you set BPM for example on 401000?
Hi again tE!
Little question:
Why do you not protect your tElock.exe files with tElock? You don't trust tElock!?
It will be good if you do it in the next release! (& I will submit here depro..

Solomon
October 26th, 2001, 03:58
I have not tried the latest tELock yet. IceDump has WinNT/2K versions.
h**p://w**.eeye.com/html/Products/Iris/IrisDemo.exe
I just checked IRIS 3.6. Seems that it is packed twice. Yes I can't set BPM, but I can use BPX.
the first layer:
001B:010C526B LEA EDI,[EBP+0040AE01]
001B:010C5271 MOV ECX,0000002C
001B:010C5276 REPZ STOSB <-----------------self-destroy
001B:010C5278 STOSW
001B:010C527A JMP 010C527E
001B:010C527C INT 20 VXDJmp 2464,7F61
001B:010C527F JMP [ESP-30] <-------------------OEP of 2nd layer?
the second layer:
001B:00586283 LEA EDI,[EBP+0040AE01]
001B:00586289 MOV ECX,0000002C
001B:0058628E REPZ STOSB
001B:00586290 STOSW
001B:00586292 JMP 00586296
001B:00586294 INT 20 VXDJmp 2464,7F61
001B:00586297 JMP [ESP-30] <------------------OEP of IRIS
OEP = 47D766.
Correct ImageSize with LordPE before a full dump.
It's a bit hard to rebuild the IT (don't forget to correct ImageSize first). Both RV 1.25 & ImportREC 1.3 failed. Does anyone know how?
evaluator
October 27th, 2001, 00:08
Hi, Solomon!
Iris 3.60.1 is protected with two protectors: tElock & PCGUARD.
BPX you can set because tElock is not the latest version.
Please confirm iris.exe file size and crc32. Mine is 821760 bytes, crc32=C4A33CE8.
If yours is the same, I will upload the virgin RDATA section for you.
Those addresses you wrote are not IRIS.EXE but EEYELIC.DLL! Which is also
protected in the same way!
Also test this! Don't set any BPM (if you already set one, restart the PC), start
IRIS.EXE from "SYMBOL LOADER" and try /TRACEX 401000 490000.
In my case IRIS displays an error messagebox. If you have the same result, this means:
the TRACEX engine now can't handle the new PCGUARD protection.
Solomon
October 27th, 2001, 05:27
My IRIS.exe (v3.60 build 2) is 821760 bytes, just the same as yours. Currently I have no tool to calculate the CRC. I registered on their site & d/l yesterday. The URL I wrote above is for the exe, not a DLL. Or try this URL:
hx*p://xxx.eEye.com/html/Products/Iris/Download.htm?id=0529.225946.952095
I can't find a corresponding IceDump version to work with my SoftICE from DriverStudio v2.01 build 57.

I'm using Win2K. So what I do is manually find the OEP.

evaluator
October 27th, 2001, 06:26
OK!
You have the newest version. I will download it now.
For CRC32: go to http://damn.to , find and download the program
"HASH CALCULATOR". Good prog.
About tElock96: you can download it from AARON's page or grab my "unpacked" one,
then protect (with the anti-debugger option) for example NOTEPAD and
test if BPM/BPX are allowed.
EtErNaL_L0ser
October 27th, 2001, 07:42
You unpacking wizards....Admirations....lol
evaluator
October 27th, 2001, 09:37
Hi Solomon!
OK!
I downloaded and unprotected IRIS.EXE.
For you here I put the virgin RDATA and DATA sections.
And don't forget:
NOTEPAD is GREAT!
About telock96.exe IT size. Hehe! I forgot hexadecimal, not 100 but A0 is correct.
Also tE's anti-CASPR trick is "unlocked"!
tE!
October 27th, 2001, 10:05
So you leeto unpacked tElock96.exe?
As far as I remember I packed that one with aspack 2.11.
Good job, congratz!
evaluator
October 27th, 2001, 13:04
Hi tE!
When did I say tElock is protected with tElock?
I know it is Aspack + your 1 byte anti-Caspr
trick. Simply tell me: is A0 the correct IT size?
And once again!
Why do you not protect your telock with self-telock?
Don't trust your SON?
In the next release do it & I will deprotEto your SON!
tE!
October 27th, 2001, 23:45
--quote-------------------------------------
By the way, tE check my deprotected
tElock96.exe, all is OK?
--end----------------------------------------
Your 'deprotected' telock96.exe. A bit
confusing imo, or do you call aspack
a protector?
Ah, yes. And to make 1 thing clear:
DAEMON has *nothing* to do with
all existing tElock versions. He said
he will improve it. This only means
that I gave him the tElock source
and that there might be a new PE
protector coming up soon. But for
sure its name will not be 'tElock'.
Hi DAEMON btw

evaluator
October 28th, 2001, 02:26
Hi Guys!
Today I am very happy! I finished deprotecting the DLL!
This is EEYELIC.DLL, which comes with the newest versions of IRIS.
Like IRIS.EXE, this DLL is also protected with two protectors: PCGUARD & tElock.
This DLL has a little export table, which is moved by tElock, & I restored
this export table too. So probably my deprotected one is 99% like the original.
Newbies!!! Do it! Hi CoDe_InSiDe! You, as Turbo Newbie...
Here I uploaded an archive with three deprotected EEYELIC.DLL; the latest DLL (DLDed yesterday)
is encrypted. Let's make a competition! Also I included a 1MB tutor.

Have pFun!
http://www.geocities.com/teset_dowonlad/eeyelicdll.zip
File size 348756 bytes
Hi tE!
I forgot to change a word. Forgive me or I will cry
Hi Solomon!
Do you have a problem with my package?
Solomon
November 5th, 2001, 22:09
hi evaluator,
This one gave me some headache, so I decided to put it aside for several days.
Today I successfully dumped the whole IT/IAT from memory and made a working exe for IRIS 3.602.
IT RVA = A18B8 (the same as your result)
IT length = 17C
dump length = 5710
Thx!
Just paste the attachment to raw offset A18B8 and fix the PE header.
(rename *.rar.txt to *.rar first)
Solomon
November 5th, 2001, 23:07
The guys at eEye changed the version to v3.603

evaluator
November 6th, 2001, 02:48
Hi!
Seems I understand the PCGUARD - ICEDUMP problem!
PCGUARD displays an error messagebox if I set the TRACEX range
from 400000. But if I set the TRACEX range outside of the EXE,
PCGUARD does not detect the tracer. So PCGUARD hasn't a true anti-TRACEX feature,
probably it is a "lame" trick.
Hi Solomon!
Why did you submit your dumped IT? I already submitted the whole RDATA section
in my attachment! (i3602.zip)
Seems you did not read my previous reply.
More interesting is deprotecting EEYELIC.DLL! Read my previous reply.
evaluator
November 10th, 2001, 05:05
Hi!
Good news about TRW2000 and PCGUARD protection:
Since yesterday TRW2000 does not crash! (Don't know why 8)
So my alert was false. Eh, windows, windows...
Hi, tE!
I found an interesting "bug" in telock98.
If a section's RAW size is like this number:
0000C248 (as PROCDUMP sets it)
the telocked file will be broken!
Then if I correct the number to something like this:
0000C400 OR 0000B000,
the telocked file will be good.
So if telock corrects RAW sizes before locking, all will be OK!
P.S.
If you release a new version, please self-protect it,
or further more: protect it with some unknown internal protector of yours!
& when I UNPACK-DEPROTETO it, I will be very happy

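Solomon's note about pasting the dumped IT at raw offset A18B8 and evaluator's telock98 observation about the unaligned raw size 0000C248 both come down to reading the PE section table. The script below is an added example, not code from anyone in this thread: it parses a constructed, ProcDump-style section table (raw offsets equal RVAs, FileAlignment assumed to be 0x200, section names and sizes invented), maps the IT RVA to a file offset, and reports and rounds up any SizeOfRawData that is not a multiple of FileAlignment, which is the fix evaluator applied by hand.

```python
import struct

# IMAGE_SECTION_HEADER is 40 bytes: Name[8], VirtualSize, VirtualAddress,
# SizeOfRawData, PointerToRawData, reloc/linenumber pointers and counts, Characteristics.
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")

FILE_ALIGNMENT = 0x200  # assumed; the thread never states the file's FileAlignment

def section_header(name, vsize, va, rawsize, rawptr, flags=0x60000020):
    return SECTION_HEADER.pack(name.encode().ljust(8, b"\0"),
                               vsize, va, rawsize, rawptr, 0, 0, 0, 0, flags)

# Constructed section table modelled on a ProcDump-style dump: raw offsets equal RVAs,
# and .rdata carries the unaligned raw size 0xC248 mentioned in the thread.
SECTION_TABLE = (
    section_header(".text", 0xA0000, 0x1000, 0xA0000, 0x1000)
    + section_header(".rdata", 0xC248, 0xA1000, 0xC248, 0xA1000)
)

def parse_sections(table, count):
    out = []
    for i in range(count):
        name, vsize, va, rawsize, rawptr, *_ = SECTION_HEADER.unpack_from(
            table, i * SECTION_HEADER.size)
        out.append({"name": name.rstrip(b"\0").decode(), "vsize": vsize,
                    "va": va, "rawsize": rawsize, "rawptr": rawptr})
    return out

def align_up(n, alignment):
    return (n + alignment - 1) // alignment * alignment

def check_raw_sizes(sections, file_alignment=FILE_ALIGNMENT):
    """List (name, current, corrected) for sections whose SizeOfRawData is unaligned."""
    return [(s["name"], s["rawsize"], align_up(s["rawsize"], file_alignment))
            for s in sections if s["rawsize"] % file_alignment]

def fix_raw_sizes(table, count, file_alignment=FILE_ALIGNMENT):
    """Return a copy of the section table with every SizeOfRawData rounded up."""
    fixed = bytearray(table)
    for i in range(count):
        off = i * SECTION_HEADER.size + 16  # SizeOfRawData sits 16 bytes into the header
        (rawsize,) = struct.unpack_from("<I", fixed, off)
        struct.pack_into("<I", fixed, off, align_up(rawsize, file_alignment))
    return bytes(fixed)

def rva_to_raw(sections, rva):
    """Map an RVA (e.g. the import table RVA) to a file offset via its section."""
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return s["rawptr"] + (rva - s["va"])
    return None  # RVA outside every section: the header is not mapped here
```

Run `check_raw_sizes(parse_sections(SECTION_TABLE, 2))` to see .rdata flagged with 0xC248 rounded to 0xC400, and `rva_to_raw(..., 0xA18B8)` to confirm the dump lands at raw offset A18B8 in this 1:1 layout.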
evaluator
November 15th, 2001, 17:22
On Monday DAMN released a keygen for
IRISv3.60.3 Retail!
Seems the IRIS authors became very angry
and changed the download URL for the demo.
SCANDAL!