Hi guys,

Now that i am trying my hand on iris (3.70 is the current version)... i have unpacked iris.exe but i am having problem with eeyelic.dll...

as i understand it is packed with tELock and tracing is not possible... i kinda guess the OEP of the dll, i found a copy of IAT while eeyelic.dll decrypting itself and dump it but it doesnt seem to be very accurate... it kind of look weird...

all in all, i have something but i do not know whther any of my resylts are accurate.. so i am like sitting on lots of stuff and dont know which one is right...

I need some help, evaluator i know u have unpacked it (*hint :>*)

first question is why does dll have an OEP at the first place, when is this OEP called? when OS load the dll or when an import function is called? I tried to look around for info on this dll thing works but to no avail so far...

second, is there anyway i can verify my dll dump format, whether it si correct? as in for exe file when u disassemble it w32dasm will tell me that something si wrong etc... but not dll....

that's all for now,
thanx folks....

i am really confused now about the whole thing, maybe i should look into tELock itself first...

Hello binh81 !

A DLL's OEP is called when a DLL is loaded and when it is unloaded, both in a process or in a thread. This makes four different call situations in total. The reason why it is called is given to the DLL by the Reason parameter. Here are the values:
0 = DLL_PROCESS_DETACH
1 = DLL_PROCESS_ATTACH
2 = DLL_THREAD_ATTACH
3 = DLL_THREAD_DETACH

When attaching, the DLL can return "0" or "1". "1" means DLL load OK, "0" means DLL load failed.

Normally W32DASM tells you if your DLL is OK or not. One way would be by loading the DLL, but for this you should have replaced the OEP with it's original value, else the DLL will try to decrypt itself again and crash. But if this works, your DLL dump is OK most time, only some missing/messed up imports could keep you from a fully working DLL.

Yep, thanx, Dakien... i see the picture now

Think i have a working IAT for the dll, but when i disassemble eeyelic.dll w32dasm doesnot recognise any export functions, however if i use PEditor to check, it display 12 export function alright... what do I have to change to make it work properly.

I still get the massage : 'Application fails to initialise properly" .. does that mean my Import is still wrong???
or my dll PE header... could it be an export problem??

Thanx....

evaluator... u around?

Hello binh81 !

Import Table and Export Table have nothing to do with each other. Their structure is completely different and missing exports don't crash a program, only the application using the DLL says an export is missing.

Since the export table is not messed up in any way, it shouldn't make a dump working or not.

A .DLL's import table works the same way as a .EXE's import table. But in DLLs you have also to take care about relocations. If the .DLL was relocated, you must change the .DLL's image base to the new value, else the .DLL will not work the next time it's loaded. Or you'll need to create a new relocation table, which is a hard task.

Wonder why it is so hard to find a tutorial on unpacking dll, so far I have only found ONE!!!!!!!

I tried packing another iris's dll with telock to unpack it but no matter what option i choose, iris just refuse to run and stating that it can not initialise properly! I removed the packed dll and put back the orginal then it runs again!!! is this a teLock bug or something???

think i will put this aside for a moment and get some rest... shall come back to iris another time.. gonna get some sleep...

Thanx anyway, Dakien for your prompt reply :>

Maybe it has a mutex check

Yeppie....


Thanx, Dakien :>>>.... you are the man!!!!!! :>

I must be too shagged not to figured it out... re-read bit of Pe.txt and read your post again :>... then I realise that what you meant was just to change the base location :>..

Got it to load alright, had a few glitches here and there but as long as it loads, it can be fixed :>>>>>

Yep, thanx a lot :>...

Final Question

Since the relocation section has become useless, i have removed it from the dll, does that mean that the prog will crash if it runs on some other computer that relocation is required?

Thanx,

Hello, binh81!

1. As I understand, DLL_base location was problem.
This means, you dumped DLL in runtime or after RELOCATIONs was done by telock.
So try again dump it when all sections will unpacked, but before RELOCATIONs will done.
So you can keep DLL_base as 10000000.
Also then you MUST set in PE-HEADER original values for relocation!

2. IRIS.EXE & EEYELIC.DLL are two times protected. First time by telock, then PCGUARD.

3. For DLL_unpacking I use this easy trick(exsept if CRCcheck presents):
In PE-HEADER change DLL characteristic to EXE(use LORDPE),
rename DLL to EXE & unpack as EXE...

Hi, evaluator...

Thanx for the tip... it's all done alredi... but i will remmeber that neat trick of changing dll into exe :>>>... neva tot of that myself....

Maybe i shall try it again tomorrow... probably faster than fixing everything manually :<...

Hello binh81!

After all, sorry for my poor english, it's not my first language .

There is some days i have to try of unpacking iris 3.7 but without success, he is antidump, antisoftice, antiTRW ..
it seem a good protection.

With PeEdit i have find Aspack sections, I have to try with Aspackdie 1.2 ( yoda), I obtained a unpacked file, but he don't run correctly, he crash in kernel API .

I read that you have succeeded to obtain a functional dump, I tightened thankful if you can give me some information how the unpack it.

Thank's.

Hi the curious :>...

yeah as you have read evaluator's post, it is not Aspack but PcGuard and tELock... you have to try to fin the OEP, finding the OEP is tricky but it can be done, i do not want to give it away bofre you try a bit first then it's more fun :>... try to search the board for more information about manual unpackign as well as read a few tutorials.. try something simpler first, aftwer u succeed you will feel more confident to try this one... it has anti-tracer protection but the IAT can be found raw in memory...

Hmm, that probably sounds confusing right now, but I dont really know how to hint you without giving the answer away and kill the fun, well manual unpacking is about finding OEP, dumping IAt and rebuild so you should approach it systematically in that manner..

Try first and then tell me exactly where your problem is then i can help :>

Cheers...

Hi binh81!

Thank you for your answer, I am going to try to work more.

I have to try to trace the soft with icdump for finfing the OEP, but without success iris shows me an "error 00000000", it is anti-trace also as you said it.

I am going to read of other one of the tut's and manual unpacking.

Be right it is necessary work more and more, better to have solution..

Thank you for the answer my friends .

Hi binh81!

Thank you for your answer, I am going to try to work more.

I have to try to trace the soft with icdump for finfing the OEP, but without success iris shows me an "error 00000000", it is anti-trace also as you said it.

I am going to read of other one of the tut's and manual unpacking.

Be right it is necessary work more and more, better to have solution..

Thank you for the answer my friends .

Lets try this first step:
Load IRIS.EXE in WINICE+ICEDUMP, then
bpx 587000

and dump program. Now you have un_PCGUARDED but tELocked IRIS.EXE
Rebuild dump and set tELock-EIP 587000, try set correct IT for telock yourself
then we will continue..

Hi, evaluator ..

Thank's for this information.
I appreciate your replay.
I have to try ...but the soft not break at this address 587000.
don't accept "bpm"as u know it ,(it force u to restar PC)...

it's not the same version... !!?

I have version 3.7.0.1.

If you can tell me how to make to find OEP?
tools to use?

I have trying to trace the soft with Revergin but, he don't give me a good result.

any idea.
thankx

Why BMP??

I sad BPX 587000

Hi evaluator !

I know u said BPX..it's not work also..!!
the soft don't break at 58700 with bpx ...

I said bpm, because i have try with it, that's all... :>

Thanks..

Do you use ICEDUMP?

yeah , ICEDUMP is loaded..
i have the last version 6.025

You do something wrong.
Write here IRIS.EXE size,data, crc32

IRIS.EXE V 3.7.0.1

Size: 815 Ko (835 072 octets)

CRC32: ?? i don't know with which tool to detect

bpm works fine on my win2k with DS2.5.. no icedump loaded....

you have to set the breakpoint in the right context maybe, or else it will not break...

for CRC32
http://www.damn.to/files/dm_hc151.zip

Hello evaluator !

Very interesting...
The HTMLs are down, but the ZIPs are still available.

If it should not work anyway, please try here (http://www.woodmann.net/forum/showthread.php?threadid=2126). I already attached it to a post some time ago.

Entries are closed!
But I remembered!!!!!!!!!
www.damn.to/news.html

Hello evaluator !

Good you remembered the link.
I never tried to access any files on the page, since I thought the DAMN page was down and the current index page was the only file on their server.

Then I noticed your link was working, but I didn't remember their page's structure and ended up in their current index page.

I noticed their page is rarely slow, so it might be better to download the file as thread attachement from here instead of bringing them high traffic.

Hi, evaluator..

thankx for the tools link of DAMN.
CRC-32 : 67A9CF50 of IRIS.EXE V 3.7.0.1

I have exceed the 15 days of evalutions, Now he show me the message box "Demonstration period has exceeded".
I think that for this cause the BPX 587000 does not work !!

Hi binh81...
I have WIN98SE.
Softice 4.05 build 334.

possibly the soft don't detect the new version of softice in DS2.5.

Thankx.

Hehe!
Of course, BPX587000 will not work if you see
that MessageBox.
PCGUARD uses "license file + registry key" for
time ckeck. Use RegMon for detect regKey.
license file = vmm32b1.dll

You forget to write IRIS.EXE time stamp.
(Or when you dld-ed)

Hi, evaluator!!

TimeDateStamp: 3C05426D

What do u mean :
"Of course, BPX587000 will not work if you see that MessageBox. "

After the end of the period of evaluation, will be impossible to make a BPX under the soft or unpack PcGuard protection. ?!!! it's that !!?

for the registry, I have trying to delete the key of the base of registre, IRIS show me with message box "licence file error"

I have dld the soft 01-11-02.

thankx for ur patience.

I sad:
"Use program REGMON for locate needed registry key in [HKEY_CLASSES_ROOT]"

I said, i have locate the key in :
[HKEY_CLASSES_ROOT] is {029005E5-1AB953A0-4BCE90FD},

after what i can make with it ?

I have deleted it !
The soft regenerate it after runing ..!!

So if you delete this key & vmm32b1.dll,
IRIS again not runs?

Do something, do anything MUTTLEY!

Don't more post here before you will BPX587000