View Full Version : eeyelic.dll
crUsAdEr
February 23rd, 2002, 09:11
Hi guys,
Now that I am trying my hand on iris (3.70 is the current version)... I have unpacked iris.exe but I am having a problem with eeyelic.dll...
As I understand, it is packed with tELock and tracing is not possible... I kinda guessed the OEP of the dll, I found a copy of the IAT while eeyelic.dll was decrypting itself and dumped it, but it doesn't seem to be very accurate... it kind of looks weird...
All in all, I have something but I do not know whether any of my results are accurate.. so I am like sitting on lots of stuff and don't know which one is right...
I need some help, evaluator, I know u have unpacked it (*hint :>*)
First question is why does a dll have an OEP in the first place, when is this OEP called? When the OS loads the dll or when an import function is called? I tried to look around for info on how this dll thing works but to no avail so far...
Second, is there any way I can verify my dll dump format, whether it is correct? As in for an exe file, when u disassemble it w32dasm will tell me that something is wrong etc... but not dll....
That's all for now,
thanx folks....
I am really confused now about the whole thing, maybe I should look into tELock itself first...
DakienDX
February 23rd, 2002, 09:27
Hello binh81 !
A DLL's OEP is called when a DLL is loaded and when it is unloaded, both in a process or in a thread. This makes four different call situations in total. The reason why it is called is given to the DLL by the Reason parameter. Here are the values:
0 = DLL_PROCESS_DETACH
1 = DLL_PROCESS_ATTACH
2 = DLL_THREAD_ATTACH
3 = DLL_THREAD_DETACH
When attaching, the DLL can return "0" or "1". "1" means DLL load OK, "0" means DLL load failed.
Normally W32DASM tells you if your DLL is OK or not. One way would be by loading the DLL, but for this you should have replaced the OEP with its original value, else the DLL will try to decrypt itself again and crash. But if this works, your DLL dump is OK most of the time, only some missing/messed up imports could keep you from a fully working DLL.
crUsAdEr
February 23rd, 2002, 16:48
Yep, thanx, Dakien... i see the picture now
Think I have a working IAT for the dll, but when I disassemble eeyelic.dll w32dasm does not recognise any export functions, however if I use PEditor to check, it displays 12 export functions all right... what do I have to change to make it work properly?
I still get the message: "Application fails to initialise properly" .. does that mean my Import is still wrong???
Or my dll PE header... could it be an export problem??
Thanx....
evaluator... u around?
DakienDX
February 23rd, 2002, 17:46
Hello binh81 !
Import Table and Export Table have nothing to do with each other. Their structure is completely different and missing exports don't crash a program, only the application using the DLL says an export is missing.
Since the export table is not messed up in any way, it shouldn't make a dump working or not.
A .DLL's import table works the same way as a .EXE's import table. But in DLLs you have also to take care about relocations. If the .DLL was relocated, you must change the .DLL's image base to the new value, else the .DLL will not work the next time it's loaded. Or you'll need to create a new relocation table, which is a hard task.
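Added example, not part of any post in this thread: a header check for a dumped PE32 DLL that reports the fields discussed above (DLL flag, entry point, ImageBase, relocation directory) and flags a dump that can only load at its stored ImageBase. The function names and the constructed sample headers are assumptions of this example; the base 0x10000000 is the value mentioned later in the thread.

```python
import struct

IMAGE_FILE_RELOCS_STRIPPED, IMAGE_FILE_DLL = 0x0001, 0x2000
DIR_BASERELOC = 5  # index of the base relocation data directory

def inspect_pe32(data):
    """Read the PE32 header fields that decide whether a DLL can load and rebase."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    chars = struct.unpack_from("<H", data, pe + 22)[0]    # COFF Characteristics
    opt = pe + 24                                         # optional header start
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("not a PE32 optional header")
    entry = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint
    base = struct.unpack_from("<I", data, opt + 28)[0]    # ImageBase
    size = struct.unpack_from("<I", data, opt + 56)[0]    # SizeOfImage
    ndirs = struct.unpack_from("<I", data, opt + 92)[0]   # NumberOfRvaAndSizes
    rva, rsize = (struct.unpack_from("<II", data, opt + 96 + 8 * DIR_BASERELOC)
                  if ndirs > DIR_BASERELOC else (0, 0))
    is_dll = bool(chars & IMAGE_FILE_DLL)
    relocatable = bool(rva and rsize) and not chars & IMAGE_FILE_RELOCS_STRIPPED
    problems = []
    if entry >= size:
        problems.append("entry point RVA lies outside SizeOfImage")
    if base % 0x10000:
        problems.append("ImageBase is not 64 KiB aligned")
    if is_dll and not relocatable:
        problems.append("no usable relocations: loads only at ImageBase")
    return {"is_dll": is_dll, "image_base": base, "entry_rva": entry,
            "relocatable": relocatable, "problems": problems}

def build_sample(image_base, reloc_dir, chars):
    """Constructed sample: DOS header + PE32 headers only, no sections."""
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)          # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)        # entry point RVA
    struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<I", opt, 56, 0x5000)        # SizeOfImage
    struct.pack_into("<I", opt, 92, 16)            # 16 data directories
    struct.pack_into("<II", opt, 96 + 8 * DIR_BASERELOC, *reloc_dir)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, len(opt), chars)
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    return dos + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":
    for flags, rel in ((IMAGE_FILE_DLL, (0x4000, 0x200)),
                       (IMAGE_FILE_DLL | IMAGE_FILE_RELOCS_STRIPPED, (0, 0))):
        print(inspect_pe32(build_sample(0x10000000, rel, flags)))
```

The check reads headers only; it does not validate the import or export tables.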
crUsAdEr
February 23rd, 2002, 21:40
Wonder why it is so hard to find a tutorial on unpacking dll, so far I have only found ONE!!!!!!!
I tried packing another of iris's dlls with telock to unpack it but no matter what option I choose, iris just refuses to run, stating that it can not initialise properly! I removed the packed dll and put back the original, then it runs again!!! Is this a teLock bug or something???
think i will put this aside for a moment and get some rest... shall come back to iris another time.. gonna get some sleep...
Thanx anyway, Dakien for your prompt reply :>
ThrawN
February 23rd, 2002, 22:52
Maybe it has a mutex check

crUsAdEr
February 24th, 2002, 05:23
Yeppie....
Thanx, Dakien :>>>.... you are the man!!!!!! :>
I must have been too shagged to figure it out... re-read a bit of Pe.txt and read your post again :>... then I realised that what you meant was just to change the base location :>..
Got it to load alright, had a few glitches here and there but as long as it loads, it can be fixed :>>>>>
Yep, thanx a lot :>...
crUsAdEr
February 24th, 2002, 07:56
Final Question
Since the relocation section has become useless, I have removed it from the dll; does that mean that the prog will crash if it runs on some other computer where relocation is required?
Thanx,
evaluator
February 24th, 2002, 09:17
Hello, binh81!
1. As I understand, DLL_base location was the problem.
This means you dumped the DLL at runtime or after RELOCATIONs were done by telock.
So try again to dump it when all sections are unpacked, but before RELOCATIONs are done.
So you can keep DLL_base as 10000000.
Also then you MUST set in the PE-HEADER the original values for relocation!
2. IRIS.EXE & EEYELIC.DLL are protected two times. First by telock, then PCGUARD.
3. For DLL unpacking I use this easy trick (except if a CRC check is present):
In the PE-HEADER change the DLL characteristic to EXE (use LORDPE),
rename the DLL to EXE & unpack as EXE...
crUsAdEr
February 24th, 2002, 12:30
Hi, evaluator...
Thanx for the tip... it's all done already... but I will remember that neat trick of changing dll into exe :>>>... never thought of that myself....
Maybe I shall try it again tomorrow... probably faster than fixing everything manually :<...
thE Cur!ouZ
February 26th, 2002, 14:23
Hello binh81!
First of all, sorry for my poor English, it's not my first language.
For some days I have been trying to unpack iris 3.7 but without success; it is antidump, antisoftice, antiTRW ..
It seems a good protection.
With PeEdit I found Aspack sections. I tried Aspackdie 1.2 (yoda) and obtained an unpacked file, but it doesn't run correctly, it crashes in a kernel API.
I read that you have succeeded in obtaining a functional dump; I would be thankful if you could give me some information on how to unpack it.
Thanks.
crUsAdEr
February 26th, 2002, 18:15
Hi the curious :>...
Yeah, as you have read in evaluator's post, it is not Aspack but PcGuard and tELock... you have to try to find the OEP; finding the OEP is tricky but it can be done. I do not want to give it away before you try a bit first, then it's more fun :>... try to search the board for more information about manual unpacking as well as read a few tutorials.. try something simpler first, after u succeed you will feel more confident to try this one... it has anti-tracer protection but the IAT can be found raw in memory...
Hmm, that probably sounds confusing right now, but I don't really know how to hint you without giving the answer away and killing the fun. Well, manual unpacking is about finding the OEP, dumping the IAT and rebuilding, so you should approach it systematically in that manner..
Try first and then tell me exactly where your problem is then i can help :>
Cheers...
thE Cur!ouZ
February 27th, 2002, 14:04
Hi binh81!
Thank you for your answer, I am going to try to work more.
I have tried to trace the soft with icdump to find the OEP, but without success; iris shows me an "error 00000000", it is anti-trace also, as you said.
I am going to read of other one of the tut's and manual unpacking.
Be right it is necessary work more and more, better to have solution..
Thank you for the answer my friends
evaluator
February 27th, 2002, 15:42
Lets try this first step:
Load IRIS.EXE in WINICE+ICEDUMP, then
bpx 587000
and dump program. Now you have un_PCGUARDED but tELocked IRIS.EXE
Rebuild dump and set tELock-EIP 587000, try set correct IT for telock yourself

then we will continue..
thE Cur!ouZ
February 27th, 2002, 19:24
Hi, evaluator ..
Thank's for this information.
I appreciate your reply.
I have tried ...but the soft does not break at this address 587000.
It doesn't accept "bpm" as u know (it forces u to restart the PC)...
It's not the same version... !!?
I have version 3.7.0.1.
Can you tell me how to find the OEP?
Tools to use?
I have tried to trace the soft with Revergin but it doesn't give me a good result.
Any idea?
thankx
evaluator
February 28th, 2002, 02:49
Why BPM??
I said BPX 587000
thE Cur!ouZ
March 1st, 2002, 11:47
Hi evaluator !
I know u said BPX.. it doesn't work either..!!
The soft doesn't break at 58700 with bpx ...
I said bpm because I have tried with it, that's all... :>
Thanks..
evaluator
March 1st, 2002, 12:10
Do you use ICEDUMP?
thE Cur!ouZ
March 1st, 2002, 12:18
yeah , ICEDUMP is loaded..
i have the last version 6.025
evaluator
March 1st, 2002, 14:25
You do something wrong.
Write here IRIS.EXE size,data, crc32
thE Cur!ouZ
March 1st, 2002, 17:43
IRIS.EXE V 3.7.0.1
Size: 815 KB (835 072 bytes)
CRC32: ?? I don't know which tool to use to detect it
crUsAdEr
March 1st, 2002, 17:50
bpm works fine on my win2k with DS2.5.. no icedump loaded....
you have to set the breakpoint in the right context maybe, or else it will not break...
evaluator
March 1st, 2002, 20:24
for CRC32
http://www.damn.to/files/dm_hc151.zip
DakienDX
March 1st, 2002, 21:08
Hello evaluator !
Very interesting...
The HTMLs are down, but the ZIPs are still available.
If it should not work anyway, please try here (http://www.woodmann.net/forum/showthread.php?threadid=2126). I already attached it to a post some time ago.
evaluator
March 1st, 2002, 21:27
Entries are closed!
But I remembered!!!!!!!!!
www.damn.to/news.html
DakienDX
March 1st, 2002, 21:40
Hello evaluator !
Good you remembered the link.

I never tried to access any files on the page, since I thought the DAMN page was down and the current index page was the only file on their server.
Then I noticed your link was working, but I didn't remember their page's structure and ended up in their current index page.
I noticed their page is rarely slow, so it might be better to download the file as a thread attachment from here instead of bringing them high traffic.

thE Cur!ouZ
March 1st, 2002, 22:14
Hi, evaluator..
thankx for the tools link of DAMN.
CRC-32 : 67A9CF50 of IRIS.EXE V 3.7.0.1
I have exceeded the 15 days of evaluation; now it shows me the message box "Demonstration period has exceeded".
I think that for this cause the BPX 587000 does not work !!
Hi binh81...
I have WIN98SE.
Softice 4.05 build 334.
possibly the soft don't detect the new version of softice in DS2.5.
Thankx.
evaluator
March 1st, 2002, 23:06
Hehe!
Of course, BPX587000 will not work if you see that MessageBox.
PCGUARD uses "license file + registry key" for the time check. Use RegMon to detect the regKey.
license file = vmm32b1.dll
You forgot to write the IRIS.EXE time stamp. (Or when you downloaded it.)
thE Cur!ouZ
March 2nd, 2002, 19:10
Hi, evaluator!!
TimeDateStamp: 3C05426D
What do u mean :
"Of course, BPX587000 will not work if you see that MessageBox. "
After the end of the evaluation period, it will be impossible to set a BPX in the soft or unpack the PcGuard protection?!!! Is that it!!?
For the registry, I have tried deleting the key from the registry; IRIS shows me a message box "licence file error".
I have dld the soft 01-11-02.
thankx for ur patience.
evaluator
March 2nd, 2002, 22:15
I said:
"Use program REGMON for locate needed registry key in [HKEY_CLASSES_ROOT]"
thE Cur!ouZ
March 2nd, 2002, 22:38
I said, I have located the key in:
[HKEY_CLASSES_ROOT], it is {029005E5-1AB953A0-4BCE90FD},
after that, what can I do with it?
I have deleted it!
The soft regenerates it after running..!!

evaluator
March 3rd, 2002, 09:15
So if you delete this key & vmm32b1.dll,
IRIS again not runs?
Do something, do anything MUTTLEY!
Don't more post here before you will BPX587000