Visual Protect i need Help :)


silverstorm
March 25th, 2002, 18:40
Hello, please, I have problems unpacking this application

http://www.visagesoft.com/downloads/vp.exe

It's packed with Visual Protect.. (the program is Visual Protect too)

Please, I want to learn how to unpack this protection.. thanks.

SiLvEr StOrM

Solomon
March 26th, 2002, 04:19
+SplAj made a license for it long time ago. Please search.

silverstorm
March 26th, 2002, 13:28
Thanks for the answer.. friend.. but I want to know how to unpack an application packed with that program.. please can you teach me...

thanks..

crispeater
March 26th, 2002, 13:30
which version of VP is it?

silverstorm
March 26th, 2002, 13:34
version 3.1.6

crispeater
March 26th, 2002, 13:37
It's been a long time since I looked at VP, so I'll take a look tonight and let ya know.

In the meantime, do some searching for tutorials on older versions, as they might give you a clue as to how to proceed.

crUsAdEr
March 26th, 2002, 14:40
Hi Silver Storm,

What are you having problems with? It is fairly simple to unpack.. here are some hints:

find the IT table, bpm it
then bpx GetProcAddress
watch the IAT being deciphered, yeah interestingly, the IAT ASCII strings are ciphered :> (gosh, or am I reading too much crypto :>?/)
after you exit the IAT updating loop, F12 once or twice then trace with F10, you will see soon enough a jump [ebp-4], or something like that :>

Good luck...

Hmm, really obscure protector, I have yet to find any app protected with it... the license file does not seem a problem when I wrap my notepad...?? Do you know any app protected with it?

Solomon
March 26th, 2002, 15:55
All the products from the same company as VP are protected with VP: http://www.visagesoft.com

Quote:
Originally posted by binh81
Do you know any app protected with it?

DakienDX
March 26th, 2002, 18:35
Hello binh81 !

If the license file doesn't seem to be a problem, try the applications from Visage.
Start with VisualProtect, then try Easy PDF. They will work fine.
But now try Windows Help Designer, both WinHelp and HTMLHelp edition. A wrong license file will say "Invalid License", a correct license file will crash the program.
And I don't think they make non-working copies of their software available for download.

crUsAdEr
March 26th, 2002, 21:25
HI Dakien, solomon...

Just curious... the website is f****** slow... I have been downloading for an hour, 0.50kb/s???? nah, but that is beside the point...

Correct me if I am wrong, but it seems that this protection is useless as a general protection, as if we use VP to wrap another exe file, not developed by Visage, then once unwrapped, the license file and VP.dll ain't gonna matter anymore? They only matter for Visage products themselves because these features are integrated into the exe...

Maybe this is why it is not used by any other software developing company? :>

Cheers, I will post here again should I encounter any difficulties... man, 1:5:49 more... this company CAN NOT MAKE IT... even slower than M$ website...

DakienDX
March 26th, 2002, 21:53
Hello binh81 !

You're right, but this happens not only with Visual Protect, but with any protector using just a wrapper and no callback functions the program could call or environment variables which could be checked.

I don't think they've implemented anything special in their help designer programs, but when I've tried to generate a license for them, they crashed.
I tried all options available, but I couldn't get them to accept my registered license file. They accepted my license file with a 500 day trial with no problems, but crashed when trying to use my registered license file.

I had no problem with registering Visual Protect itself and Easy PDF.

crUsAdEr
March 26th, 2002, 22:07
Hee Dakien...

You are too fast for me... I am still figuring out how to generate the license file... I have been living with patching alone... cos I was hoping that it will be more generic to remove the need for the license file and VP.dll altogether....

foxthree
March 27th, 2002, 20:13
Hi binh/Dakien:

Okay, glad to join the party of VisualProtect.

Yes, binh81, this one is doing the decryption via VP.DLL. Somewhere in the code woods it loads the VP.DLL and GetProcAddresses the exports 1, 2, 3, 5 and then checks for valid address values. I also managed to find the OEiP (just by tracing manually this time ).

Found the "magic bytes" - FF,65,FC JMP [EBP-4] 00*92304

But what baffles me is that when I run the dumped file, it gives me "License File Error. Could not locate license file, please reinstall the software" (whereas the .vpl file is very much present)

So, I debugged ...

I found that the VP.DLL is being called and there are a lot of code snippets that do this:

CMP EAX, [EDX]
JZ/JNZ etc

I bypassed all this successfully and reached the point where the original app puts up the Nag box. Of course, we wouldn't have it in the unpacked proggie, right? So I bypassed this and noted that on clicking Try in the original app, it puts EAX = 1. So I patched this place to

MOV EAX, 1

But when I run this, VP crashes on me

Any tips/pointers on how you guys avoided the license not found dialog and other tricks? Just tips will do

Signed,
-- FoxThree

PS: I don't find the IAT redirected or encrypted. Do we need to run RV on this? I don't think so, but just in case.

crUsAdEr
March 27th, 2002, 23:15
Hi Fox3,

welcome on board, I have not had much time or inspiration to look into this yet, but well..

IAT ASCII was encrypted.... decrypted in memory and loaded, ReVirgin won't work... the redirection scheme is simple:
    mov eax, xxxxxxxx
    jmp eax

Yet ReVirgin fails to trace... think Tsehp isn't working on this cos VP isn't a popular protector....

Regarding the license file, I have yet to manage to make a full license like SplAj said in his post last year, was Feb 2001 :>.... dig out the forum archives :>... yeah, I patched as you said, and continued patching :>.. I traced with the original exe and my dumped exe, found the different jumps and patched accordingly, think I made 3 or 4 patches for it to work.. not very neat though... (hint: dump VP.dll and use IDA, you will see a lot clearer... with lots of nitty checks made in VP.dll)

I tried to unpack VP.dll itself but was somehow unsuccessful... don't know why... maybe someone can shed some light???

Regards,

P.S.: fox3, do check your IT cos I am pretty sure that the IAT ASCII strings are encrypted.... have fun

+SplAj
March 28th, 2002, 10:02
VP, licence & unpacking

Ok, I found the target in my archive. I 'did' v3.1.5. First of all, the licence scheme is easy to fool. My RCE licence trick still works.

Unpacking was a bit trickier. I remember that KERNEL32 API calls were decrypted to a lookup table. RV did not manage to trace them.......but now with 'plugins'

Ok, I dumped the exe at oeip, dumped the best part of the IAT with 'save resolved'. Then dumped the whole KERNEL32 API calls from memory to disk and used UltraEdit to get them in a usable linear format, pasted this into the RV resolved.txt output, reloaded RV and the target, loaded rv resolved.txt, Resolved again and rebuilt the complete IAT.

It was a coupla hours to do that.

Hope that helps.

Spl/\j

foxthree
March 28th, 2002, 10:12
Hi +SplAj guru:


Welcome back. Hope you're feeling fine. As usual, your "succinct" remarks on unpacking VP

Glad to have your post on the VP problem. Gives me confidence, you know

Okay, lots of Copy+Paste work looming ahead of me

Hang around, man...

Signed,
-- FoxThree

+SplAj
March 28th, 2002, 10:23
ppl

......don't do it the hard way.....it takes a few hours, not 10 mins as I erm originally boasted ...and the target is crap anyway. I see v3.1.6 is still there from October last year, so they did not learn from us!

The best/future-proof way is to 'auto' resolve that API lookup table....HOW!...well, SpeKKel has discussed using a plugin for RV......it makes sense. This is what plugins are for.


Spl/\j

crUsAdEr
March 28th, 2002, 11:20
Hi SplAj, Fox3,

Hopefully this helps you save a couple of hours :>... this is not exactly how I did it but an improved idea..

since the redirection scheme is like
    B8 xxxxxxxx    mov eax, xxxxxxxx
    FFE0           jmp eax

this is repeated a few times until finally eax points to the correct API address...

So here is the idea: at jmp [ebp-4], before the OEP, do
a eip
        mov  ebx, IATstart_offset
top:    cmp  ebx, IATend_offset + 4
        je   $                    ; eb fe: jumps to itself, so it spins here when done and you can break in
        mov  eax, [ebx]
        test eax, eax
        je   next                 ; empty slot, skip it
        cmp  eax, 70000000        ; is this IAT entry redirected?
        jge  next                 ; no, it already points into a DLL
chain:  mov  eax, [eax+1]         ; read the imm32 of the "mov eax, xxxxxxxx" stub
        cmp  eax, 70000000        ; is the original API address found?
        jl   chain                ; no, follow the next stub
        mov  [ebx], eax           ; update IAT
next:   add  ebx, 4
        jmp  top

I can't remember my code exactly, but the idea is there... now after a few milliseconds ReVirgin should do the job :>

Cheers,


P.S.: hey, what happened to my indentation??? ah well... I spent some time indenting the code to make it look neat but.. sorry, not my fault :>....
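The redirected-IAT walk from the post above, written out as an added Python example (not crUsAdEr's code or anything from Visual Protect) over a constructed memory image. It follows each "mov eax, imm32 / jmp eax" stub until the value lies above the post's 70000000 threshold, checks the opcode bytes so that a slot that is not a stub stops the walk instead of reading garbage, bounds the number of hops, and compares unsigned so addresses above 0x80000000 are not mistaken for redirected ones. The base address, the threshold constant and the "API" addresses are constructed values.

```python
import struct

BASE = 0x00400000        # load address of the constructed image (assumption)
DLL_FLOOR = 0x70000000   # the post's threshold: real API code lives above it
MAX_HOPS = 16            # guard against a chain of stubs that never reaches a DLL


def read32(mem: bytearray, va: int) -> int:
    return struct.unpack_from("<I", mem, va - BASE)[0]


def follow_stubs(mem: bytearray, va: int) -> int:
    """Walk 'mov eax, imm32 ; jmp eax' stubs until the value points above DLL_FLOOR."""
    for _ in range(MAX_HOPS):
        if va >= DLL_FLOOR:          # unsigned compare, unlike the signed jl/jge in the post
            return va
        off = va - BASE
        # B8 imm32 = mov eax, imm32 ; FF E0 = jmp eax: refuse anything else
        if mem[off] != 0xB8 or bytes(mem[off + 5:off + 7]) != b"\xff\xe0":
            raise ValueError(f"no mov/jmp stub at {va:#010x}")
        va = read32(mem, va + 1)     # the imm32 is the next hop
    raise ValueError("stub chain too long")


def resolve_iat(mem: bytearray, iat_start: int, iat_end: int) -> list[int]:
    """Rewrite every redirected slot in [iat_start, iat_end] in place; return the final values."""
    resolved = []
    for slot in range(iat_start, iat_end + 4, 4):
        entry = read32(mem, slot)
        if entry != 0 and entry < DLL_FLOOR:        # empty or already direct: leave alone
            entry = follow_stubs(mem, entry)
            struct.pack_into("<I", mem, slot - BASE, entry)
        resolved.append(entry)
    return resolved


def build_sample() -> tuple[bytearray, int, int]:
    """Constructed image: three IAT slots, two of them redirected through stub chains."""
    mem = bytearray(0x300)
    def stub(va: int, target: int) -> None:
        struct.pack_into("<BI2s", mem, va - BASE, 0xB8, target, b"\xff\xe0")
    api_a, api_b = 0x77E7A5F0, 0x77E7B120     # constructed "DLL" addresses
    stub(BASE + 0x100, BASE + 0x110)          # two-hop chain ending at api_a
    stub(BASE + 0x110, api_a)
    stub(BASE + 0x120, api_b)                 # single hop to api_b
    iat = BASE + 0x10
    for i, value in enumerate((BASE + 0x100, 0, BASE + 0x120)):
        struct.pack_into("<I", mem, iat - BASE + 4 * i, value)
    return mem, iat, iat + 8
```

Calling resolve_iat on build_sample()'s image rewrites the first and third slots to the two constructed API addresses and leaves the empty middle slot untouched, which is exactly what ReVirgin or ImpREC then needs to see.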

crUsAdEr
March 28th, 2002, 11:24
Hey SplAj,

Hmm, so where is that plug-in for RV? Or is this under development?

Solomon
March 28th, 2002, 11:26
hi binh81,

you have to use VBB CODE to keep the indent

+SplAj
March 28th, 2002, 12:25
you guys kill me.....

i luv this place...gimme gimme gimme

this shitty protection has been hanging around unused for months and now we need the plugin this afternoon!

hahaha.....necessity is the mother of all inventions

I cannot steal the thunder of my friend SpeKKel. He did a lot of work on this plugin and I leave it to him to make the world bow down at his feet and say 'oh master, please let us destroy this visual protection......... give us yer plugin mate'


BTW here is the rebuilt (Win98SE) IAT from VP 3.1.5 for examination...
I think it is the right one????

CYA

Spl/\j

SpeKKeL
March 29th, 2002, 16:59
Hahaha, who said he was sad??? lol

Well about the plugin:

I just took an original plugin, made some little modifications, and
yes it worked,,,,,, But only used it on vp.exe and don't know if it will
work on other targets (you have to try)
H'mm no credits to me but all to the author who made the original source...
So try and tell me if it works.
BTW on w98 the plugin(s) aren't working on R.V; you have to try it
with ImpREC.
Still one or two APIs aren't resolved but here you've to trace
yourself..

Happy Easter,

Spekk

foxthree
March 30th, 2002, 21:36
Hi +SplAj/SpeKKel/binh81:

+SplAj: Guess what, the IAT hasn't even been "touched" between the version you unpacked and the current one I did. It is "ditto"

SpeKKel: Thanks for the great plugin. It rocks!!! However, around 30 APIs had to be resolved manually, as you said. Nevertheless we can defeat VP in 1/2 the time +SplAj guru took (No offense to you, +SplAj guru). Awesome!!! (Psst. mind sharing the source...)

binh81: Yet another commercial protector defeated, my friend.

Good work guys and most of all, thanks a lot for giving a heads up on this one.

Even though this was quite a "dead target", it still has a couple of significant tricks for newbies.

See ya all until the next packer

Signed,
-- FoxThree

PS: I must try to unpack GenerateLicense.exe ... Yawn !

clxia
May 9th, 2002, 07:44
Quote:
Originally posted by crUsAdEr
Hi Silver Storm,

Hmm, really obscure protector, I have yet to find any app protected with it... the license file does not seem a problem when I wrap my notepad...?? Do you know any app protected with it?


h*tp://www.doculex.com/

Another instance. All their software is protected by Visual Protect v3.?.?.

Hwoarang
May 9th, 2002, 11:50
or just use an unpacker...try google:
"de-visual protect 3.1.6"