
How to unpack FlashFXP


TheDutchJewel
April 27th, 2002, 21:01
Does anybody know how to unpack FlashFXP?

As far as I can see, it is compiled with Borland Delphi 3.0.

I tried Protools and exetools for some unpackers. I can't find any prog that does the job.

When I try to unpack it with ProcDump, I get this error:

Tracer Code Failure!
Access violation occured at EIP 0x00597A41 - Terminating.

How can i unpack this proggy?

tia, TheDutchJewel

crUsAdEr
April 27th, 2002, 22:51
Hi TheDutchJewel,

It is packed with tElock as far as I can remember! Search for tElock tutorials; there is one good tutorial at krobar's site, and there is lots of unpacking information on this board. Use the search button!

Cheers,

foxthree
April 28th, 2002, 08:55
Hi Binh:

Previous versions of FlashFXP were packed with tE! However, this version does not seem to be tE! (at least not 0.90; I didn't spend much time looking at it, but it sure looks a lot different). There is no section trick, which is the significant signature of tE!.

Anyways, this warrants a closer look. I'll see what I can find.

Signed,
-- FoxThree

Stone()
April 28th, 2002, 09:15
It is packed with a private version of tElock. Seemed that there has been some sort of agreement between Charles and tE.

Unpacking is done in the same way as with other apps: just find the OEP and then dump from there.

I can't use RV to trace imports, however; it does not find anything on my box, so I have to use ImpRec and fix the saved tree manually, as many of them are not resolved. It's a Delphi app, so imports are quite standard, and it only takes you a lot of time editing the saved tree.

Solomon
April 28th, 2002, 10:28
Easy. Just dump the full IT/IAT from memory before tElock destroys it and paste it into the dumped exe.

IT is located at the beginning of .idata section. IT Length = 1CC, dump length = 30B0

TheDutchJewel
April 29th, 2002, 00:18
Quote:
Originally posted by Solomon
Easy. Just dump the full IT/IAT from memory before TELock destroying it and paste it to the dumped exe

IT is located at the beginning of .idata section. IT Length = 1CC, dump length = 30B0


Thanks for all the help posted here. But because I'm new with dumping files from memory, I've a few more questions:

1. IT=Import Table(?), but what's IAT=?

2. How to dump the full IT/IAT from memory and which prog should I use?

Solomon
April 29th, 2002, 02:25
Quote:
1. IT=Import Table(?), but what's IAT=?

IAT = Import Address Table

Quote:
2. How to dump the full IT/IAT from memory and which prog should I use?


When you find that the IT/IAT of FlashFXP is fully decrypted (but not destroyed yet), suspend it with a JMP EIP or equivalent, and use LordPE to make a partial dump.

Grab LordPE RoyalTS here:
http://mitglied.lycos.de/yoda2k/LordPE/info.htm

I suggest you read some manual unpacking tuts first.
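
The terms Solomon uses (IT = the table of import descriptors, IAT = the array of slots the loader fills with API addresses) are easiest to see on a concrete PE import directory. The following is an added example, not code from this thread or from LordPE/ImpRec: it builds a small constructed import directory as a flat image (RVA == offset, as in a section-aligned memory dump), walks it the way a dump tool or import rebuilder does, and classifies each IAT slot as still-a-name-thunk (the on-disk state), resolved (the loader has written an address) or destroyed. Modelling "destroyed" as a zeroed slot, the image base and the API addresses are constructed assumptions for the example.

```python
import struct

# Constructed values for this example; a real PE would supply its own.
IMPORT_DIR_RVA = 0x0000            # RVA of the constructed IMAGE_IMPORT_DESCRIPTOR table (the "IT")
IMAGE_ORDINAL_FLAG32 = 0x80000000  # real PE32 flag: thunk imports by ordinal, not by name


def u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0]


def put_u32(buf, off, val):
    struct.pack_into("<I", buf, off, val)


def cstr(buf, off):
    return bytes(buf[off:buf.index(b"\0", off)]).decode("ascii")


def build_image():
    """Build a flat image (RVA == offset) holding a 2-DLL import directory.
    Layout: descriptors at 0x000, INT arrays at 0x100, IAT arrays at 0x180, strings at 0x200."""
    img = bytearray(0x300)
    cursor = 0x200

    def put_bytes(data):
        nonlocal cursor
        off = cursor
        img[off:off + len(data)] = data
        cursor += len(data) + (len(data) & 1)   # keep IMAGE_IMPORT_BY_NAME 2-byte aligned
        return off

    dlls = [("kernel32.dll", ["GetProcAddress", "LoadLibraryA"]),
            ("user32.dll", ["MessageBoxA"])]
    for i, (dll, funcs) in enumerate(dlls):
        int_rva, iat_rva = 0x100 + 0x20 * i, 0x180 + 0x20 * i
        for j, f in enumerate(funcs):
            # IMAGE_IMPORT_BY_NAME: WORD hint followed by the NUL-terminated name
            thunk = put_bytes(struct.pack("<H", j) + f.encode("ascii") + b"\0")
            put_u32(img, int_rva + 4 * j, thunk)   # INT keeps the name reference permanently
            put_u32(img, iat_rva + 4 * j, thunk)   # IAT starts as a copy; the loader overwrites it
        desc = IMPORT_DIR_RVA + 20 * i
        put_u32(img, desc + 0, int_rva)                               # OriginalFirstThunk (INT)
        put_u32(img, desc + 12, put_bytes(dll.encode("ascii") + b"\0"))  # Name
        put_u32(img, desc + 16, iat_rva)                              # FirstThunk (IAT)
    return img                                  # the all-zero descriptor at +40 terminates the table


def parse_imports(img, import_dir_rva=IMPORT_DIR_RVA):
    """Walk the descriptor table; return [(dll, [(func_name, iat_slot_rva), ...]), ...]."""
    result, desc = [], import_dir_rva
    while u32(img, desc + 12) != 0:             # Name == 0 marks the end of the IT
        oft, ft = u32(img, desc), u32(img, desc + 16)
        # Names come from the INT when present. Some linkers (Borland's among them) leave
        # OriginalFirstThunk at 0, so only the IAT holds the name thunks; once a protector
        # wipes that IAT in memory, the names are gone, which is why the dump must be taken first.
        names_rva = oft or ft
        funcs, i = [], 0
        while (thunk := u32(img, names_rva + 4 * i)) != 0:
            if thunk & IMAGE_ORDINAL_FLAG32:
                name = "#%d" % (thunk & 0xFFFF)
            else:
                name = cstr(img, thunk + 2)     # skip the 2-byte hint
            funcs.append((name, ft + 4 * i))
            i += 1
        result.append((cstr(img, u32(img, desc + 12)), funcs))
        desc += 20
    return result


def iat_states(img, import_dir_rva=IMPORT_DIR_RVA):
    """Classify each IAT slot: 'name' (still a thunk into the image, the on-disk state),
    'resolved' (an absolute API address) or 'destroyed' (zeroed; a modelling assumption)."""
    states = {}
    for dll, funcs in parse_imports(img, import_dir_rva):
        for name, slot in funcs:
            val = u32(img, slot)
            if val == 0:
                st = "destroyed"
            elif val < len(img) or val & IMAGE_ORDINAL_FLAG32:
                st = "name"
            else:
                st = "resolved"
            states[f"{dll}!{name}"] = st
    return states


def simulate_loader(img, exports, import_dir_rva=IMPORT_DIR_RVA):
    """What the OS loader does at start-up: write each export's address into its IAT slot.
    `exports` maps 'dll!func' to an address (constructed values in this example)."""
    for dll, funcs in parse_imports(img, import_dir_rva):
        for name, slot in funcs:
            put_u32(img, slot, exports[f"{dll}!{name}"])


def simulate_packer_wipe(img, import_dir_rva=IMPORT_DIR_RVA):
    """Model of a protector destroying the IAT after it has used it (slots zeroed)."""
    for _, funcs in parse_imports(img, import_dir_rva):
        for _, slot in funcs:
            put_u32(img, slot, 0)


def demo():
    img = build_image()
    before = iat_states(img)
    exports = {"kernel32.dll!GetProcAddress": 0x7C80AE30,   # constructed, not real addresses
               "kernel32.dll!LoadLibraryA": 0x7C801D7B,
               "user32.dll!MessageBoxA": 0x77D5050B}
    simulate_loader(img, exports)
    loaded = iat_states(img)
    simulate_packer_wipe(img)
    wiped = iat_states(img)
    return before, loaded, wiped


if __name__ == "__main__":
    for label, states in zip(("on disk", "after loader", "after wipe"), demo()):
        print(label, states)
```

The three snapshots returned by `demo()` are the states an unpacker has to reason about: a dump taken in the middle one still lets a rebuilder recover names (addresses can be mapped back to exports), a dump taken after the wipe cannot, which is Solomon's point about dumping before the table is destroyed.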

TheDutchJewel
April 29th, 2002, 07:57
Thanks Solomon. You're right about reading unpacking tutors. I'll begin next Friday when I'm back from holiday. Till then...

foxthree
May 4th, 2002, 21:20
Hi folks:

I'm dropping some findings here so that it may get eventually archived.

Unpacked the FlashFXP in question and did some analysis.

Earlier I commented that it was not the standard version of tE!. Stone() also posted the same thing. Yes, indeed it is not the standard version of tE! There are a couple of anti-BPM techniques different from the original tE!.

Also, the FFFF section trick is not present. In this build, it is FE1C. (Not that it matters, but certain signature finders based on this value of "FFFF" may fail.) Fix it and your dump is sweet.

Note to Stone() and others trying to rebuild the IAT of tE!:

Most optimal way: use ImpRec/Tracer Level 3 and save yourself some boring typing time.

And yes, before I forget, the OEP sigs for this build of tE! are:

61 POPAD
FF6424D0 JMP [ESP-30]

I've added this to the next version of OEPFinder and marked it as tE! Private FFXP build

BTW, the above sigs don't help as even if you put BPMB on POPAD, tE! finds it and says "CRC Error ...."

I think this is where Clandestiny/Kayaker SICE BTrace Buffer disassembler will come handy. Yo guys! Wassup with the status. I'm itching to get some bsod

Until next time,

Signed,
-- FoxThree
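
The two-instruction tail foxthree gives above (`61` POPAD, `FF 64 24 D0` JMP [ESP-30]) is the kind of signature OEP-finding and packer-identification tools match on. The block below is an added example and not OEPFinder's or any other tool's code: it decodes the `FF /4 ModRM SIB disp8` form of an indirect JMP through ESP so that the displacement is checked rather than hard-coded, scans a constructed code buffer for "POPAD followed by such a JMP", and prints the match in the notation used in the post. The sample bytes and the filler around them are constructed for the example.

```python
SIG_POPAD_JMP_ESP_M30 = bytes.fromhex("61 FF 64 24 D0")   # the 5-byte tail quoted in the post

# Constructed sample: filler, a pushad/call/pop idiom, then the signature, then int3 padding.
SAMPLE_CODE = bytes.fromhex("90 90 60 E8 00 00 00 00 5D 61 FF 64 24 D0 CC CC")


def decode_jmp_esp_disp8(code, off):
    """Decode 'FF /4 [ESP+disp8]' (JMP DWORD PTR [ESP+disp8]) at code[off:].
    Returns the signed displacement, or None if the bytes are not that instruction."""
    if off + 4 > len(code) or code[off] != 0xFF:
        return None
    modrm, sib, disp = code[off + 1], code[off + 2], code[off + 3]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if mod != 1 or reg != 4 or rm != 4:     # mod=01: disp8; reg=/4: JMP; rm=100: SIB follows
        return None
    index, base = (sib >> 3) & 7, sib & 7
    if index != 4 or base != 4:             # index=100: no index register; base=100: ESP
        return None
    return disp - 0x100 if disp & 0x80 else disp   # sign-extend the 8-bit displacement


def format_jmp_esp(disp):
    """Render the displacement the way the post writes it, e.g. 'JMP [ESP-30]'."""
    return "JMP [ESP-%X]" % -disp if disp < 0 else "JMP [ESP+%X]" % disp


def find_popad_jmp_esp(code):
    """Return [(offset_of_popad, displacement), ...] for every 'POPAD; JMP [ESP+disp8]' pair.
    Unlike a fixed byte match this also reports variants with a different displacement."""
    hits = []
    for i in range(len(code) - 4):
        if code[i] == 0x61:                 # POPAD
            disp = decode_jmp_esp_disp8(code, i + 1)
            if disp is not None:
                hits.append((i, disp))
    return hits


def matches_post_signature(code):
    """Exact match of the 5 bytes foxthree listed (what a plain signature scanner does)."""
    return SIG_POPAD_JMP_ESP_M30 in code


if __name__ == "__main__":
    for off, disp in find_popad_jmp_esp(SAMPLE_CODE):
        print("POPAD at 0x%X followed by %s" % (off, format_jmp_esp(disp)))
    print("exact post signature present:", matches_post_signature(SAMPLE_CODE))
```

Decoding the ModRM/SIB bytes rather than comparing raw bytes is what makes the search tolerant of a rebuilt stub that uses a different stack offset, while the exact 5-byte check reproduces what a signature database entry for this build would do.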

TheDutchJewel
May 8th, 2002, 19:22
Does anyone know a good tutor about unpacking? Used the search without success.