E-License vtcpak33d.dll and Deep Paint 1.1b
Artifex
June 9th, 2002, 19:25
Deep Paint v.1.1b
h**p://w*w.righthemisphere.com/products/dpaint/downloads/_dpdldemo.php3
Wrapped with ViaTech e-License (vtcpak33d.dll)
With Softice :
bpx bff6430d if (ax==9001)
F5
bff6430d jmp eax
f10
xxxx9001 (02319001 or 021f9001)
g 0222ffad or g 0210ffad (xxxx - 000f)
if your 30-day trial period is not over :
at xxxxffad nag screen (TRY, BYE, QUIT)
f10
xxxxffad
xxxxffb2
g 02483bff (or xxxx + 0022)
02483bff jmp [024a2024] = jump to 52ac00 (OEP)
a
jmp eip
/dump 400000 3e7000 dpdump1.exe
------------------------------------------
if your 30 day trial period is over :
r eip xxxxffb2
g 0223145c : don't jump to 022388e
g 0223388e : jump to 022333dc
g 0223464b : wrapper does unpacking
g 0223465d : wrapper works upon PEHeader (changes it, moves it (?) and zeroes part of it (4000xx to 4002xx)
g 02483bff jmp [024a2024] = jump to 52ac00 (OEP)
a
jmp eip
/dump 400000 3e7000 dpdump1.exe
-------------------------------------------
Dump crashes (it has a zeroed PE header) and I can't do more!
Artifex
foxthree
June 9th, 2002, 19:39
Hi Artifex:
Try fixing the PEHeader in the dump from the one in the file on disk. If that doesn't work, try bpx VirtualProtect. Surely the packer must call this (or VirtualProtectEx) to write into PE Header area!
A whopping 18MB download is too much for my dial-up. I'll try this target later.
Success!
Signed,
-- FoxThree
LaptoniC
June 9th, 2002, 21:32
Open the program; when the dialog box appears, go to SoftICE and put a bpx on FreeLibrary.
F11 and step it; you will see the OEP. Dump with pedump and it will be OK.
Whatever method you try, it works with this protection scheme. The secret key is to rename the unpacked program back to its original name. So it will work.
Hehe, sometimes the answer is so simple.
Artifex
June 10th, 2002, 05:32
to Foxthree : I dug into this PE header zeroing call at 0223465d and dumped 400000 400 before it does its job, and I pasted it into the dumped file, but it keeps crashing.
to LapTonic : I read your answers in another thread in 2001 about an earlier version of e-License. I know you use pedump from TRW, and I remember about not renaming the dumped file. I plan to try with TRW but haven't done so yet.
ProcDump refuses to dump this file. Only icedump accepts.
Many thanks for the help.
Artifex
+SplAj
June 10th, 2002, 07:48
Just an encryptor?
From my experience with e-licence it is just an encryptor, not packed at all, and the OEiP == OEiP already, so you just open up the target with SI and set BPX OEiP, then F5, and the bloody thing decrypts itself.
Then you just dump and rebuild the IAT with LordPE? (or catch it in memory and dump the .idata section), rename the exe to the original filename and it is busted.
Simple as that! Maybe they did something more these days, but I doubt it.
I think there was a question about DeepPaint3D on the G-rom board..... but there was a bit of *censorship* going on.
Spl/\j
+SplAj
June 10th, 2002, 08:03
Artifex
It is now version 2.0 ???? +25 megs
zzz.righthemisphere.com/products/dp3d/downloads/dp3d20.exe
Spl/\j
+SplAj
June 10th, 2002, 10:27
noop,
nothing has changed...............just busted it under Win2K in 15 mins.
OEiP, IT & IAT stay the same. Just look at the PE header with LordPE, use RV or imprec to remap IT in its existing place and rename dumped_exe to Deep3D.exe and it's done.
That's an interesting RCE point about the name of the exe... if it's any other name than 'Deep3d.exe', the dll FileIO.dll fails to load and the exe exits... FileIO.dll is NOT part of the regular imports in the IAT at all but is dynamically loaded.
BTW a $995 product deserves a better protection than e-licence, if it's really worth $995 ??? I use MS Paint
Spl/\j
Artifex
June 10th, 2002, 10:37
Hi, SplAj, and many thanks for helping.
Deep Paint 1.10b is not an older version of Deep Paint 3D 2.0.
They are two different pieces of software.
The question is about Deep Paint 1.10b.
The eLicense dll is now vtcpak33d.dll and no longer vtcpak24.dll.
Artifex
+SplAj
June 10th, 2002, 10:48
Silly me
Deep Paint v. Deep paint 3D.... now I get it
Spl/\j
Artifex
June 10th, 2002, 12:15
+SplAj wrote :
> OEiP, IT & IAT stay the same. Just look at the PE header with LordPE, use RV or imprec to remap IT in its existing place and rename dumped_exe to Deep3D.exe and it's done.
I will let you know if I can apply this method to Deep1.10b.
My next project was Deep3D !
> BTW a $995 product deserves a better protection than e-licence, if it's really worth $995 ??? I use MS Paint
I can't say because I don't paint :-)
Many thanks again, +SplAj
Artifex
+SplAj
June 10th, 2002, 12:39
Well....
It appears that since vtcpak32.dll in DP3D v2.02 and vtcpak33.dll in DP1.1 the IAT is encrypted and decrypted one API at a time
Something to play with later
Makes a change from ASPR LOL.
Spl/\j
On further look it must be an option in the v3 toolkit, cos the dlls are really the same. On DP3D they did not protect the IAT and on DP1.1 they did.
I am d/l'ing some more targets from the 'news' section of the e-licence site... nice of them to give us target practice.
Artifex
June 10th, 2002, 18:42
Hello, +SplAj
I tried to dump Deep Paint 3D v.2.0 Demo :
bpx FreeLibrary
f12
g 2483acf (OEP 5cfaec)
a
jmp eip
f5
LordPE.exe
full dump
(options :
-paste header from disk
-fix header)
Header and Import Table seem OK
IAT : RVA 00000000 Size 00000000 (I don't know that yet, I will read about it)
renamed dumped.exe Deep3D.exe
ran it and got "invalid data"
If the problem is in the IAT, what OEP, RVA and Size do I have to feed Revirgin with?
Artifex
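As an added example (not code from this thread, and not from LordPE, Revirgin, ImpREC or any other tool named in it), here is a small PE32 header inspector in Python that performs, on a constructed sample image, the checks this post and Artifex's earlier note about the zeroed header (400000..4002xx) are circling around: it parses the DOS/NT headers, reports the entry point and the import and IAT data directories, flags a dump whose header bytes were zeroed or whose import directory reads RVA 0 / size 0, and applies the "paste header from disk" repair. Every value in the sample image is made up for the demo; the function names and the shape of the findings are my own.

```python
"""PE32 header inspector for comparing a process dump with the file on disk.
Added example; not code from this thread or from any tool mentioned in it."""
import struct

IMAGE_DIRECTORY_ENTRY_IMPORT = 1   # data directory slot of the import table
IMAGE_DIRECTORY_ENTRY_IAT = 12     # data directory slot of the IAT
PE32_MAGIC = 0x10B
OPT_HDR_FMT = "<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII"   # PE32 optional header, 96 bytes


def build_sample_pe(entry_rva, import_dir=(0x2100, 0x28), iat_dir=(0x2000, 0x40)):
    """Constructed PE32 image (headers plus two 0x200-byte sections) used as
    sample input. Every value is made up for the demo; this is no real program."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew -> NT headers at 0x40
    file_hdr = struct.pack("<4sHHIIIHH", b"PE\0\0", 0x14C, 2, 0, 0, 0, 224, 0x102)
    dirs = [(0, 0)] * 16
    dirs[IMAGE_DIRECTORY_ENTRY_IMPORT] = import_dir
    dirs[IMAGE_DIRECTORY_ENTRY_IAT] = iat_dir
    opt = struct.pack(OPT_HDR_FMT,
                      PE32_MAGIC, 6, 0, 0x200, 0x200, 0, entry_rva, 0x1000, 0x2000,
                      0x400000, 0x1000, 0x200, 4, 0, 0, 0, 4, 0, 0, 0x3000, 0x400, 0,
                      2, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"".join(struct.pack("<II", rva, size) for rva, size in dirs)
    secs = b"".join(struct.pack("<8sIIIIIIHHI", name, 0x1000, va, 0x200, raw,
                                0, 0, 0, 0, 0xC0000040)
                    for name, va, raw in ((b".text", 0x1000, 0x400), (b".data", 0x2000, 0x600)))
    headers = bytes(dos + file_hdr + opt + secs).ljust(0x400, b"\0")   # SizeOfHeaders
    return headers + b"\xCC" * 0x400


def parse_pe(image):
    """Parse the DOS/NT headers; raise ValueError where the loader would refuse."""
    if image[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    nsect = struct.unpack_from("<H", image, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", image, e_lfanew + 20)[0]
    opt = e_lfanew + 24                                    # optional header start
    if struct.unpack_from("<H", image, opt)[0] != PE32_MAGIC:
        raise ValueError("not a PE32 optional header")
    entry_rva = struct.unpack_from("<I", image, opt + 16)[0]
    image_base = struct.unpack_from("<I", image, opt + 28)[0]
    size_of_headers = struct.unpack_from("<I", image, opt + 60)[0]
    ndirs = struct.unpack_from("<I", image, opt + 92)[0]
    dirs = [struct.unpack_from("<II", image, opt + 96 + 8 * i) for i in range(min(ndirs, 16))]
    sections = []
    for i in range(nsect):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", image, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), va, vsize, rawptr, rawsize))
    return {"entry_rva": entry_rva, "entry_va": image_base + entry_rva,
            "size_of_headers": size_of_headers, "dirs": dirs, "sections": sections}


def inspect_dump(dump, disk):
    """Compare a dump against the on-disk file and list what a rebuild still needs."""
    findings = []
    ref = parse_pe(disk)
    zeroed = [i for i in range(ref["size_of_headers"]) if dump[i] == 0 and disk[i] != 0]
    if zeroed:
        findings.append(f"header bytes zeroed in dump: 0x{zeroed[0]:x}-0x{zeroed[-1]:x}")
    try:
        info = parse_pe(dump)
    except ValueError as err:
        findings.append(f"dump header unusable ({err}); paste the header from disk first")
        return findings
    if info["entry_rva"] != ref["entry_rva"]:
        findings.append(f"entry point differs from disk: dump 0x{info['entry_va']:x} "
                        "(the dump must carry the real OEP, not the wrapper's EP)")
    for slot, label in ((IMAGE_DIRECTORY_ENTRY_IMPORT, "import directory"),
                        (IMAGE_DIRECTORY_ENTRY_IAT, "IAT directory")):
        rva, size = info["dirs"][slot]
        if rva == 0 and size == 0:
            findings.append(f"{label} RVA/size are zero; rebuild imports before running")
    return findings


def repair_header(dump, disk):
    """The 'paste header from disk' fix: overwrite the dump's header bytes with the
    on-disk ones (SizeOfHeaders bytes), leaving the dumped sections untouched."""
    n = parse_pe(disk)["size_of_headers"]
    return bytes(disk[:n]) + bytes(dump[n:])


if __name__ == "__main__":
    disk = build_sample_pe(entry_rva=0x1000)
    dump = b"\0" * 0x200 + disk[0x200:]     # simulate a wrapper zeroing the first 0x200 bytes
    for line in inspect_dump(dump, disk):
        print("-", line)
    fixed = repair_header(dump, disk)
    print("after repair:", inspect_dump(fixed, disk) or "no findings",
          hex(parse_pe(fixed)["entry_va"]))
```

The "entry point differs" finding is deliberately only a warning: on a protected file the on-disk entry point is the wrapper's stub, so a good dump is expected to differ there, and what matters is that the dumped header records the real OEP. A zeroed import directory, on the other hand, is the case where the loader has nothing to resolve and the dump has to go through an import rebuilder before it will run.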
+SplAj
June 10th, 2002, 21:19
Hello
I attach some notes about DeepPaint 1.1b cos this had a very interesting IAT redirector with an XOR to establish the API value.
See the attachment....
Read the notes and see what I did with e-licence while the wife was doing her hair.... jeez, women take tooooo long on their quiffs
Real simple for DP3Dv2.... just get a BPMB OEiP X somehow and wait...... then when SI pops just EB FE and then use LordPE to DUMP and RV to re-resolve the IAT and it's done...... all the info is in the PE header already
Spl/\j
i'm off to the pub....
Artifex
June 11th, 2002, 06:27
Congratulations +SplAj, and many thanks for the tutorial. It is one more step in this art.
I will study it and learn.
I couldn't get a running dump of Deep3D yet :-( but I am trying hard !
Then I will try with DeepPaint 1.10b.
Artifex
SpeKKeL
June 11th, 2002, 16:16
Shit Spl/\j, you're too fast for me.... hehehe
Just when I went to reply you made a whole tut.. Think my wife has a shorter haircut.
Yes, it seems they upgraded the vtc-pack; I must think back about 2 or 3 years to when I asked you to look at their encryption system.
Made a few modifications on an existing plugin (some simple xoring with 10 bytes further) and all is resolved.
See you all,
SpekK
Artifex
June 11th, 2002, 18:45
After tens of attempts, I finally got a running dump of Deep3D.
First step was to get sections fixed.
I failed with ProcDump and IceDump, and only got them fixed using LordPE.
Then I used Revirgin 1.3 (my OS is Windows ME). It found the RVA and Length, added a section, filled it with the IT and fixed the import table entry point and size. But when I ran the dumped file, I got a message about a "SIN.dll" missing.
So I used Import Reconstructor, got the dump running OK at the first attempt..., and uninstalled Deep3D!
----------------------
Now I will follow +SplAj's tutorial and try with Deep Paint 1.1b
Artifex
Artifex
June 11th, 2002, 20:25
Hello, +SplAj !
With your tutorial, I got a running OK dump of Deep Paint 1.1b.
I used LordPE and Import Recuperator.
Address xxxx:029F63b0 in your PC is xxx:022063b0 in mine.
I found it using :
s 0 l ffffffff 8b 95 ac fd ff ff 89 11
Deep Paint 1.1b is now uninstalled and I will rest a bit until next project :-)
CacheX 4.51 is also an interesting target.
Artifex
+SplAj
June 12th, 2002, 11:38
Hi Spekk
I knew the mention of PLUGIN would get you going
Can I suggest you make some notes available for the rest of us on patching some new redirector-emulation code into an existing plugin dll???? Like you said, it was a simple xor with 0x10 bytes along, plus the decrypt code was a consistent formula, so an automatic approach was possible.
Artifex, congrats
BTW ALWAYS use LordPE for dumping etc etc... I keep repeating that
Amen
Spl/\j
SpeKKeL
June 12th, 2002, 12:12
Well just some simple notes:
I use the "standard" plugin telock.dll delivered with imprec/r.v.
First look at the source code (included) and you will see it is not a tracer but an opcode checker: so after tracing the address, the plugin checks for an opcode: cmp byte ptr [ebx], 0FFh < ebx is the address to where it was called, FFh the opcode.
At this point you can paste your own code; like in vtcpak you can check if cmp byte ptr [ebx], 050h, and if so then
mov eax,[ebx+2]
mov eax,[eax]
mov ebx,[ebx+8] < total 10 bytes from ebx
xor eax,[ebx]
jmp back (api = found in eax)
So for this target it was a very simple solution.
Changes and pasting I did with Hiew. Better is to rewrite the (T)asm source, but I still can't compile the original; it gives some errors...
Try using the telock.dll plugin on a target, set bpx ReadFile, give 1 time F5 and 1 time F12 and see what is stored where.
Okee, so far this reversing note, and like I said earlier: all the credits go to the author of the original dll!!
SpeKK.
+SplAj
June 12th, 2002, 20:51
Hajo
I attach the source code (with comments) and ready built vtcpak33.dll plugin for RV/Imprec plugin folder.....compliments of Spl/\j and SpeKK
hav phun
... I attach an updated zip with makefile for dll + resource now
SpeKKeL
June 12th, 2002, 21:06
Okeeeee !!!!!!!
Seems familiar to me..
Let's pLug It In...
((H'm wonder how long she did this time about her hair......))
mov ebx!, dword ptr[ebx+2]
hehehe LOL ebx,ebx,ebx ...!!!
See you,
Spekk.
FilipeMB
January 25th, 2005, 10:44
Sorry but I'm a newbie.
What is BPMB OEiP X ?
dELTA
January 25th, 2005, 14:26
Ok folks, I think we have a new record...
FilipeMB
January 25th, 2005, 14:54
Quote (Originally Posted by dELTA): Ok folks, I think we have a new record...
And I promise that I went to search and look at the FAQ, ok?
Kayaker
January 25th, 2005, 15:50
I'm surprised that dELTA is surprised (he loves it when people resurrect 3 year old threads)
Damn, BPMB OEiP X is not in the FAQ?? We've got to fix that.
While it probably makes no sense when you first see it, you *could* have done a more effective search and come closer to the answer.
BPMB is easily searchable to identify it as a Softice command of the form:
bpmb <address> x
The Softice docs explain it further and what the x stands for.
The OEiP is more of a subculture term methinks, but again it turns up in something like 91 threads on this board. Read a few of these posts and by osmosis if nothing else, you should be able to learn what OEP stands for.
I'm not trying to not answer your question, but instead give you a strategy for answering it for yourself.
FilipeMB
January 25th, 2005, 16:03
Guy, I love the way you answer the question. You make me understand this.
Another thing: I tried to use SoftICE on Windows XP and SoftICE doesn't load (message from the SoftICE Symbol Loader).
And in Windows 98SE, SoftICE loads but I can't do anything in the SoftICE Symbol Loader (I read the FAQ but I didn't find anything about how to make it work for what all of you are talking about on this forum).
I really want to know how to unpack the e-licence system. It's a hard system to unpack but I want to.
dELTA
January 25th, 2005, 18:06
Yeah, sure, we really believe that you read all the threads about softice problems on this board, and tried all the suggestions in them, especially after the demonstration of your amazing searching skills in the first post... Nice way to follow up an undeservingly helpful answer (not to mention the final touch "I really want to know how unpack e-licence system") ...
JMI
January 25th, 2005, 18:12
In "other words" your "excuses" are not selling very well.
Regards,
FilipeMB
January 25th, 2005, 18:34
Lol lol.
Now I see how much you love me.
hobferret
January 26th, 2005, 06:45
Bloody hell, not another. There is enough info on this board to give you all you need to unpack elic in <5 mins.
/hobferret