I`m trying with the latest PeLock protect scheme that has the follow dificulties:

- Doesn`t allow any debbuger to run (SICE, TRW, Olly)
- With FrogIce I saw it makes 3 attempts to detect Sice (without it running): First a code 2 (see frogice.txt) and then 2 MeltIce.
- Tracing through the Code 2 zone I saw it makes a HLT instruction (in the example of FrogIce.txt there is an INT3 instead) and then gives the control to VMM. After that there is hang-up of the program and you can`t restart it. I`ve been looking for that Code 2 antidebbuging detection but found nothing.

Excuse me for my bad english.
Anybody has a clue oto this?

tHANKS

mR_gANDALF

for info:

PELock has absoletely NO debugger detection against XP (W2k).
So you can try unpacking there & also you will fail!
because I see you are newbie in unpacking.
So I recommend to you: learn unpacking on easy targets.

Also you can find little info in another post.
Search.

Estimated friend:

I dont consider myself an expert in unpacking but have descompressed manually several schemes included ASprotect 1.23, Aspack, Armadillo 2.60 and others.

You say that there is no DEBBUGER detection for XP. What do you mean, that Drive Studio 2.7 wont be detected running in XP?
I have not tried that, in fact (BUT I WILL), because I use to debbug with SICE 4.05 under W98 that let me use FrogIce to detect antidebbuger code. Anyway it surprise me an egg.

You say that in XP it wont be unpacked either. So, what you suggest?

Grateful
mR_gANDALF

Eval:

Under Win2K with SICE 2.6 DS loaded, PELock exits quietly. Maybe not XP but definitely debugger detection on Win2K

Signed,
-- FoxThree

I checked it on XP.
It not uses INT1 or INT3 & other for detect NTICE.
It uses CraeteFileA > NTICE
But XP not gives right answer
So probably W2k gives right answer. Check it.

For W9x. It uses "silent" debugger detection;
In IDT it will check, if C0 is first byte in INT1 address.
So catch it here. Also for easy catching IDT access,
you can use IceDump with command
/protect on

Hey, Mister!

Why you think I WAS your friend ?:0

I tried aldo in XP...but nothing.

I will check that suggestions you give me.

Anyway I already Know how to trace this program and get the registration

Try if yoy want

http://www.quickmenubuilder.com/files/download.php3?Fichier=qmb.exe

Thank you... FRIENDS

Hi Reversers !!

Pelock is a very insteresting one !
I have rebuilded qmb and i have found some interesting things.
Perhaps everybody already knows that !!!

Before landing in code section memory (EOP) some target opcode have been executed.
(QMB : 5 instructions or 12 bytes 5133a8 isn't right EOP).
Be carefull to found real EOP. Then you have to dump process and paste these bytes.

Rebuild IT (There is garbages bytes between thunks.)

More difficult : There is some parts of code decrypted at runtime.
You have to decrypt it and jump over recrypt call.

After that you can rebuild a clean exe

Regards

SV

I have tried with /protect on and it is a childs game to avoid debbuger detection.

In fact I am newbie :-(

Anyway with TRW2000 loading after the program you can trace the registration code and its easy to find the registration serial. There is no obfuscation at all. Also with SICE /protect on.

Another question is how to find the oep. I have tried with bpr but it seems it never comes the oep. Also with getprocaddress, but there are almost 40 calls to this before the program runs.

How do you get this oep?

Believe me,

It reaches the oep, a quick manner ?? just trace till you fall a sleep...yes it took me some time.
Use tracex command 400000 500000 and you'll will break a looot of times.
If you once know where it crypts and decrypts you can easily bpx
there.
Just finished my imports resolver for this (1 entry unresolved)

SpeKK

Pffff,

Yep costed some time to decrypt "all"without executing the main
prog.
After that patched all those re-crypting stuff and rebuilded
the imports.
My thanks to s.v for giving some insight !

But finally rebuilded pelock..

SpeKK.

(Alex, you must study this protection...)

Ouch

quick menu builder

Looks that this is done with an earlier version (less decryption)
the rest is the same..

Oep>uncrypt all>dump>rebuild iat>patch all high calls >done.

sv : oep 5133a8... ...(just pushed the right value in eax and no prob.)

Ciao,\

SpeKK

Hi Spekk

Yes it may works, but some other target not !
Here is code executed in Pelock memory before landing 'EOP'.

.0051339C: 55 push ebp
.0051339D: 8BEC mov ebp,esp
.0051339F: 83C4F4 add esp,-00C
.005133A2: 53 push ebx
.005133A3: B8C42F5100 mov eax,000512FC4

Here there is nothing really needed other than eax value !

Regards

SV

Thank you very much for your replies.

Do you know where can I download any tutorial about descompresing a target protected with PELock?

Thanks

a tut.....

Here is Win2K notepad.exe protected with PeLock1.04 until I get my notes together on full 'PeLock1.04 demo' unpacking


As it's std Notepad.exe u know OEiP is...... IAT is .........

Look out for 'fake OEiP' entry
See IAT redirection takes some 1st section of api call
no 'decryption/encrypton' markers tho.....
size is 0 for dumping......etc etc

good old notepad.exe .... best unpackers tool around

BTW get the PElock demo NOW......

holy missing target batman.....