mR_gANDALF
October 21st, 2002, 22:49
I'm trying with the latest PELock protection scheme, which has the following difficulties:
- Doesn't allow any debugger to run (SICE, TRW, Olly)
- With FrogIce I saw it makes 3 attempts to detect SICE (without it running): first a Code 2 (see frogice.txt) and then 2 MeltIce.
- Tracing through the Code 2 zone I saw it executes a HLT instruction (in the example in FrogIce.txt there is an INT3 instead) and then gives control to the VMM. After that the program hangs and you can't restart it. I've been looking for that Code 2 anti-debugging detection but found nothing.
Excuse me for my bad English.
Does anybody have a clue about this?
Thanks
mR_gANDALF
evaluator
October 22nd, 2002, 13:15
for info:
PELock has absolutely NO debugger detection against XP (W2k).
So you can try unpacking there, and you will fail there too!
Because I see you are a newbie in unpacking.
So I recommend to you: learn unpacking on easy targets.
Also you can find a little info in another post.
Search.
mR_gANDALF
October 22nd, 2002, 21:45
Dear friend:
I don't consider myself an expert in unpacking, but I have manually decompressed several schemes including ASProtect 1.23, ASPack, Armadillo 2.60 and others.
You say that there is no DEBUGGER detection for XP. What do you mean, that Driver Studio 2.7 won't be detected running in XP?
I have not tried that, in fact (BUT I WILL), because I usually debug with SICE 4.05 under W98, which lets me use FrogIce to detect anti-debugger code. Anyway, it surprises me a lot.
You say that in XP it won't be unpacked either. So, what do you suggest?
Grateful
mR_gANDALF
foxthree
October 22nd, 2002, 22:58
Eval:
Under Win2K with SICE 2.6 DS loaded, PELock exits quietly. Maybe not XP, but definitely debugger detection on Win2K.
Signed,
-- FoxThree
evaluator
October 23rd, 2002, 20:35
I checked it on XP.
It does not use INT1 or INT3 & others to detect NTICE.
It uses CreateFileA > NTICE
But XP does not give the right answer.

So probably W2k gives right answer. Check it.
For W9x it uses "silent" debugger detection:
In the IDT it will check if C0 is the first byte at the INT1 address.
So catch it there. Also, for easy catching of IDT access,
you can use IceDump with the command
/protect on
Hey, Mister!
Why do you think I WAS your friend? :0
mR_gANDALF
October 24th, 2002, 18:10
I tried also in XP... but nothing.
I will check the suggestions you gave me.
Anyway, I already know how to trace this program and get the registration.
Try it if you want:
http://www.quickmenubuilder.com/files/download.php3?Fichier=qmb.exe
Thank you... FRIENDS
sv
October 25th, 2002, 10:50
Hi Reversers !!
PELock is a very interesting one!
I have rebuilt qmb and I have found some interesting things.
Perhaps everybody already knows that!!!
Before landing in code section memory (EOP) some target opcodes have been executed.
(QMB: 5 instructions or 12 bytes; 5133a8 isn't the right EOP.)
Be careful to find the real EOP. Then you have to dump the process and paste these bytes.
Rebuild it (there are garbage bytes between thunks).
More difficult: there are some parts of code decrypted at runtime.
You have to decrypt them and jump over the recrypt call.
After that you can rebuild a clean exe.
Regards
SV
mR_gANDALF
October 25th, 2002, 23:11
I have tried with /protect on and it is a child's game to avoid the debugger detection.
In fact I am a newbie :-(
Anyway, with TRW2000 loaded after the program, you can trace the registration code and it's easy to find the registration serial. There is no obfuscation at all. Also with SICE /protect on.
Another question is how to find the OEP. I have tried with bpr but it seems it never reaches the OEP. Also with GetProcAddress, but there are almost 40 calls to this before the program runs.
How do you get this OEP?
SpeKKeL
October 26th, 2002, 16:56
Believe me,
It reaches the OEP. A quick manner?? Just trace till you fall asleep... yes, it took me some time.
Use the tracex command 400000 500000 and you will break a lot of times.
If you once know where it crypts and decrypts you can easily bpx
there.
Just finished my imports resolver for this (1 entry unresolved).
SpeKK
SpeKKeL
October 31st, 2002, 17:04
Pffff,
Yep, it cost some time to decrypt "all" without executing the main
prog.
After that I patched all that re-crypting stuff and rebuilt
the imports.
My thanks to s.v for giving some insight!
But finally rebuilt PELock..
SpeKK.
(Alex, you must study this protection...)

Kayaker
October 31st, 2002, 17:30
Quote:
Originally posted by SpeKKeL
(Alex, you must study this protection...)
Ouch

SpeKKeL
November 4th, 2002, 15:18
quick menu builder
Looks like this is done with an earlier version (less decryption);
the rest is the same..
OEP > uncrypt all > dump > rebuild IAT > patch all high calls > done.
sv: OEP 5133a8...

...(just pushed the right value in eax and no problem.)
Ciao,
SpeKK
sv
November 5th, 2002, 09:29
Hi Spekk
Yes, it may work, but on some other targets it won't!
Here is the code executed in PELock memory before landing at the 'EOP'.
.0051339C: 55 push ebp
.0051339D: 8BEC mov ebp,esp
.0051339F: 83C4F4 add esp,-00C
.005133A2: 53 push ebx
.005133A3: B8C42F5100 mov eax,000512FC4
Here there is nothing really needed other than the eax value!
Regards
SV
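The "stolen bytes" repair sv and SpeKKeL describe (the 12 bytes from 0051339C that the packer executes in its own memory before landing at 5133A8) as an added Python example, not code from the thread or from any PELock tool. It reassembles the five listed instructions from their hex, pastes them back in front of the fake entry point in a dumped image, and returns the real entry RVA; the all-zero dump and the single 1:1-mapped section table are constructed stand-ins.

```python
import struct

IMAGE_BASE = 0x400000
REAL_OEP_VA = 0x51339C   # first stolen instruction (push ebp) from sv's listing
FAKE_OEP_VA = 0x5133A8   # where execution lands after the stolen bytes ran
# The stolen instructions, byte-for-byte as listed in the thread.
STOLEN = bytes.fromhex(
    "55"          # push ebp
    "8BEC"        # mov ebp,esp
    "83C4F4"      # add esp,-0xC   (imm8 F4 sign-extends to -12)
    "53"          # push ebx
    "B8C42F5100"  # mov eax,0x512FC4 (little-endian imm32)
)
# Constructed section table: (name, virtual address, raw offset, raw size);
# a process dump is usually mapped 1:1, so raw == virtual here.
SECTIONS = [(".text", 0x1000, 0x1000, 0x200000)]

def va_to_offset(va, sections=SECTIONS, base=IMAGE_BASE):
    """Translate a virtual address to a file offset using the section table."""
    rva = va - base
    for _, vaddr, raw, size in sections:
        if vaddr <= rva < vaddr + size:
            return raw + (rva - vaddr)
    raise ValueError(f"VA {va:#x} is not inside any section")

def mov_eax_imm(stolen=STOLEN):
    """Decode the imm32 of the trailing 'mov eax,imm32' (opcode B8)."""
    idx = stolen.rindex(b"\xB8")
    return struct.unpack_from("<I", stolen, idx + 1)[0]

def restore_stolen_bytes(dump, stolen=STOLEN, real_oep=REAL_OEP_VA, fake_oep=FAKE_OEP_VA):
    """Paste the stolen bytes in front of the fake OEP; return (patched dump, new entry RVA)."""
    if fake_oep - real_oep != len(stolen):
        raise ValueError("stolen-byte length does not match the gap before the fake OEP")
    off = va_to_offset(real_oep)
    patched = bytearray(dump)
    patched[off:off + len(stolen)] = stolen
    return bytes(patched), real_oep - IMAGE_BASE

if __name__ == "__main__":
    dump = bytes(0x1000 + 0x200000)  # constructed all-zero dump stand-in
    fixed, oep_rva = restore_stolen_bytes(dump)
    print(f"new AddressOfEntryPoint RVA: {oep_rva:#x}; eax loaded with {mov_eax_imm():#x}")
```

The returned RVA is what goes into AddressOfEntryPoint of the rebuilt exe; SpeKKeL's shortcut of keeping 5133A8 and pre-loading eax works only because nothing else in these 12 bytes matters on this target.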
mR_gANDALF
November 9th, 2002, 23:34
Thank you very much for your replies.
Do you know where I can download any tutorial about decompressing a target protected with PELock?
Thanks
+SplAj
November 10th, 2002, 17:22
a tut.....
Here is Win2K notepad.exe protected with PELock 1.04, until I get my notes together on full 'PELock 1.04 demo' unpacking.
As it's standard Notepad.exe you know the OEiP is...... the IAT is .........
Look out for the 'fake OEiP' entry.
See how IAT redirection takes some of the 1st section of the API call;
no 'decryption/encryption' markers though.....
size is 0 for dumping......etc etc
good old notepad.exe .... best unpacker's tool around
BTW get the PELock demo NOW......
+SplAj
November 10th, 2002, 17:24
holy missing target batman.....