I need help with tELock


Nebob
November 17th, 2002, 03:05
I'm working with an application packed with tE, and I'm not having much luck dumping it properly. Here's what I've done:

Used procdump to dump the image. Segments still encrypted at this point.

Attach ollydbg to the app and dump memory for each of the segments. These are not encrypted, but they may be obfuscated like the IAT redirection and padding.

Use procdump to replace encrypted segments in image with decrypted dumps from ollydbg, then rename the segments from PCGW32 to .text, .data, etc.

My question is, what should I do now to get this working? The tE version used appears to be an internal one, because tE unpackers can't deal with it.

Also, I have two code segments and two data segments. How do I go about rejoining these?

Any help you can give me is greatly appreciated.

esther
November 17th, 2002, 04:48
First, you didn't try executable tools to verify the protection.
Second, you didn't bother to search the web.
Third, you didn't read the FAQ.
Fourth, you didn't even bother to search the threads in this forum.
Fifth, you didn't show more effort and post some code here.

It's packed with PCGuard....

evaluator
November 17th, 2002, 12:41
1. upgrade your tools: procdump -> LORDPE
2. you NEED to learn & use the tool: DEBUGGER
3. Show a little of the protector's start code.. (can you?)

**
esther, [you WILL go insane]..

esther
November 17th, 2002, 17:10
I am insane

Nebob
November 17th, 2002, 17:36
Quote:
Originally posted by esther
First, you didn't try executable tools to verify the protection.
Second, you didn't bother to search the web.
Third, you didn't read the FAQ.
Fourth, you didn't even bother to search the threads in this forum.
Fifth, you didn't show more effort and post some code here.

It's packed with PCGuard....


I realize my post was not thorough enough. I apologize.

(1) Yes, I did try PE-Scan 3.31. It told me the compressor is tELock 0.98 with 100% certainty. Look:

http://members.rogers.com/nbozovic/pescan.gif

(2) I indeed did search both these forums and the web. Of the four unpackers I found, one claimed to work with .98; that one didn't work under XP, so I installed 98 using VirtualPC to try it out. When I try to use it, it simply reboots the machine. I think this is probably tELock's mutex protection. The main site I saw mentioned with tELock unpacking tutorials is "discompress.com", which won't load for me (down?)

(3) Yes, you're right I did miss the FAQ, and fail to post code, something I should not have done.

Quote:

1. upgrade your tools: procdump -> LORDPE
2. you NEED to learn & use the tool: DEBUGGER
3. Show a little of the protector's start code.. (can you?)


I did stumble across LordPE while searching for a solution last night. When I used it to dump the program, it basically achieved the three steps I had done, automatically. The executable still wouldn't run.

In the compressed executable, we have:

Code:

.PCGW32:005BDBD6
.PCGW32:005BDBD6 public start
.PCGW32:005BDBD6 start:
.PCGW32:005BDBD6 jmp loc_0_5BC000


then

Code:

.PCGW32:005BC000 loc_0_5BC000: ; CODE XREF: .PCGW32:005BDBD6j
.PCGW32:005BC000 nop
.PCGW32:005BC001 pusha
.PCGW32:005BC002 call near ptr loc_0_5BC007+2
.PCGW32:005BC007
.PCGW32:005BC007 loc_0_5BC007: ; CODE XREF: .PCGW32:005BC002p
.PCGW32:005BC007 call near ptr 5CA80Ch


That call is outside the compressed codesegment, clearly meant for runtime.

In my semi-uncompressed exe, we have startup code that looks like this:

Code:

.idata:005BDBD6 public start
.idata:005BDBD6 start proc near
.idata:005BDBD6 jmp loc_0_5BC000
.idata:005BDBD6 start endp


followed by:

Code:

.idata:005BC000 loc_0_5BC000: ; CODE XREF: startj
.idata:005BC000 jmp loc_0_41B630


^^ This is at the beginning of the imports segment. Following it are a couple of hundred bytes of zeroes, then what I assume is the actual imports data. From there we jump to the actual program.

Code:

.text:0041B630 loc_0_41B630: ; CODE XREF: .idata:005BC000j
.text:0041B630 push ebp
.text:0041B631 mov ebp, esp
.text:0041B633 push 0FFFFFFFFh
.text:0041B635 push offset unk_0_4262D0
.text:0041B63A push offset sub_0_41A938
.text:0041B63F mov eax, large fs:0
.text:0041B645 push eax
.text:0041B646 mov large fs:0, esp
.text:0041B64D sub esp, 58h
.text:0041B650 push ebx
.
.
.


Obviously there are some unresolved references that IDA can't deal with here, most likely calls to GetSystemInfo and such.

I'm still learning (who isn't), so please take it easy with me

esther
November 17th, 2002, 17:53
Hi,

It's PCGuard, not tELock!
Search through the forums using this: PCGW32.
There is a tutorial on PCGuard written by BlackB:
http://www.woodmann.net/fravia/blackb_iris.html

1) You need to find the correct OEP. If you are using Win9x, try IceDump with the command /tracex.
2) Fix the IAT using ReVirgin or ImpREC.

Regards

evaluator
November 17th, 2002, 19:45
Hi! Nebob

It is TELOCK

***
esther, [you WILL go insane]..

evaluator
November 17th, 2002, 20:16
tElock unpacks the original ImportTable, redirects it & then strips it.
So if you can work with a debugger, try to catch the moment when the IT is unpacked & dump there.
You found the correct OEP. tE is a cool guy & keeps a "JUMP OEP" for us at the loader segment start.

Quick tutorial for tElock dumping:
1. Load the program in the debugger.
2. Type in the debugger:
"U VirtualFree"
3. Set a BPX on the 2nd-3rd instruction below "VirtualFree".
4. Each time the debugger breaks, dump the program.
5. In one of the dumps you will SURELY have the original ImportTable.
6. You need to determine the address & SIZE of the IT in the dump & enter it in LordPE.
7. The OEP you can determine from the JUMP instruction at the loader section start in the image dumped from the running task.
8. LordPE usage: always use the "Correct Image Size" option before dumping.
I also attached a screenshot of the Options > Rebuilder settings I always use.
You can use "dump full" (or "dump partial" & then Rebuilder).
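
Steps 6 and 7 above, and the "jmp OEP" Nebob found at the start of the renamed loader section, can be checked mechanically against a dump. The following Python is an added example, not code from this thread, from LordPE or from tElock: it builds a constructed PE32 image in the shape the thread describes (packer stub at AddressOfEntryPoint, loader section starting with a 5-byte `jmp rel32` to the OEP, original import descriptors in `.idata`), decodes that jmp to recover the OEP, scans the image for the original IMAGE_IMPORT_DESCRIPTOR array to get the address and size you would type into LordPE, and writes both into the header. Section names, RVAs, DLL names and IAT contents are assumptions for the sample; the descriptor scan is a heuristic over the standard structure, not knowledge of the packer's real layout.

```python
import struct

# Constructed sample, not from the thread: a minimal PE32 image laid out as a
# memory dump (sections at their RVAs, no file alignment), mimicking the layout
# Nebob describes. All names and addresses are assumptions.
IMAGE_BASE = 0x00400000
SIZE_OF_IMAGE = 0x4000
SECTIONS = [(b".text", 0x1000, 0x1000), (b".idata", 0x2000, 0x1000), (b".PCGW32", 0x3000, 0x1000)]


def build_sample_dump():
    """Packer stub at the entry point jumps to the loader section start, which
    (in a dump taken late enough) holds 'jmp OEP'. Imports sit in .idata."""
    img = bytearray(SIZE_OF_IMAGE)
    e_lfanew = 0x80
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    opt = bytearray(0xE0)                              # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)              # Magic
    struct.pack_into("<I", opt, 16, 0x3BD6)            # AddressOfEntryPoint: packer stub
    struct.pack_into("<I", opt, 28, IMAGE_BASE)
    struct.pack_into("<II", opt, 32, 0x1000, 0x1000)   # SectionAlignment, FileAlignment
    struct.pack_into("<I", opt, 56, SIZE_OF_IMAGE)
    struct.pack_into("<I", opt, 92, 16)                # NumberOfRvaAndSizes
    nt = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(SECTIONS), 0, 0, 0, len(opt), 0x102) + bytes(opt)
    for name, rva, size in SECTIONS:
        nt += struct.pack("<8sIIIIIIHHI", name, size, rva, size, rva, 0, 0, 0, 0, 0xE0000020)
    img[e_lfanew:e_lfanew + len(nt)] = nt
    img[0x1630:0x1635] = b"\x55\x8B\xEC\x6A\xFF"       # OEP: push ebp / mov ebp,esp / push -1
    img[0x2200:0x220D] = b"KERNEL32.dll\0"
    img[0x2210:0x221B] = b"USER32.dll\0"
    # two IMAGE_IMPORT_DESCRIPTORs (OFT, TimeDateStamp, ForwarderChain, Name, FirstThunk), then a null entry
    struct.pack_into("<IIIII", img, 0x2100, 0, 0, 0, 0x2200, 0x2300)
    struct.pack_into("<IIIII", img, 0x2114, 0, 0, 0, 0x2210, 0x2310)
    struct.pack_into("<I", img, 0x2300, 0x77E10000)    # resolved IAT slots (made-up addresses)
    struct.pack_into("<I", img, 0x2310, 0x77D20000)
    img[0x3BD6:0x3BDB] = b"\xE9" + struct.pack("<i", 0x3000 - 0x3BDB)  # stub: jmp loader section start
    img[0x3000:0x3005] = b"\xE9" + struct.pack("<i", 0x1630 - 0x3005)  # loader start: jmp OEP
    return bytes(img)


def parse_pe(img):
    """Read what a dump tool shows: entry point, import directory, section table."""
    e_lfanew = struct.unpack_from("<I", img, 0x3C)[0]
    if img[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", img, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", img, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    entry = struct.unpack_from("<I", img, opt + 16)[0]
    imp_rva, imp_size = struct.unpack_from("<II", img, opt + 104)   # DataDirectory[1] = imports
    sections = []
    for i in range(nsec):
        name, vsize, va = struct.unpack_from("<8sII", img, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), va, vsize))
    return {"opt_off": opt, "entry_point": entry, "import_dir": (imp_rva, imp_size), "sections": sections}


def section_of(pe, rva):
    for name, va, vsize in pe["sections"]:
        if va <= rva < va + vsize:
            return name, va, vsize
    raise ValueError("RVA %#x is outside every section" % rva)


def find_oep(img):
    """Step 7: the section holding AddressOfEntryPoint is the loader section; its
    first instruction is 'jmp rel32' (E9) and the jump target is the OEP."""
    pe = parse_pe(img)
    _, sec_start, _ = section_of(pe, pe["entry_point"])
    if img[sec_start] != 0xE9:
        raise ValueError("no jmp rel32 at loader section start; dump taken too early?")
    rel = struct.unpack_from("<i", img, sec_start + 1)[0]
    return sec_start + 5 + rel


def _looks_like_dll_name(img, rva):
    if not 0 < rva < len(img):
        return False
    end = img.find(b"\0", rva, rva + 64)
    s = img[rva:end] if end != -1 else b""
    return bool(s) and s.lower().endswith((b".dll", b".drv")) and all(0x20 < c < 0x7F for c in s)


def find_import_table(img):
    """Step 6: heuristic scan for the original IMAGE_IMPORT_DESCRIPTOR array.
    Returns (RVA, size) counting the null terminator, i.e. what LordPE expects."""
    best, rva = (0, 0), 0
    while rva + 20 <= len(img):
        count = 0
        while rva + 20 * (count + 1) <= len(img):
            _oft, _ts, _fwd, name, ft = struct.unpack_from("<IIIII", img, rva + 20 * count)
            if not (_looks_like_dll_name(img, name) and 0 < ft < len(img)):
                break
            count += 1
        if count:
            if img[rva + 20 * count: rva + 20 * count + 20] == b"\0" * 20 and 20 * count + 20 > best[1]:
                best = (rva, 20 * count + 20)
            rva += 20 * count
        else:
            rva += 4
    return best


def rebuild_header(img, oep_rva, it_rva, it_size):
    """The values entered in LordPE: new AddressOfEntryPoint and import directory."""
    pe = parse_pe(img)
    out = bytearray(img)
    struct.pack_into("<I", out, pe["opt_off"] + 16, oep_rva)
    struct.pack_into("<II", out, pe["opt_off"] + 104, it_rva, it_size)
    return bytes(out)


if __name__ == "__main__":
    dump = build_sample_dump()
    oep = find_oep(dump)
    it_rva, it_size = find_import_table(dump)
    print("OEP RVA %#x (VA %#x)" % (oep, IMAGE_BASE + oep))
    print("ImportTable RVA %#x size %#x" % (it_rva, it_size))
    fixed = parse_pe(rebuild_header(dump, oep, it_rva, it_size))
    print("header now: entry %#x, imports %s" % (fixed["entry_point"], fixed["import_dir"]))
```

To use it on a real dump, replace `build_sample_dump()` with the bytes of the LordPE dump file. The scan only succeeds while the DLL name strings and a null-terminated descriptor array are still present, which is exactly the condition step 5 is waiting for: a dump taken after the loader has stripped the table returns `(0, 0)`, and a dump taken before the loader has written its `jmp OEP` makes `find_oep` raise.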

Nebob
November 17th, 2002, 20:44
edit: n/m all that

Thanks for your time, I'm going to play around with this some more...