I need help with tELock [Archive] - RCE Messageboard's Regroupment

View Full Version : I need help with tELock

Nebob

November 17th, 2002, 03:05

I'm working with an application packed with tE, and I'm not having much luck dumping it properly. Here's what I've done:

Used procdump to dump the image. Segments still encrypted at this point.

Attach ollydbg to the app and dump memory for each of the segments. These are not encrypted, but they may be obfuscated like the IAT redirection and padding.

Use procdump to replace encrypted segments in image with decrypted dumps from ollydbg, then rename the segments from PCGW32 to .text, .data, etc.

My question is, what should I do now to get this working? The tE version used appears to be an internal one, because tE unpackers can't deal with it.

Also, I have two code segments and two data segments. How do I go about rejoining these?

Any help you can give me is greatly appreciated.

esther

November 17th, 2002, 04:48

First you didn't try executable tools to verify the proctection.
Second You didn't bother ot search the web.
Third you didn't read the FAQ.
Fourth you don't even bother to search the threads in this forum.
Fifth you didn't show more effort and post some codes here

Its packed with Pcguard....

evaluator

November 17th, 2002, 12:41

1. upgrade your tools: procdump -> LORDPE
2. you NEEED to learn&use tool: DEBUGGER
3. Show little start code of protector.. (can you?)

**
esther, [you WILL insane]..

esther

November 17th, 2002, 17:10

I am insane

Nebob

November 17th, 2002, 17:36

Quote:

Originally posted by esther
First you didn't try executable tools to verify the proctection.
Second You didn't bother ot search the web.
Third you didn't read the FAQ.
Fourth you don't even bother to search the threads in this forum.
Fifth you didn't show more effort and post some codes here

Its packed with Pcguard....

I realize my post was not thorough enough. I apologize.

(1) Yes, I did try PE-Scan 3.31. It told me the compressor is tELock 0.98 with 100% certainty. Look:

http://members.rogers.com/nbozovic/pescan.gif

(2) I indeed did search both these forums and the web. Of the four unpackers I found, one claimed to work with .98; that one didn't work under XP, so I installed 98 using VirtualPC to try it out. When I try to use it, it simply reboots the machine. I think this is probably tELock's mutex protection. The main site I saw mentioned with tELock unpacking tutorials is "discompress.com", which won't load for me (down?)

(3) Yes, you're right I did miss the FAQ, and fail to post code, something I should not have done.

Quote:

1. upgrade your tools: procdump -> LORDPE
2. you NEEED to learn&use tool: DEBUGGER
3. Show little start code of protector.. (can you?)

I did stumble across LordPE while searching for a solution last night. When I used it to dump the program, it basically achieved the three steps I had done, automatically. The executable still wouldn't run.

In the compressed executable, we have:

Code:



.PCGW32:005BDBD6 

.PCGW32:005BDBD6                 public start

.PCGW32:005BDBD6 start:

.PCGW32:005BDBD6                 jmp     loc_0_5BC000

then

Code:



.PCGW32:005BC000 loc_0_5BC000:                           ; CODE XREF: .PCGW32:005BDBD6j

.PCGW32:005BC000                 nop

.PCGW32:005BC001                 pusha

.PCGW32:005BC002                 call    near ptr loc_0_5BC007+2

.PCGW32:005BC007 

.PCGW32:005BC007 loc_0_5BC007:                           ; CODE XREF: .PCGW32:005BC002p

.PCGW32:005BC007                 call    near ptr 5CA80Ch

That call is outside the compressed codesegment, clearly meant for runtime.

In my semi-uncompressed exe, we have startup code that looks like this:

Code:



.idata:005BDBD6                 public start

.idata:005BDBD6 start           proc near

.idata:005BDBD6                 jmp     loc_0_5BC000

.idata:005BDBD6 start           endp

followed by:

Code:



.idata:005BC000 loc_0_5BC000:                           ; CODE XREF: startj

.idata:005BC000                 jmp     loc_0_41B630

^^ This is at the beginning of the imports segment. Following it are a couple of hundred bytes of zeroes, then what I assume is the actual imports data. From there we jump to the actual program.

Code:



.text:0041B630 loc_0_41B630:                           ; CODE XREF: .idata:005BC000j

.text:0041B630                 push    ebp

.text:0041B631                 mov     ebp, esp

.text:0041B633                 push    0FFFFFFFFh

.text:0041B635                 push    offset unk_0_4262D0

.text:0041B63A                 push    offset sub_0_41A938

.text:0041B63F                 mov     eax, large fs:0

.text:0041B645                 push    eax

.text:0041B646                 mov     large fs:0, esp

.text:0041B64D                 sub     esp, 58h

.text:0041B650                 push    ebx

                                 .

                                 .

                                 .

Obviously there are some unresolved references that IDA can't deal with here, most likely calls to GetSystemInfo and such.

I'm still learning (who isn't), so please take it easy with me

esther

November 17th, 2002, 17:53

Hi,

It's pcguard not telock!
Search through the forums using this PCGW32.
There is a tutorial on this pcguard written by BlackB
http://www.woodmann.net/fravia/blackb_iris.html

1)You need to find correct the OEP.If you are sung win9x try icedump with this command /tracex.
2)Fix the IAT using Revirgin or Imprec

Regards

evaluator

November 17th, 2002, 19:45

Hi! Nebob

It is TELOCK

***
esther, [you WILL insane]..

evaluator

November 17th, 2002, 20:16

tElock unpacks original ImportTable, redirects & than strips.
So if you can work with debugger, try catch moment, when IT unpacked & dump there.
You found correct OEP. tE is cool guy & keeps for us "JUMP OEP" at loader segment start

Quick tutor for tElock dumping:
1. Load program in debugger
2. tape in debugger:
"U VirtualFree"
3. set BPX on 2-3 instruction below "VirtualFree"
4. each time debugger breaks, dump prog.
5. in one dump SURE you will have original ImportTable.
6. you need to determine in dump Address & SIZE of IT & enter it in LordPE.
7. OEP you can determine by JUMP instruction at loader section start in dumped image from running task.
8. LordpPE using: Always use "Correct Image Size" option before dumping.
Also I attached screen for Options>Rebuilder I always use.
You can use "dump full" (or "dump partial" & then Rebuilder).

Nebob

November 17th, 2002, 20:44

edit: n/m all that

Thanks for your time, I'm going to play around with this some more...