Nebob
November 17th, 2002, 17:36
Quote:
Originally posted by esther
First you didn't try executable tools to verify the protection.
Second you didn't bother to search the web.
Third you didn't read the FAQ.
Fourth you didn't even bother to search the threads in this forum.
Fifth you didn't show more effort and post some code here.
It's packed with PCGuard....
I realize my post was not thorough enough. I apologize.
(1) Yes, I did try PE-Scan 3.31. It told me the compressor is tELock 0.98 with 100% certainty. Look:
http://members.rogers.com/nbozovic/pescan.gif
(2) I indeed did search both these forums and the web. Of the four unpackers I found, one claimed to work with .98; that one didn't work under XP, so I installed 98 using VirtualPC to try it out. When I try to use it, it simply reboots the machine. I think this is probably tELock's mutex protection. The main site I saw mentioned with tELock unpacking tutorials is "discompress.com", which won't load for me (down?)
(3) Yes, you're right, I did miss the FAQ and failed to post code, something I should not have done.
Quote:
1. upgrade your tools: procdump -> LordPE
2. you NEED to learn & use tool: DEBUGGER
3. Show little start code of protector.. (can you?)
I did stumble across LordPE while searching for a solution last night. When I used it to dump the program, it basically achieved the three steps I had done, automatically. The executable still wouldn't run.
In the compressed executable, we have:
Code:
.PCGW32:005BDBD6
.PCGW32:005BDBD6 public start
.PCGW32:005BDBD6 start:
.PCGW32:005BDBD6 jmp loc_0_5BC000
then
Code:
.PCGW32:005BC000 loc_0_5BC000: ; CODE XREF: .PCGW32:005BDBD6j
.PCGW32:005BC000 nop
.PCGW32:005BC001 pusha
.PCGW32:005BC002 call near ptr loc_0_5BC007+2
.PCGW32:005BC007
.PCGW32:005BC007 loc_0_5BC007: ; CODE XREF: .PCGW32:005BC002p
.PCGW32:005BC007 call near ptr 5CA80Ch
That call is outside the compressed code segment, clearly meant for runtime.
In my semi-uncompressed exe, we have startup code that looks like this:
Code:
.idata:005BDBD6 public start
.idata:005BDBD6 start proc near
.idata:005BDBD6 jmp loc_0_5BC000
.idata:005BDBD6 start endp
followed by:
Code:
.idata:005BC000 loc_0_5BC000: ; CODE XREF: startj
.idata:005BC000 jmp loc_0_41B630
^^ This is at the beginning of the imports segment. Following it are a couple of hundred bytes of zeroes, then what I assume is the actual imports data. From there we jump to the actual program.
Code:
.text:0041B630 loc_0_41B630: ; CODE XREF: .idata:005BC000j
.text:0041B630 push ebp
.text:0041B631 mov ebp, esp
.text:0041B633 push 0FFFFFFFFh
.text:0041B635 push offset unk_0_4262D0
.text:0041B63A push offset sub_0_41A938
.text:0041B63F mov eax, large fs:0
.text:0041B645 push eax
.text:0041B646 mov large fs:0, esp
.text:0041B64D sub esp, 58h
.text:0041B650 push ebx
.
.
.
Obviously there are some unresolved references that IDA can't deal with here, most likely calls to GetSystemInfo and such.
I'm still learning (who isn't), so please take it easy with me.
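The listings above show the packed entry point sitting in a non-standard section (.PCGW32 at 005BDBD6) and the dumped binary's entry jumping back into .text at 0041B630. That "where does the entry point live" question is a standard triage check analysts run before deciding whether a binary is packed. The following is an added example, not code from the post or from any tool mentioned in it: a dependency-free PE header walker that reports which section contains AddressOfEntryPoint and flags the usual packed-binary indicators (non-standard section name, writable+executable entry section, entry in the last section). The two sample images are constructed inline from synthetic headers only; their section names, sizes and characteristics are assumptions chosen to mirror the addresses in the post, not data from a real file.

```python
import struct

# Section characteristics flags from the PE specification
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Section names a linker normally emits for the entry point (assumption: this list is a heuristic, not exhaustive)
STANDARD_CODE_SECTIONS = {".text", "CODE"}

SECTION_HDR_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def build_sample_pe(entry_rva, image_base, sections):
    """Construct a minimal PE32 image consisting of headers only (constructed test data).

    sections: list of (name, virtual_address, virtual_size, characteristics).
    """
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    size_of_optional = 224  # fixed size of a PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, size_of_optional, 0x102)
    # Optional header prefix: Magic, linker versions, sizes, AddressOfEntryPoint (offset 16),
    # BaseOfCode, BaseOfData, ImageBase (offset 28); the rest is zero-padded.
    opt = struct.pack("<HBBIIIIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva, 0, 0, image_base)
    opt += b"\0" * (size_of_optional - len(opt))
    hdrs = b"".join(
        struct.pack(SECTION_HDR_FMT, name.encode().ljust(8, b"\0"), vsize, va, 0, 0, 0, 0, 0, 0, chars)
        for name, va, vsize, chars in sections
    )
    return dos + b"PE\0\0" + coff + opt + hdrs


def parse_pe_headers(data):
    """Return (entry_rva, image_base, [(name, va, vsize, characteristics), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff_off + 2)[0]
    size_of_optional = struct.unpack_from("<H", data, coff_off + 16)[0]
    opt_off = coff_off + 20
    entry_rva = struct.unpack_from("<I", data, opt_off + 16)[0]
    image_base = struct.unpack_from("<I", data, opt_off + 28)[0]
    sec_off = opt_off + size_of_optional
    sections = []
    for i in range(num_sections):
        fields = struct.unpack_from(SECTION_HDR_FMT, data, sec_off + 40 * i)
        name = fields[0].rstrip(b"\0").decode("ascii", errors="replace")
        sections.append((name, fields[2], fields[1], fields[9]))
    return entry_rva, image_base, sections


def entry_point_triage(data):
    """Locate the section holding the entry point and list packed-binary indicators."""
    entry_rva, image_base, sections = parse_pe_headers(data)
    result = {"entry_va": image_base + entry_rva, "section": None, "findings": []}
    for idx, (name, va, vsize, chars) in enumerate(sections):
        if va <= entry_rva < va + vsize:
            result["section"] = name
            if name not in STANDARD_CODE_SECTIONS:
                result["findings"].append(f"entry point in non-standard section {name!r}")
            if chars & IMAGE_SCN_MEM_WRITE and chars & IMAGE_SCN_MEM_EXECUTE:
                result["findings"].append("entry section is writable and executable")
            if idx == len(sections) - 1 and len(sections) > 1:
                result["findings"].append("entry point in last section (typical of appended stubs)")
            return result
    result["findings"].append("entry point lies outside every section")
    return result


RX_CODE = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
RWX_CODE = RX_CODE | IMAGE_SCN_MEM_WRITE
RW_DATA = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE

# Constructed sample mirroring the post: entry 005BDBD6 inside a .PCGW32 stub section (image base 00400000)
PACKED_SAMPLE = build_sample_pe(0x1BDBD6, 0x400000, [
    (".text", 0x1000, 0x30000, RX_CODE),
    (".data", 0x31000, 0x100000, RW_DATA),
    (".PCGW32", 0x1BC000, 0x2000, RWX_CODE),
])
# Constructed sample mirroring the dumped binary: entry 0041B630 back inside .text
UNPACKED_SAMPLE = build_sample_pe(0x1B630, 0x400000, [
    (".text", 0x1000, 0x30000, RX_CODE),
    (".data", 0x31000, 0x100000, RW_DATA),
    (".idata", 0x1BC000, 0x2000, RW_DATA),
])

if __name__ == "__main__":
    for label, image in (("packed", PACKED_SAMPLE), ("unpacked", UNPACKED_SAMPLE)):
        r = entry_point_triage(image)
        print(f"{label}: entry {r['entry_va']:08X} in {r['section']}, findings: {r['findings'] or 'none'}")
```

The check is deliberately header-only, so it runs on a file that will not execute and needs no disassembler; in practice it is one input to a packer verdict alongside a signature scanner such as the PE-Scan result mentioned above, since a legitimately linked binary can also use an unusual section name.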
