tElock 0.98b1 -> tE! Unpack Problem


evn
January 7th, 2004, 09:17
PEiD tells me that the target is (definitely) "tElock 0.98b1 -> tE!", and as such I have, for a while now, been trying to unpack it.

From what I've seen, it doesn't look like it is telock at all, and is a pain-in-the-ass to dump, and just as difficult to debug.

Before the unpacking code goes into play, the assembly looks like this:

Code:

00401000 06 DB 06
00401001 15 DB 15
00401002 43 DB 43 ; CHAR 'C'
00401003 33 DB 33 ; CHAR '3'
00401004 56 DB 56 ; CHAR 'V'
00401005 B9 DB B9
00401006 05 DB 05
00401007 05 DB 05
00401008 BC DB BC
00401009 F3 DB F3
0040100A 53 DB 53 ; CHAR 'S'


With scattered code throughout.


And once the unpacking is complete, it is completely replaced with working code and all strings and references are complete.

The entrypoint is: 11BD6

It has anti-debug, anti breakpoint and crc checking, which makes a lot of it a pain. When loading it in ollydbg, 2 'unpassable' commands are executed, which can be stepped into with the 'step into' command. The application then loads fine.

Dumping the file with ollydump (latest version has IAT rebuilding, not sure if it works with telock) leaves me with a corrupt PE file, which cannot be repaired with anything. I'm assuming that I have the OEP completely wrong, as without breakpoints I can't easily find it.

The checks for the CRC and Softice are executed after (non-original application) code has been unpacked, so patching is a huge problem here. Any patch that is applied is overwritten by the code itself, and any changes to the unpacking code cause problems with the entire application.

At the end of the (unpacked) application are hundreds of DB 00 lines, which I've searched for in an attempt to discover if the file is legitimately telock, which hit no results.

The question(s) I have are short, and the above information may help in answering them.

1) Does the file <look> like it is telock? I haven't had any experience with anything from 0.98+ and can't find any documentation which conclusively proves if it is or is not.

2) Is there a way to mask the exe protector used? i.e. make scanners detect asprotect as upx, or otherwise?

3) Are there any tools that detect anti-softice tricks that work with windows 2000? I checked and the only results were old tools for 9x systems.

4) Any suggestions as to how I would unpack telock 0.98b1 and rebuild the IAT? I read here that telock scrambles parts and they need to be repaired, but as of yet no tool has worked and that may be the reason my dumps are incomplete.

5) Are there any tools that can find the OEP of a packed executable (telock) without using softice? I can't skip the softice protection at this time so i can't use tools that require it.

Thanks in advance.

MaRKuS-DJM
January 7th, 2004, 09:46
hm... analysis of packed code is not good. Have you tried the OEP-finder from PEiD? And for imports, there's a plugin for tElock. Which program is it?

I attached it.

evn
January 7th, 2004, 10:28
Quote:

have you tried the OEP-finder from peid?


Never knew that existed. Thanks.

Just tried, no OEP found.

Quote:

and for imports, there's a plugin for telock.


What is this plugin for? PEiD doesn't load it, so ?

Quote:

which program is it?


I was under the impression that target specific questions were off limits, but eh, I'm not doing this to try to crack a program, merely to get a better understanding of how more advanced packing techniques function.

The application is @ hxxp://www.mousepad-d2.com

I'm trying to unpack the loader (d2maphack.exe) and not the dll that contains all of the functionality. I was referred to it because apparently the author claimed that it took him months to get it as secure as possible, and it sounded like a dare to me.

Also, the section names change on a per-version basis, so I'm thinking that maybe he is trying to (or has) masked the protection. PEiD always detects it as telock, though.

MaRKuS-DJM
January 7th, 2004, 10:38
oh sorry! that plugin is for ImportRec. forgot to say. should fix all imports.

evn
January 7th, 2004, 10:49
Tried the dll with imprec just after I posted, all I get is 'FAILED' repeatedly. Maybe I was right about this file not being telock.

EDIT: When using trace level 3, without the telock dll, it successfully resolves some of the imports; others hang imprec, crash the application I'm scanning, and require you to restart the scan. If I understand correctly, telock files wouldn't resolve any without the dll?

MaRKuS-DJM
January 7th, 2004, 11:54
Quote:
[Originally Posted by evn] If I understand correctly, telock files wouldn't resolve any without the dll?


yes, you are right... but if this dll doesn't work... maybe it's a newer version of telock? retool also says it's telock. I tried to skip the window which says crc-error... but then it doesn't unpack

evn
January 7th, 2004, 12:15
I don't think it's telock at all, it might well be a homemade creation by the author and friends (who happen to know more than enough about cracking themselves).

I tried to step through the unpacking code but it gets painful after a few repetitions, seems like it writes its code on-the-fly, then jumps to the newly written code and overwrites the original, unpacking a few proper lines per pass. Even tracing it proved fruitless as the code changes so often that commenting an address is only valid *at that moment*. Commenting and reading through later just ends up with overwritten comments and only documentation of the final pass.

In the end I think every single line was changed at least once.

MaRKuS-DJM
January 7th, 2004, 12:19
I tried it for a long time and came to no result. If you change the code in olly (I tried to kill the message-box which shows the crc-error), the unpacking-routine completely changes (all red in olly) and it doesn't unpack correctly. I think this is a target for an unpacking-expert like britedream (exetools forum)

evn
January 7th, 2004, 19:49
I definitely set my sights higher than I could reach with this one. Guess I'll have to read up on it a bit more or find some ways to modify the code without corrupting the dependent algorithms.

Thanks for the help.

evaluator
January 8th, 2004, 15:39
well, guys, I downloaded d2maphack_61b.zip & EXEs are packed by tElock.
So, somewhere here I wrote an easy way for MANUAL dumping-unpacking tElock.
...
using automating-rebuilders doesn't upgrade your knowledge.
So I recommend you: learn how to do it all manually.
...
if you really need this prog unpacked (for better future of world),
I can do it for you.

evn
January 9th, 2004, 07:37
I tried following your 'easy' telock unpack method, but I didn't understand parts of it (might be my lack of competent debugger knowledge, or some dubious wording, I'm not sure).

Anyway, I managed to unpack it a lot easier than I first expected it to be.

Steps I took were:

1. Use ollydump to dump the file after the program had fully loaded.
2. Used imprec with the following settings:
- Create new IAT
- Level 3 (Dumb Mode)

This repaired the IAT to working condition.

4. Modified the OEP to a value that ollydbg broke on second (no bp's set).

Code:

00411BD6 > $^E9 25E4FFFF JMP d2maphac.00410000



All unpacked and runs fine.

I'm still not convinced this was a telock file, as the telock plugin for imprec failed totally at repairing (or even finding) the imports. If anyone else has a telock .98 file they need to unpack (or have before?) that you know for certain is a telock file, can you please try what i tried and report back on its success?

Thanks for all the help.

evaluator
January 9th, 2004, 10:24
on what point did you have trouble when you tried my way?

evn
January 9th, 2004, 13:12
I assume that this is the easy method that you posted, it is the only complete one I could find on the forum:

Quote:

Quick tutor for tElock dumping:
1. Load program in debugger
2. type in debugger:
"U VirtualFree"
3. set BPX on 2-3 instruction below "VirtualFree"
4. each time debugger breaks, dump prog.
5. in one dump SURE you will have original ImportTable.
6. you need to determine in dump Address & SIZE of IT & enter it in LordPE.
7. OEP you can determine by JUMP instruction at loader section start in dumped image from running task.
8. LordPE usage: Always use "Correct Image Size" option before dumping.


I've never been an avid user of softice, so a lot of this is foreign to me.

I'm assuming that to load the executable into softice I use the symbol loader, because just running the app doesn't give a chance to debug its startup ;P

Have the commands for doing this changed in ds 2.7 and 3.0, because no matter what I try I always end up with problems.

Step 4, what method should I use to dump? I'm on windows2k so icedump doesn't work, should I "a; jmp eip" then dump using lordpe? I tried using iceext but that was only partially dumping no matter what settings I used.
[edit] yes, a; jmp eip is a stupid idea, as it would lock the kernel.

Step 6, enter it where in lordpe? What exactly am i doing at this stage?

Step 7, i'm not sure what you mean by 'loader section start'.

On second glance, it's more my misunderstanding of softice technicalities than your description, but of course any pointers would be helpful to me. I'm about to grab some total beginners' softice docs and check through them.

-evn
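The header fix-up that both evn's steps (set the OEP after the OllyDump/ImpREC pass) and steps 7 and 8 of the quoted tutor (OEP from the JMP at the loader section, "Correct Image Size") describe, done as a script. This is an added example, not the thread's or any tool's code; it assumes a PE32 memory dump whose file offsets equal RVAs, and it builds a constructed stand-in image (not d2maphack.exe) that places the thread's `JMP 00410000` at entry point RVA 0x11BD6 (image base 0x400000), so the decoded OEP is RVA 0x10000.

```python
import struct

# PE32 optional-header field offsets (assumption: PE32, not PE32+); section headers are 40 bytes each.
EP_OFF, ALIGN_OFF, SIZE_OFF, OPT_SIZE = 16, 32, 56, 0xE0

def _headers(img):
    pe = struct.unpack_from("<I", img, 0x3C)[0]
    if img[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, opt_size = struct.unpack_from("<H", img, pe + 6)[0], struct.unpack_from("<H", img, pe + 20)[0]
    # (optional header offset, [(VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData), ...])
    return pe + 24, [struct.unpack_from("<IIII", img, pe + 24 + opt_size + 40 * i + 8) for i in range(nsec)]

def find_oep(img):
    # Tutor step 7: the stub's last instruction is a JMP rel32 to the original entry point; decode it.
    opt, secs = _headers(img)
    ep = struct.unpack_from("<I", img, opt + EP_OFF)[0]
    off = next((rptr + ep - vaddr for vsize, vaddr, _, rptr in secs if vaddr <= ep < vaddr + vsize), None)
    if off is None or img[off] != 0xE9:
        raise ValueError("entry point is not a JMP rel32 inside a section; the stub may not have finished")
    return (ep + 5 + struct.unpack_from("<i", img, off + 1)[0]) & 0xFFFFFFFF

def correct_size_of_image(img):
    # Tutor step 8 ('Correct Image Size'): end of the highest section, rounded up to SectionAlignment.
    opt, secs = _headers(img)
    align = struct.unpack_from("<I", img, opt + ALIGN_OFF)[0]
    end = max(vaddr + vsize for vsize, vaddr, _, _ in secs)
    return -(-end // align) * align

def fix_dump(img):
    # Write the recovered OEP and corrected SizeOfImage into a copy of the dump (what LordPE is used for by hand).
    out, (opt, _) = bytearray(img), _headers(img)
    struct.pack_into("<I", out, opt + EP_OFF, find_oep(img))
    struct.pack_into("<I", out, opt + SIZE_OFF, correct_size_of_image(img))
    return bytes(out)

def build_sample_dump():
    # Constructed stand-in for a memory dump (file offsets == RVAs); not the real d2maphack.exe.
    secs = [(b".text", 0x1000, 0x10000), (b"stub", 0x11000, 0x1000)]  # (name, RVA, size)
    img = bytearray(0x12000)
    img[0:2], img[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, 0x40)                                            # e_lfanew
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, len(secs), 0, 0, 0, OPT_SIZE, 0x102)  # COFF header
    struct.pack_into("<HBBIIII", img, 0x58, 0x10B, 0, 0, 0, 0, 0, 0x11BD6)            # Magic PE32 ... AddressOfEntryPoint (the thread's stub EP)
    struct.pack_into("<I", img, 0x58 + ALIGN_OFF, 0x1000)                              # SectionAlignment
    struct.pack_into("<I", img, 0x58 + SIZE_OFF, 0x11000)                              # SizeOfImage, deliberately one page short
    for i, (name, rva, size) in enumerate(secs):
        struct.pack_into("<8sIIII", img, 0x58 + OPT_SIZE + 40 * i, name, size, rva, size, rva)
    img[0x11BD6:0x11BDB] = bytes.fromhex("E925E4FFFF")                                 # the thread's JMP 00410000, i.e. RVA 0x10000
    return bytes(img)
```

Import table repair is left to ImpREC as in the thread; the script only fixes the two header fields the posts edit in LordPE.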

evaluator
January 9th, 2004, 18:31
well

maybe if you first try to learn LordPE,
it will quickly enlarge your knowledge about many things!?

evn
January 10th, 2004, 02:53
I actually know how to use LordPE, my query was more of a "ok so I've dumped the import table, but haven't dumped the unpacked code yet. What exactly am I editing in LordPE". I didn't know that it would dump both the original IT and the unpacked code, if this is what it does? In that case, I'd be editing the IT values of the dump I made?

I thought the import table would need to be fixed after a complete dump, but the steps you outlined omit some parts i thought would be critical.