Hi,
i'd need a script which can:
PELock 1.0x - Auto fix IAT,remove junk code,find stolen code

Possible?

Try to use script for OllyScript (PELock 1.0x.txt or with other extension).

// Script for OllyScript plugin by SHaG - http://ollyscript.apsvans.com
("http://ollyscript.apsvans.com
")
/*
//////////////////////////////////////////////////
PELock 1.0x -> Bartosz Wojcik Unpack script v0.1
Author: loveboom
Email : bmd2chen@tom.com
OS : WinXP sp1,Ollydbg 1.1,OllyScript v0.85
Date : 2004-7-19
Action: Auto fix IAT,Remove Junk code,Found stolen code
Config: Ignore other exceptions except 'Memory access violation'
Note : If you have one or more question, email me please,thank you!
//////////////////////////////////////////////////
*/


start:
msgyn "Setting:Ignore other exceptions except 'Memory access violation',Continue?"
cmp $RESULT,0
jne lbl1
ret

lbl1:
//Declare
var count
var espval //Esp value
var addr //address
var addr1

mov count,9
dbh //Hide debugger
run

lblloop:
cmp count,0
je lbl2
dec count
esto
jmp lblloop

lbl2:
find eip,#EB02#
bp $RESULT
esto

lbl3:
bc $RESULT
find eip,#F6C180# //Found 'Test cl,80'
cmp $RESULT,0
je lblabort
mov addr,$RESULT
cmt addr,"Running!please wait......!"
bphws addr,"x"

lbl4:
eoe lbl5
run
mov ecx,80
jmp lbl4

lbl5:
bphwc addr
find eip,#EB01??EB02#
mov addr,$RESULT
bp addr
esto

lbl6:
bc addr
mov addr,esp
bphws addr,"r"
run
bphwc addr

lblClearJunkCode:
repl eip,#E801000000??#,#E80100000090#,1000
repl eip,#EB01??#,#909090#,1000
repl eip,#EB02????#,#90909090#,1000
repl eip,#EB03??????#,#9090909090#,1000
repl eip,#EB04????????#,#909090909090#,1000
repl eip,#C1??00#,#909090#,1000
repl eip,#72037301??#,#9090909090#,1000
repl eip,#7C037D01??#,#9090909090#,1000
msg "Junkcode has been removed!"

lbl7:
find eip,#5D#
go $RESULT
sto

lbllogcode:
find eip,#C3#
bp $RESULT
eob lblgoOEP
ti

lblgoOEP:
bc $RESULT
sto
an eip
dbs
cmt eip,"Now,press ALT+V+N open trace window,you will find stolen code!"

lblend:
msg "Script by loveboom[DFCG[FCG],Thank you for using my script!"
ret

lblabort:
msg "Error,Script aborted!,Meybe target is not protect by PELock 1.0x -> Bartosz."
ret

any more? hehehe

nobody make a so complicated plugin

A plugin can find oep, other different can repair iat, but other work is necesary make manually

Ricardo Narvaja

Still I have problems to unpack a Pelocked application.
Who can help, with more information Please ?

What more information? That is very good protector. Can you find OEP with above script? If it works, than IAT should be good and half job is done.

Then search for tutorial on old biw site, crusader there wrote great tutorial.

But if you are not good with unpacking, then don't waste time trying.

Hi mr haggar

With the above script OEP was found but IAT is not good, imprec reports some missing ones and Sotlen bytes not found also.
Crusader tutorial deal with Softice not OllyDBG.
My Problem is to find a valid IAT for the dump obtained.

Thank you very much mr haggar

in cracklatinos there are tuts of pelock with ollydbg but are in spanish, but i think if you have a tutorial in softice and you are not capable of make the same steps in ollydbg, PELOCK will be veru hard for you, maybe i´m wrong.

Ricardo Narvaja

It doesn't matters SoftICE or Olly, tricks are the same. I have unpacked target with demo options enabled and that is IAT and stolen bytes. But full version have some more tricks like encrypted sections and god knows what more. May I know what target you traying to unpack? Maybe I could take look (if it's not too big for download).

Thank you mr haggar

I am trying to unpack PELock 1.06 it self.
Download here :
http://pelock.pac.pl/pelock.zip
("http://pelock.pac.pl/pelock.zip
")
or
http://pelock.pac.pl/pelock.exe
("http://pelock.pac.pl/pelock.exe
")

I have not find any full version in the Internet !!!

This script is not for P E L o c k 1 . 0 6 !
It only finds OEP, but all API calls are redirected and the code is decrypted and encrypted in runtime !!!
I don´t if there is a script for solving these problems.