phil8900
July 12th, 2005, 15:22
Hi,
I'd need a script which can:
PELock 1.0x - Auto fix IAT,remove junk code,find stolen code
Possible?
joe
July 12th, 2005, 16:17
Try to use script for OllyScript (PELock 1.0x.txt or with other extension).
// Script for OllyScript plugin by SHaG - http://ollyscript.apsvans.com
/*
//////////////////////////////////////////////////
PELock 1.0x -> Bartosz Wojcik Unpack script v0.1
Author: loveboom
Email : bmd2chen@tom.com
OS : WinXP sp1,Ollydbg 1.1,OllyScript v0.85
Date : 2004-7-19
Action: Auto fix IAT,Remove Junk code,Found stolen code
Config: Ignore other exceptions except 'Memory access violation'
Note : If you have one or more question, email me please,thank you!
//////////////////////////////////////////////////
*/
start:
msgyn "Setting:Ignore other exceptions except 'Memory access violation',Continue?"
cmp $RESULT,0
jne lbl1
ret
lbl1:
//Declare
var count
var espval //Esp value
var addr //address
var addr1
mov count,9
dbh //Hide debugger
run
lblloop:
cmp count,0
je lbl2
dec count
esto
jmp lblloop
lbl2:
find eip,#EB02#
bp $RESULT
esto
lbl3:
bc $RESULT
find eip,#F6C180# //Found 'Test cl,80'
cmp $RESULT,0
je lblabort
mov addr,$RESULT
cmt addr,"Running!please wait......!"
bphws addr,"x"
lbl4:
eoe lbl5
run
mov ecx,80
jmp lbl4
lbl5:
bphwc addr
find eip,#EB01??EB02#
mov addr,$RESULT
bp addr
esto
lbl6:
bc addr
mov addr,esp
bphws addr,"r"
run
bphwc addr
lblClearJunkCode:
repl eip,#E801000000??#,#E80100000090#,1000
repl eip,#EB01??#,#909090#,1000
repl eip,#EB02????#,#90909090#,1000
repl eip,#EB03??????#,#9090909090#,1000
repl eip,#EB04????????#,#909090909090#,1000
repl eip,#C1??00#,#909090#,1000
repl eip,#72037301??#,#9090909090#,1000
repl eip,#7C037D01??#,#9090909090#,1000
msg "Junkcode has been removed!"
lbl7:
find eip,#5D#
go $RESULT
sto
lbllogcode:
find eip,#C3#
bp $RESULT
eob lblgoOEP
ti
lblgoOEP:
bc $RESULT
sto
an eip
dbs
cmt eip,"Now,press ALT+V+N open trace window,you will find stolen code!"
lblend:
msg "Script by loveboom[DFCG[FCG],Thank you for using my script!"
ret
lblabort:
msg "Error,Script aborted!,Meybe target is not protect by PELock 1.0x -> Bartosz."
ret
Ricardo Narvaja
July 12th, 2005, 16:18
Any more? hehehe
Nobody makes such a complicated plugin.
One plugin can find the OEP, a different one can repair the IAT, but the other work has to be done manually.
Ricardo Narvaja
ALiAS_2005
November 30th, 2005, 10:05
I still have problems unpacking a PELocked application.
Who can help with more information, please?
mr haggar
November 30th, 2005, 13:59
What more information? That is a very good protector. Can you find the OEP with the above script? If it works, then the IAT should be good and half the job is done.
Then search for the tutorial on the old biw site; crusader wrote a great tutorial there.
But if you are not good at unpacking, then don't waste time trying.
ALiAS_2005
December 1st, 2005, 05:16
Hi mr haggar,
With the above script the OEP was found, but the IAT is not good; imprec reports some missing ones, and the stolen bytes were not found either.
Crusader's tutorial deals with SoftICE, not OllyDbg.
My problem is to find a valid IAT for the dump obtained.
Thank you very much, mr haggar

Ricardo Narvaja
December 1st, 2005, 15:17
In CrackLatinos there are tuts on PELock with OllyDbg, but they are in Spanish. But I think if you have a tutorial for SoftICE and you are not capable of making the same steps in OllyDbg, PELock will be very hard for you; maybe I'm wrong.
Ricardo Narvaja
mr haggar
December 1st, 2005, 17:02
It doesn't matter whether it's SoftICE or Olly, the tricks are the same. I have unpacked a target with demo options enabled, and that is IAT and stolen bytes. But the full version has some more tricks like encrypted sections and god knows what more. May I know what target you are trying to unpack? Maybe I could take a look (if it's not too big to download).
ALiAS_2005
December 2nd, 2005, 06:32
Thank you, mr haggar
I am trying to unpack PELock 1.06 itself.
Download here:
http://pelock.pac.pl/pelock.zip
or
http://pelock.pac.pl/pelock.exe
I have not found any full version on the Internet!!!
shERis
December 2nd, 2005, 13:07
This script is not for PELock 1.06!
It only finds the OEP, but all API calls are redirected and the code is decrypted and encrypted at runtime!!!
I don't know if there is a script for solving these problems.