Any unpacking guru please help


LaptoniC
October 28th, 2000, 06:10
I am trying to unpack Deep Paint; it is packed with vtcyberpack. It is very similar to vbox, the usual trial/buy stuff. I run the program, and when the dialog appears I bpx on GetProcAddress in TRW and run the program. It stopped and I am in some temp file; after some tracing I came back to vpack24.dll.
Code:

0167:024834F0 CALL `KERNEL32!LoadLibraryA`
0167:024834F6 MOV [EBP+FFFFF2D4],EAX
0167:024834FC MOV EAX,[EBP+FFFFF2D4]
0167:02483502 PUSH EAX
0167:02483503 CALL `KERNEL32!FreeLibrary`
0167:02483509 LEA ECX,[EBP+FFFFF418]
0167:0248350F PUSH ECX
0167:02483510 CALL `MSVCRT!_unlink`
0167:02483515 ADD ESP,BYTE +04
0167:02483518 CMP DWORD [EBP+FFFFF2D4],BYTE +00
0167:0248351F JNZ 02483526
0167:02483521 JMP 0248364D
0167:02483526 CMP DWORD [02491744],BYTE +01
0167:0248352D JNZ 0248354C
0167:0248352F MOV EAX,[02491738]
0167:02483534 PUSH EAX
0167:02483535 MOV EAX,[02491720]
0167:0248353A PUSH EAX
0167:0248353B MOV EAX,[02491768]
0167:02483540 PUSH EAX
0167:02483541 MOV EAX,[02491770]
0167:02483546 CALL EAX
0167:02483548 TEST EAX,EAX
0167:0248354A JZ 02483558
0167:0248354C POP ESI
0167:0248354D POP EBP
0167:0248354E POP EBX
0167:0248354F MOV ESP,EBP
0167:02483551 POP EBP
0167:02483552 JMP NEAR [02491754] ;here is OEP I guess

I run this jump, JMP NEAR [02491754], and I am in the real exe again. MakePE in TRW made an unpacked exe with strings. When I run it, it runs but gives an error that it can't find fileio.dll, which is located in the program directory. Any help or suggestion will be greatly appreciated.
Thanks
The program is located at htt*//www.righthemisphere.com/

tsehp
October 28th, 2000, 07:21
Just before I check the prog:
did you check the dll's imports in your dumped app? The dll's imports should appear normally if the IAT is well rebuilt.
If yes, did you use filemon to see where it searches for the dll?
If yes, in what dir?
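The check tsehp asks for, "do the dll's imports appear in the dump?", is a walk of the PE import directory. The following is an added example written for this thread, not code from any of the posters or from the program discussed: a small pure-Python import walker that maps RVAs through the section table, follows OriginalFirstThunk (the lookup table) rather than FirstThunk, because in a process dump FirstThunk already holds the resolved addresses the loader wrote, and reports which expected DLLs are absent. The sample PE it parses is constructed in memory here; the fileio.dll export name in it is a hypothetical placeholder.

```python
import struct

# Constructed sample PE, not a dump of Deep Paint or any real binary:
# one ".idata" section at RVA 0x1000 / file offset 0x200 holding two
# import descriptors. The fileio.dll function name is made up.
def build_sample_pe():
    base = 0x1000                      # RVA of the .idata section
    sec = bytearray(0x200)

    def put(off, blob):
        sec[off:off + len(blob)] = blob

    put(0x80, b"KERNEL32.dll\0")
    put(0x90, b"fileio.dll\0")
    put(0xA0, struct.pack("<H", 0) + b"LoadLibraryA\0")   # hint/name entries
    put(0xB0, struct.pack("<H", 1) + b"FreeLibrary\0")
    put(0xC0, struct.pack("<H", 0) + b"FileOpen\0")       # hypothetical export
    # Lookup tables (OriginalFirstThunk) and IATs (FirstThunk), PE32 thunks
    struct.pack_into("<III", sec, 0x40, base + 0xA0, base + 0xB0, 0)
    struct.pack_into("<II", sec, 0x50, base + 0xC0, 0)
    struct.pack_into("<III", sec, 0x60, base + 0xA0, base + 0xB0, 0)
    struct.pack_into("<II", sec, 0x70, base + 0xC0, 0)
    # Two IMAGE_IMPORT_DESCRIPTORs; the all-zero terminator at 0x28 is implicit
    struct.pack_into("<IIIII", sec, 0x00, base + 0x40, 0, 0, base + 0x80, base + 0x60)
    struct.pack_into("<IIIII", sec, 0x14, base + 0x50, 0, 0, base + 0x90, base + 0x70)

    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                  # PE32 magic
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, 0x200)  # ImageBase, alignments
    struct.pack_into("<I", opt, 92, 16)                    # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8, base, 0x3C)       # import directory RVA, size
    sect = struct.pack("<8sIIIIIIHHI", b".idata", 0x200, base, 0x200, 0x200,
                       0, 0, 0, 0, 0xC0000040)
    headers = (dos + b"PE\0\0" + coff + opt + sect).ljust(0x200, b"\0")
    return bytes(headers + sec)


def _rva_to_offset(rva, sections):
    """Map an RVA to a file offset using the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError("RVA 0x%X is not inside any section" % rva)


def _cstring(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")


def parse_imports(data):
    """Return {dll name: [imported function names]} from a PE image on disk."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                                     # PE32
        dd_off, thunk_fmt, ordinal_flag = opt + 96, "<I", 1 << 31
    elif magic == 0x20B:                                   # PE32+
        dd_off, thunk_fmt, ordinal_flag = opt + 112, "<Q", 1 << 63
    else:
        raise ValueError("unknown optional header magic 0x%X" % magic)
    thunk_size = struct.calcsize(thunk_fmt)
    num_dirs = struct.unpack_from("<I", data, dd_off - 4)[0]
    sections = []
    for i in range(nsections):
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, opt + opt_size + i * 40 + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    imports = {}
    if num_dirs < 2:
        return imports
    imp_rva = struct.unpack_from("<I", data, dd_off + 8)[0]   # directory entry 1 = imports
    if imp_rva == 0:
        return imports
    desc = _rva_to_offset(imp_rva, sections)
    while True:
        oft, _ts, _fc, name_rva, ft = struct.unpack_from("<IIIII", data, desc)
        if oft == 0 and name_rva == 0 and ft == 0:
            break                                          # null terminator descriptor
        dll = _cstring(data, _rva_to_offset(name_rva, sections))
        thunk = _rva_to_offset(oft or ft, sections)        # prefer the untouched lookup table
        names = []
        while True:
            entry = struct.unpack_from(thunk_fmt, data, thunk)[0]
            if entry == 0:
                break
            if entry & ordinal_flag:
                names.append("ordinal#%d" % (entry & 0xFFFF))
            else:
                names.append(_cstring(data, _rva_to_offset(entry, sections) + 2))  # skip hint
            thunk += thunk_size
        imports[dll] = names
        desc += 20
    return imports


def missing_dlls(data, expected):
    """Case-insensitive list of DLLs that the dump's import table does not name."""
    present = {d.lower() for d in parse_imports(data)}
    return sorted({e.lower() for e in expected} - present)


if __name__ == "__main__":
    pe = build_sample_pe()
    for dll, funcs in parse_imports(pe).items():
        print(dll, funcs)
    print("missing:", missing_dlls(pe, ["kernel32.dll", "fileio.dll", "msvcrt.dll"]))
```

Run it against a dumped exe by reading the file into `data` and calling `missing_dlls(data, [...])` with the DLLs you expect from the running process. A ValueError from `_rva_to_offset` while walking a descriptor usually means the thunk entries hold absolute addresses rather than RVAs, i.e. the IAT was dumped after the loader filled it and there is no lookup table to fall back on, which is exactly the case an import rebuilder has to repair.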

tsehp

LaptoniC
October 28th, 2000, 11:44
I guess every import is here. It loads, but file operations don't work (open, save, etc.). It looks for this dll in the program's own directory, where it already is. Maybe loading the dll is done by vtpack24.dll, and when I unpacked it, it doesn't work; I don't know.

Sab
October 28th, 2000, 22:48
I'm no unpacking guru, but I've run into vtccyberpack and, as I recall, it didn't really encrypt anything in the exe. If you go to the program entry point you'll notice a call smack right there. That call, from what I remember, calls the vbox-ish looking screen. Also, about 20 lines of code down from that you'll see several mov eax, valuehere followed by a jmp to location. Find the one that is equivalent to buying and set it to jump there so it thinks it's still a good trial, and nop the vbox-ish looking screen in the program entry point. Also there are like 2 checks it makes, really easy to patch: you'll get a message box, just backtrace and change the bytes to jump over it and keep running. That should work... maybe, heh, unless they've changed the protection.

LaptoniC
October 29th, 2000, 06:51
I found that my unpacking is working, but you should change the filename to the original name (deeppaint.exe), otherwise it crashes. It is very easy to unpack: no import rebuild, no sice check like in the old days.