telock 0.90


telexxingou
September 14th, 2001, 10:42
Please, does someone know if an unpacker for telock 0.90 exists?
I really need it.

Thanks very much for your help

Byebye

+SplAj
September 16th, 2001, 04:25
Hajo

Best unpacking tool is BRAIN :-)

Other tools to assist:-

SI
Icedump
LordPE
RV

TE! tricks - anti SI, Anti dump (section count =FFFF and IAT is mapped, relocated then destroyed)

Solution :-
========
Load target in SI (after running Icedump)
BPX VirtualProtectEx
F5
F12
S CS:EIP L EIP+100 EB,02,CD,20,61
Set a BPX on the memory where the 61 (POPAD) is. F5
Press F8 carefully cos you're nearly at the OEiP

At OEiP change bytes from 55 8B to EB FE (loop)
Use LordPE to dump (with load section header from disk on to solve the section count FFFF trick)

Then use RV to rebuild the IAT/IT (or stop TE from destroying the
IAT/IT once you know the VA offset)

Fix up your dump (OEiP pointer, EB FE -> 55 8B, IAT pointer etc)
and TE! is gone :-)

+Spl/\j
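
An added example, not part of the original thread and not code from any of the tools named in it: a triage check an analyst can run on a header page taken from a memory dump to flag the "section count = FFFF" anti-dump trick mentioned above, optionally comparing against the header from the file on disk. It assumes the tampered value lives in the in-memory header while the on-disk header is intact (as the LordPE option implies); the function names and the sample headers are constructed for illustration.

```python
import struct

SECTION_HDR_SIZE = 40      # size of one IMAGE_SECTION_HEADER
LOADER_MAX_SECTIONS = 96   # loader limit noted in the PE/COFF specification

def read_section_info(hdr: bytes):
    """Return (NumberOfSections, section-table offset, SizeOfHeaders)."""
    if hdr[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", hdr, 0x3C)[0]
    if hdr[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    nsect = struct.unpack_from("<H", hdr, coff + 2)[0]
    opt_size = struct.unpack_from("<H", hdr, coff + 16)[0]
    opt = coff + 20                                       # optional header
    size_of_headers = struct.unpack_from("<I", hdr, opt + 60)[0]
    return nsect, opt + opt_size, size_of_headers

def audit_section_count(mem_hdr: bytes, disk_hdr: bytes = None):
    """List reasons the in-memory section count looks tampered."""
    findings = []
    nsect, table_off, size_of_headers = read_section_info(mem_hdr)
    if nsect > LOADER_MAX_SECTIONS:
        findings.append(f"NumberOfSections=0x{nsect:04X} exceeds loader limit")
    if table_off + nsect * SECTION_HDR_SIZE > size_of_headers:
        findings.append("section table would overrun SizeOfHeaders")
    if disk_hdr is not None:
        disk_n = read_section_info(disk_hdr)[0]
        if disk_n != nsect:
            findings.append(f"memory header differs from disk ({disk_n} on disk)")
    return findings

def build_header(nsect: int) -> bytes:
    """Constructed sample: minimal PE32 headers only, no section data."""
    buf = bytearray(0x400)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)               # e_lfanew
    buf[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", buf, 0x84, 0x14C, nsect, 0, 0, 0, 0xE0, 0x010F)
    struct.pack_into("<H", buf, 0x98, 0x10B)              # PE32 magic
    struct.pack_into("<I", buf, 0x98 + 60, 0x400)         # SizeOfHeaders
    return bytes(buf)

if __name__ == "__main__":
    disk, mem = build_header(4), build_header(0xFFFF)
    for line in audit_section_count(mem, disk):
        print(line)
```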

nchanta
September 16th, 2001, 06:47
hola unpax0r king

thanks for the compressed telock essay, will come in handy

your student...

NchantA

telexxingou
September 19th, 2001, 07:21
Thanks very much for your help

Do you have a URL for BRAIN?
Does Icedump work with Win2k?

thanks
byebye

+SplAj
September 19th, 2001, 08:09
http://www.vh.org/Providers/Textbooks/BrainAnatomy/BrainAnatomy.html


telexxingou
September 19th, 2001, 08:27
LOL
Sorry, my English is not very perfect!!!

maybe Brain is near my head, isn't it ? ahahahaha
Thanks

+SplAj
September 19th, 2001, 09:17
Near your head....
---------------------
yes you are getting warmer .... roll your eyes upwards

Ok one last thing about tE!lock is the 'Mutex' feature which MOST programmers have not a clue and think it is a Teletext alternative to find cheap holidays.....

But some are clever enough to implement this in the tE! packed ( protected ) exe.

To bypass this feature (if the programmer took Egoiste advice)
is to set BPX CreateMutexA and see if a check is made on existence of tE!lock code. Usually they give a big clue by giving easy name like 'my_Mutex_check' duh. A simple JMP instead of JE is all that is required - Maybe tE! codes some encrypt/decrypt code soon around his mutex ?

Hope that helps some more. You can see this feature in the target Iris 3.x from eEye.com - search for my oh um 'super tut' on the MB describing tE! unpacking and Sheriff Licence butt fucking in Iris 3 a couple of months ago.... ppl here have such short memories

+Spl/\j

telexxingou
September 19th, 2001, 11:17
really thanks

My level on packed/crypted exes is very low
Now I'm beginning with your help

thanks
byebye

SpeKKeL
September 19th, 2001, 12:29
Just watch the APIs that contain a "0"-dword and delete them.

just try on a te-locked notepad !!

Spek.

Bengaly
September 23rd, 2001, 01:13
heya +P ;D

just wanted to say hi ;D
I love +reversers, I am contacting everybody I can
till now:
+Sandman
+Tsehp

and now you ?