View Full Version : Revirgin vs VisualProtect


nikkov
October 10th, 2001, 07:13
How do I use Revirgin to repair the imports of a Visual Protected
program (h**p://www.visagesoft.com/)?

Nik

+SplAj
October 11th, 2001, 04:15
Nik,

Thanks for the links to this nice site. As usual they brag like crazy
about being the dog's bollocks protection system.

They appear to have lots of nice toys to play with. One annoyance is that they forgot Win2K SP2 o/s !!!.......

I unpacked VisualProtect.exe & GenerateLicense.exe in 10 mins. Did not need RV as IAT/IT is intact. Just the original code is encrypted.

Next I made my own licence for the stupid system. Try the attached .vpl licence file after d/l VP.... I made a licence for RCE community

how did I do this !!!! ..... find the encryption string. They used 'vp100' and from this you can fake the licence system. So if you have a target just run it / dump it then look for .vpl with hex editor and a few bytes back you'll see the required string.......

+Spl/\j

+SplAj
October 11th, 2001, 04:20


just delete the .txt from the end and place in your visage directory.....

Solomon
October 11th, 2001, 10:17
Hi SplAj


How to recover the imported DLL_name/function_name strings?

I just got VisualProtect & traced it. Time is stored in a file named C:\sysxxxxx.bin. Both IT & IAT can be dumped directly from memory (OEP = 593540, IT = 59F000, IT length = 1B8, IT is followed by IAT), but the imported DLL names and function names are encrypted. Though the function names are decrypted at runtime, they are always decrypted to the same temp buffer.

thx for your help

Solomon
October 11th, 2001, 20:27
hello ArthaXerXes,

I tried your loader with the latest VisualProtect itself and it didn't work. The loader told me "Everything went fine" but VisualProtect still shows me a nag

I just want to practice my unpacking skills with this baby

nikkov
October 11th, 2001, 21:34
Thanks!
I successfully generated a license file for VisualProtect
and their other products.
Nik

+SplAj
October 14th, 2001, 06:53
Solomon

Did you trace the api for encrypted Kernel32 & User32 yet ? (only these two api are fully encrypted) I'm sure you traced to the second level of redirection, yes ? There you see the answer.........

What I did was to dump the api function addresses and then paste them into exe. i.e. an API memory image exe.

However at the weekend I played a little and managed to trick RV with pasting the list into the resolved.txt and then RV made an IAT/IT.

I made it for Win98 SE ...... iat attached. Paste into raw 0x19F000.

Message to tsehp ..... can you have a look at this second level redirection in Visualprotect. If you want some notes then I can help. But you know the problem immediately you run RV... and more important the solution

+Spl/\j