
Thread: Any unpacking guru please help

  1. #1

    Any unpacking guru please help

    I am trying to unpack Deep Paint; it is packed with vtcyberpack. It is very similar to vbox, the usual trial/buy stuff. I run the program, and when the dialog appears I bpx on GetProcAddress in TRW and run the program. It stopped and I was in some temp file; after some tracing I came back to vpack24.dll.
    Code:
    0167:024834F0  CALL     `KERNEL32!LoadLibraryA`
    0167:024834F6  MOV      [EBP+FFFFF2D4],EAX
    0167:024834FC  MOV      EAX,[EBP+FFFFF2D4]
    0167:02483502  PUSH     EAX
    0167:02483503  CALL     `KERNEL32!FreeLibrary`
    0167:02483509  LEA      ECX,[EBP+FFFFF418]
    0167:0248350F  PUSH     ECX
    0167:02483510  CALL     `MSVCRT!_unlink`
    0167:02483515  ADD      ESP,BYTE +04
    0167:02483518  CMP      DWORD [EBP+FFFFF2D4],BYTE +00
    0167:0248351F  JNZ      02483526
    0167:02483521  JMP      0248364D
    0167:02483526  CMP      DWORD [02491744],BYTE +01
    0167:0248352D  JNZ      0248354C
    0167:0248352F  MOV      EAX,[02491738]
    0167:02483534  PUSH     EAX
    0167:02483535  MOV      EAX,[02491720]
    0167:0248353A  PUSH     EAX
    0167:0248353B  MOV      EAX,[02491768]
    0167:02483540  PUSH     EAX
    0167:02483541  MOV      EAX,[02491770]
    0167:02483546  CALL     EAX
    0167:02483548  TEST     EAX,EAX
    0167:0248354A  JZ       02483558
    0167:0248354C  POP      ESI
    0167:0248354D  POP      EBP
    0167:0248354E  POP      EBX
    0167:0248354F  MOV      ESP,EBP
    0167:02483551  POP      EBP
    0167:02483552  JMP      NEAR [02491754]  ;here is OEP I guess
    When I run this jump, JMP NEAR [02491754], I am in the real exe again. Makepe in TRW made an unpacked exe with string. When I run it, it runs but gives an error that it can't find fileio.dll, which is located in the program directory. Any help or suggestion will be greatly appreciated.
    Thanks
    The program is located at htt*//www.righthemisphere.com/

  2. #2
    tsehp
    Guest
    just before I check the prog,
    did you check the dll's imports in your dumped app? The dll's imports should appear normally if the IAT is well rebuilt.
    If yes, did you use filemon to see where it searches for the dll?
    If yes, in what dir?

    tsehp
    I promise that I have read the FAQ and tried to use the Search to answer my question.
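The check tsehp asks for (does the dumped exe's import directory actually name the dll?) as an added example that is not code from the thread: a minimal PE32 import-directory walker plus a constructed sample file so it runs offline. The function names, the sample file and the assumption that the dump is an ordinary PE32 on disk are mine, not anything from the thread.

```python
import struct

IMPORT_DIR = 1  # IMAGE_DIRECTORY_ENTRY_IMPORT

def imported_dlls(data: bytes) -> list[str]:
    """List DLL names from a PE32 file's import directory; a dump whose import table is missing or points outside its sections fails loudly."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsec, opt_size = struct.unpack_from("<H", data, pe + 6)[0], struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 handled here")
    imp_rva = struct.unpack_from("<I", data, opt + 96 + 8 * IMPORT_DIR)[0]
    # Section table supplies the RVA -> file-offset mapping for an on-disk image.
    secs = [struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
            for i in range(nsec)]   # (VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)
    def to_off(rva):
        for vsize, vaddr, rsize, raw in secs:
            if vaddr <= rva < vaddr + max(vsize, rsize):
                return raw + rva - vaddr
        raise ValueError(f"RVA {rva:#x} is in no section: incomplete dump?")
    names = []
    desc = to_off(imp_rva) if imp_rva else None
    while desc is not None:
        name_rva = struct.unpack_from("<I", data, desc + 12)[0]  # IMAGE_IMPORT_DESCRIPTOR.Name
        if name_rva == 0:                                         # all-zero descriptor ends the table
            break
        off = to_off(name_rva)
        names.append(data[off:data.index(b"\0", off)].decode("ascii"))
        desc += 20
    return names

def build_sample_pe(dlls):
    """Constructed (not real) PE32: one .idata section holding only an import directory."""
    sec_rva, sec_raw = 0x1000, 0x200
    desc, names = b"", b""
    for d in dlls:   # name strings follow the (n + 1) 20-byte descriptors
        desc += struct.pack("<5I", 0, 0, 0, sec_rva + 20 * (len(dlls) + 1) + len(names), 0)
        names += d.encode() + b"\0"
    body = desc + bytes(20) + names
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = struct.pack("<H", 0x10B) + bytes(94)                   # PE32 magic, rest zeroed
    dirs = bytearray(128)
    struct.pack_into("<II", dirs, 8 * IMPORT_DIR, sec_rva, len(body))
    sec = b".idata\0\0" + struct.pack("<IIIIIIHHI", len(body), sec_rva, len(body), sec_raw, 0, 0, 0, 0, 0x40000040)
    hdr = dos + coff + opt + bytes(dirs) + sec
    return hdr + bytes(sec_raw - len(hdr)) + body
```

Run `imported_dlls(open("dump.exe", "rb").read())` on a dump: if the dll the program complains about is absent from the list, or the call raises because an RVA maps to no section, the import table was not rebuilt properly.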

  3. #3

    Yes I checked it

    I guess every import is here. It loads, but file operations don't work (open, save, etc.). It looks for this dll in the program's own directory, where it already is. Maybe loading the dll is done by vtpack24.dll and when I unpacked it, it doesn't work. I don't know.

  4. #4
    Sab
    Guest
    I'm no unpacking guru, but I've run into vtccyberpack and as I recall it didn't really encrypt anything in the exe. If you go to the program entry point you'll notice a call smack right there. That call, from what I remember, calls the vbox-ish looking screen. Also about 20 lines of code down from that you'll see several mov eax, valuehere followed by a jmp to location. Find the one that is equivalent to buying and set it to jump there so it thinks it's still a good trial, and nop the vbox-ish looking screen in the program entry point. Also there are like 2 checks it makes, really easy to patch; you'll get a message box, just backtrace and change the bytes to jump over it and keep running. That should work.. maybe heh, unless they've changed the protection.

  5. #5

    Finally Unpacked

    I found that my unpacking is working, but you should change the filename to the original name (deeppaint.exe), otherwise it crashes. It is very easy to unpack: no import rebuild, no sice check like in the old days.
