
Thread: PCGuard 4.03 demo unprotecting

  1. #1
    Musician member evaluator's Avatar
    Join Date
    Sep 2001
    Posts
    1,516
    Blog Entries
    1

    PCGuard 4.03 demo unprotecting

    This protector has very hard anti-debugger
    code. But I caught the original IT in memory (before
    it was erased) and then found oeip.

    I am interested in:
    1. How to analyse and set correct IT values
    (generally).
    2. Can you debug PCGuard?

  2. #2
    DakienDX
    Guest
    Hello evaluator !

    What do you mean by "analysing" IT values in general? Could you be more specific and tell us what you would like to know exactly?

    I remember once debugging PCGuard for DOS. It nearly used no real anti-debugging code, just many time-consuming loops when deprotecting the next 30 bytes where the next decryptor was located )

    Could you tell me where to download the target or PCGuard? I've only found a firewall, a password-lock for your computer and an old version 3.0 with the name "PCGuard".
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  3. #3
    Musician member evaluator's Avatar
    goto url
    http://www.sofpro.com
    direct url is
    http://www.sofpro.com/files/demo/pcgw32d.zip

  4. #4
    Musician member evaluator's Avatar

    How to analyse and set correct IT values?

    So I caught the original IT in memory, inserted it
    in the dump file, and now I need the IT RVA address
    & size, IAT size (IAT RVA is not a problem).
    So maybe you know some tools for
    analyzing those IT values?
    Or an easy-to-understand tutorial?
    I read r!sc's tutorials but they are not easy.(

    I tried many variants and found maybe good
    values, but I'm not sure.
    The program runs and is successfully "Wdasmed".
    This is my check. Is it enough?

    If somebody knows an interesting program
    protected with PCGuard, please tell me!
    I already deprotected IRISv3.50.2 (PCGuarded)
    and am now working "hard" on the crack! It has
    a grandiose IT! Section size 133 Kbytes!
    Who wants to join me?

  5. #5
    Is IRIS v3.502 protected by PCGuard or TELock?

    Last edited by Solomon; September 23rd, 2001 at 00:45.

  6. #6
    Musician member evaluator's Avatar
    By PCGuard.
    In header you see "wrong" protector name

  7. #7
    my new hair style :) +SplAj's Avatar
    Join Date
    Feb 2001
    Location
    Afghanistan, Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria
    Posts
    373
    Greetz guys,

    esp. Solomon who is VERY active ...............be careful with diagnosing a certain protector/packer or Egoiste will be laughing too loud ....

    extract from rebuilt te!lock .exe :-

    --------------
    tElockv085.Reminder.Another instance of tElock is already running!.Licensed to: Public.A TMG production. (c) 2000-2001 by tE!..aspack..pklstb..PCGW32.PEPACK!!.CryptX.BitArts..BJFnt..PELOCKntUPX!.....shrink..neolite.peco... .WWPACK..petite.PESHiELD.aspr... Contact:.. WWW:.http://egoiste.cjb.net.. Email:.tmgfreaks@softhome.net.Error.Please do not drop more than -one- file.
    -------------

    Yes protector is fake -> PCGW32 section name == tE!lock.

    BUT having said that the code IS ALSO using PCGuard as the timelimit feature on 'wrapped' exe. Once unwrapped this .lic check is gone and only the stupid 'sheriff' system remains...

    Remember Laurentio (eEye/Iris programmer) will also be laughing cos it is an eval version. Those graph functions disappeared after v3 released.

    Please refer to previous threads on 'Iris' v2 - v3.5 over the last 5 months or so. The search engine is fully working . Best full info thread is started by hOrn_dOg.

    BTW my Iris 3.501 is protected with 'Neolite' duh NOT . That damn tE! again.................If you don't believe me try my tE!lock dumping quick tut from a few days ago. BPX VirtualProtectEx...............whatever

    .....and of course a good tool for IT stuff is 'Revirgin' !!! and again I recommend LordPE FX cos it defeats most lame anti-dump tricks.....

    +Spl/\j
    Carve my name into your arm :)

  8. #8
    Musician member evaluator's Avatar
    Dear Solomon, Dear +SplAj!!!
    Thank you for the replies.

    1. Forgive me, but the section names in iris.exe are "PELOCKntT".
    Maybe you have another version?? I downloaded it on 2001/08/30 from
    http://www.eEye.com/html/Products/Iris/IrisDemo.exe size=3295589 byte.
    File iris.exe size=841728 crc32=E49C94FC, date-27.08.01

    2. +SplAj, my English is bad and maybe you didn't understand me when you
    wrote: good tool for IT stuff is 'Revirgin'...
    I wrote: "I catch original IT in memory" (before it is erased)! Why do I need Revirgin?
    So it will be good if some great (you!) master will write a little tutorial about:
    "How to analyze and set correct values in the PE header for the original ("virgin") IT"
    Or a little program!

    3. About cracking the demo. I think this is not a full demo because as of today I have cracked
    2 restricted functions: Decoder and address book 10 entry limit. For me it's enough!
    But I'm tired of tracing inside MFC42.DLL (shit:( I think it will be non solid to publish
    this partial crack. Or no?
    +SplAj! Are those your serials for IRISv1.01 beta that I have? (Can't believe!) Thanks for it.
    So if you want, I will upload for you that virgin IT section or the full unprotected iris.exe
    for proffy crack!!!

    Sorry for eNgLiSh!
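
For the question raised in posts #4 and #8 (which IT RVA, IT size and IAT size belong in the PE header once the import table has been recovered from memory), here is an added example, not code from any poster in this thread. It walks the import descriptor array to its all-zero terminator and measures the span of the thunk arrays; these are the values that go in the Import and IAT data-directory entries. It assumes PE32 (4-byte thunks), a dump indexed by RVA and contiguous thunk arrays; `import_dir_values`, `build_sample` and all sample bytes are constructed for illustration.

```python
import struct

# IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
DESC = struct.Struct("<5I")

def import_dir_values(image, it_rva):
    """image: dump bytes laid out by RVA (memory alignment); PE32, 4-byte thunks."""
    def u32(rva):
        if rva + 4 > len(image):
            raise ValueError("RVA 0x%X is outside the dump" % rva)
        return struct.unpack_from("<I", image, rva)[0]

    def thunk_count(rva):            # entries before the zero terminator
        n = 0
        while u32(rva + 4 * n):
            n += 1
        return n

    dlls, iat_lo, iat_hi, off = [], None, 0, it_rva
    while True:
        if off + DESC.size > len(image):
            raise ValueError("descriptor array is not zero-terminated")
        _oft, _ts, _fwd, name, ft = DESC.unpack_from(image, off)
        off += DESC.size             # the all-zero terminator counts toward the size
        if name == 0 and ft == 0:
            break
        n = thunk_count(ft)
        dll = image[name:image.index(b"\0", name)].decode("ascii", "replace")
        dlls.append((dll, n))
        iat_lo = ft if iat_lo is None else min(iat_lo, ft)
        iat_hi = max(iat_hi, ft + 4 * (n + 1))
    return {"it_rva": it_rva, "it_size": off - it_rva,
            "iat_rva": iat_lo, "iat_size": iat_hi - (iat_lo or 0), "dlls": dlls}

def build_sample():
    """Constructed 0x200-byte 'dump': two DLLs, already-bound thunks (made-up addresses)."""
    img = bytearray(0x200)
    struct.pack_into("<3I", img, 0x40, 0x77E81111, 0x77E82222, 0)   # KERNEL32 IAT
    struct.pack_into("<2I", img, 0x4C, 0x77D43333, 0)               # USER32 IAT
    for rva, s in ((0x180, b"KERNEL32.dll\0"), (0x190, b"USER32.dll\0")):
        img[rva:rva + len(s)] = s
    DESC.pack_into(img, 0x100, 0, 0, 0, 0x180, 0x40)
    DESC.pack_into(img, 0x114, 0, 0, 0, 0x190, 0x4C)
    return bytes(img)

if __name__ == "__main__":
    print(import_dir_values(build_sample(), 0x100))
```

A dump that merely runs can still carry a wrong size; comparing the listed DLL names and thunk counts against what the program is expected to import is a stronger check than a successful launch.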

  9. #9
    my new hair style :) +SplAj's Avatar
    Hi evaluator

    I have a good story about the serials, yes 'splaj' was banned from registering iris so I released some in the name of 'Laurentiou' (eEye programmer). Then when he was online in the GRC.com forums about scanners he was always bugged for new serials by those lamers that don't know a sniff from a cold

    Ok, let's step back from this current Iris3.502. Please download all previous versions of te!lock from .05 to 0.90 from w*w.exetools.com and practise ....... you will see from the later versions a nice 'fake known packer' option. This is what Laurentiou is doing with each build of Iris now. The section names will be a random selection of ASpack, Neolite, PCGW32, etc etc. See my previous snippet above. That's what tricks most ppl ..... good idea from Egoiste

    It's still the same old te!lock and you can unpack in 10 mins if you know about the te! tricks like mapping the IAT and destroying and the FFFF section count etc. I have repeated myself many times explaining how to MANUALLY fix tE! locked targets.... and others. That's why I am here! I made several tuts for discompress.com on many different protectors/packers (sadly gone from the server since woodmann changed ISP a few weeks ago)

    So yes, for tE!locked targets maybe you don't need RV but sometimes it's quicker to tag on a new IAT/IT instead of catching
    the real one and copy+pasting it .... or even do both methods for practice, whatever

    I will NEVER release any Keygens or Auto-unpackers for the masses. That's my policy now. Maybe a few select cracks for
    some anal retentive programmers' targets ??? They know who they are

    But I think you fixed Iris3.5 now anyway ...............congrats.

    +Spl/\j
    Carve my name into your arm :)

  10. #10
    Musician member evaluator's Avatar
    Dear +SplAj!
    I am shaken! So I jumped over two protections?!! Comic!
    Please, excuse me, tE!Lock.

    +SplAj, tell me please, where I can find tutorials about assembler instructions,
    for better understanding of the debug process. I can understand only jmp and call instructions (& nop:),
    but what do these pop, push, xor, etc. mean?
    By the way, from what country are you?

  11. #11
    my new hair style :) +SplAj's Avatar
    Ok ASM.... the masters are Hutch , EliCZ , Iczelion etc etc........ and they hang out at W32asm.cjb.net

    Get MASM and the tuts from Iczelion and you're away. The forum is super duper too....but DON'T say you're into RCE cos they are a bit anal about our fine art (regardless of the fact that they do it as well but not in public). Make a new handle for that forum ....... they are ace guys and many others are there willing to help with ASM as well....


    BTW do a search in google and you'll find the Great Me

    Spl/\j
    Carve my name into your arm :)

  12. #12
    Teach, Not Flame Kayaker's Avatar
    Join Date
    Oct 2000
    Posts
    4,143
    Blog Entries
    5
    Originally posted by +SplAj

    BTW do a search in google and you'll find the Great Me

    Spl/\j

    Hey Spl/\j, what's the radio frequency?
