Welcome to the new Woodmann RCE Messageboards Regroupment

PELock 1.0x -> Bartosz Wojcik [PlugIn needed]

phil8900


Post by phil8900 »

Hi,
I'd need a script which can:
PELock 1.0x - Auto fix IAT,remove junk code,find stolen code

Possible?
joe


Post by joe »

Try to use this script for OllyScript (saved as PELock 1.0x.txt or with another extension).

// Script for OllyScript plugin by SHaG - http://ollyscript.apsvans.com

/*
//////////////////////////////////////////////////
PELock 1.0x -> Bartosz Wojcik Unpack script v0.1
Author: loveboom
Email : [email protected]
OS : WinXP sp1,Ollydbg 1.1,OllyScript v0.85
Date : 2004-7-19
Action: Auto fix IAT,Remove Junk code,Find stolen code
Config: Ignore other exceptions except 'Memory access violation'
Note : If you have one or more question, email me please,thank you!
//////////////////////////////////////////////////
*/


start:
msgyn "Setting:Ignore other exceptions except 'Memory access violation',Continue?"
cmp $RESULT,0
jne lbl1
ret //User answered No: leave the target untouched

lbl1:
//Declare
var count
var espval //Esp value (declared but not used below)
var addr //address
var addr1 //declared but not used below

mov count,9
dbh //Hide debugger
run

lblloop: //Pass the first 9 exceptions back to the target
cmp count,0
je lbl2
dec count
esto
jmp lblloop

lbl2:
find eip,#EB02# //Next 'jmp short +2' after eip
bp $RESULT
esto

lbl3:
bc $RESULT
find eip,#F6C180# //Found 'Test cl,80'
cmp $RESULT,0
je lblabort //Pattern missing: probably not PELock 1.0x
mov addr,$RESULT
cmt addr,"Running!please wait......!"
bphws addr,"x" //Hardware breakpoint on execution of the 'test cl,80'

lbl4: //Each time the breakpoint hits, set ecx to 80h so 'test cl,80' sees bit 7 set, then continue
eoe lbl5 //The loop ends when the target raises an exception
run
mov ecx,80
jmp lbl4

lbl5:
bphwc addr
find eip,#EB01??EB02# //'jmp +1', junk byte, 'jmp +2'
mov addr,$RESULT
bp addr
esto

lbl6:
bc addr
mov addr,esp
bphws addr,"r" //Break when the current stack top is read again
run
bphwc addr

lblClearJunkCode: //Overwrite the junk patterns near eip with NOPs (length is hex: 1000h bytes)
repl eip,#E801000000??#,#E80100000090#,1000
repl eip,#EB01??#,#909090#,1000
repl eip,#EB02????#,#90909090#,1000
repl eip,#EB03??????#,#9090909090#,1000
repl eip,#EB04????????#,#909090909090#,1000
repl eip,#C1??00#,#909090#,1000
repl eip,#72037301??#,#9090909090#,1000
repl eip,#7C037D01??#,#9090909090#,1000
msg "Junkcode has been removed!"

lbl7:
find eip,#5D# //'pop ebp'
go $RESULT
sto

lbllogcode:
find eip,#C3# //'ret'
bp $RESULT
eob lblgoOEP //When that breakpoint is hit, continue at lblgoOEP
ti //Trace into until then; the trace log holds the stolen code

lblgoOEP:
bc $RESULT
sto
an eip //Analyse the code at the OEP
dbs //Show debugger again
cmt eip,"Now,press ALT+V+N open trace window,you will find stolen code!"

lblend:
msg "Script by loveboom[DFCG[FCG],Thank you for using my script!"
ret

lblabort:
msg "Error,Script aborted!,Maybe target is not protected by PELock 1.0x -> Bartosz."
ret
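The lblClearJunkCode section of the script above is a wildcard search-and-replace over the bytes near eip. What follows is an added example, not part of joe's post, of loveboom's script, or of OllyScript itself: a Python re-implementation of the find/repl commands with '??' wildcards and of the script's eight junk rules, applied to a constructed byte buffer so the patterns can be tried offline against a dumped section. The names parse_pattern, find, repl, strip_junk, JUNK_RULES, SAMPLE and demo are my own; the sample bytes are constructed, not taken from any PELock-protected file; and since OllyScript reads numeric constants as hex, the script's length argument 1000 is assumed to mean 0x1000 bytes.

```python
# Added example (not from the thread or the OllyScript script above): an
# offline re-implementation of OllyScript-style wildcard find/repl and of the
# script's lblClearJunkCode pass, run over a raw byte buffer.


def parse_pattern(pat):
    """Turn an OllyScript-style pattern such as '#EB02????#' into a list of
    byte values, with None standing for each '??' wildcard."""
    s = pat.strip().strip("#").replace(" ", "")
    if len(s) % 2:
        raise ValueError("odd-length pattern: %r" % pat)
    parsed = []
    for i in range(0, len(s), 2):
        tok = s[i:i + 2]
        parsed.append(None if tok == "??" else int(tok, 16))
    return parsed


def find(buf, pattern, start=0, length=None):
    """Offset of the first match of pattern inside buf[start:start+length],
    or -1 if there is none (mirrors 'find addr,#pattern#')."""
    pat = parse_pattern(pattern) if isinstance(pattern, str) else pattern
    end = len(buf) if length is None else min(len(buf), start + length)
    n = len(pat)
    for off in range(start, end - n + 1):
        if all(p is None or buf[off + k] == p for k, p in enumerate(pat)):
            return off
    return -1


def repl(buf, find_pat, repl_pat, start=0, length=None):
    """Replace every match of find_pat within buf[start:start+length] by
    repl_pat (mirrors 'repl addr,#find#,#repl#,len'). A '??' in repl_pat keeps
    the original byte. Matches are consumed left to right without overlap.
    Returns (new_bytes, number_of_replacements)."""
    fpat = parse_pattern(find_pat)
    rpat = parse_pattern(repl_pat)
    if len(fpat) != len(rpat):
        raise ValueError("find and replace patterns must have the same length")
    out = bytearray(buf)
    end = len(out) if length is None else min(len(out), start + length)
    off, count = start, 0
    while True:
        hit = find(out, fpat, off, end - off)
        if hit < 0:
            break
        for k, r in enumerate(rpat):
            if r is not None:
                out[hit + k] = r
        count += 1
        off = hit + len(fpat)
    return bytes(out), count


# The eight rules of the script's lblClearJunkCode section, in the same order.
# Each is a short jump or opaque branch over junk bytes, or a no-op shift,
# that breaks linear disassembly; the junk is overwritten with NOPs (0x90).
JUNK_RULES = [
    ("#E801000000??#", "#E80100000090#"),  # call $+6 over one byte: keep the call, NOP the byte
    ("#EB01??#",       "#909090#"),        # jmp short +1 over one junk byte
    ("#EB02????#",     "#90909090#"),      # jmp short +2 over two junk bytes
    ("#EB03??????#",   "#9090909090#"),    # jmp short +3
    ("#EB04????????#", "#909090909090#"),  # jmp short +4
    ("#C1??00#",       "#909090#"),        # shift/rotate by 0 (register form), a no-op
    ("#72037301??#",   "#9090909090#"),    # jb +3 / jae +1: both paths land after the junk byte
    ("#7C037D01??#",   "#9090909090#"),    # jl +3 / jge +1: same opaque-predicate shape
]


def strip_junk(buf, start=0, window=0x1000):
    """Apply JUNK_RULES to buf[start:start+window]; return (cleaned, total).
    OllyScript constants are hex, so the script's '1000' is 0x1000 bytes."""
    total = 0
    for fpat, rpat in JUNK_RULES:
        buf, n = repl(buf, fpat, rpat, start, window)
        total += n
    return buf, total


# Constructed sample: a tiny x86 sequence seeded with one instance each of
# four junk shapes above (not taken from any real protected binary).
SAMPLE = bytes.fromhex(
    "55"                # push ebp
    "EB01" "E9"         # jmp short +1 over a junk E9 (looks like a 5-byte jmp)
    "8BEC"              # mov ebp,esp
    "7203" "7301" "C7"  # jb +3 / jae +1 / junk byte
    "C1E000"            # shl eax,0
    "E801000000" "FF"   # call $+6 over a junk FF byte
    "C3"                # ret
)


def demo():
    """Run the junk pass on SAMPLE; returns (offset of the opaque branch pair
    before, cleaned hex, number of replacements, offset of the pair after)."""
    before = find(SAMPLE, "#7203??01#")
    cleaned, n = strip_junk(SAMPLE)
    after = find(cleaned, "#7203??01#")
    return before, cleaned.hex(), n, after


if __name__ == "__main__":
    print(demo())
```

The rules run in the script's order and matches never overlap, so a later rule can only fire on bytes the earlier ones left behind; reordering them can change the result. The first rule deliberately keeps the call instruction (it pushes a return address the protected code may rely on) and only NOPs the byte it skips over, which is why that replacement is not all NOPs.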
Ricardo Narvaja
Senior Member
Posts: 943
Joined: Tue Mar 11, 2003 12:45 pm


Post by Ricardo Narvaja »

any more? hehehe

Nobody makes such a complicated plugin.

A plugin can find the OEP, a different one can repair the IAT, but the other work must be done manually.

Ricardo Narvaja
ALiAS_2005


Post by ALiAS_2005 »

I still have problems unpacking a PELocked application.
Who can help with more information, please?
mr haggar


Post by mr haggar »

What more information? That is a very good protector. Can you find the OEP with the above script? If it works, then the IAT should be good and half the job is done.

Then search for the tutorial on the old biw site; crusader wrote a great tutorial there.

But if you are not good with unpacking, then don't waste time trying.
ALiAS_2005


Post by ALiAS_2005 »

Hi mr haggar ;)

With the above script the OEP was found, but the IAT is not good: ImpREC reports some missing ones, and the stolen bytes are not found either.
Crusader's tutorial deals with SoftICE, not OllyDbg.
My problem is to find a valid IAT for the dump obtained.

Thank you very much mr haggar :)
Ricardo Narvaja
Senior Member
Posts: 943
Joined: Tue Mar 11, 2003 12:45 pm


Post by Ricardo Narvaja »

In cracklatinos there are tuts on PELock with OllyDbg, but they are in Spanish. I think if you have a tutorial in SoftICE and you are not capable of making the same steps in OllyDbg, PELock will be very hard for you, but maybe I'm wrong.

Ricardo Narvaja
mr haggar


Post by mr haggar »

It doesn't matter, SoftICE or Olly, the tricks are the same. I have unpacked a target with the demo options enabled, and that is IAT and stolen bytes. But the full version has some more tricks like encrypted sections and God knows what more. May I know what target you are trying to unpack? Maybe I could take a look (if it's not too big for download).
ALiAS_2005


Post by ALiAS_2005 »

Thank you mr haggar :)

I am trying to unpack PELock 1.06 itself.
Download here:
http://pelock.pac.pl/pelock.zip

or
http://pelock.pac.pl/pelock.exe


I have not found any full version on the Internet!!!
shERis


Post by shERis »

This script is not for PELock 1.06!
It only finds the OEP, but all API calls are redirected and the code is decrypted and encrypted at runtime!!!
I don't know if there is a script for solving these problems.