#1
Visual Protect
I have a target that is protected with Visual Protect and I haven't found very much info on unpacking it; if someone could point me in the right direction I would be most grateful.
I found one tut on unpacking with TRW, and I'm using Olly.
#2
I have a tut for OllyDbg, but it's in French; I'll upload it if you want it. It's easy to understand, the screenshots explain everything. If not, post the target here; I'm sure someone will write one for you or guide you on how to unpack it.
#3
Thanks
I can't download it if you post it here (the tut), I don't have enough posts to make downloads!
The target is StormPredator; it can be downloaded from h**p://www.stormpredator.com
Many thanks, bukkake
Last edited by Spotted Horse; 09-10-2004 at 10:55.
#4
Must be your lucky day: the tut I have is for an old version of StormPredator, but it still works for the new version, I just tried it.
Since you can't download, I'll try to explain here.
Run Olly and set it like this (Options->Debugging options): in SFX, "Trace entry real blockwise", and enable "Pass exceptions to SFX extractor".
Load the target, press F9, you get that "Visual Protect trial" box, click the "Try" button, then let OllyDbg trace it. It will land on the EOP (0047CAE0); then dump the target.
Start ImportRec, enter the EOP (7CAE0), then press "Get Imports", then "Show Invalid", then click "Auto Trace"; it will take a few seconds, so just be patient.
Delete the thunk at RVA 00083818, double-click thunk RVA 003B00E0, choose module "kernel32.dll", then scroll down to "kernel32.GetProcAddress" (should be "ord:0191"), select it, then click OK.
Then click "Fix Dump" and choose the file you dumped with OllyDbg. Target unpacked and no more nag window.
#5
I made a license for VisualProtect itself and for XNView DeLuxe (first version).
It's very easy and needs only VisualProtect, and that's all!!!
#6
I have a bug in Windows XP and ImpREC gives me a message that it can't run the tracer !?!?!? I followed your post to a tee, but this damn Windows XP is the biggest pain in the ass after you have had a virus in the system!!! SnagIt, Evidence Eliminator, Internet Explorer (I'm running Opera) and 4 other programs have the same problem as ImpREC... they don't run right!
Thanks a million for the tut, bukkake; it's just turned out to be a waste of time for us all until I get Windows fixed.
Last edited by Spotted Horse; 09-11-2004 at 05:11.
#7
nikkof, can you explain how you make licenses? Do you have a tutorial or so?
#8
Quick instructions for generating a VisualProtect license.
1. Download Visual Protect itself.
2. Run Visual Protect, press the Try button.
3. Dump the file with any tool (for example LordPE).
4. Search in the dump for the string vp100 (for other programs, a different string).
5. In Visual Protect select "create new project", in "crypto string" set the value vp100, trial restrictions - 30 executables, select any exe file to protect and save the project as visualprotect.vpj.
6. On the command line run GLCmd.exe with the options: GLCmd.exe -a g -p visualprotect -r UserName -x 01.01.2010
Press Try in the message box and you will have visualprotect.vpl, a license with expiration date 01.01.2010. Copy the created license into the working directory of VisualProtect and start it.
#9
Hi bukkake,
I enjoyed reading your solution for unpacking Visual Protect. But almost at the final steps I got stuck. You said: "Delete the thunk at RVA 00083818". OK, I have this thunk and I can delete it. Then you said: "double click thunk RVA 003B00E0". Unfortunately I don't have this thunk and I don't know what to do. Instead I have 2 other invalid thunks, which are:
1- 000836B8 (has 65 invalid imports)
2- 000830D0 (has 25 invalid imports)
In short, I have 3 invalid FThunks that I don't know what to do with:
1- 000836B8
2- 000830D0
3- 00083818
The last one will be deleted. So what to do with the other ones? Also the address you mentioned can't be found, I mean (003B00E0). By the way, let me know how you know that we have to delete 00083818 and why we should search for (003B00E0). I need some explanation. Could you please let me know what your configuration in ImpREC is? I look forward to hearing from you.
Regards, Android.
#10
Quote:
You asked me on the AR forums today how to fix the remaining unresolved pointers. It's easy to find the correct imports (kernel32 and user32). When I finish my current pending work I'll post steps on the AR forums on how to correct the invalid imports. I have attached my fixed IAT so that you can compare. Target runs clean. Regards.
#11
Another quick way to get the OEP:
Press Shift+F9 16 times till you get the nag dialog. Press the Try button and Shift+F9 till the target runs. Now look in the Stack window. Scroll down till you see:
0012F6B8 00B63BC4 ASCII "Finalizing 0x0047CAE0"
So the OEP is 47CAE0. OK, restart the target in Olly. Ctrl+G and type 47CAE0. Right-click and Breakpoint -> Hardware, on execution. Now repeat Shift+F9 till the nag dialog, and after clicking the Try button, Shift+F9 2 times and you're at the OEP.
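The "Finalizing 0x..." marker above and the VA/RVA pair in post #4 (OEP 0047CAE0 in OllyDbg, entered as 7CAE0 in ImportRec) can be checked from a dump file without re-running the target. The script below is an added example for this thread, not code from the posters or from Visual Protect: it reads ImageBase from the dump's PE header, scans the dump for the marker string, and converts each VA it finds to the RVA that ImportRec expects. Two things are assumptions rather than facts the thread establishes: that the marker always has the exact form "Finalizing 0x" followed by eight hex digits, and that ImageBase is 0x400000 (inferred from the 0047CAE0/7CAE0 pair). The sample dump it builds is constructed inline (a minimal PE32 header plus the marker string), not a real StormPredator dump.

```python
"""Find 'Finalizing 0x<VA>' OEP markers in a dump and convert them to RVAs.

Added example for this thread, not Visual Protect's or the posters' code.
Assumptions (not established by the thread): the marker always has the exact
form 'Finalizing 0x' followed by eight hex digits, and the dump starts with the
target's PE header so ImageBase can be read from it.
"""
import re
import struct
from typing import List, Tuple

# Marker seen on the stack in the post: ASCII "Finalizing 0x0047CAE0"
FINALIZING_RE = re.compile(rb"Finalizing 0x([0-9A-Fa-f]{8})")


def image_base_from_pe(data: bytes) -> int:
    """Read ImageBase from the optional header of a PE32 or PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header at offset 0")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    opt = e_lfanew + 4 + 20          # skip signature and IMAGE_FILE_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:               # PE32: ImageBase is a DWORD at +28
        return struct.unpack_from("<I", data, opt + 28)[0]
    if magic == 0x20B:               # PE32+: ImageBase is a QWORD at +24
        return struct.unpack_from("<Q", data, opt + 24)[0]
    raise ValueError(f"unknown optional header magic {magic:#x}")


def find_oep_markers(data: bytes) -> List[int]:
    """Return every VA announced by a 'Finalizing 0x<VA>' string, in file order."""
    return [int(m.group(1), 16) for m in FINALIZING_RE.finditer(data)]


def oep_candidates(data: bytes) -> List[Tuple[int, int]]:
    """Pair each marker VA with the RVA ImportRec wants (VA - ImageBase).

    VAs below ImageBase cannot belong to this image and are dropped.
    """
    base = image_base_from_pe(data)
    return [(va, va - base) for va in find_oep_markers(data) if va >= base]


def build_sample_dump() -> bytes:
    """Constructed sample (not a real StormPredator dump): a minimal PE32 header
    with ImageBase 0x400000 (assumed), followed by the marker quoted in the post."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                  # e_lfanew
    file_hdr = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)                  # packer stub EP, not the OEP
    struct.pack_into("<I", opt, 28, 0x400000)                # ImageBase (assumed)
    body = b"\0" * 64 + b"Finalizing 0x0047CAE0\0" + b"\0" * 32
    return bytes(dos) + file_hdr + bytes(opt) + body


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_dump()
    for va, rva in oep_candidates(data):
        print(f"marker VA {va:08X} -> RVA {rva:X} (enter this as the OEP in ImportRec)")
```

Run it as `python find_oep.py dump.bin`; with no argument it scans the constructed sample and reports VA 0047CAE0 -> RVA 7CAE0. The marker is only a hint: set the hardware breakpoint at that VA as the post describes and confirm the code there looks like a real entry point before dumping.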