#1

My previous method to dump this app was wrong ... I think my brain is a little toasted from using too much info.
hehehehe ... for someone who still wants to dump this app, just use the attached patch on the original Tweak-xp.exe file. Note that I used this for the full version exe file ... I don't know if the DEMO is the same or has the same RVA locations. This will write an infinite loop (EBFE) to 0040137A (first API), because where the OEP should be there are 909090 bytes ... these bytes are not used or read by the program in any way. SVKP simulates these stolen bytes used for the OEP, then it will directly jump/go to 0040137A, the first API call after the OEP for VB applications. Then open LordPE, look for the PID process, hit Correct ImageSize, as in the attached/included screenshot. Now you're ready to make a nice, fully decrypted/working dump without using any debugger. Remember to write back the bytes FF25 at 0040137A, then fix the IAT.

#2

Yes, I dumped the demo version from the site. Also remember that the first call you stop on is ThunRTMain, so below that just find the string VB5!6; this is the address for the push. As for the DLL, as I said before, just create a DLL named special.dll, make one exported function named SVKP_KillDebugger,
and make another function to grab the PID, get the address of CryptVerifySignature, and write to that address something like mov eax, 01 / retn 18. Also a note: if your dumped file isn't the same name as the original program, change it to that.

Last edited by mtw; 07-02-2004 at 23:38.

#3

@mtw, may I ask you to implement your theory?

#4

Implement what: how to dump it, or how to bypass the security checks in the unpacked exe?

#5

@mtw, your ideas sound very good .. but I'm trying to let you know that I have no idea how to do this ... maybe you can attach here a sample dll with a little extra info added, which will try to explain how exactly to do this, with an injected code example of course.

Regards

#6

Here is the Delphi src for the dll and the compiled dll.

#7

@Crk, I used your patch, created a dump and fixed the stolen bytes and the planted infinite jump, but how can you verify whether this is a working dump or not? For me it crashes at 1328e [ModName: msvbvm60.dll
ModVer: 6.0.92.37 Offset: 0001328e]. Is this normal? Also I have used the external signature faker (special.dll) by mtw (btw, thanks again mtw), but that leads nowhere!! Have any of you got another "valid" result?

Last edited by BetaMaster; 07-05-2004 at 07:50.