Exetools  

  #1  
11-23-2003, 09:50
SvensK
svkp dumping problem

Hi again

I'm unpacking a svkp target and I have found the OEP and am just about to dump, but Olly can't grab the process to dump it. And the same goes for LordPE.

Is there a way around this?

Edit: PEiD reports svkp v1.3 btw

/SvensK
#2
11-26-2003, 12:24
seee
olly can dump

The plug-in of Olly can dump.
Can you tell me how to find the OEP with OllyDbg?
#3
11-27-2003, 02:02
britedream
Hi,
What is the name of the program?
#4
11-27-2003, 03:10
SvensK
The program is Download Accelerator Plus v7.0.

Direct d/l url: hxxp://download.speedbit.com/dap7.exe

Edit: And no, of course Olly's dump plug-in couldn't dump it. That's why I mentioned it.

Edit2: Finding the OEP is a piece of cake.
1. Just load the exe in PEiD and get the OEP from the Generic OEP Finder and write it down.
2. Load the exe in Olly and scroll down to the OEP, right-click the code and Follow Selection in Dump.
3. Right-click the first byte of the OEP in Dump and set a BPH on write, Byte.
4. Press F9, see the first byte in the dump changed to 55.
5. Scroll down to OEP again and press F2 while on the 55.
6. Press F9 again and you're at the OEP.
7. This is where you wanna dump.

If you know how to rebuild the IAT, please lemme know.

Last edited by SvensK; 11-27-2003 at 03:28.
#5
11-27-2003, 09:07
seee
OllyDump v2.20.108

Name: OllyDump v2.20.108.
You can search for it with google.com.
#6
11-27-2003, 09:10
seee
maybe

Maybe ProDump can. I dump with ProDump, and can see some resources, but cannot run it.
#7
11-27-2003, 12:57
R@dier
@SvensK

Thanks for the info you have posted,
Most Handy

Could you post a bit of info about IAT rebuilding or PM me

Thanks

R@dier
#8
11-27-2003, 18:59
SvensK
Re: maybe

Quote:
Originally posted by seee
Maybe ProDump can. I dump with ProDump, and can see some resources, but cannot run it.
You must be seriously retarded giving me tips like that.

Edit: To R@dier - I was hoping to get some help myself.

Last edited by SvensK; 11-27-2003 at 19:03.
#9
11-27-2003, 20:14
britedream
PEiD is wrong; your OEP should be 4c7b90 or close to
it. This is, I think, why you are having a hard time.
#10
11-27-2003, 22:51
britedream
This is my first encounter with this protection. I did
download the latest version and protected one of
my programs with it, and I did unpack it correctly, but
this is a demo version of the protection. Tonight I
will try to unpack your program.
regards

Last edited by britedream; 11-28-2003 at 23:29.
#11
11-28-2003, 00:40
SvensK
Ok, thanks for your feedback britedream.
As you might have guessed, this is also my first time working with svkp.
#12
11-28-2003, 13:02
R@dier
@SvensK
LOL, I misread your post about IAT hehehe.

I will take a look tonight at this protector as well,

I have never seen it before, so it should be interesting.


Best Regards

R@dier
#13
11-28-2003, 21:09
britedream
Hi,

There is a difference between the demo and the registered version. In the demo, once I stop on the stack breakpoint, EAX shows the OEP, and by setting a BPM on the code section it stops on the OEP, while in the registered version, once it stops on the stack breakpoint, EAX shows packer code, and if you BPM on the code section it stops there, but with stolen bytes as in our case, it stops at 4c7b90 with many NOPs above it. If you read the packer features it says, among other things, "Possibility to Move code from entry point", so we truly need the
packer registered version to confirm this, and make things easier for us to find the stolen bytes if any.

britedream

Last edited by britedream; 12-02-2003 at 16:22.
#14
11-28-2003, 23:01
sope2001
Hello Everybody,

For svkp we have to recover program bytes ripped from the execution of the program, and some from stack manipulation.

Stack manipulation start address --> 0xEB6B385 & end address --> 0xEB6C82D

If somebody wants to practice Evaluator's excellent pseudo-code exercise at Woodmann's forum, they can have a look at it. The URL for it: hxxp://66.98.132.48/forum/showthread.php?t=4805

I have tried to recover the bytes but it's not perfect.

Code:
:004C7B26  55                  PUSH      EBP
:004C7B27  8BEC                MOV       EBP,ESP
:004C7B29  6AFF                PUSH      FF      
:004C7B2B  6840534F00          PUSH      004F5340
:004C7B30  68AE7C4C00          PUSH      004C7CAE
:004C7B35  64FF3500000000      PUSH      DWORD PTR FS:[00000000]
:004C7B3C  64892500000000      MOV       FS:[00000000],ESP
:004C7B43  83EC68              SUB       ESP,68
doubtful

Code:
:004C7B46  57                  PUSH      EDI
:004C7B47  50                  PUSH      EAX
:004C7B48  6800000000          PUSH      00000000
:004C7B4D  57                  PUSH      EDI
:004C7B4E  8965E8              MOV       [EBP-18],ESP
:004C7B51  33DB                XOR       EBX,EBX
:004C7B53  895DFC              MOV       [EBP-04],EBX
might be ok...

Code:
:004C7B56  50                  PUSH      EAX
:004C7B57  6A02                PUSH      02
:004C7B59  FF1570204E00        CALL      [004E2070]
:004C7B5F  59                  POP       ECX
:004C7B60  830D703D5300FF      OR        DWORD PTR [00533D70],-01
:004C7B67  89DB                MOV       EBX,EBX
:004C7B69  830D743D5300FF      OR        DWORD PTR [00533D74],-01
:004C7B70  FF156C204E00        CALL      [004E206C]
:004C7B76  87ED                XCHG      EBP,EBP
:004C7B78  8B0D3C3A5300        MOV       ECX,[00533A3C]
:004C7B7E  8908                MOV       [EAX],ECX
:004C7B80  FF1534204E00        CALL      [004E2034] <-- will call 4C7B90

R@dier / SvensK / Everybody: you can use Gaia's / Zilot's excellent Import Rec plugin, which will find the majority of the APIs; some 7 or 10 not found we need to find manually.

more later...

Regards, Sope.
#15
11-28-2003, 23:23
britedream
The jmp from the packer to 4c7b90 I found to be
jmp dword ptr ss:[esp-4]