Exetools  

  #1  
Old 09-10-2004, 09:42
Spotted Horse
Visual Protect

I have a target that is protected with Visual Protect and I haven't found very much info on unpacking it. If someone could point me in the right direction I would be most grateful.

I found one tut on unpacking with TRW, and I'm using Olly.
  #2  
Old 09-10-2004, 10:01
bukkake
I have a tut for OllyDbg, but it's in French. I'll upload it if you want it; it's easy to understand, the screenshots explain everything. If not, post the target here, I'm sure someone will write one for you or guide you on how to unpack it.
  #3  
Old 09-10-2004, 10:52
Spotted Horse
Thanks

I can't download it if you post it here (the tut), I don't have enough posts to make downloads!

The target is StormPredator; it can be downloaded from here: h**p://www.stormpredator.com

Many thanks bukkake
  #4  
Old 09-10-2004, 11:22
bukkake
Must be your lucky day: the tut I have is for an old version of StormPredator, but it still works for the new version, I just tried it.
Since you can't download, I'll try to explain here.
Run Olly, and set it like this (Options->Debugging options):
In SFX: "Trace entry real blockwise", and enable "Pass exceptions to SFX extractor"

Load the target, press F9, you get that "Visual Protect trial" box, click the "try" button, then let OllyDbg trace it; it will land on the EOP (0047CAE0), then dump the target.

Start ImportRec, enter the EOP (7CAE0), then press "Get import", then "Show invalid", then click "Autotrace"; it will take a few seconds, so just be patient. Delete the thunk at RVA 00083818, double click thunk RVA 003B00E0, choose module "kernel32.dll", then scroll down to "Kernel32.GetProcAddress" (should be "ord:0191"), select it, then click OK. Then click "Fix dump" and choose the file you dumped with OllyDbg. Target unpacked and no more nag window.
  #5  
Old 09-10-2004, 14:06
nikkov
I made a license for VisualProtect itself and XNView DeLuxe (first version).
It's very easy and needs only VisualProtect, that's all!!!
  #6  
Old 09-10-2004, 23:57
Spotted Horse
I have a bug in Windows XP and ImpREC gives me a message that it can't run the tracer!?!?!? I followed your post to a tee, but this damn Windows XP is the biggest pain in the ass after you have had a virus in the system!!! SnagIt, Evidence Eliminator, Internet Explorer (I'm running Opera) and 4 other programs have the same problem as ImpREC... they don't run right!

Thanks a million for the tut bukkake, it's just turned out to be a waste of time for us all until I get Windows fixed.
  #7  
Old 09-11-2004, 06:38
TmC
nikkov... can you explain how you make licenses? Do you have a tutorial or so?
  #8  
Old 09-14-2004, 12:01
nikkov
Quick instructions for generating a VisualProtect license.

1. Download Visual Protect itself.
2. Run Visual Protect, press the Try button.
3. Dump the file with any tool (for example LordPE).
4. Search the dump for the string vp100 (for other programs, another string).
5. In Visual Protect select "create new project",
in "crypto string" set the value vp100, trial restrictions - 30 executables,
select any exe file to protect and save the project as visualprotect.vpj.
6. On the command line run GLCmd.exe with these options:

GLCmd.exe -a g -p visualprotect -r UserName -x 01.01.2010

Press Try in the MessageBox and you will have visualprotect.vpl, a license
with expiration date 01.01.2010.
Copy the created license into the VisualProtect working directory and start it.
  #9  
Old 09-15-2004, 15:35
Android
Hi bukkake,
I enjoyed reading your solution for unpacking Visual Protect.
But almost at the final steps I got stuck.

You said:
"Delete the thunk at RVA 00083818"
OK, I have this thunk and I can delete it.
Then you said:
"double click thunk RVA 003B00E0"
Unfortunately I don't have this thunk and I don't know what to do.
Instead I have 2 other invalid thunks, which are

1-000836B8 (Has 65 invalid imports)
2-000830D0 (Has 25 invalid imports)

In short, I have 3 invalid FThunks that I don't know what to do with:

1-000836B8
2-000830D0
3-00083818

The last one will be deleted.
So what to do with the other ones?
Also the address you mentioned can't be found.
I mean (003B00E0).

By the way, let me know how you know that we have to delete 00083818
and why we should search for (003B00E0).

I need some explanation.

Could you please let me know what your configuration in ImpREC is?

I look forward to hearing from you.
Regards,
Android.
  #10  
Old 09-17-2004, 14:31
ferrari
Quote:
Originally Posted by Android
Hi bukkake,
Instead I have 2 other invalid thunks, which are

1-000836B8 (Has 65 invalid imports)
2-000830D0 (Has 25 invalid imports)
@Android,

You asked me on AR forums today how to fix the remaining unresolved pointers. It's easy to find the correct imports (Kernel32 and User32). When I finish my current pending work, I'll post steps on AR forums on how to correct the invalid imports. I have attached my fixed IAT so that you can compare. Target runs clean.

Regards.
Attached Files: iat.txt (18.1 KB)
  #11  
Old 09-17-2004, 14:58
ferrari
Another quick way to get OEP:

Press Shift+F9 16 times till you get the NAG dialog. Press the Try button and Shift+F9 till the target runs. Now look in the Stack window. Scroll down till you see:

0012F6B8 00B63BC4 ASCII "Finalizing 0x0047CAE0"

So OEP is 47CAE0. OK, restart the target in Olly. Ctrl+G and type 47CAE0. Right click and Breakpoint -> Hardware, on execution. Now repeat Shift+F9 till the NAG dialog, and after clicking on the Try button press Shift+F9 2 times and you are at OEP.