Exetools


hobgoblin 06-24-2004 18:29

Tweak XP Pro 3.04
 
Has anyone tried to unpack Tweak XP Pro 3.04 (SVKP-packed) yet? Seems like the "old" way of unpacking SVKP is useless. I have tried to do it, but with no success so far...

hobgoblin

Crk 06-27-2004 00:39

check here:

hxxp://tsrh.watchout.ru/index.php?act=ST&f=3&t=14125&

Now check the attached loader... extract it to the program dir.. hide your debugger. I used SICE for this task... run load it!.exe.. before running it, do bpint3 on your debugger.. when SICE breaks, you'll be at OEP (9090... because of stolen bytes). Write back 90 and do a eip then jmp eip

and dump! this is for full version of 3.0.4 Pro ;)

hobgoblin 06-27-2004 04:00

Hmmm...
 
Doesn't seem to work for me. When I follow your method, Sice breaks in the area 0x8xxxxxxx. Then it reboots my machine. (I'm on XP, Driverstudio 3.1 and IceExt 0.64).
Any good ideas?

regards,

Crk 06-27-2004 09:58

Then something must be wrong with your SICE, or it is not well hidden.. then SICE detection reboots your machine somehow... at OEP there's NOP data 9090909090... the loader will write CC at 00401380

When you do bpint3, SICE should break, and then you'll be able to write back 90, and then you'll be able to dump.. maybe you're trying with the DEMO version?? I wrote this was for the full version.. I haven't tried with the DEMO.. the OEP location must be different for it. :eek:

Anyway, you can try any other method to reach OEP and dump.. now you know where the OEP is :D

britedream 06-27-2004 23:33

1 Attachment(s)
I have an old script for svkp. Try to use it, and don't pay attention to the msg. displayed; it isn't meant for vb targets. Try it. Here it is.

BetaMaster 06-28-2004 00:44

@Crk, are you saying that you have dumped a working executable of the program? If so, I'd like to have it.

hobgoblin 06-28-2004 03:13

So do I...
 
So do I. :)
I can't get a dump as described, and britedream's script didn't work either. The reason I wanted to dump it was to take a closer look at the protection that lies in the program code itself. As far as I understand, the program is protected by a strong protection (hash code) to prevent any changes in the code. That's interesting. So if you have a dump, I would love to get my hands on a copy. :)

regards,
hobgoblin

BetaMaster 06-28-2004 04:09

Quote:

Originally Posted by hobgoblin
So do I. :)
I can't get a dump as described, and britedream's script didn't work either. The reason I wanted to dump it was to take a closer look at the protection that lies in the program code itself. As far as I understand, the program is protected by a strong protection (hash code) to prevent any changes in the code. That's interesting. So if you have a dump, I would love to get my hands on a copy. :)

regards,
hobgoblin

External hash, code injection, visual basic 6 crap, encrypted segments, advanced antidebugging, very long license with more than 12 long long attributes, online serial check, and online bad serial check. What more do you need?

hobgoblin 06-28-2004 04:22

Well,
 
Is that all? :)
Just kidding. Your answer gives me the info I need.
I just don't want to spend my time on a bastard like this one.
I'm going back to studying the new Asprotect instead.....

regards,
hobgoblin

Crk 06-28-2004 07:31

Here it is... it just misses the IAT. Use Imprec for the IAT :D

You can use some PE realigner and PE fixer on it.. just in case

BetaMaster 06-28-2004 07:41

Quote:

Originally Posted by Crk
Here it is... it just misses the IAT. Use Imprec for the IAT :D

You can use some PE realigner and PE fixer on it.. just in case

you say it as if it is trivial! :p

well body, why don't you do the IAT fix too, I am sure that you'll know then that you haven't taken a step yet.

Crk 06-28-2004 07:51

attached... :)

BetaMaster 06-28-2004 16:04

Hmmm, thanks... nice work, but where did the ordinal at rva 1094 go? I think Real|sty is stuck with the same entry. OK, I'll try to find it by myself.

Thanks again Crk for the dump and the IAT tree file.

Crk 06-28-2004 21:41

Can't find it either.. :( Maybe it is invalid, to fool with us??? If invalid, then just nop it

Crk 07-01-2004 10:00

OK... after analyzing the working IAT for v2.07 I found out that the missing one is DllFunctionCall... I could be wrong.. but correct me anytime if I'm mistaken... attached are the new dumps, including the added IAT + IAT tree for the new and old versions.

Btw, the app still always crashes at the same offset... I believe this must be a crc check :o

Btw, I used 0000137A as OEP to get the IAT for v3.0.4 :p

