svkp dumping problem
Hi again
I'm unpacking an SVKP target. I have found the OEP and am just about to dump, but Olly can't grab the process to dump it, and the same goes for LordPE. Is there a way around this? Edit: PEiD reports SVKP v1.3, btw. /SvensK |
Olly can dump
The Olly plug-in can dump.
Can you tell me how to find the OEP with OllyDbg? |
Hi,
What is the name of the program? |
The program is Download Accelerator Plus v7.0.
Direct d/l URL: hxxp://download.speedbit.com/dap7.exe
Edit: And no, of course Olly's dump plug-in couldn't dump it. That's why I mentioned it.
Edit2: Finding the OEP is a piece of cake.
1. Just load the exe in PEiD, get the OEP from the Generic OEP Finder and write it down.
2. Load the exe in Olly, scroll down to the OEP, right-click the code and Follow Selection in Dump.
3. Right-click the first byte of the OEP in the Dump and set a hardware breakpoint (BPH) on write, Byte.
4. Press F9 and see the first byte in the dump change to 55.
5. Scroll down to the OEP again and press F2 while on the 55.
6. Press F9 again and you're at the OEP.
7. This is where you wanna dump.
If you know how to rebuild the IAT, please lemme know. |
OllyDump v2.20.108
name:OllyDump v2.20.108
You can search for it with google.com. |
maybe
Maybe prodump can; I dumped with prodump and can see some resources, but cannot run it. |
@SvensK
Thanks for the info you have posted, most handy :) Could you post a bit of info about IAT rebuilding, or PM me? Thanks, R@dier |
Re: maybe
Quote:
Edit: To R@dier - I was hoping to get some help myself. :) |
PEiD is wrong; your OEP should be 4c7b90 or close to
it. This is, I think, why you are having a hard time. |
This is my first encounter with this protection. I did
download the latest version and protected one of my programs with it, and I did unpack it correctly, but this is a demo version of the protection. Tonight I will try to unpack your program. Regards |
OK, thanks for your feedback, britedream.
As you might have guessed, this is also my first time working with svkp :) |
@SvensK
LOL, I misread your post about the IAT, hehehe. I will take a look tonight at this protector as well; I have never seen it before, so it should be interesting ;) Best Regards, R@dier |
Hi,
There is a difference between the demo and the registered version. In the demo, once I stop on the stack breakpoint, EAX shows the OEP, and by setting a BPM on the code section it stops on the OEP, while in the registered version, once it stops on the stack breakpoint, EAX shows packer code, and if you BPM on the code section it stops there, but with stolen bytes, as in our case, it stops at 4c7b90 with many NOPs above it. If you read the packer's features it says, among other things, "Possibility to move code from entry point", so we truly need the packer's registered version to confirm this and make things easier for us to find the stolen bytes, if any. britedream |
Hello Everybody,
For SVKP we have to recover the program bytes ripped from the execution of the program, and some from stack manipulation. Stack manipulation start address --> 0xEB6B385 & end address --> 0xEB6C82D. If somebody wants to practice Evaluator's excellent pseudo-code exercise at Woodmann's forum, have a look at it. The URL for it: hxxp://66.98.132.48/forum/showthread.php?t=4805
I have tried to recover the bytes but it's not perfect.
Code:
:004C7B26 55 PUSH EBP
Code:
:004C7B46 57 PUSH EDI
Code:
:004C7B56 50 PUSH EAX
R@dier / SvensK / Everybody: You can use Gaia's / Zilot's excellent Import REC plugin, which will find the majority of the APIs; some 7 or 10 not found we need to find manually. more later... Regards, Sope. |
The jmp from the packer to 4c7b90: I found it to be
jmp dword ptr ss:[esp-4] |
That looks about right britedream, ImpREC finds the IAT just fine after dumping at that OEP you mentioned.
Still 23 unresolved pointers after Trace Level 1, but it's a start. Thanks |
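The "23 unresolved pointers after Trace Level 1" above are IAT slots whose value is not the start of any exported function. As an added example, not code from this thread or from ImpREC, the script below does the resolution step an import rebuilder performs: it walks a dumped IAT as little-endian DWORDs, looks each pointer up in a module map, and classifies what it cannot resolve as either "in-module" (inside a DLL but not at an export, the usual sign of a redirected thunk) or "outside" (no loaded module at all, i.e. a packer stub that has to be traced by hand, as Sope says). Every address, module size and export name here is constructed sample data, not real DAP, kernel32 or msvcrt values.

```python
"""Resolve a dumped IAT against a module map and classify unresolved slots.

Added example; all addresses below are constructed, not real values.
"""
import struct

# Constructed module map: name -> (base, size, {export_va: export_name}).
MODULES = {
    "kernel32.dll": (0x7C800000, 0xF6000, {
        0x7C801D7B: "LoadLibraryA",
        0x7C80AE40: "GetProcAddress",
        0x7C80B741: "GetModuleHandleA",
    }),
    "msvcrt.dll": (0x77C10000, 0x58000, {
        0x77C3A7E5: "__set_app_type",
        0x77C39FD0: "__p__fmode",
        0x77C3A0C2: "__p__commode",
    }),
}

# Constructed IAT as it would appear in a dump (little-endian DWORDs).
# Slot 7 points into memory owned by no module (a packer stub);
# slot 8 points inside kernel32 but not at an export start.
IAT_BYTES = struct.pack("<8I",
    0x7C801D7B, 0x7C80AE40, 0x77C3A7E5, 0x77C39FD0,
    0x77C3A0C2, 0x7C80B741, 0x00AB6000, 0x7C80AE50)


def resolve_iat(iat_bytes, modules):
    """Return one dict per IAT slot: ptr, module, name and status.

    status is "ok" (export start), "in-module" (inside a DLL but not an
    export; a redirected or mid-function thunk) or "outside" (not in any
    loaded module; a packer stub that must be traced).
    """
    results = []
    for (ptr,) in struct.iter_unpack("<I", iat_bytes):
        entry = {"ptr": ptr, "module": None, "name": None, "status": "outside"}
        for mod, (base, size, exports) in modules.items():
            if ptr in exports:
                entry.update(module=mod, name=exports[ptr], status="ok")
                break
            if base <= ptr < base + size:
                entry.update(module=mod, status="in-module")
                break
        results.append(entry)
    return results


def unresolved(results):
    """The slots an import rebuilder would report as not found."""
    return [r for r in results if r["status"] != "ok"]


if __name__ == "__main__":
    res = resolve_iat(IAT_BYTES, MODULES)
    for r in res:
        print("%08X  %-9s  %s" % (r["ptr"], r["status"],
                                  r["name"] or r["module"] or "-"))
    print("%d unresolved" % len(unresolved(res)))
```

Feeding it a real dump means replacing MODULES with the export tables of the DLLs actually loaded in the target (what a debugger's module list gives you) and IAT_BYTES with the bytes between the IAT start and end ImpREC reports; the classification is what decides whether a slot needs tracing or is simply a non-export pointer the packer left behind.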
The code at ab89c4 is the one that fills out that area and puts
909090... in there. The main thing is the missing code; for the IAT in the demo version I copied the original along with the sections it needs, and it worked fine. So I don't think the IAT is going to be a problem. |
In programs packed by the demo, I found out that breaking at mov dword ptr ds:[edi],eax in the packer code,
and following the [edi] address in the dump, will get you the whole IAT nice and clean. So copying that and pasting it back once you stop on the OEP, ImportREC will solve it all. I tested it with the IAT from the program before protecting it, and both are exactly the same. So as I said before, for us to unpack your program we need the packer's registered version to learn from. britedream |
1 Attachment(s)
Hi
I managed to unpack SVKP 1.3. I wanted to check the info gained from the SVKP demo, so I downloaded a program called Formik, protected by SVKP 1.3, and I did unpack it. So, if you want to check this one, here is the info: OEP = 4d5af8, dump at the OEP. Here is my IAT. britedream |
1 Attachment(s)
To SvensK:
Here is the IAT for DAP: |
Very nice work britedream :)
I've set the project aside for a while to play with PCGuard v5, but I'll check those IATs and get back to you. Regards |
What about making DAP registered? I see that even if you unpack it there are still many limitations while it's unregistered! If someone knows how to patch this registration scheme I will be really appreciative, and we can have a DAP registered and patched. I know a way to inline patch it so it will be fully functional without an IAT rebuild needed. Information I got so far:
After validating a serial online it creates a file called dapreg.key. This file depends on some machine ID and on the registry key [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ComputerName\ComputerName] "ComputerName"="........."; it also writes to the registry --> [HKEY_LOCAL_MACHINE\Software\SpeedBit\Registration] "DAP7"="........". Maybe we can find a way to make it work on all OSes using a similar dapreg.key. I tried in WinXP using a key that was registered in Win9x (same PC) but it didn't work, even though the computer name is the same, so it depends on something else I guess. If someone knows where and how to defeat the registration (MD5), post your results here explaining HOW and I'll tell you how to inline patch it... I don't want to give more details about it because I know the authors are reading this :p so please don't ask me. Regards! |
To SvensK:
I did unpack DAP; here is the info: the OEP and IAT were given earlier, but the stolen bytes are:
004C7B2A > $ 55                   PUSH EBP
004C7B2B . 64:8925 00000000       MOV DWORD PTR FS:[0],ESP
004C7B32 . 83EC 68                SUB ESP,68
004C7B35 . 64:FF35 00000000       PUSH DWORD PTR FS:[0]
004C7B3C . 8965 E8                MOV DWORD PTR SS:[EBP-18],ESP
004C7B3F . 33DB                   XOR EBX,EBX
           mov dword ptr ss:[ebp-4],ebx        ; [missed]
004C7B41 . FF15 70204E00          CALL NEAR DWORD PTR DS:[<&msvcrt.__set_app_type>] ; msvcrt.__set_app_type
           pop ecx                             ; [missed]
004C7B47 . 830D 703D5300 FF       OR DWORD PTR DS:[533D70],FFFFFFFF
004C7B4E . 830D 743D5300 FF       OR DWORD PTR DS:[533D74],FFFFFFFF
004C7B55 . FF15 6C204E00          CALL NEAR DWORD PTR DS:[<&msvcrt.__p__fmode>] ; msvcrt.__p__fmode
004C7B5B . 8B0D 3C3A5300          MOV ECX,DWORD PTR DS:[533A3C]
004C7B61 . 8908                   MOV DWORD PTR DS:[EAX],ECX
004C7B63 . FF15 34204E00          CALL NEAR DWORD PTR DS:[<&msvcrt.__p__commode>] ; msvcrt.__p__commode
004C7B69 . 8B0D 383A5300          MOV ECX,DWORD PTR DS:[533A38]
004C7B6F . 8908                   MOV DWORD PTR DS:[EAX],ECX
004C7B71 . A1 3C204E00            MOV EAX,DWORD PTR DS:[<&msvcrt._adjust_fdiv>]
           mov eax,dword ptr ds:[eax]          ; [missed]
004C7B76 . A3 6C3D5300            MOV DWORD PTR DS:[533D6C],EAX
At address 48bc63: push 48bd65, retn.
Copy section 00C00000 from the original file to the unpacked one and SVKP 1.3 will be history. britedream Regards |
To crk
Please check this:
set address 533350 = 1
address 48c6dd: jnz ---> jmp
save changes
[note] There are many references to 533350; I only gave the one that takes "unregistered" out of the About menu, so check them and choose. |
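Applying the two edits above to the file on disk means translating each virtual address through the PE section table to a file offset, and it is worth confirming the opcode at 48c6dd really is a JNZ before overwriting it, since "jnz ---> jmp" is a different byte change for a short JNZ (75 rel8 becomes EB rel8) than for a near one (0F 85 rel32 becomes 90 E9 rel32). The script below is an added example, not britedream's or anyone else's code from this thread: it parses only the PE32 fields it needs, converts VA to offset using raw sizes (bytes present in memory but not in the file cannot be patched on disk), verifies the opcode, and applies both patches. The PE it operates on is a constructed minimal image built in memory so the script runs offline; the two addresses are the ones from the post, but the image base of 0x400000, the section layout and the bytes at those addresses are assumptions, not DAP's real layout.

```python
"""VA-to-file-offset translation and opcode-checked patching of a PE32.

Added example; the sample PE is constructed in memory and its layout
(image base 0x400000, two 4 KB sections) is an assumption, not DAP's.
"""
import struct

IMAGE_BASE = 0x00400000          # assumed image base for the sample
FLAG_VA = 0x00533350             # "set address 533350 = 1" from the post
JNZ_VA = 0x0048C6DD              # "address 48c6dd: jnz ---> jmp" from the post


def parse_pe(pe):
    """Return (image_base, [(name, va, vsize, rawsize, rawptr), ...])."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        raise ValueError("only PE32 images are handled here")
    image_base = struct.unpack_from("<I", pe, opt + 28)[0]
    sections = []
    for i in range(nsec):
        off = opt + opt_size + 40 * i
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, rawsize, rawptr = struct.unpack_from("<4I", pe, off + 8)
        sections.append((name, va, vsize, rawsize, rawptr))
    return image_base, sections


def va_to_offset(pe, va):
    """Map a virtual address to a file offset via the section table."""
    image_base, sections = parse_pe(pe)
    rva = va - image_base
    for name, sva, vsize, rawsize, rawptr in sections:
        # Use the raw size: a VA past it exists in memory, not in the file.
        if sva <= rva < sva + rawsize:
            return rawptr + (rva - sva)
    raise ValueError("VA %#x is not backed by file data" % va)


def patch_jnz_to_jmp(pe, va):
    """Turn the JNZ at va into an unconditional JMP of the same length."""
    off = va_to_offset(pe, va)
    if pe[off] == 0x75:                    # short JNZ rel8
        pe[off] = 0xEB                     # short JMP rel8
        return "short"
    if pe[off:off + 2] == b"\x0f\x85":     # near JNZ rel32
        pe[off:off + 2] = b"\x90\xe9"      # NOP + near JMP rel32
        return "near"
    raise ValueError("byte at %#x is %#04x, not a JNZ; wrong VA or offset"
                     % (va, pe[off]))


def set_dword(pe, va, value):
    """Write a little-endian DWORD at va; returns the file offset used."""
    off = va_to_offset(pe, va)
    struct.pack_into("<I", pe, off, value)
    return off


def apply_dap_patch(pe):
    """Both edits from the post, applied to a bytearray image."""
    return {"jump_form": patch_jnz_to_jmp(pe, JNZ_VA),
            "flag_offset": set_dword(pe, FLAG_VA, 1)}


def build_sample_pe():
    """Constructed minimal PE32: .text at RVA 0x8C000 (file 0x400) and
    .data at RVA 0x133000 (file 0x1400), each 0x1000 bytes, so that both
    VAs from the post fall inside a section. Sample bytes only."""
    pe = bytearray(0x2400)
    pe[0:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, 0x40)             # e_lfanew
    pe[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HH", pe, 0x44, 0x14C, 2)        # i386, 2 sections
    struct.pack_into("<H", pe, 0x54, 0xE0)             # SizeOfOptionalHeader
    struct.pack_into("<H", pe, 0x58, 0x10B)            # PE32 magic
    struct.pack_into("<I", pe, 0x58 + 28, IMAGE_BASE)  # ImageBase
    sec = 0x58 + 0xE0
    for i, (name, va, rawptr) in enumerate(
            [(b".text", 0x8C000, 0x400), (b".data", 0x133000, 0x1400)]):
        off = sec + 40 * i
        pe[off:off + 8] = name.ljust(8, b"\0")
        struct.pack_into("<4I", pe, off + 8, 0x1000, va, 0x1000, rawptr)
    # Sample code: a short JNZ +0x10 at 48c6dd; the flag at 533350 is 0.
    off = 0x400 + (JNZ_VA - IMAGE_BASE - 0x8C000)
    pe[off:off + 2] = b"\x75\x10"
    return pe


if __name__ == "__main__":
    import sys
    data = (bytearray(open(sys.argv[1], "rb").read()) if len(sys.argv) > 1
            else build_sample_pe())
    print(apply_dap_patch(data))
    if len(sys.argv) > 1:
        open(sys.argv[1] + ".patched", "wb").write(data)
```

Run with a path to patch a real dump into a `.patched` copy, or with no arguments to exercise the constructed image. Because the opcode check raises instead of writing, running it twice on the same file, or with a wrong image base, fails loudly rather than silently corrupting an instruction.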
Hello britedream
I have a few questions if you don't mind.
(1) Can you clarify how you found the missing APIs E1170 / E117C / E1180 / E118C / E1198 / E1224 / E124C? I was able to find E117C, i.e. LoadLibraryA, but the rest I was not able to identify. I need to understand how you got the true API.
(2) > at address :48bc63 = push 48bd65 ,retn
Do you mean we have to assemble the bytes, or do we have to reach up to 0x7CFAF9 where we see Push 48BD65 & a Ret?
(3) > copy section 00C00000 from original file to the unpacked
I don't see any such section; below are the sections I can see. Which part are you mentioning?
Code:
Number Name VirtSize RVA PhysSize Offset Flag
How did you find the stolen bytes? From which part of the code did you work them out and put them back at the required offset? Regards, Sope. |
My pleasure, but your list is long, so I will try to be short.
1. Set a breakpoint on 00ab4fa4, and you will see the APIs stored in the IAT; the ones that don't show, trace, and they will be in the trace, easily identified.
2. At address 48bc63 you will find pushad; replace it with push 48bd65 and retn to jump to 48bd65.
3. View memory when the original program is running and you will see the 00C00000 image base with size 16000.
4. When you stop on the stack breakpoint, look at EAX; if you see an address that is within the code section, that will be your OEP; if not, then that is the address where you should be looking for the stolen bytes.
Regards. britedream |
Hello britedream,
Thank you for all the clarification of my doubts. I'll dig into it & try to understand the stuff. We all have understood a lot about svkp now. :) Regards, Sope. |
Clarification:
For the gentlemen who asked: for copying the region back from the original to the dump, I didn't mean that you paste it; I meant inline patch it to read it back. This is just trying to avoid the protection, but you can do it in other ways. regards |
I absolutely don't know anything about SVKP, but once DAP7 is dumped, could we go through the code and patch each single limitation? I mean, I haven't looked into the dump yet, but I think it would be something like
jne (address of Registered)
push (text of "This Feature is only available to registered users")
call ("Message box to pop up")
I may be wrong... please tell me if so. |
Britedream
I hope you will let me get to know more about you; how pleased I am to make your acquaintance and stay in touch with you. These are words I wrote in a hurry. God willing, we will meet soon. Your brother, Abu Abdullah, Saudi Arabia |
CRACKSARABICz:
As I said in your other post: apparently you missed or are ignoring the directions for this forum, which state "English only." Regards, |