Exetools

Exetools forum, General Discussion: Tweak XP Pro 3.04 (https://forum.exetools.com/showthread.php?t=4499)

hobgoblin 06-24-2004 18:29

Tweak XP Pro 3.04
 
Has anyone tried to unpack Tweak XP Pro 3.04 (SVKP-packed) yet? Seems like the "old" way of unpacking SVKP is useless. I have tried to do it, but with no success so far...

hobgoblin

Crk 06-27-2004 00:39

check here:

hxxp://tsrh.watchout.ru/index.php?act=ST&f=3&t=14125&

now check the attached loader... extract it to the program dir.. hide your debugger. I used SICE for this task... run load it!.exe.. before running it.. do bpint3 in your debugger.. when SICE breaks.. you'll be at the OEP (9090... because of stolen bytes) write back 90 and do a eip then jmp eip

and dump! this is for the full version of 3.0.4 Pro ;)

hobgoblin 06-27-2004 04:00

Hmmm...
 
Doesn't seem to work for me. When I follow your method, Sice breaks in the area 0x8xxxxxxx. Then it reboots my machine. (I'm on XP, Driverstudio 3.1 and IceExt 0.64).
Any good ideas?

regards,

Crk 06-27-2004 09:58

then something must be wrong with your SICE or it is not well hidden.. then SICE detection reboots your machine somehow... at the OEP there's NOP data 9090909090... the loader will write CC at 00401380

when you do bpint3 SICE should break and then you'll be able to write back 90 and then you'll be able to dump.. maybe you're trying with the DEMO version?? I wrote this was for the full version.. I haven't tried with the DEMO.. the OEP location must be different for it. :eek:

anyway you can try any other method to be able to reach the OEP and dump.. now you know where the OEP is :D

britedream 06-27-2004 23:33

1 Attachment(s)
I have an old script for svkp, try to use it, and don't pay attention to the msg. displayed, it isn't meant for vb targets. try it. here it is.

BetaMaster 06-28-2004 00:44

@Crk, are you saying that you have dumped a working executable of the program? if so I'd like to have it.

hobgoblin 06-28-2004 03:13

So do I...
 
So do I. :)
I can't get a dump as described, and britedream's script didn't work either. The reason I wanted to dump it was to take a closer look at the protection that lies in the program code itself. As far as I understand the program is protected by a strong protection (hash code) to prevent any changes in the code. That's interesting. So if you have a dump, I would love to get my hands on a copy. :)

regards,
hobgoblin

BetaMaster 06-28-2004 04:09

Quote:

Originally Posted by hobgoblin
So do I. :)
I can't get a dump as described, and britedream's script didn't work either. The reason I wanted to dump it was to take a closer look at the protection that lies in the program code itself. As far as I understand the program is protected by a strong protection (hash code) to prevent any changes in the code. That's interesting. So if you have a dump, I would love to get my hands on a copy. :)

regards,
hobgoblin

external hash, code injection, visual basic 6 crap, encrypted segments, advanced antidebugging, very long license with more than 12 long long attributes, online serial check, and online bad serial check. what do you need more?

hobgoblin 06-28-2004 04:22

Well,
 
Is that all? :)
Just kidding. Your answer gives me the info I need.
I just don't want to spend my time on a bastard like this one.
I'm going back to studying the new Asprotect instead.....

regards,
hobgoblin

Crk 06-28-2004 07:31

here it is... it just misses the IAT. use Imprec for the IAT :D

you can use some PE realigner and PE fixer on it .. just in case

BetaMaster 06-28-2004 07:41

Quote:

Originally Posted by Crk
here it is... it just misses the IAT. use Imprec for the IAT :D

you can use some PE realigner and PE fixer on it .. just in case

you say it as if it is trivial! :p

well buddy, why don't you do the IAT fix too, I am sure that you'll know then that you haven't taken a step yet.

Crk 06-28-2004 07:51

attached... :)

BetaMaster 06-28-2004 16:04

hmmm, thanks... nice work but where did the ordinal at rva 1094 go? I think Real|sty stuck with the same entry. ok, I'll try to find it by myself.

Thanks again Crk for the dump and the IAT tree file.

Crk 06-28-2004 21:41

can't find it either.. :( maybe it is invalid to fool with us??? if invalid then just nop it

Crk 07-01-2004 10:00

OK... after analyzing the working IAT for v2.07 I found out that the missing one is DllFunctionCall... I could be wrong.. but correct me anytime if I'm mistaken... attached here are the new dumps including the added IAT + IAT tree for the new and old version.

btw the app. still crashes always at the same offset... I believe this must be a crc check :o

btw I used 0000137A as OEP to get the IAT for v3.0.4 :p

BetaMaster 07-01-2004 17:59

thanks Crk again, so nice of you to complete the job. :)
I appreciate it very much.

BetaMaster 07-01-2004 18:56

ok, after some analysis it seems neither is correct, the added entry or the oep. :confused:

the missing entry is away from msvbvm60.dll, perhaps it's a decryption routine, or some sort of code injection routine.

I think if the author of the product spent his time enhancing his product more than the time he spent to over-protect it, that would have been much much better for him. I cannot imagine that a little program to change some entries in the registry, or do things that freeware programs do, can have such protection.

Crk 07-01-2004 20:23

this is the right OEP and the way it should be... check more VB apps and you'll know why ;)

Crk 07-01-2004 21:32

:D here is some part of the code (P-Code) disassembled... now it's possible to analyze the keyfile routine and possible to reverse without a license

Crk 07-01-2004 21:50

and here are all the TweakXP Resources I got using VBReformer :eek: for knowledge and study purposes only!

BetaMaster 07-02-2004 00:05

2 Attachment(s)
look closely here at image2, I think you'll know that 401380 seems like a good oep; not 40137a.

and image1 shows that the ordinal at 1094 is referencing memory lower than usual in regards to visual basic interpretation; it's not in the usual 77xxxxxx memory areas.

@Crk, you are very good, but I want to show the facts. :)

Crk 07-02-2004 09:00

Quote:

Originally Posted by BetaMaster
look closely here at image2, I think you'll know that 401380 seems like a good oep; not 40137a.

sure.. but I never said 40137a was a good OEP.. I just used it to get the IAT then I wrote back 401380 in Imprec which inserts the good OEP automatically.. or you can do it by hand/manually

since at the right place the OEP should only contain 909090.. data.. Imprec interprets this as an invalid OEP.. but if you write as OEP the place where the last JMP API call is, Imprec will read this place as a valid OEP and will find almost all correct API jumps for the IAT :D

mtw 07-02-2004 15:42

Yes DLLFunctionCall is the function that will be missing from the IAT on a dump with imprec. Also it checks for special.dll that is also emulated by the wrapper, 1 function exported SVKP_KillDebugger, so if it doesn't find this it makes an error and exits. The last one to get into the code is the call to CryptVerifySignature, if you see that file in the main directory "tweak-xp3.val" this is a prehashed value from MS crypto that checks your dumped file, so make a dll with the SVKP_KillDebugger exported, when it loads and calls this just patch the call to CryptVerifySignature to return 1. Now you can run the app and look for the reg procedure. Also OEP 401364 "push 401A68", "Call ThunRTMain".

Crk 07-02-2004 20:00

mtw would you share how to do this? do you have it (the EXE) :D running already? please share here the source or your .dll solution for this one.. we all want to see this app. finished and running :eek:

Regards

BetaMaster 07-02-2004 20:24

Ooops!! sorry Crk, I didn't notice that you had used 1380 as oep in your second dumped exe, my mistake.

and I also hope that mtw shares with us a working solution to this proggy, not that I like the program itself, but rather to show it to TotalIdea. I think they deserve it.

Crk 07-02-2004 22:56

my previous method to dump this app. was wrong... I think my brain is a little toasted from using too much info. :eek: hehehehe...

for someone who still wants to dump this app. just use the attached patch on the original Tweak-xp.exe file... note that I used this for the full version exe file... don't know if the DEMO is the same or has the same RVA locations... this will write an infinite loop (EBFE) to 0040137A (first API) because where the OEP should be there are 909090 bytes.. these bytes are not used or read by the program in any way... SVKP simulates these stolen bytes used for the OEP then it will directly jump/go to 0040137A.. this is the first API call after the OEP for VB applications... then open LordPE.. look for the PID process... hit Correct ImageSize.. as in the attached/included screenshot... now you're ready to make a nice full decrypted/working dump without using any debugger... remember to write back at 0040137A the bytes FF25 then fix the IAT :)

mtw 07-02-2004 23:36

Yes I dumped the demo version from the site, also remember that the first call you stop on is the ThunRTMain, so below that just find the string VB5!6, this is the address for the push. As for the DLL, as I said before, just create a DLL named special.dll, make 1 function exported named SVKP_KillDebugger,
and make another function to grab the PID, get the address of CryptVerifySignature, and write to that address something like
mov eax, 01
retn 18

Also a note.. if your dumped file isn't the same name as the org program, change it to it.

BetaMaster 07-03-2004 07:15

@mtw, may I ask you to implement your theory?

mtw 07-03-2004 07:34

Implement what, how to dump it, or how to bypass the security checks in the unpacked exe?

Crk 07-04-2004 00:27

Mtw your ideas sound very good.. but I'm trying to let you know that I have no idea how to do this... maybe you can attach here a sample dll with a little extra info. added which will try to explain exactly how to do this, with an injected code example of course :D

Regards

mtw 07-05-2004 04:17

1 Attachment(s)
here is the Delphi src for the dll and the compiled dll

BetaMaster 07-05-2004 07:43

@Crk, I used your patch, created a dump and fixed the stolen bytes and the planted infinite jump, but how can you verify whether this is a working dump or not? for me it crashes at 1328e, [ModName: msvbvm60.dll
ModVer: 6.0.92.37 Offset: 0001328e], is this normal?

also I have used the external signature faker (special.dll) by mtw (btw, thanks again mtw), but that leads nowhere!! :confused:

have any of you got a "valid" result?

mtw 07-05-2004 12:55

Quote:

Originally Posted by BetaMaster
@Crk, I used your patch, created a dump and fixed the stolen bytes and the planted infinite jump, but how can you verify whether this is a working dump or not? for me it crashes at 1328e, [ModName: msvbvm60.dll
ModVer: 6.0.92.37 Offset: 0001328e], is this normal?

also I have used the external signature faker (special.dll) by mtw (btw, thanks again mtw), but that leads nowhere!! :confused:

That DLL is only to bypass the security checks after the ThunRTMain call, like I said this DLL just helps you out after the dump so you can find the procedure for the reg check (which btw uses a machine specific key with the HKLM\Software\Classes\CLSID\"machine depend key"\InprocServer32\InprocServer32).. if you want to crack software no one said it will be "just find a hard key and patch it", you must read on protections, and assembly, I told you how to bypass the security checks, and I also said after this it is for "YOU" to find the reg procedure, this isn't a "show me how to crack" forum, there is enough information in this thread to get a good dump, IAT rebuilt, and security bypasses so your only job is to find the reg procedure. If it is crashing then your dump is no good. Remember Crk's dumper is for the full version not the demo (download) version. Look at my other posts for the OEP and stolen bytes for the download (demo)..

Crk 07-05-2004 15:11

does this .dll have to be placed in the Tweak-Xp directory or system32?

maybe we'll have to share with you the installer for the full version.. to finally check if this method you used works with the full version..... also which method did you use to dump the DEMO version?? it must be the same technique for the full version since it is the same VB app. + the same protector used on the exe to have a working dump.

BetaMaster if you already have the full version... maybe you have a place to upload it so mtw will get it. if not I could upload it somewhere if someone shares some FTP or space to upload it to....

btw Betamaster I told you it crashes for me too, always at the same location.. but I believe the dump is ok.. that must be part of the integrity check the program does... let's wait for mtw's comment about it.

Regards

BetaMaster 07-05-2004 17:27

@mtw, I really appreciate your comments in this thread, but when I read your comments, it's like you're telling us that you have worked out everything, I am not having that impression by illusions, and secondly, this is a discussion and I suppose you have had some discussions before. I also like to remind you that I didn't ask for your help to bypass the registration routines or the demo limitations, actually I have a full version and a key.

@Crk, the crash that is supposed to be after a crc invalidation is in kernel32.dll, just try to change the txp3.val or make a little change to the file tweak-xp.exe and see it. I guess there is something wrong with the dump.

any help is really appreciated. :)

mtw 07-05-2004 21:43

Quote:

Originally Posted by BetaMaster
@mtw, I really appreciate your comments in this thread, but when I read your comments, it's like you're telling us that you have worked out everything, I am not having that impression by illusions, and secondly, this is a discussion and I suppose you have had some discussions before. I also like to remind you that I didn't ask for your help to bypass the registration routines or the demo limitations, actually I have a full version and a key.

Quote:

Originally Posted by BetaMaster
and I also hope that mtw shares with us a working solution to this proggy, not that I like the program itself, but rather to show it to TotalIdea. I think they deserve it.

If you didn't ask for a solution to bypass it then why make this comment, sorry for my replies, I'm done with this thread. And yes I do have a fully working dumped DEMO copy.

Crk 07-06-2004 06:01

Place for Full version --> hxxp://forum.andr.net/viewtopic.php?t=42283

BetaMaster 07-06-2004 06:03

you're a strange guy, you want to help, but words don't come out of your mouth "enough", as if you're afraid to uncover critical information. I guess if that was the general case, then this forum would have never seen the light, and people who have some knowledge now wouldn't have acquired that knowledge in the first place.

I really would like some help on this topic, as I don't consider myself an unpacker at all (perhaps only some simple packers like upx, aspack, pecompact, thinstall, and some cases of asprotect and svkp), not to mention of course that I don't see any tool to disassemble vb6, or any intermediate/advanced tutorial on the subject.

I am sorry that you felt that way towards me, and I apologize if I hurt your feelings. I was just trying to learn something I don't know from someone who seemed to know better than me.

Thanks again, and peace. :)

Crk 07-06-2004 06:11

relax guys .. we all are here to learn from each other something new every day... :)

keep the knowledge and sharing spirit alive!

Regards

mtw 07-07-2004 05:53

1 Attachment(s)
@Crk: LOL. I am relaxed all the time, if you get frustrated just by a thread, then there is no point in going through miles of code in a debugger, as this is more frustrating.

@BetaMaster: No I don't have feelings to get hurt, and no I'm not hiding anything, I just told you how to get past the protection check.

Now for dumping the Demo version:
Get rid of S-ice and fire up olly.
You know the drill, hide the debugger, and at all times don't use F9, use Shift+F9 to run the app.

Now when it's loaded go to the Memory Map and press F2 on the Resources section and press "Shift+F9".
When it breaks go to Options and set Break On new DLL load. Press Shift+F9 and watch the DLLs; on the second Shift+F9 you will see it loads the VB runtime DLL.
Now select the runtime DLL and select "View Names". Find the ThunRTMain, and double click it, you will be back in the CPU window. Select the PUSH EBP and press F2. Remove the "Break on new DLL load". Then Shift+F9.

When you break you're in the very first call from this app, the initialization of the VB "Native Code" app, which is the ThunRTMain.

Before you go on look at the second line in your stack window. "Picture included so you know what I'm talking about". You'll see a line like this
0012FFC0 00401A68 ASCII "VB5!6&*"
that 401A68 (or whatever yours is) is the push 00401A68 before the call to ThunRTMain. This is the first line from the stolen bytes (all those NOPS "90h" at the OEP). The second line (of the NOPS) is the call to ThunRTMain (second line of stolen bytes). Now in the CPU window press CTRL-G and put in 401364 for the address to jmp to. you'll be looking at a NOP. Press Ctrl+A.

Now you will see all the MSVBVM60 calls, where that first 90 is, is your OEP, now that address I said to look at in the stack window (mine 00401A68) starts here so highlight that first 90h and press space bar, enter

Push (your address) (like I said mine was 00401A68), and then
Call (the address for the first JMP before the NOP's) (mine is 40135E)
That is the call to ThunRTMain.
Now you can fire up LordPE, CorrectImageSize and dump it.
Fire up ImpRec and put your OEP here (mine is 00001364),
select IAT AutoSearch then GetImports.

You will notice it gets them all except for 1 which is DLLFunctionCall.
Make this one DLLFunctionCall then fix your dump.

Now you can do traces etc with that dll, now memory might change from machine to machine, like all apps do. I run XP SP1 so you know.

Now load the dumped.exe into olly and set a bp on the DLLFunctionCall, you'll see the very first call is to the special.dll, but if it's not there it makes an exception. So from here you can see what the protection does (not the registration code) but the checks for the modified exe
