Exetools

Exetools (https://forum.exetools.com/index.php) > General Discussion (https://forum.exetools.com/forumdisplay.php?f=2) > SVKP 1.3x unpacking (https://forum.exetools.com/showthread.php?t=6301)

codeX 01-08-2005 15:05

SVKP 1.3x unpacking
 
Hi,

I'm trying to unpack the Speed Optimizer from Speedbit.

http://speedoptimizer.com/

It's packed with SVKP 1.3x and I managed to find the OEP as 4604b2.

What about it and the stolen bytes? Please help.

UC2004's SVKP explorer doesn't work.

evaluator 01-08-2005 18:17

Speed optimizers are trash, forget them;
is there any other good program protected with SVKP?

Stolen bytes have been explained many times; use the search.

hosiminh 01-08-2005 19:36

Formik maybe (I don't know what a "good program" is for you)
_http://www.formik.rksoft.sk/
_http://www.rksoft.sk/Download/formik.exe

hosiminh 01-10-2005 00:10

speedoptimizer

Looks like 89 stolen bytes, OEP == 00460459

evaluator 01-27-2005 00:02

Sorry, forgot about this thread..
So I downloaded Formik. It is a Delphi app, so at the OEP just a few
standard Delphi instructions are ripped out..

There are also 2 SVKP_Imported calls (1st = mov eax,1; ret 4; 2nd = ret),
and some decryptor calls, of which the last 2 decrypted code blocks contain a PE-header check.

imagin 01-27-2005 01:10

Formik
 
Code:

....stolen bytes
004F9B79    90              NOP
004F9B7A    90              NOP
004F9B7B    90              NOP
004F9B7C    90              NOP
004F9B7D    90              NOP
004F9B7E    90              NOP
004F9B7F    90              NOP
004F9B80    90              NOP
004F9B81    90              NOP
004F9B82    90              NOP
004F9B83    90              NOP
004F9B84    E8 97D7F0FF     CALL Formik.00407320
004F9B89    8B1D F8F04F00   MOV EBX,DWORD PTR DS:[4FF0F8]            ; Formik.00500C8C
004F9B8F    E8 603EFEFF     CALL Formik.004DD9F4
004F9B94    84C0            TEST AL,AL

...and restore these bytes

004F9B79    55              PUSH EBP
004F9B7A    8BEC            MOV EBP,ESP
004F9B7C    83C4 F0         ADD ESP,-10
004F9B7F    B8 40974F00     MOV EAX,Formik.004F9740
004F9B84    E8 97D7F0FF     CALL Formik.00407320
004F9B89    8B1D F8F04F00   MOV EBX,DWORD PTR DS:[4FF0F8]            ; Formik.00500C8C
004F9B8F    E8 603EFEFF     CALL Formik.004DD9F4
004F9B94    84C0            TEST AL,AL
004F9B96    75 05           JNZ SHORT Formik.004F9B9D


hosiminh 01-28-2005 19:27

If someone has "Formik v2.16a" please PM me. I can't find that version anywhere (the stolen bytes above are for this version).

evaluator 01-28-2005 21:11

hosiminh,

Do you want to learn unpacking, or only to unpack that program?
Look at any Delphi 5/6/7 program and you will be able to discover the OEP
bytes without any tracing or debugging..
(I can upload unpacked.ace, 466 KB, but is that OK for the forum?)

britedream 01-28-2005 21:21

2.16b stolen
 
I checked the stolen bytes for the latest version, 2.16b, and the correct stolen bytes are:

004F9B9C    55              PUSH EBP
004F9B9D    8BEC            MOV EBP,ESP
004F9B9F    83C4 F0         ADD ESP,-10
004F9BA2    53              PUSH EBX
004F9BA3    B8 64974F00     MOV EAX,Formik.004F9764

The two versions are right after each other, so I assume there is no difference between the two as far as the stolen bytes are concerned.

hosiminh 01-28-2005 21:55

Thank you both for replying.

I saw at the fake OEP (004F9BA8 CALL Formik.00407320), just where the stolen bytes end, that EAX == 004F9764
(and in the stack window: 0012FFC4 7C816D4F RETURN to kernel32.7C816D4F; at 7C816D4F EAX is pushed onto the stack), but I was unsure if I had the right one.
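As an added example (not code from the thread, nor from SVKP, UC2004 or Formik), the script below cross-checks the listings posted above: imagin's stolen/restored pair for 2.16a and britedream's prologue for 2.16b, both embedded as constructed input copied from the posts. It parses the OllyDbg-style lines and verifies that each instruction starts where the previous one's bytes end, that the restored Delphi prologue is exactly as long as the 90h hole it fills, that britedream's five instructions end at the 004F9BA8 fake OEP hosiminh lands on, and that the MOV EAX,imm32 immediate matches the EAX value hosiminh observed there. The only assumption is the tokenizer heuristic noted in the comments.

```python
import re
from dataclasses import dataclass

# Constructed input: listing lines copied verbatim from the posts above.
IMAGIN_PACKED = """\
....stolen bytes
004F9B79    90              NOP
004F9B7A    90              NOP
004F9B7B    90              NOP
004F9B7C    90              NOP
004F9B7D    90              NOP
004F9B7E    90              NOP
004F9B7F    90              NOP
004F9B80    90              NOP
004F9B81    90              NOP
004F9B82    90              NOP
004F9B83    90              NOP
004F9B84    E8 97D7F0FF    CALL Formik.00407320
"""
IMAGIN_RESTORED = """\
004F9B79    55              PUSH EBP
004F9B7A    8BEC            MOV EBP,ESP
004F9B7C    83C4 F0        ADD ESP,-10
004F9B7F    B8 40974F00    MOV EAX,Formik.004F9740
004F9B84    E8 97D7F0FF    CALL Formik.00407320
"""
BRITEDREAM_216B = """\
004F9B9C 55 PUSH EBP
004F9B9D 8BEC MOV EBP,ESP
004F9B9F 83C4 F0 ADD ESP,-10
004F9BA2 53 PUSH EBX
004F9BA3 B8 64974F00 MOV EAX,Formik.004F9764
"""
FAKE_OEP_216B = 0x004F9BA8  # the CALL Formik.00407320 hosiminh stops at
EAX_SEEN_216B = 0x004F9764  # EAX at that point, as hosiminh reports


@dataclass
class Instr:
    addr: int
    code: bytes
    asm: str


def _is_opcode_token(tok: str) -> bool:
    """Assumption: opcode bytes are even-length pure-hex tokens and a mnemonic
    never is. True for every line here; a mnemonic like FADD would break it."""
    return len(tok) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", tok) is not None


def parse_listing(text: str) -> list[Instr]:
    """Parse 'ADDR BYTES... MNEMONIC OPERANDS ; comment' lines; skip anything else."""
    instrs = []
    for line in text.splitlines():
        toks = line.split()
        if len(toks) < 3 or not re.fullmatch(r"[0-9A-Fa-f]{8}", toks[0]):
            continue  # e.g. the '....stolen bytes' heading
        code, i = bytearray(), 1
        while i < len(toks) and _is_opcode_token(toks[i]):
            code += bytes.fromhex(toks[i])
            i += 1
        asm = " ".join(toks[i:]).split(";")[0].strip()  # drop OllyDbg comment
        instrs.append(Instr(int(toks[0], 16), bytes(code), asm))
    return instrs


def is_contiguous(instrs: list[Instr]) -> bool:
    """Each instruction must begin where the previous one's bytes end."""
    return all(a.addr + len(a.code) == b.addr for a, b in zip(instrs, instrs[1:]))


def end_address(instrs: list[Instr]) -> int:
    """First address after the last listed instruction."""
    return instrs[-1].addr + len(instrs[-1].code)


def nop_hole(instrs: list[Instr]) -> tuple[int, int]:
    """(start, size) of the run of 90h bytes the packer left at the old OEP."""
    nops = [ins for ins in instrs if ins.code == b"\x90"]
    return nops[0].addr, len(nops)


def restored_bytes(instrs: list[Instr], start: int, size: int) -> bytes:
    """Bytes of the restored instructions that fall inside the hole."""
    return b"".join(ins.code for ins in instrs if start <= ins.addr < start + size)


def mov_eax_imm(instrs: list[Instr]) -> int:
    """Immediate of the Delphi prologue's MOV EAX,imm32 (opcode B8 + dword LE)."""
    for ins in instrs:
        if ins.code[:1] == b"\xB8" and len(ins.code) == 5:
            return int.from_bytes(ins.code[1:], "little")
    raise ValueError("no MOV EAX,imm32 in listing")


if __name__ == "__main__":
    packed, restored = parse_listing(IMAGIN_PACKED), parse_listing(IMAGIN_RESTORED)
    start, size = nop_hole(packed)
    fill = restored_bytes(restored, start, size)
    ok = len(fill) == size and is_contiguous(restored)
    print(f"2.16a: {size}-byte hole at {start:08X}, fill {len(fill)} bytes: {'OK' if ok else 'MISMATCH'}")
    b = parse_listing(BRITEDREAM_216B)
    print(f"2.16b: ends at {end_address(b):08X}, MOV EAX,{mov_eax_imm(b):08X}")
```

Running it reports an 11-byte hole at 004F9B79 filled by exactly 11 restored bytes for 2.16a, and for 2.16b a prologue ending at 004F9BA8 with EAX loaded from 004F9764, which is why britedream's and hosiminh's observations agree.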

britedream 01-28-2005 22:03

The last push on the stack is the EBX register = 7FFDF000.

regards.


All times are GMT +8.