SVKP 1.3x unpacking

codeX · #1 01-08-2005, 15:05

Hi,

I'm trying to unpack the Speed Optimizer from Speedbit.

http://speedoptimizer.com/

It's packed with SVKP 1.3x & i managed to find oep as 4604b2.

What about it and the stolen bytes. Pls help.

The UC2004's SVKP explorer don't works.

#2 01-08-2005, 18:17

i-speed optimizers are trush, forget tham;
is other any good program protected with svkp..

about stolen bytes many times explaned, use search;

hosiminh · #3 01-08-2005, 19:36

Formik maybe (dunno what is for you "good program")
_http://www.formik.rksoft.sk/
_http://www.rksoft.sk/Download/formik.exe

hosiminh · #4 01-10-2005, 00:10

speedoptimizer

Looks like 89 stolen bytes , oep == 00460459

#5 01-27-2005, 00:02

sorry, forgot about this thread..
so i dld-ed Formik. That was Delphi-app, so at OEP are ripped just few
Delphi-standart instructions..

also there are 2 SVKP_Imported calls; (1st= mov eax,1; ret4; 2nd = ret)
some decryptor calls, from where last 2 decrypted code conteins PE-header check.

#6 01-27-2005, 01:10

Code:

....stolen bytes
004F9B79    90              NOP                             
004F9B7A    90              NOP
004F9B7B    90              NOP
004F9B7C    90              NOP
004F9B7D    90              NOP       
004F9B7E    90              NOP
004F9B7F    90              NOP
004F9B80    90              NOP
004F9B81    90              NOP
004F9B82    90              NOP
004F9B83    90              NOP
004F9B84    E8 97D7F0FF     CALL Formik.00407320
004F9B89    8B1D F8F04F00   MOV EBX,DWORD PTR DS:[4FF0F8]            ; Formik.00500C8C
004F9B8F    E8 603EFEFF     CALL Formik.004DD9F4
004F9B94    84C0            TEST AL,AL

...and restore this bytes

004F9B79    55              PUSH EBP
004F9B7A    8BEC            MOV EBP,ESP
004F9B7C    83C4 F0         ADD ESP,-10
004F9B7F    B8 40974F00     MOV EAX,Formik.004F9740
004F9B84    E8 97D7F0FF     CALL Formik.00407320
004F9B89    8B1D F8F04F00   MOV EBX,DWORD PTR DS:[4FF0F8]            ; Formik.00500C8C
004F9B8F    E8 603EFEFF     CALL Formik.004DD9F4
004F9B94    84C0            TEST AL,AL
004F9B96    75 05           JNZ SHORT Formik.004F9B9D

hosiminh · #7 01-28-2005, 19:27

If someone has "Formik v2.16a" please PM me. Can't find that version anywhere (stolen bytes above are for this version)

#8 01-28-2005, 21:11

hosiminh,

you want learn unpacking, or only unpack that program?
look at any Delphi567 program & you will able discover OEP
bytes without any tracing-debugging..
(i can upload unpacked.ace 466kb, but is it correct for forum?)

britedream · #9 01-28-2005, 21:21

I did check the stolen for the last version; 2.16b, and the correct stolen are:

004F9B9C 55 PUSH EBP
004F9B9D 8BEC MOV EBP,ESP
004F9B9F 83C4 F0 ADD ESP,-10
004F9BA2 53 PUSH EBX
004F9BA3 B8 64974F00 MOV EAX,Formik.004F9764

the two versions are right after each other , so I assume there is no difference between the two as far as the stolen is concerned.

hosiminh · #10 01-28-2005, 21:55

Thanks you both for replying.

I saw at the fake oep (004F9BA8 CALL Formik.00407320) (just where stolen bytes ends) that EAX == 004F9764
(and in stack window: 0012FFC4 7C816D4F RETURN to kernel32.7C816D4F , at 7C816D4F is EAX PUSH-ed into stack ) but i was unsure if i have the right one.

britedream · #11 01-28-2005, 22:03

the last push in the stack is the ebx register = 7ffdf000

regards.

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
svkp	infern0	General Discussion	3	06-05-2011 18:34
The new svkp 143	britedream	General Discussion	3	09-19-2004 22:22