Exetools  
#16 - 07-01-2004, 17:59
BetaMaster
Thanks Crk again, so nice of you to complete the job.
I appreciate it very much.
#17 - 07-01-2004, 18:56
BetaMaster
OK, after some analysis it seems neither is correct, the added entry or the OEP.

The missing entry is away from msvbvm60.dll; perhaps it's a decryption routine, or some sort of code injection routine.

I think if the author of the product had spent his time enhancing his product rather than the time he spent over-protecting it, that would have been much, much better for him. I cannot imagine that a little program to change some entries in the registry, or do things that freeware programs do, can have such protection.
#18 - 07-01-2004, 20:23
Crk
This is the right OEP and the way it should be... check more VB apps and you'll know why.
#19 - 07-01-2004, 21:32
Crk
Here is some part of the code (P-Code) disassembled... now it's possible to analyze the keyfile routine and possible to reverse it without a license.
#20 - 07-01-2004, 21:50
Crk
And here are all the TweakXP resources I got using VBReformer, for knowledge and study purposes only!
#21 - 07-02-2004, 00:05
BetaMaster
Look closely here at image2; I think you'll know that 401380 seems like a good OEP, not 40137a.

And image1 shows that the ordinal at 1094 is referencing memory lower than usual with regard to Visual Basic interpretation; it's not in the usual 77xxxxxx memory areas.

@Crk, you are very good, but I want to show the facts.
Attached images: Image2.jpg (40.8 KB), Image1.jpg (27.5 KB)

#22 - 07-02-2004, 09:00
Crk
Quote (BetaMaster): Look closely here at image2; I think you'll know that 401380 seems like a good OEP, not 40137a.

Sure.. but I never said 40137a was a good OEP.. I just used it to get the IAT, then I wrote back 401380 to ImpREC, which inserts the good OEP automatically.. or you can do it by hand/manually.

Since the place where the OEP should be only contains 909090.. data, ImpREC interprets this as an invalid OEP.. but if you write as OEP the place where the last JMP API call is, ImpREC will read this place as a valid OEP and will find almost all correct API jumps for the IAT.
#23 - 07-02-2004, 15:42
mtw
Yes, DLLFunctionCall is the function that will be missing from the IAT on a dump with ImpREC. Also it checks for special.dll, which is also emulated by the wrapper, with 1 function exported, SVKP_KillDebugger; so if it doesn't find this it gives an error and exits. The last one to get into the code is the call to CryptVerifySignature; if you see that file in the main directory, "tweak-xp3.val", this is a prehashed value from MS crypto that checks your dumped file, so make a dll with SVKP_KillDebugger exported, and when it loads and calls this, just patch the call to CryptVerifySignature to return 1. Now you can run the app and look for the reg procedure. Also OEP 401364: "push 401A68", "Call ThunRTMain".

#24 - 07-02-2004, 20:00
Crk
mtw, would you share how to do this? Do you have it (the EXE) running already? Please share here the source or your .dll solution for this one.. we all want to see this app finished and running.

Regards
#25 - 07-02-2004, 20:24
BetaMaster
Oops!! Sorry Crk, I didn't notice that you had used 1380 as the OEP in your second dumped exe, my mistake.

And I also hope that mtw shares with us a working solution to this proggy; not that I like the program itself, but rather to show it to TotalIdea. I think they deserve it.
#26 - 07-02-2004, 22:56
Crk
My previous method to dump this app was wrong... I think my brain is a little toasted from using too much info. hehehehe...

For someone who still wants to dump this app, just use the attached patch on the original Tweak-xp.exe file... note that I used this for the full version exe file... don't know if the DEMO is the same or has the same RVA locations... this will write an infinite loop (EBFE) to 0040137A (first API) because where the OEP should be there are 909090 bytes.. these bytes are not used or read by the program in any way... SVKP simulates these stolen bytes used for the OEP, then it will directly jump/go to 0040137A.. this is the first API call after the OEP for VB applications... then open LordPE.. look for the PID of the process... hit Correct ImageSize, as in the attached/included screenshot... now you're ready to make a nice fully decrypted/working dump without using any debugger... remember to write back at 0040137A the bytes FF25, then fix the IAT.
#27 - 07-02-2004, 23:36
mtw
Yes, I dumped the demo version from the site. Also remember that the first call you stop on is the ThunRTMain, so below that just find the string VB5!6; this is the address for the push. As for the DLL, as I said before, just create a DLL named special.dll, make 1 function exported named SVKP_KillDebugger,
and make another function to grab the PID, get the address of CryptVerifySignature, and write to that address something like
mov eax, 01
retn 18

Also a note.. if your dumped file isn't the same name as the original program, change it to that.

#28 - 07-03-2004, 07:15
BetaMaster
@mtw, may I ask you to implement your theory?
#29 - 07-03-2004, 07:34
mtw
Implement what, how to dump it, or how to bypass the security checks in the unpacked exe?
#30 - 07-04-2004, 00:27
Crk
Mtw, your ideas sound very good.. but I'm trying to let you know that I don't have any idea how to do this... maybe you can attach here a sample dll with a little extra info added which will try to explain how exactly to do this, with an injected code example of course.

Regards
All times are GMT +8. The time now is 04:51.