Exetools  

  #16  
Old 11-28-2003, 23:35
SvensK
 
That looks about right, britedream; ImpREC finds the IAT just fine after dumping at that OEP you mentioned.
Still 23 unresolved pointers after Trace Level 1, but it's a start.

Thanks
  #17  
Old 11-29-2003, 01:06
britedream
The code at ab89c4 is the one that fills out that area and puts
909090.. in there. The main thing is the missing code; for the IAT in the demo version I copied the original along
with the sections it needs, and it worked fine. So I don't
think the IAT is going to be a problem.

Last edited by britedream; 11-29-2003 at 03:41.
  #18  
Old 11-29-2003, 20:54
britedream
In programs packed by the demo, I found out that breaking at mov dword ptr ds:[edi],eax in the packer code,
and following the [edi] address in the dump, will get you the whole
IAT nice and clean. So copying that and pasting it back
once you stop on the OEP, ImportREC will resolve it all. I
tested it with the IAT from the program before protecting it,
and both are exactly the same. So, as I said before, for
us to unpack your program we need the registered
version of the packer to learn from.

britedream

Last edited by britedream; 11-29-2003 at 21:08.
  #19  
Old 12-01-2003, 02:41
britedream
Hi,
I managed to unpack svkp1.3. I wanted to check the info
gained from the svkp demo, so I downloaded a program
called formik, protected by svkp1.3, and I did unpack it.
So, if you want to check this one, here is the info:
oep= 4d5af8
dump at oep.
Here is my IAT.

britedream
Attached file: tree02.txt (20.4 KB)

Last edited by britedream; 12-01-2003 at 02:46.
  #20  
Old 12-01-2003, 05:08
britedream
To Svensk:
here is the IAT for DAP:
Attached file: tree.txt (43.4 KB)
  #21  
Old 12-01-2003, 05:46
SvensK
 
Very nice work britedream

I've set the project aside for a while to play with PCGuard v5, but I'll check those IATs and get back to you.

Regards
  #22  
Old 12-01-2003, 13:02
Crk
 
What about making DAP registered? I see that even if you unpack it, there are still many limitations while it is unregistered! If someone knows how to patch this registration scheme, I would really appreciate it, and we could have a DAP registered and patched. I know a way to inline patch it so it will be fully functional without needing an IAT rebuild.. Information I have so far...

After validating a serial online, it makes a file called: dapreg.key

This file depends on some machine ID and on the reg. key

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ComputerName\ComputerName]
"ComputerName"="........."

it also writes to registry -->

[HKEY_LOCAL_MACHINE\Software\SpeedBit\Registration]
"DAP7"="........"

Maybe we can find a way to make it work on all OSes using a similar dapreg.key

I tried on WinXP using a key that was registered on Win9x (same PC), but it didn't work even though the computer name is the same, so I guess it depends on something else.

If someone knows where and how to defeat the registration (MD5), post your results here explaining HOW and I'll tell you how to inline patch it..... I don't want to give more details about it because I know the authors are reading this, so please don't ask me.

Regards!
  #23  
Old 12-01-2003, 17:03
britedream
To svensk:
I did unpack DAP; here is the info:
OEP and IAT were given earlier, but the stolen bytes are:

004C7B2A > $ 55 PUSH EBP
004C7B2B . 64:8925 00000000 MOV DWORD PTR FS:[0],ESP
004C7B32 . 83EC 68 SUB ESP,68
004C7B35 . 64:FF35 00000000 PUSH DWORD PTR FS:[0]
004C7B3C . 8965 E8 MOV DWORD PTR SS:[EBP-18],ESP
004C7B3F . 33DB XOR EBX,EBX
mov dword ptr ss:[ebp-4],ebx ; [missed]
004C7B41 . FF15 70204E00 CALL NEAR DWORD PTR DS:[<&msvcrt.__set_app_type>] ; msvcrt.__set_app_type
pop ecx [missed]
004C7B47 . 830D 703D5300 FF OR DWORD PTR DS:[533D70],FFFFFFFF
004C7B4E . 830D 743D5300 FF OR DWORD PTR DS:[533D74],FFFFFFFF
004C7B55 . FF15 6C204E00 CALL NEAR DWORD PTR DS:[<&msvcrt.__p__fmode>] ; msvcrt.__p__fmode
004C7B5B . 8B0D 3C3A5300 MOV ECX,DWORD PTR DS:[533A3C]
004C7B61 . 8908 MOV DWORD PTR DS:[EAX],ECX
004C7B63 . FF15 34204E00 CALL NEAR DWORD PTR DS:[<&msvcrt.__p__commode>] ; msvcrt.__p__commode
004C7B69 . 8B0D 383A5300 MOV ECX,DWORD PTR DS:[533A38]
004C7B6F . 8908 MOV DWORD PTR DS:[EAX],ECX
004C7B71 . A1 3C204E00 MOV EAX,DWORD PTR DS:[<&msvcrt._adjust_fdiv>]
mov eax,dword ptr ds:[eax] ; missed
004C7B76 . A3 6C3D5300 MOV DWORD PTR DS:[533D6C],EAX

At address 48bc63: push 48bd65, retn.
Copy section 00C00000 from the original file to the unpacked one
and svkp1.3 will be history.

britedream
Regards

Last edited by britedream; 12-07-2003 at 22:26.
  #24  
Old 12-01-2003, 18:23
britedream
To crk

Please check this:
set address 533350=1
address 48c6dd jnz--->jmp
save changes
[note]
There are many references to 533350; I only gave the
one that takes out "unregistered" from the About menu,
so check them and choose.

Last edited by britedream; 12-01-2003 at 19:24.
  #25  
Old 12-02-2003, 19:03
sope2001
 
Hello britedream

I have a few questions if you don't mind.

(1) Could you clarify how you found the missing APIs
E1170 / E117C / E1180 / E118C / E1198 / E1224 / E124C

I was able to find E117C, i.e. LoadLibraryA, but I was not able to identify the rest. I need to understand how you got the true API.

(2)

>at address :48bc63 = push 48bd65 ,retn
Do you mean we have to assemble the bytes, or do we have to reach 0x7CFAF9 where we see Push 48BD65 & a Ret?

(3)

>copy section 00C00000 from orignal file to the unpacked
I don't see any such section; below are the sections I can see. Which part are you referring to?

Code:
Number  Name   VirtSize   RVA    PhysSize  Offset    Flag
    1          000E0000 00001000 00071000 00000400 C0000040
    2          0003A000 000E1000 0003A000 00071400 C0000040
    3          00019000 0011B000 00008000 000AB400 C0000040
    4          0004E000 00134000 0004E000 000B3400 C0000040
    5 .svkp    00010000 00182000 00010000 00101400 C0000040
(4) Stolen Bytes
How did you find the stolen bytes? From which part of the code did you work them out & put them back at the required offset?

Regards, Sope.
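The section table sope2001 posted above is exactly the kind of input a defender uses to triage whether a sample is packed before spending any time on it. The Python below is an added example, not code from this thread or from any tool mentioned in it: it parses that listing (the table embedded in the script is a constructed copy of the one posted) into IMAGE_SECTION_HEADER-style records and applies common packer heuristics: unnamed sections, a section named after a known packer (".svkp" from this thread; UPX0/UPX1 are assumed here as the other well-known example), a virtual size larger than the raw size, writable-and-executable sections, and the absence of any section flagged as code or executable. The function names and the two-indicator threshold in likely_packed are my own choices.

```python
import re
from dataclasses import dataclass

# Constructed copy of the section table posted above (columns: Number, Name,
# VirtSize, RVA, PhysSize, Offset, Flag). Sections 1-4 carry no name at all.
SECTION_TABLE = """\
    1          000E0000 00001000 00071000 00000400 C0000040
    2          0003A000 000E1000 0003A000 00071400 C0000040
    3          00019000 0011B000 00008000 000AB400 C0000040
    4          0004E000 00134000 0004E000 000B3400 C0000040
    5 .svkp    00010000 00182000 00010000 00101400 C0000040
"""

# IMAGE_SECTION_HEADER.Characteristics bits from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# ".svkp" is the packer section seen in this thread; UPX0/UPX1 are UPX's
# well-known section names, included here as an assumption for illustration.
PACKER_SECTION_NAMES = {".svkp", "UPX0", "UPX1"}

HEX8 = re.compile(r"^[0-9A-Fa-f]{8}$")


@dataclass
class Section:
    number: int
    name: str
    virt_size: int
    rva: int
    phys_size: int
    offset: int
    flags: int


def parse_section_table(text: str) -> list[Section]:
    """Parse a whitespace-separated section listing like the one posted above."""
    sections = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        # An unnamed section leaves the Name column empty, so its row has one
        # token fewer; every numeric column must be an 8-digit hex field.
        if len(tokens) == 6:
            name, fields = "", tokens[1:]
        elif len(tokens) == 7:
            name, fields = tokens[1], tokens[2:]
        else:
            raise ValueError(f"unexpected row: {line!r}")
        if not all(HEX8.match(f) for f in fields):
            raise ValueError(f"non-hex field in row: {line!r}")
        virt_size, rva, phys_size, offset, flags = (int(f, 16) for f in fields)
        sections.append(Section(int(tokens[0]), name, virt_size, rva, phys_size, offset, flags))
    return sections


def packer_indicators(sections: list[Section]) -> list[tuple[int, str]]:
    """Return (section number, reason) pairs; section number 0 means 'whole file'."""
    findings = []
    for s in sections:
        if not s.name:
            findings.append((s.number, "unnamed section"))
        if s.name in PACKER_SECTION_NAMES:
            findings.append((s.number, f"packer section name {s.name}"))
        if s.virt_size > s.phys_size:
            findings.append((s.number, f"virtual size 0x{s.virt_size:X} exceeds raw size 0x{s.phys_size:X}"))
        if s.flags & IMAGE_SCN_MEM_WRITE and s.flags & IMAGE_SCN_MEM_EXECUTE:
            findings.append((s.number, "section is both writable and executable"))
    # A normally linked PE has at least one section marked as code; in the posted
    # table every section is read/write initialized data (C0000040), so the entry
    # point must be running out of a data section.
    if not any(s.flags & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE) for s in sections):
        findings.append((0, "no section is marked as code or executable"))
    return findings


def likely_packed(sections: list[Section], min_reasons: int = 2) -> bool:
    """Treat the file as packed when at least min_reasons distinct heuristics fire."""
    reasons = {reason.split(" 0x")[0] for _, reason in packer_indicators(sections)}
    return len(reasons) >= min_reasons


if __name__ == "__main__":
    secs = parse_section_table(SECTION_TABLE)
    for number, reason in packer_indicators(secs):
        print(f"section {number or '*'}: {reason}")
    print("likely packed:", likely_packed(secs))
```

On the posted table this flags all four unnamed sections, the .svkp section, sections 1 and 3 (whose virtual size exceeds the raw size, leaving room to unpack in place) and the fact that nothing is marked executable; any two of those together are enough to route the sample to a packed-binary workflow rather than a plain static scan.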
  #26  
Old 12-02-2003, 22:51
britedream
My pleasure, but your list is long, so I will try to be short.


1. Set a breakpoint on 00ab4fa4, and you will see the APIs stored in the IAT; the ones that don't show up, trace, and
they will be in the trace, easily identified.

2. At address 48bc63 you will find pushad; replace it
with push 48bd65 and code a retn to jump to 48bd65.

3. View memory when the original program is running
and you will see 00C00000 imagebase with size 16000.

4. When you stop on the stack breakpoint, look at
eax; if you see an address within the code section,
that will be your OEP; if not, then that is the address where you should be looking for the stolen bytes.

Regards.
britedream

Last edited by britedream; 12-02-2003 at 22:57.
  #27  
Old 12-03-2003, 12:54
sope2001
 

Hello britedream,

Thank you for all the clarification of my doubts. I'll dig into it & try to understand the stuff.

We all have understood a lot about svkp now.

Regards, Sope.
  #28  
Old 12-15-2003, 14:27
britedream
Clarification:
For the gentlemen who asked about copying the region
back from the original to the dump: I didn't mean you paste it, I meant an inline patch to read it back. This is just to get around the protection, but you can do it other ways.
regards
  #29  
Old 01-03-2004, 23:25
GabryJ
 
I absolutely don't know anything about svkp, but what if, once Dap7 is dumped, we go through the code and patch each single limitation? I mean: I haven't looked into the dump yet, but I think that it would be something like

jne (address of Registered)

push (text of "This Feature is only available to registered users")
call ("Message box to pop up")

I may be wrong.. please tell me if so..
  #30  
Old 05-10-2004, 05:06
CRACKSARABICz
 
Britedream
I would like to get to know more about you, and it would please me to make your acquaintance and keep in touch with you.
These are words I wrote in a hurry.. God willing, we will meet soon.
Your brother,
Abu Abdullah
Saudi Arabia