| misterfr | 19.12.2007 18:12:43 |
| hi everybody,
first sorry for my english... can you unpack for me vagcom v4 and vag-com v7 ? because i'm a noob in manual unpacking and tutorial for pc-guard in french not found :s file: xxxx://rapidshare.de/files/38085149/vcppcg.rar.html password of rar is: vagpacked protected: pc-guard 5 thanks | |
| linhanshi | 19.12.2007 18:37:39 |
| Crack requests:
http://www.cracklab.ru/f/index.php?action=vthread&forum=10&topic=5986 | |
| misterfr | 19.12.2007 21:38:56 |
| hi, my request is not for crack it but only unpack it from pc-guard .... i must do an crack request in that case? | |
| centner | 20.12.2007 02:13:11 |
| PC-Guard v5.xx Unpacking by Orthodox | |
| misterfr | 20.12.2007 19:41:05 |
| my English is so bad | |
| pavka | 21.12.2007 04:52:37 |
| misterfr
For start of the program the key is necessary? | |
| misterfr | 21.12.2007 16:22:08 |
| i have already a keygen for this software but i want only unpack it for translate it in french... | |
| misterfr | 21.12.2007 16:53:48 |
| centner writes:
PC-Guard v5.xx Unpacking by Orthodox
i have tried this tutorial but it does not work, the software exits after 4X Shift+F9 :s | |
| misterfr | 21.12.2007 20:39:36 |
| nobody can just unpack "vcppcg\v4 vagcom\VagCom.exe" (no need to crack it) plz ? | |
| pavka | 22.12.2007 08:08:18 |
| misterfr
VagCom unpacked http://rapidshare.com/files/78238845/VAG-COMU_.rar & Script
----------
var code
var csz
var prb
var oep
GMEMI eip, MEMORYBASE
mov prb,$RESULT
dec prb
GMEMI prb, MEMORYBASE
mov prb,$RESULT
GMI eip,CODEBASE
mov code,$RESULT
GMI eip,CODESIZE
mov csz,$RESULT
bpwm code,csz
erun
bpmc
find prb,#618D4424806A00#
cmp $RESULT,0
je quit
mov oep,$RESULT+E
bp oep
erun
sti
cmt eip,"<--OEP"
msg "OEP Faund, dump it & use ImpRec"
ret
quit:
msg "Not PCGuard" | |
| misterfr | 22.12.2007 13:29:24 |
| vag-com cannot be launched... when i open he do nothing ....
but vagcom in "V4" directory was needed .... | |
| pavka | 22.12.2007 13:41:39 |
| misterfr
Use a script, there all is simple.. | |
| misterfr | 22.12.2007 15:11:16 |
| look this picture (*).... i think i have a bad oep ! (vagcom in dir "V4")
i never do an unpacking then help me plz
* xxxx://images3.hiboox.com/images/5107/dqnyqwm7.jpg
your script does an error on GMEMI eip, MEMORYBASE (no such command) and that is the script i have used :
/*
//////////////////////////////////////////////////////////////////////
// PC-Guard 5.0
// Author : Ashraf Cracker
// Email : AshraCracker@hotmail.com
// OS : WinXP Pro, OllyDbg 1.10 Final, OllyScript 0.92
// Check ALL Debugging Exceptions
//////////////////////////////////////////////////////////////////////
*/
var cbase
var csize
gmi eip, CODEBASE
mov cbase, $RESULT
log cbase
gmi eip, CODESIZE
mov csize, $RESULT
log csize
bprm cbase, csize
run
msg "This is the OEP! Found By Ashraf Cracker"
msg "The File was dumped successfully don't close OllyDbg and try now to Fix IAT with ImportREC"
cmt eip, "<== Original Entry Point"
ret | |
| pavka | 22.12.2007 16:15:48 |
| 004470DC 55 PUSH EBP <------oep vagcom in "V4"
004470DD 8BEC MOV EBP,ESP
004470DF 6A FF PUSH -1
004470E1 68 38B44600 PUSH VagCom.0046B438
004470E6 68 145E4400 PUSH VagCom.00445E14
004470EB 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
004470F1 50 PUSH EAX
004470F2 64:8925 0000000>MOV DWORD PTR FS:[0],ESP
004470F9 83EC 58 SUB ESP,58
004470FC 53 PUSH EBX
004470FD 56 PUSH ESI
004470FE 57 PUSH EDI
004470FF 8965 E8 MOV DWORD PTR SS:[EBP-18],ESP
00447102 FF15 70524600 CALL DWORD PTR DS:[465270] ; kernel32.GetVersion
00447108 33D2 XOR EDX,EDX
0044710A 8AD4 MOV DL,AH
0044710C 8915 E8645100 MOV DWORD PTR DS:[5164E8],EDX
00447112 8BC8 MOV ECX,EAX
00447114 81E1 FF000000 AND ECX,0FF
0044711A 890D E4645100 MOV DWORD PTR DS:[5164E4],ECX
00447120 C1E1 08 SHL ECX,8
00447123 03CA ADD ECX,EDX
00447125 890D E0645100 MOV DWORD PTR DS:[5164E0],ECX
0044712B C1E8 10 SHR EAX,10
0044712E A3 DC645100 MOV DWORD PTR DS:[5164DC],EAX
00447133 6A 01 PUSH 1
00447135 E8 C9760000 CALL VagCom.0044E803
0044713A 59 POP ECX
0044713B 85C0 TEST EAX,EAX
0044713D 75 08 JNZ SHORT VagCom.00447147
0044713F 6A 1C PUSH 1C
00447141 E8 C3000000 CALL VagCom.00447209
00447146 59 POP ECX
00447147 E8 00330000 CALL VagCom.0044A44C
0044714C 85C0 TEST EAX,EAX
0044714E 75 08 JNZ SHORT VagCom.00447158
00447150 6A 10 PUSH 10
00447152 E8 B2000000 CALL VagCom.00447209
00447157 59 POP ECX
00447158 33F6 XOR ESI,ESI
0044715A 8975 FC MOV DWORD PTR SS:[EBP-4],ESI
0044715D E8 6B6A0000 CALL VagCom.0044DBCD
00447162 FF15 30514600 CALL DWORD PTR DS:[465130] ; kernel32.GetCommandLineA
00447168 A3 60AA5F00 MOV DWORD PTR DS:[5FAA60],EAX
0044716D E8 EA730000 CALL VagCom.0044E55C
00447172 A3 CC645100 MOV DWORD PTR DS:[5164CC],EAX
00447177 E8 93710000 CALL VagCom.0044E30F | |
| misterfr | 22.12.2007 16:41:40 |
| i have try with this oep and i have same error :s, can you unpack it for me ? i think its better to begin manual unpacking with french tutorial ...
thank you for your help | |
| pavka | 22.12.2007 18:19:55 |
| 1
0046512C 7C801EEE kernel32.GetStartupInfoA
00465130 7C812C8D kernel32.GetCommandLineA
00465134 006221BD VagCom.006221BD <--kernel32.ExitProcess
00465138 7C9105D4 ntdll.RtlAllocateHeap
0046513C 7C9179FD ntdll.RtlReAllocateHeap
2
0043C3C8 68 BE000000 PUSH 0BE
0043C3CD E8 505B1E00 CALL VagCom.00621F22 <----decrypt
0043C3D2 ^ 7F 95 JG SHORT VagCom.0043C369
0043C3D4 2AD6 SUB DL,DH
0043C4CA 68 74000000 PUSH 74
0043C4CF E8 4E5A1E00 CALL VagCom.00621F22 <-----crypt
0043C4D4 3C 2B CMP AL,2B
Script for crypt remove
// Script to be started while at the OEP
Var oep
var f1
var p1
var p2
var chk
var srh
mov oep,eip
mov srh,401000
l1:
find srh,#68????0000E8????1E00# // mask of the call
cmp $RESULT,0
je end
mov srh,$RESULT+A
mov chk,[$RESULT+8]
and chk,0F
cmp chk,F
jae l1
mov f1,$RESULT
mov eip,f1
mov p1,f1
add f1,A
bphws f1,"x"
run
bphwc f1
fill p1,A,90
find eip,#68????0000E8????1E00#
cmp $RESULT,0
je end
mov p2,$RESULT
fill p2,A,90
jmp l1
end:
mov eip,oep
MSG "Decrypt Suseful"
ret | |
| pavka | 22.12.2007 18:48:09 |
| vagcom in dir "V4" unpacked
http://rapidshare.com/files/78333287/VagComU_.rar | |
| misterfr | 22.12.2007 20:44:43 |
| i think vag-com have another protection because when i launch it then i have no error but he is closed immediately | |
| pavka | 22.12.2007 21:59:51 |
| Is not present there that all ;) is normally started | |
| misterfr | 22.12.2007 23:51:56 |
| no on my computer, your dump not work, he nothing do | |
| pavka | 23.12.2007 07:44:23 |
| misterfr writes:
my request is not for crack it but only unpack it from pc-guard ... | |
| pavka | 23.12.2007 10:33:03 |
| misterfr
try it http://rapidshare.com/files/78475104/VagComU_.rar | |
| misterfr | 23.12.2007 10:59:55 |
| ok! BIG thank you but what was wrong ? WHY when i use dumpfile it in win32dasm 8.93 or reshacker(when i save a re compiled) i have again an error (maybe a protection) | |
| pavka | 23.12.2007 12:58:24 |
| misterfr
Try to process file Resource Binder 2.3 | |
| misterfr | 23.12.2007 14:44:19 |
| PERFECT ! u really really good! Resource Binder is a good soft!
i have last 2 question....
1) what the difference are you do between this 2 files: xxxx://rapidshare.com/files/78333287/VagComU_.rar (not work) xxxx://rapidshare.com/files/78475104/VagComU_.rar (work) ... (i think only iat build ?)
2) in can you give the v7-vagcom because xxxx://rapidshare.com/files/78238845/VAG-COMU_.rar cannot be launched like your first v4-vagcom
thank you pavka | |
| pavka | 23.12.2007 15:55:41 |
| misterfr writes:
in can you give the v7-vagcom
There it is used VM! To assort long enough! It will be easier if you start 1 script that I have written for you, and will make dump on the Yours computer All will normally work! | |
| pavka | 23.12.2007 17:51:58 |
| misterfr
try it Will work on all OS normally
http://rapidshare.com/files/78544350/VAG-COMUV7.rar | |
| misterfr | 23.12.2007 19:24:28 |
| THANKS A LOT !!!!!!!!!!!!!!!!!!!!!!!!!! u're good!!!!! | |
| misterfr | 29.12.2007 13:49:00 |
| pavka writes:
misterfr try it Will work on all OS normally http://rapidshare.com/files/78544350/VAG-COMUV7.rar
lol reeeee, i can't LOAD this file in w32dasm because there is a "do loop"..... can you help me again for this pavka ? | |
| pavka | 29.12.2007 17:32:04 |
| misterfr
I do not use w32dasm Work in IDA | |
| misterfr | 29.12.2007 23:19:40 |
| he work with ida and olly but not with w32dasm .... i know that ida and olly are better than w32dasm but i have always use it .... can anyone help me please? | |
| pavka | 30.12.2007 06:47:20 |
| VM not with w32dasm | |
| driver73 | 26.03.2008 16:01:32 |
| Pavka, can you please unpack the english version of this software?
http://www.ross-tech.com/vag-com/download/current.html | |
| pavka | 27.03.2008 14:03:34 |
| driver73
http://rapidshare.com/files/102736065/vagcomU.rar | |
| driver73 | 27.03.2008 16:47:23 |
| Thank you for quick response!
But in the unpacked file I see many encrypted code blocks for example: 0040C80D 0040D723 00419079 ... Can you decrypt these code blocks? | |
| pavka | 27.03.2008 16:53:50 |
| 00A0FB69 68 16A49F00 PUSH vagcomU_.009FA416
00A0FB6E ^ E9 6D57FEFF JMP vagcomU_.009F52E0
00A0FB73 68 90BD9F00 PUSH vagcomU_.009FBD90
00A0FB78 ^ E9 6357FEFF JMP vagcomU_.009F52E0
00A0FB7D 68 A2D99F00 PUSH vagcomU_.009FD9A2
00A0FB82 ^ E9 5957FEFF JMP vagcomU_.009F52E0
00A0FB87 68 CFE39F00 PUSH vagcomU_.009FE3CF
00A0FB8C ^ E9 4F57FEFF JMP vagcomU_.009F52E0
00A0FB91 68 24F39F00 PUSH vagcomU_.009FF324
00A0FB96 ^ E9 4557FEFF JMP vagcomU_.009F52E0
00A0FB9B 68 DF46A000 PUSH vagcomU_.00A046DF
00A0FBA0 ^ E9 3B57FEFF JMP vagcomU_.009F52E0
00A0FBA5 68 0B4EA000 PUSH vagcomU_.00A04E0B
00A0FBAA ^ E9 3157FEFF JMP vagcomU_.009F52E0
00A0FBAF 68 7171A000 PUSH vagcomU_.00A07171
00A0FBB4 ^ E9 2757FEFF JMP vagcomU_.009F52E0
00A0FBB9 68 657FA000 PUSH vagcomU_.00A07F65
00A0FBBE ^ E9 1D57FEFF JMP vagcomU_.009F52E0
00A0FBC3 68 5CC5A000 PUSH vagcomU_.00A0C55C
00A0FBC8 ^ E9 1357FEFF JMP vagcomU_.009F52E0
00A0FBCD 68 ABC7A000 PUSH vagcomU_.00A0C7AB
00A0FBD2 ^ E9 0957FEFF JMP vagcomU_.009F52E0
00A0FBD7 68 20D5A000 PUSH vagcomU_.00A0D520
00A0FBDC ^ E9 FF56FEFF JMP vagcomU_.009F52E0
00A0FBE1 68 BCE8A000 PUSH vagcomU_.00A0E8BC
00A0FBE6 ^ E9 F556FEFF JMP vagcomU_.009F52E0 | |
| driver73 | 27.03.2008 19:05:10 |
| O ... this is exact decrypting proc.
But I have not so high cracking skill
I want get working exe with already decrypted code. Is it possible? | |
| pavka | 28.03.2008 04:49:38 |
| driver73 writes:
I want get working exe with already decrypted code. Is it possible?
Probably Try.. | |
| driver73 | 03.04.2008 02:03:12 |
| I need complete unpacked exe.
Please contact me pm if anybody can help. | |
| pavka | 03.04.2008 11:59:13 |
| driver73
File complete unpacked | |
| driver73 | 03.04.2008 13:28:18 |
| OK. I need complete decrypted exe
this file has about 40 encrypted code blocks. I need exe with decrypted code blocks. | |
| obdflasher | 08.12.2008 22:51:45 |
| misterfr hi help me please with unpack vag 805.0 and 805.1 ? | |
| nerko | 31.12.2008 11:18:29 |
| Hi everybody
I have few questions, bad_guy said to ask You ppl.. I tried to translate this soft (same thing "misterfr" wants) but when i try to run it/save it I get message/warning/error that "Image" is changed, afterward .exe is unusable. Even if i change single char. I tried about 200Mb of different software to bypass this but none worked
Also i have 3 different version unpacked same problem on all of them. I want Santa Claus to give me solution for this, I give up from chicks You can have them | |
| __ | 31.12.2008 11:36:17 |
| nerko
.rsrc section in .exe should be last section | |
| nerko | 31.12.2008 13:05:44 |
| It's working | |
| nerko | 04.01.2009 01:24:33 |
| Hi, I got new problems
Seems like I need to decompile VM... any directions how can noob like me do that anybody? | |
| nerko | 09.01.2009 11:36:29 |
| Hi, anybody can point me 'how to decode' "codes.dat" file (from same software)?
Contest looks like this: 000000 Ňž÷餔†ۑ˙Ěç 000001 ¶Ň©óŢŽ ®Î‘şŠÜň™şźŢ 000002 ý÷éÇËŢú‘ŚŠ‘đŻÝúąůχ҄ďŮÔ 000003 ·ŃÖÜÜŕé”îňŚČśˆ thanks | |
| nerko | 16.01.2009 22:34:33 |
| Anybody willing to do it for some cash? #17 and #18 | |
| nerko | 19.01.2009 22:56:46 |
| nobody? | |
| marusv | 20.01.2009 12:19:35 |
| codes.dat decryption is my homework for now... I'll keep you informed. | |
| weezer | 30.01.2009 01:13:41 |
| Good day, ppl
can u please unpack latest beta release vag-com software pc-guard-5.xx packed. url: http://temp.ross-tech.com/VCDS/download/B812/VCDS-Beta-8121-Installer.exe (file: VCDS.exe) i'm try unpack it for ollydbg with posted scripts and don't get any results | |