PEunLOCK v0.2 PUBLiC by cyclotron

linhanshi 28.03.2008 20:06:14
v0.2

+ support for victims whose apis are not redirected

+ fix exception for newer versions of PELock

PEunLOCK PUBLiC v0.1 by cyclotron

- Support unpacking PELock v1.06

- Based on ap0x's unpack engine v1.4

- EXCLUSIVE support for FULLY protected victim under WinXP SP2

2008.3.27


- PEunLOCK.PUBLiC.v0.2.rar
  
Kali 28.03.2008 20:32:24
Thanks Linhanshi!
  
Grim Fandango 29.03.2008 02:02:31
Thanks. This one is public, so there is a private one.
What's the difference?
  
pavka 29.03.2008 05:37:31
Thanks !
unpacked

- dump.rar
  
Bronco 29.03.2008 19:21:47
pavka
something like this with the table:
mov temp,[table]
add temp,5

ImpREC should trace OK

in code:
1.003B023A 8B96 B8000000 MOV EDX,DWORD PTR DS:[ESI+B8] //address in code
1.003B064B 8B47 04 MOV EAX,DWORD PTR DS:[EDI+4] //8040xxxx
2.003B094E 25 FFFFFF7F AND EAX,7FFFFFFF //0040xxxx
don't know how to take it yet, it runs, motherfucker...

Archer: This is world-wide subforum, I translated the message this time but I'll delete it the next time!
  
Bronco 30.03.2008 01:16:02
Archer
yes, yes ....$$
//motherfucker - this steeply
=======






- PEunLOCK_un.txt
  
pavka 30.03.2008 04:19:54
Bronco
var j
var nt
var fn
var srh
var seax
var jw
var ftn
var pbase
var oep
var gmh
var iatrva
var iatb
var iatsz
var iallocib
var espval
var counter
var ImageBase
var nm


mov counter,0
gmi eip,MODULEBASE
mov ImageBase,$RESULT
GMI eip,NAME
mov nm,$RESULT
eval "{nm}_U.exe"
mov nm,$RESULT

gpa "GetModuleHandleA","kernel32.dll"
mov gmh,$RESULT
bphws gmh,"x"

erun
erun
rtu
mov espval,esp
erun
mov iatrva,esi
pause
GMEMI iatrva,MEMORYBASE
mov iatb,$RESULT
GMEMI iatb,MEMORYSIZE
mov iatsz,$RESULT
alloc iatsz
mov iallocib,$RESULT
MEMCPY iallocib,iatb,iatsz
bphwc gmh
bphws espval,"r"
erun
bphwc espval
find eip,#FFE0#
cmp $RESULT,0
je quit
bp $RESULT
erun
bc eip
sti
mov oep,eip
GMI eip,ENTRY
mov pbase,$RESULT
GMEMI pbase, MEMORYBASE
mov pbase,$RESULT
find pbase,#53515256E8000000005B81EB??????0081C3??????008BC833D283C8FFBE0400#
cmp $RESULT,0
je quit
mov fn,$RESULT
find pbase,#????????????4?80????????????4?80????????????4?80????????????4?80#
cmp $RESULT,0
je quit
mov nt,$RESULT

mov srh,401000

loop:
find srh,#CC90????????#//#CC90??600C45# //#FF2556FE4700#
cmp $RESULT,0
je goep
mov srh,$RESULT
mov j,$RESULT
mov jw,$RESULT+2
mov eip,fn

mov eax,j-400000

rtr
mov seax,eax
buf seax
find nt,seax
mov ftn,$RESULT+4
mov ftn,[ftn]
and ftn,0FFFFFF
mov [j],#FF25#
mov [jw],ftn
jmp loop
goep:
mov eip,oep
MEMCPY iatb,iallocib,iatsz
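// subtract ImageBase to turn both addresses into RVAs
sub oep,ImageBase
sub iatrva,ImageBase
// counter = ImageBase + e_lfanew (offset 3C) = address of the PE header
mov counter,ImageBase
add counter,3C
mov counter,[counter]
add counter,ImageBase
// PE header + 28: AddressOfEntryPoint
add counter,28
mov [counter],oep
// PE header + 80: import directory RVA
add counter,58
mov [counter],iatrva
// dump the process to the file named in nm
dpe nm, eip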

eval "The file is completely unpacked!"
msg $RESULT
ret

quit:
ret
  
linhanshi 30.03.2008 16:01:39
v0.6

+ support VB programs

v0.3

+ suppress unidentified stolen code restoration

+ make all sections writable


- PEunLOCK.PUBLiC.v0.6.rar
  
Grim Fandango 30.03.2008 16:28:13
With this speed the author will write v1.0 in a week. ;)
  
linhanshi 30.03.2008 16:38:05
some problems;)
  
pavka 30.03.2008 17:56:51
Hm.. What can they unpack?
  
Grim Fandango 30.03.2008 19:57:16
pavka
There is a line in "About":
"Only for fully protcted victim".
  
Kali 01.04.2008 23:32:49
v0.9

+ fix code redirection delta

- PEunLOCK 0.9.zip
  
Grim Fandango 02.04.2008 11:35:13
Hehehe.
I was right, there'll be 1.0 soon.
  
nopnop 02.04.2008 14:51:09
thanks
I think he or she works hard on releasing ver 1
  
G00ba 02.04.2008 15:28:18
but this way is hard, generic replace find is better!!!!! try this.....
  
linhanshi 02.04.2008 17:47:02
Cyclotron: In terms of good encryption algorithm, we published books: encryption and decryption is his writing.

http://bbs.pediy.com/showthread.php?t=60232
  
nopnop 03.04.2008 00:54:23
@linhanshi
How can we get this ebook? Any link for download?
Is it in English or not?
  
Kali 09.04.2008 08:57:37
v1.2

[+] support for locating and incorporating dual comctl32.dll

[+] scan for SDK marks

[+] fix magic jump matching pattern

cyclotron works hard boys

- peunlock 1.2.zip
  
Grim Fandango 09.04.2008 09:53:27
Maybe there are some other tools from this guy?
  
pavka 09.04.2008 12:14:05
Grim Fandango wrote:
Maybe there are some other tools from this guy?

EmbededPe
  
Kali 10.04.2008 09:02:11
Grim Fandango:
Maybe there are some other tools from this guy?

IDT Protector v0.9 for Win2k by cyclotron
  
BURAOT 04.05.2008 03:19:58
Doesn't work on XP SP3. It crashed.
  
PE_Kill 06.05.2008 01:05:19
Shit protection. Doesn't run on my system. Unpacker used LOCK CMPXCHG8B EAX for self-tracing and crashed itself.
  
PE_Kill 06.05.2008 01:47:38
pavka please unpack 1.2 version
  
pavka 06.05.2008 03:28:59
PE_Kill wrote:
unpack 1.2 version

unpacked

- PEunLOCK_U.rar
  
BURAOT 07.05.2008 17:52:37
Thanks again, it worked now.
  
linhanshi 07.05.2008 19:47:01
v1.2

[+] support for locating and incorporating dual comctl32.dll

[+] scan for SDK marks

[+] fix magic jump matching pattern


- PEunLOCK.PUBLiC.v1.2.rar
  
Shkoder 27.06.2008 02:58:59
Does anyone know if the project has had any update since March? I've got a mysterious file that can be partially dumped by PEunLock 0.9, while version 1.2 dies after step 3 (archive password is: helpmepls)

hxxp://rapidshare.com/files/124011549/vps.rar.html

I've tried to unpack the executable using the well-known PELock 1.06 unpacking tutorial, but the output file appeared to be broken and not sufficient for reverse engineering. Can anyone help me, please?
  
pavka 27.06.2008 14:49:15
Shkoder
dll ?
  
Shkoder 27.06.2008 15:03:40
Here they are:

http://rapidshare.com/files/125374137/dlls.rar.html

The archive password is the same.

sorry
  
pavka 29.06.2008 14:57:52
Shkoder
Maybe that is not enough! The protected program fails with an error.
I unpacked the file but cannot test it. If you need the file, I can upload the unpacked one.
  
Shkoder 29.06.2008 17:55:25
I can give your file a try, but actually only two kinds of errors were possible: no libraries (I am sure I gave you all the DLLs supplied with the software) or a protection error (IP address not allowed). About the last error, I wish to take care of it myself. Please upload the unpacked file somewhere.
  
pavka 29.06.2008 18:09:29
Shkoder
http://rapidshare.com/files/125865089/vpsU_.rar
  
Shkoder 30.06.2008 22:22:10
Some MFC calls are still broken, but the unpacked executable is fully usable for protection reversing. Thanks a lot!
  
zelda 22.09.2008 03:42:54
hi

after they Unpacked the exe with the peunlock 1.2 exe will not run
http://rapidshare.com/files/147288979/T_-_Tool.rar.html
please Help

Regards
  
pavka 22.09.2008 05:35:58
zelda
unpacked
http://rapidshare.com/files/147305962/T_-_Airbag_ToolU_.rar
  
zelda 22.09.2008 06:36:19
thanks pavka

it is possible to remove the demo version that is full version

Best Regards
  
every 22.10.2008 23:15:53
Hi Shkoder, I have removed the demo version, and now it's full, more than 5 calls. I can't set any IP number for version .972
- I used another unpacker, the peunlock ain't working here, "Error: Could not load engine. dll files". Any ideas?
Regards
  
injing 11.04.2010 13:37:07
Shkoder
Did you manage to unpack PeLock 1.06?
  
Archer 11.04.2010 21:17:26
Have you seen the date? Do you really think he's still here? Use PM.