There is a very easy way to find the OEP; Olly can do it for us. In Options, under the SFX tab, set "Trace real entry bytewise (very slow!)" and just load the exe in Olly. After a second or two, Olly will stop on the OEP:
Imports can be fixed very easily too. First remove that tracing option in Olly, set it to "Stop at entry of self-extractor", and then restart the target in Olly. Then set a breakpoint at the end of the GetModuleHandleA API and run:
In the stack you can see which API is redirected; in this case it is OutputDebugStringA. We can change a few bytes in the protector code in order to trick the protector. But we need a little space for the injection, so I will just NOP a couple of junk opcodes to make room. Scroll up and check:
107D6CF7 EB 02 JMP SHORT 107D6CFB
107D6CF9 CD 20 INT 20
107D6CFB 58 POP EAX ; unsafedi.0060C0B8
107D6CFC EB 02 JMP SHORT 107D6D00
107D6CFE 0FE889 077C03EB PSUBSB MM1,QWORD PTR DS:[ECX+EB037C07]
107D6D05 03E9 ADD EBP,ECX
107D6D07 ^74 FB JE SHORT 107D6D04
107D6D09 61 POPAD
Two APIs are wrong!? The last jump at 402522 is good, but the two at the beginning lead to the protector's code. What's the problem? SVKP uses different procedures for those two APIs. I placed memory breakpoints on these two addresses and found that the two missing APIs are:
The only thing left is to dump and rebuild the imports with ImpREC. The dumped file is a lot bigger than the packed one: its data section is pretty big, the author of the app coded it like that, so I will just leave it. But I removed the SVKP section, the last one.
This way of unpacking SVKP is maybe a little dirty or lame, but I didn't want to waste too much time on it. I'm now playing with 1.42, which has some more tricks, but that will wait for a new tutorial.
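The check that ImpREC performs when it validates a dumped import table, written out as an added example (this is not code from the tutorial or from any tool it names): every pointer the protector left in the IAT is classified by the loaded module it falls into, and any pointer that lands outside every known module, like the two entries above that led into the protector's own code, is reported so it can be resolved by hand before rebuilding. The module ranges and the IAT snapshot below are constructed sample values, not real load addresses.

```python
# Added example, not part of the original tutorial: flag import thunks whose
# stored pointer does not fall inside any known module (typical of a protector
# redirecting an API into its own code) before dumping and rebuilding the IAT.

from dataclasses import dataclass


@dataclass(frozen=True)
class ModuleRange:
    """A loaded module's address range as the debugger would list it."""
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


# Constructed module map (assumed bases and sizes, not real load addresses).
MODULES = [
    ModuleRange("kernel32.dll", 0x7C800000, 0x000F6000),
    ModuleRange("user32.dll",   0x7E410000, 0x00091000),
]

# Constructed IAT snapshot: thunk address -> pointer the protector stored there.
# Two entries point into the 107Dxxxx region, modelled on the protector code
# addresses shown in the listing above, and belong to no listed module.
IAT_SNAPSHOT = {
    0x00405000: 0x7C80B741,  # inside kernel32.dll (constructed)
    0x00405004: 0x107D6CF7,  # inside no known module: redirected by the protector
    0x00405008: 0x7E41A8AD,  # inside user32.dll (constructed)
    0x0040500C: 0x107D6D20,  # inside no known module: redirected by the protector
}


def classify_thunks(iat, modules):
    """Map each thunk address to the name of the module its pointer falls in,
    or None when the pointer lies outside every listed module."""
    result = {}
    for thunk, target in iat.items():
        owner = next((m.name for m in modules if m.contains(target)), None)
        result[thunk] = owner
    return result


def redirected_thunks(iat, modules):
    """Sorted thunk addresses that must be fixed by hand before rebuilding."""
    return sorted(t for t, owner in classify_thunks(iat, modules).items()
                  if owner is None)


if __name__ == "__main__":
    for thunk, owner in classify_thunks(IAT_SNAPSHOT, MODULES).items():
        target = IAT_SNAPSHOT[thunk]
        status = owner or "NOT IN ANY MODULE (redirected?)"
        print(f"{thunk:08X} -> {target:08X} : {status}")
```

Run against a real dump, the module list would come from the debugger's module window and the snapshot from the IAT region of the dump; the two thunks reported here are exactly the ones the memory breakpoints in the text had to resolve.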