tElock 0.98 and 0.99/1.00 scripts

[haggar]

There was some questions about that tElock tutorial. These scripts will maybe help a little:


//---------------- Script for TELock 0.98, needs Epsylon3 ODbgScript plugin ------
var CB
var CS

msg "Ignore ALL exceptions!!!"

gpa "GetModuleHandleA","kernel32.dll"
bp $RESULT
esto
bc eip
rtu

find eip,#80A5????????FF0F843001000080A5????????FF0F8423010000#
cmp $RESULT,0
je error
bp $RESULT
esto
bc eip
sti
mov [eip],0130E990

gpa "VirtualProtectEx","kernel32.dll"
bp $RESULT
esto
bc eip
rtu

gmi eip,CODEBASE
mov CB,$RESULT
gmi eip,CODESIZE
mov CS,$RESULT
bprm CB,CS
esto
bpmc
an eip

ret
error:
msg "Cannot find import redirection procedure!"
ret
//---------------------------------- End -------------------------------------------





This one is for TELock 0.99-1.0

//-------------------------- Start -----------------------------
/*
================================
tElock 0.99 - UNPACKER SCRIPT (c) haggar
================================
*/

var temp

gpa "GetClassNameA","user32.dll"
cmp $RESULT,0
je ERROR
bp $RESULT
esto
bc eip
rtu
sti
mov [eip],#90909090909090909090909090909090#
mov temp,eip
add temp,3F
bp temp
esto
bc eip
sub temp,3F
mov [temp],#81384F4C4C59741981384F574C5F7411#

gpa "VirtualAllocEx","kernel32.dll"
cmp $RESULT,0
je ERROR
bp $RESULT
esto
bc eip
rtr
sti
rtr
sti

find eip,#0F84????000080A5????????FF0F84????000080A5????????FF#
cmp $RESULT,0
je ERROR
bp $RESULT
esto
bc eip
fill eip,1,90
sti
fill eip,1,0E9

gpa "VirtualProtectEx","kernel32.dll"
cmp $RESULT,0
je ERROR
bp $RESULT
esto
bc eip
rtr
sti

find eip,#8B64240833C0FF642408#
cmp $RESULT,0
je ERROR
bp $RESULT
esto
bc eip

LABEL01:
sti
mov temp,[eip]
and temp,0FF
cmp temp,60
jne LABEL01

sti
mov temp,esp
bphws temp,"r"
esto
bphwc temp

rtr
sti
rtr
sti
an eip
cmt eip,"<-- OEP! Fix IAT with ImpREC. ...haggar..."

ret
ERROR:
msg "ERROR! Sorry Exiting..."
ret
//------------------------------ end --------------------------------------------------





For manually searching import magic jump in 0.98, break on GetModuleHandle and then search for this byte signature

80A5????????FF0F843001000080A5????????FF0F8423010000

There you need something to patch, don't remember what anymore.

[allko]

yeah the script works , then the dump fixing also works
but any idea why the dump fixing doesn't work with the manually method of MUNing ?


EDIT : after understanding the script carefully , i could simulate it manually on olly , and it works. the main point is in replacing that "je" with " nop & jmp"
iam trying now to understand the effect of this step. also i have a question , what is the size returned after gmi eip,CODESIZE ? i have just put a bp on memory from 401000 to the end. and it breaked on the oep which is 401000.

EDIT # 2 : nope , it seems that both methods leads to good result
(it seems that i have problems in manually copying and pasting the imports...)

[haggar]

Never mind for that manually copy-paste. That was my first idea while I was still new to unpacking.

Second idea is: Since tElock has option to protect imports or not, that means that inside its loader code has some check that will see if it needs to protect imports or not. So it's like patching simple crackme, we just fool protector. Such jumps are known as "magic jumps". Many protectors have these jumps or code that works in similar way. But sometimes is easy to find that jump like in tElock, and sometimes is harder. Sometomes packer doesn't even have this option.

[allko]

aha...
now i understand everything
(infinity exponent infinity) thanks flyz to you
i think this is the largest ever !!


all regards
allko