#1
03-21-2011, 02:53 PM
Bunkai.Satori
Junior Member

Join Date: Mar 2011
Posts: 2
PC-Guard v5.0x: Unpacking and finding EOP

Dear all,

I would need to reverse one file that is protected with PC-Guard v5.0x. As this is my first target, despite continuously reading tutorials and additional info, I am still having difficulties.

Could I kindly ask you for advice on how to successfully unpack and find EOP for my file?
  • The file is compressed with PC-Guard v 5.0x (probably v5.06.044) - is it possible to find the precise subversion of PC-Guard used?
  • The protected file offers a 14 day full feature trial version. Instead of finding the activation code algorithm, I've decided to identify the OEP of the full feature trial version. Is this the correct approach?
  • I am able to identify the first instruction immediately after the trial version button press. But then a series of nested CALLs follows. How to find the real OEP, please?
  • I was able to identify a series of calls to kernel::GetVersion(), kernel::GetCommandLine(). But there are too many of them, meaning that even the included DLLs must have them implemented. Can these calls still be of any help to me?
  • What are the other strategies of finding OEPs?

Thank you very much.
#2
03-21-2011, 09:58 PM
ac!d
Member

Join Date: Sep 2010
Posts: 25

there is no version info stored inside the exe that i know of, give Protection ID a chance, it does detect it like v5.01 or v5.03 - v5.04. we are currently working on an exact way, all signature based too. so search them on your own or wait till the next release of protection id
#3
03-21-2011, 10:28 PM
Bunkai.Satori
Junior Member

Join Date: Mar 2011
Posts: 2

[Please DO NOT quote whole messages, it is unnecessary]


Hi Ac!d,

Thanks for your advice. I've been using PEiD. I am going to see Protection ID straight away. I hope it is not the same package :-)

Protection ID is a much better package than PEiD, indeed. While PEiD gives me only the main version number, like PC Guard v5.0, Protection ID is more precise, returning PC Guard v5.1 - v5.2.

Moreover, it has more functions. Good job. Thank you.

Last edited by Git : 03-22-2011 at 08:50 AM.