ARTeam Tutorial

Visit: http://cracking.accessroot.com | http://forum.accessroot.com

< Unpacking Protection Plus v4.x (Anti-Dump) >


Information:  Unpacking Video Vault v2.0.0.133
Target:       Video Vault v2.0.0.133
Available:    http://intechhosting.com/~access/ARTeam/tools/VideoVaultFull-Trial_2.0.0.133.exe
Tools:        OllyDbg 1.10, ImpRec, LordPE, Hide Debugger 1.2
Protection:   Protection Plus v4.x (Anti-Dump)
Level:        Moderate - Advanced
Category:     Unpacking
Author:       MaDMAn_H3rCuL3s, May 2005
Requirements: Windows XP, IE 5.5 and above for best viewing


1. Introduction

The rest of this tutorial is laid out as follows:
1. Introduction
2. Finding OEP, Dumping & Rebuilding
3. Fixing Corrupted Imports in Main exe, running fixed Exe
4. Conclusion

Yeah yeah I know.. "another stupid tutorial from this guy".  Well yes, in some ways it is stupid... But my theory is "there are never enough".  In this tutorial we are gonna remove the protective layer from Video Vault.  So why a new tutorial?  Well, this one has a few tricks up its sleeve.  Plus a bug I never took note of before.  You'll notice it in the unpacked file.  We aren't gonna fix this bug, I just wanted to point it out.. in case the authors are reading this :)  So anyways.. on with the show. :)



2. Finding OEP, Dumping & Rebuilding

We start out like always.. at the packer's EP:

Nothing new here folks.  Same as the last tutorial.

Now we will execute the PUSHAD by hitting F7 twice.

Then our next objective is to use the ESP register as our BP.  So go over to ESP, right click it and follow it in dump.

Then in the dump we will put a HW BP on access, WORD, selecting the first 2 bytes:

Then our next job is to let the packer decrypt itself.  We do this by hitting the F9 button.  So go ahead and do this now.

Then you will see the nag come up.

Now we will select the "I would like to evaluate the application" option and then hit next.

Now click "evaluate" and then we will break here:

Now we just hit the F7 key to execute the RETN.

And there we have it :)  We have reached the OEP.  Now we use OllyDump to dump, because if you use LordPE it will not dump properly.  So go to your Plugins menu and select OllyDump.

Then pick the OllyDump dll.

Then you will see the usual screen.

Make sure you de-select the "Rebuild Method" option.  And then dump it.

Now we need to fix this protection's ANTI-DUMP feature.  So open up LordPE and go to the "PE Editor" option.

Select "PE Editor", and then open up the original exe (still packed).

Then click on the "Sections" button.

Take note of the RSIZE of the ".rsrc" section, which is 0009CA00.

Now open up the dumped file in LordPE and do all the same things as before (PE Editor, Sections).

You notice the ".rsrc" section has been wiped?  Just replace the VSIZE and RSIZE with 0009CA00, by right clicking the section and then editing it.

Then when you see this:

Just change the 2 things I just mentioned (RSIZE & VSIZE).

Then hit "OK", and then save your changes.

Now that's all.  You have beaten Part 1 of this protection's anti-dump.  Now all that's left is to rebuild the import table, then figure out why.... well, you'll see :)
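The "wiped .rsrc" trick above is just a section header whose VirtualSize and SizeOfRawData have been zeroed, so the loader maps nothing for it. The script below is an added example, not code from the ARTeam tutorial, from LordPE or from OllyDump: it parses a PE32 section table, reports any section with zeroed sizes, rewrites the two fields the way the LordPE edit does, and performs the VA-minus-ImageBase subtraction ImpRec wants for the OEP. The PE image it works on is constructed inline; only the .rsrc size (0009CA00) and the OEP RVA (0010E7FC) come from the tutorial, everything else (section names, offsets, characteristics) is made up for the example, and the parser deliberately handles PE32 only.

```python
"""Added example, not code from the ARTeam tutorial or from LordPE: parse a PE32
section table, flag section headers whose sizes were wiped (what the anti-dump
trick does to ".rsrc" in the dumped file), rewrite them, and do the
VA-to-RVA subtraction ImpRec needs.  The PE image is constructed inline."""
import struct

E_LFANEW_OFFSET = 0x3C      # offset of e_lfanew in IMAGE_DOS_HEADER
SECTION_HEADER_SIZE = 40    # sizeof(IMAGE_SECTION_HEADER)
PE32_MAGIC = 0x10B


def build_test_image(wipe_rsrc):
    """Construct a minimal PE32 header with a .text and a .rsrc section.
    All values are constructed for this example except the .rsrc size
    (0009CA00) and the OEP RVA (0010E7FC) quoted in the tutorial.  With
    wipe_rsrc=True the .rsrc VirtualSize and SizeOfRawData are zeroed, which
    is the state the dumped file was found in."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, 64)             # PE header right after the DOS header
    # IMAGE_FILE_HEADER: i386, 2 sections, no symbols, 224-byte PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 16, 0x0010E7FC)                  # AddressOfEntryPoint (OEP RVA)
    struct.pack_into("<I", opt, 28, 0x00400000)                  # ImageBase
    rsrc_size = 0 if wipe_rsrc else 0x0009CA00
    # IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData,
    # PointerToRawData, reloc/line pointers and counts, Characteristics
    text = struct.pack("<8sIIIIIIHHI", b".text", 0x1BB000, 0x1000, 0x1BB000, 0x400, 0, 0, 0, 0, 0x60000020)
    rsrc = struct.pack("<8sIIIIIIHHI", b".rsrc", rsrc_size, 0x1BD000, rsrc_size, 0x1BB400, 0, 0, 0, 0, 0x40000040)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + text + rsrc


def _section_table(image):
    """Locate the section table; returns (offset_of_first_header, count)."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, E_LFANEW_OFFSET)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    count = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    return coff + 20 + opt_size, count


def parse_sections(image):
    """Return (image_base, entry_rva, sections) for a PE32 image buffer."""
    first, count = _section_table(image)
    e_lfanew = struct.unpack_from("<I", image, E_LFANEW_OFFSET)[0]
    opt = e_lfanew + 4 + 20
    if struct.unpack_from("<H", image, opt)[0] != PE32_MAGIC:
        raise ValueError("only PE32 is handled here")
    entry_rva = struct.unpack_from("<I", image, opt + 16)[0]
    image_base = struct.unpack_from("<I", image, opt + 28)[0]
    sections = []
    for i in range(count):
        name, vsize, va, rsize, raw = struct.unpack_from("<8sIIII", image, first + i * SECTION_HEADER_SIZE)
        sections.append({"name": name.rstrip(b"\0").decode("ascii"),
                         "vsize": vsize, "va": va, "rsize": rsize, "raw": raw})
    return image_base, entry_rva, sections


def wiped_sections(sections):
    """Names of sections with a zero VirtualSize or SizeOfRawData.  The loader
    maps nothing for such a section, so whatever lived there (resources here)
    is gone when the dump runs: the symptom the tutorial fixes by hand."""
    return [s["name"] for s in sections if s["vsize"] == 0 or s["rsize"] == 0]


def repair_section(image, name, vsize, rsize):
    """Return a copy of the image with the named section's VirtualSize and
    SizeOfRawData rewritten (the LordPE "edit section" step)."""
    buf = bytearray(image)
    first, count = _section_table(buf)
    for i in range(count):
        off = first + i * SECTION_HEADER_SIZE
        if buf[off:off + 8].rstrip(b"\0") == name.encode("ascii"):
            struct.pack_into("<I", buf, off + 8, vsize)    # VirtualSize
            struct.pack_into("<I", buf, off + 16, rsize)   # SizeOfRawData
            return bytes(buf)
    raise KeyError(f"no section named {name}")


def va_to_rva(va, image_base):
    """The subtraction done by hand for ImpRec's OEP box: VA minus ImageBase."""
    if va < image_base:
        raise ValueError("address lies below the image base")
    return va - image_base


if __name__ == "__main__":
    dumped = build_test_image(wipe_rsrc=True)
    base, entry, secs = parse_sections(dumped)
    print(f"ImageBase {base:08X}, OEP RVA {entry:08X}, OEP VA {base + entry:08X}")
    print("wiped sections:", wiped_sections(secs))
    fixed = repair_section(dumped, ".rsrc", 0x0009CA00, 0x0009CA00)
    print("after repair:", wiped_sections(parse_sections(fixed)[2]))
    print(f"RVA of 0050E7FC: {va_to_rva(0x0050E7FC, base):08X}")
```

Running `wiped_sections` over a fresh dump is a quick sanity check before spending time on imports: if a section comes back with zero sizes, the header was tampered with and the values have to be recovered from the original file, exactly as the steps above do for .rsrc.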

 

Well okay, now it's time to fix the imports.  Still at the OEP, search for "FF25": hit CTRL+B, type in FF25 and click "OK".

You should be here.  Now follow the pointer in dump (memory).

Then in the dump, scroll up until you reach the beginning of the import table.

Now all we do is hit CTRL+G, type in the address we see there (005BD000) and click "OK".

Now our offset is stored, so it is safe to restart Olly.  Hit CTRL+F2 and we are back at the EP of the protector.

Now in the dump hit CTRL+G (the address is still there) and hit "OK".  Once there, right click the pointer and set a BP MEM on WRITE.

Now it is okay to hit F9 and let it run till we get to the nag.

But first we break on this REP instruction (the one that zeroes our bytes).

Now the nag appears.  Then like before we want to evaluate it, so click the "evaluate" button.

We now break here.  If we scroll up we see the infamous CALL that I showed you how to get rid of in the last tutorial.  So scroll up to the CALL, hit Enter on it to enter it, then follow along.

Now we need to find the JA to patch.  Simply follow the JNZ at 00E211B8 by hitting Enter on it as well.

You land here.  Now you see the other JNZ, at offset 00E2126C?  Hit Enter on this as well.

And there it is :)  All we do now is set a BP HW on EXECUTION on it.  Then restart.

Now we can restart it.  So hit CTRL+F2 and we are back at the EP again.

Yup, here again.  If your HW BP on ESP has been deleted, please re-do it now.

Now hit F9 till we reach our nag.  Same as before.. evaluate it :)

Once we click on evaluate we will break on our HW BP.

We see it jumps this time.  Not every import is messed up.. but a good many are.  So now just remove the HW BP on EXECUTION here and change this JA to a JMP.

Now let it run till we break on the OEP (well, the instruction before it).  Then like before, follow it to the OEP by hitting F7 to execute the RETN.

There :)

Now we need to rebuild the imports as best we can with ImpRec.  So start up ImpRec and attach to the videovault.exe process.

Then enter our OEP (0050E7FC), but we subtract the Image Base (00400000) from it:

0050E7FC - 00400000 = 0010E7FC

So in the OEP box enter 0010E7FC, then click "IAT AutoSearch".

Now click on the "Get Imports" button.  You see one entry is invalid, from Kernel32.  We know what this is already from previous encounters (GetProcAddress).  Now only 5 invalid entries remain in the bottom section of the imports.

These will never turn up (this is Part 2 of the anti-dump protection feature I talked about).

So we can just cut them and then attach the IAT to the fixed dump file.  Tune in to the next section for the fixing details.



3. Fixing Corrupted Imports in Main exe, running fixed Exe.

So now for the fun part.... I told you we had another anti-dump feature left.  Here it comes.  Remember those 5 imports we cut?  Well, they have come back to bite us this time.  So to save yourself hours of headache, just search for the string FF25.  You will know when you reach it.

There it is.

So do like below to the following.. we need to find the section it tries to load and then attach it to the unpacked exe so it won't crash :)  It's very simple people.  :)  This method is not new.  But I must say I was inspired to write this up by a request I had from a dear friend (HINT: ARTeam member.. you know who you are).  I have been keeping this one to myself for a while, but gave up because it's easier to inline it than to unpack, at least I think so.

So anyways.. what we do now is follow the pointer in dump to see where it tries to access.  So go ahead and right click any of the invalid pointers from the picture above.

And then we see what the dump tells us about this set of invalid pointers (i.e. why they are invalid).

You see?  This dump read backwards (little-endian) = 00E2ACB0.

We do not have a section like this in our dump.. why, you ask???? It's the protector's next anti-dump measure.  But very easy to fix. :)  All we need to do is get the correct section from the protected exe and attach it to the dumped one.  Simple enough.  So now start up the protected exe in Olly and then look for this section.  You will need to get past the 2 nags yet again to get there.  But please, if you didn't already.. keep the BP on the stack there (ESP BP).  This way we break when we reach the OEP.. ample time to get our section.

So you got past the 2 nags and are now on the OEP.. first things first.  Hit ALT+M to bring up your memory map and look for a section that would contain the missing pointer's offset, so somewhere in the range holding 00E2ACB0:

There's our missing section :)

Now it is very easy to fix this.  Just double click the line:

And then we right click and select all.

Then we look like this:

Now we will copy it to a backup file.

Then save it under the default name.  No need to rename it anything else.

Now we start up LordPE again and we are gonna attach the section to the exe that we have as our dump.  So once LordPE is running, click on the "PE Editor" button, select your file and then click on the "Sections" button.  Then once in there... right click anywhere in the section dialog box and select "Load section from disk".

Then select the file we saved.

Now we aren't finished yet.... we need to modify the Virtual Address so our dump maps the section where those pointers expect it.

So using math skills again:

00E20000 - 00400000 = 00A20000

So modify it like so... right click the section we just added, then select "edit section header".

Now you see this:

Then change the appropriate offset to our new offset...

Now we need to rebuild it, still using LordPE :)

So get out of this area (make sure you save it) and back to the main dialog of LordPE, and click "Rebuild PE", then select our dump file:

There, the ugly part is fixed. :)
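Both the FF25 hunt at the start of this section and the 00E20000 - 00400000 arithmetic just above come down to the same thing: FF 25 is the opcode of JMP DWORD PTR [slot], every such stub names one IAT slot, and a slot whose pointer lands in a region the dump does not contain (00E2ACB0 here) is an import no rebuilder can resolve. The script below is an added example, not code from the ARTeam tutorial, from ImpRec or from OllyDbg: it scans a code buffer for those stubs, reads each slot, sorts the pointers into "inside the image", "inside a known module" and "foreign", and for a foreign pointer computes the RVA a carried-over section needs so the dump maps the region back at its original address. The code bytes, IAT contents, module ranges and image size are all constructed; the only page values are the IAT start 005BD000, the pointer 00E2ACB0 and the image base 00400000. It also assumes the foreign region starts on a 64 KiB allocation boundary, which is how 00E2ACB0 rounds to 00E20000; in practice you read the region base off the ALT+M memory map as the tutorial does.

```python
"""Added example, not code from the ARTeam tutorial or from ImpRec: walk the
FF 25 stubs (JMP DWORD PTR [slot]) of a dumped image, read each IAT slot and
sort the pointers into "resolves inside a known module" and "points into a
foreign region the dump does not contain", then compute the RVA a carried-over
section needs.  All buffers, module ranges and image size are constructed."""
import struct

IMAGE_BASE = 0x00400000
IMAGE_SIZE = 0x001C0000          # constructed SizeOfImage
IAT_VA = 0x005BD000              # start of the import table located in the text
ALLOC_GRANULARITY = 0x10000      # assumption: the foreign region starts on a 64 KiB
                                 # allocation boundary; in practice read it from ALT+M
# constructed module ranges, as a memory map would list them
MODULES = {"kernel32.dll": (0x7C800000, 0x7C900000), "user32.dll": (0x7E410000, 0x7E4A0000)}


def find_jmp_stubs(code, code_va):
    """Return (stub_va, slot_va) for every FF 25 disp32 in the code buffer.
    A bare byte scan can also hit FF 25 inside data, so treat results as
    candidates and let read_slot reject anything that misses the IAT."""
    stubs = []
    i = code.find(b"\xff\x25")
    while i != -1 and i + 6 <= len(code):
        slot_va = struct.unpack_from("<I", code, i + 2)[0]
        stubs.append((code_va + i, slot_va))
        i = code.find(b"\xff\x25", i + 6)
    return stubs


def read_slot(iat, slot_va):
    """Read the 32-bit pointer stored in an IAT slot."""
    off = slot_va - IAT_VA
    if not 0 <= off <= len(iat) - 4:
        raise ValueError(f"slot {slot_va:08X} lies outside the IAT buffer")
    return struct.unpack_from("<I", iat, off)[0]


def classify(ptr):
    """'image' if the pointer is inside the dumped image, the module name if it
    falls in a known module, else 'foreign' (the entries ImpRec cannot fix)."""
    if IMAGE_BASE <= ptr < IMAGE_BASE + IMAGE_SIZE:
        return "image"
    for name, (lo, hi) in MODULES.items():
        if lo <= ptr < hi:
            return name
    return "foreign"


def audit(code, code_va, iat):
    """Map every stub's IAT slot to (pointer, verdict)."""
    report = {}
    for _, slot_va in find_jmp_stubs(code, code_va):
        ptr = read_slot(iat, slot_va)
        report[slot_va] = (ptr, classify(ptr))
    return report


def foreign_region_rva(ptr):
    """RVA to give a section so the dump maps the foreign region back at its
    original address: region base minus ImageBase.  For 00E2ACB0 this is the
    00E20000 - 00400000 = 00A20000 worked out in the text."""
    region_base = ptr & ~(ALLOC_GRANULARITY - 1)
    return region_base - IMAGE_BASE


def build_sample():
    """Constructed code and IAT: three stubs, two resolving into kernel32/user32
    and one pointing into the protector's region at 00E2ACB0."""
    code_va = 0x00401000
    slots = [IAT_VA, IAT_VA + 4, IAT_VA + 8]
    code = b"".join(b"\xff\x25" + struct.pack("<I", s) for s in slots) + b"\x90" * 4
    iat = struct.pack("<III", 0x7C801234, 0x7E415678, 0x00E2ACB0)  # constructed pointers
    return code, code_va, iat


if __name__ == "__main__":
    code, code_va, iat = build_sample()
    for slot, (ptr, verdict) in audit(code, code_va, iat).items():
        print(f"[{slot:08X}] -> {ptr:08X}  {verdict}")
        if verdict == "foreign":
            print(f"    section RVA needed to carry that region: {foreign_region_rva(ptr):08X}")
```

The "foreign" verdict is the programmatic version of what the dump window told us above: the slot is filled, but with an address inside memory the protector allocated at run time, so the dump has no bytes there and the call would fault. Listing those slots up front tells you how many regions you will have to carry over before the rebuilt exe can run.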

 

Now we have one last thing to fix or else it will still crash... I didn't mention this before.. The section we just added is an "are we registered" section.  When it returns back to the exe, if it doesn't return registered then it will display "TRIAL VERSION" in the about box.  Very easy to fix though.  So all we do is set a BP on each of the 5 imports we just repaired.  It will break and then just trace it out.  You will come to an area like so:

So you see it's very easy to fix it. (Note this isn't important.. only for looks.)

Now our app will run with no problems.  Well, except for the bug I told you about in the intro.  So let's test it out.  Save all changes and then run our fixed exe.

And it runs!

But I will warn you.. this app is very touchy.  If you minimize it.... it will crash.  Yes... but if you try to do it with the original exe it does this as well.  I am sure there are more things you can do to fix it better.  This tutorial's point was mainly to show you how to make the exe run, and also teach you something.  The point here was to teach you about the import table and how big a role it plays in the functioning of our app.  Well, I hope you learned yet another new idea.  Let's keep em coming guys.  All you ASPR lovers, why not make a nice tutorial on the newer versions.  Who knows, maybe one day we will meet a protection that is indeed.. IMPOSSIBLE.  Until then.. I am MaDMAn_H3rCuL3s.... Later....



4. Conclusion

Lessons Learnt

1. You hopefully learned how to remove the protection from a "harder to unpack" exe.

2. Remember.. knowledge is free.  Or at least it should be.  I do this for fun.  Not to financially cripple anyone or any company.

5. Greetingz

[MAIN TEAM]
[Nilrem] [JDog45] [Shub - Nigurrath] [MaDMAn_H3rCuL3s] [Ferrari] [Kruger] [Teerayoot] [R@dier] [ThunderPwr][Eggi] [EJ12N] [Stickman 373] [Bone Enterprise]

[TSRH] [some 0day grps] [BriteDream] [Exetools] [CUG] [Ricardo] [SnD] [fly] [PEdiy forums] [MEPHiST0]