PC-Guard v5.0x: Unpacking and finding EOP


Bunkai.Satori
03-21-2011, 02:53 PM
Dear all,

I would need to reverse one file that is protected with PC-Guard v5.0x. As this is my first target, despite continuously reading tutorials and additional info, I am still having difficulties.

Could I kindly ask you for advice on how to successfully unpack and find the EOP for my file?

1. The file is compressed with PC-Guard v5.0x (probably v5.06.044). Is it possible to find the precise subversion of PC-Guard used?
2. The protected file offers a 14-day full-feature trial version. Instead of finding the activation code algorithm, I've decided to identify the OEP of the full-feature trial version. Is this the correct approach?
3. I am able to identify the first instruction immediately after the trial version button press. But then a series of nested CALLs follows. How do I find the real OEP, please?
4. I was able to identify a series of calls to kernel::GetVersion() and kernel::GetCommandLine(). But there are too many of them, meaning that even the included DLLs must have them implemented. Can these calls still be of any help to me?
5. What are the other strategies for finding OEPs?

Thank you very much.

ac!d
03-21-2011, 09:58 PM
there is no version info stored inside the exe that i know of, give Protection ID a chance, it does detect it like v5.01 or v5.03 - v5.04. we are currently working on an exact way, all signature based too. so search them on your own or wait till the next release of protection id ;)
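
As an added illustration (not from the thread, and not the code of Protection ID or PEiD) of how a signature-based packer identifier like the ones ac!d mentions works: parse the PE headers to find the file offset of AddressOfEntryPoint, then match a wildcard byte pattern at that offset. The signature table and the in-memory sample PE below are constructed for the demo; the pattern is NOT a real PC-Guard signature, which the thread does not give.

```python
import struct

# Constructed sample signature in PEiD / Protection ID style: "??" is a
# wildcard byte. Made up for this demo, not a real packer signature.
SIGNATURES = {
    "Demo-Packer v1.x (constructed)": "FC 55 50 E8 ?? ?? ?? ?? 5D 60",
}


def parse_signature(text):
    """Turn 'FC 55 ?? E8' into a list of ints, with None for wildcards."""
    return [None if tok == "??" else int(tok, 16) for tok in text.split()]


def match_at(data, offset, pattern):
    """True if pattern (with None wildcards) matches data at offset."""
    if offset < 0 or offset + len(pattern) > len(data):
        return False
    return all(p is None or data[offset + i] == p for i, p in enumerate(pattern))


def entry_point_file_offset(pe):
    """Walk MZ -> PE -> optional header -> section table and map the
    entry-point RVA to a raw file offset."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_opt = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic not in (0x10B, 0x20B):          # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%X" % magic)
    aoep = struct.unpack_from("<I", pe, opt + 16)[0]   # AddressOfEntryPoint
    sect = opt + size_opt
    for i in range(num_sections):
        base = sect + 40 * i
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", pe, base + 8)
        if va <= aoep < va + max(vsize, rawsize):
            return rawptr + (aoep - va)
    raise ValueError("entry point RVA 0x%X is not inside any section" % aoep)


def identify_packer(pe):
    """Return the name of the first signature matching at the entry point."""
    off = entry_point_file_offset(pe)
    for name, sig in SIGNATURES.items():
        if match_at(pe, off, parse_signature(sig)):
            return name
    return None


def build_sample_pe(ep_bytes):
    """Constructed minimal PE32 image (one .text section, entry point at
    RVA 0x1000 -> file offset 0x200). Not runnable as a program; it only
    exercises the header parsing above."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                    # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                      # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)                    # AddressOfEntryPoint
    sec = struct.pack("<8sIIIIIIHHI", b".text\0\0\0",
                      0x1000, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec).ljust(0x200, b"\0")
    return headers + bytes(ep_bytes).ljust(0x200, b"\0")


if __name__ == "__main__":
    sample = build_sample_pe(bytes([0xFC, 0x55, 0x50, 0xE8, 0x11, 0x22, 0x33, 0x44, 0x5D, 0x60]))
    print(identify_packer(sample))   # -> Demo-Packer v1.x (constructed)
```

This is also why such tools can only report a version range: if two releases of a protector share the same entry-point stub, an entry-point signature cannot separate them, so the table has to carry a distinguishing pattern per release to be more precise.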

Bunkai.Satori
03-21-2011, 10:28 PM
[Please DO NOT quote whole messages, it is unnecessary]


Hi Ac!d,

Thanks for your advice. I've been using PEiD. I am going to look at Protection ID straight away. I hope it is not the same package :-)

Protection ID is a much better package than PEiD, indeed. While PEiD gives me only the main version number, like PC Guard v5.0, Protection ID is more precise, returning PC Guard v5.1 - v5.2.

Moreover, it has more functions. Good job. Thank you.