Instructions on how to analyze the VX30 products for stolen code

Version 2 (unpacking tutorial)

by Ryan Thoryk (aka EventHorizon)

via DrunkenBlog


VX30 comes in 2 products, with 3 executables in total. The products are VX30 Encoder and VX30 Live. VX30 Live has the Live executable and the Server executable. Since those files have been packed with ExeCryptor, the only way to view the strings inside them is to run them and dump the application out of RAM onto disk.

Also note that I have 2 recent versions of VX30, and a third but much older version from 2004. The 2 recent versions are almost identical, except that in the latest one MXS deleted the strings I found in the Encoder (but not the stolen code); luckily I still have the previous version.

First download the executables here (current version) - or go to MXS's website.

VX30Encoder.exe

VX30Live.exe

VX30Serv.exe

Here's the executables of the previous version:

VX30Encoder.exe

VX30Live.exe

VX30Serv.exe

and the 2004 versions (these are what is now the Encoder app):

VX30 1/21/04 build

VX30 2/18/04 build

VX30 Design3 (?) 4/16/04 build


Here's the method of extracting the executable images:

1. Get the OllyDbg program from http://home.t-online.de/home/Ollydbg/

2. Get the OllyDump plugin from here: http://www.pediy.com/tools/Debuggers/ollydbg/plugin/OllyDump/OllyDump.zip and extract the ollydump.dll file into OllyDbg's directory.

3. Run OllyDbg, click File->open, and choose the VX30 executable you want to unpack.

4. In the large window (top left), scroll up to the top, right-click the first line, and choose "New Origin Here". Choose Yes in the following dialog box. This will change the application's entry point.

5. You will need to force the execution of the program. Hold down Shift and press F9 until you see the red "terminated" sign on the bottom right of OllyDbg.

6. Click the Plugins menu, then OllyDump, and click "Dump Debugged Process".

7. Click the button that says "Get EIP as OEP" just in case, and click "Dump".

8. A dialog will pop up. Enter a new filename for the new unpacked executable, and save it.

9. The program will start flashing and going crazy (I don't know why). Just right-click its taskbar icon and close it.

10. You now have an unpacked version of the VX30 executable.

11. Repeat the process for the next 2 executable files (and make sure you use a different output filename for each one).

12. Then, get a hex editor such as Hex Workshop and open up the new EXE files with it. You will find matches exactly like the ones below, and possibly even more:

Note - the older 2004 versions of VX30 are not packed, and do not require unpacking to view the contents of the executables.

VX30 Live pictures (contains XviD code, MplayerC code, LAME code, Ogg Vorbis, and more)

VX30 Live Server pictures (contains strange stuff, and what seems to be a list of serial numbers - if those are registration serials, whoever made that app is extremely stupid)

VX30 Encoder pictures (MXS has tried to hide the strings in this new version of Encoder, but here's pictures of the previous version)

Old VX30 pictures (1/21/2004 version) (tons of LAME code, XviD code, mpg123 reference, reference to LAME's website, etc)
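Once the dumped images are on disk, the hex-editor search from step 12 can be automated. The script below is an added example, not part of the original post or of any MXS code: it pulls printable ASCII and UTF-16LE strings out of a dump and flags those matching marker substrings for the libraries named above. The marker list and the embedded sample bytes are constructed for illustration and would need tuning against real dumps.

```python
import re
import sys
from collections import defaultdict

# Lowercase marker substrings for the libraries the post reports finding in the
# dumped VX30 images. Constructed for illustration; tune against real dumps.
SIGNATURES = {
    "XviD": ["xvid"],
    "LAME": ["lame3.", "mp3lame", "lame.sourceforge.net"],
    "Ogg Vorbis": ["xiph.org", "libvorbis", "vorbis"],
    "mpg123": ["mpg123"],
    "MPlayerC": ["mplayerc", "media player classic"],
}

# Runs of >= 6 printable bytes, as plain ASCII or as UTF-16LE (char, NUL pairs).
ASCII_RE = re.compile(rb"[\x20-\x7e]{6,}")
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")

def extract_strings(blob: bytes):
    """Yield (offset, text) for every printable ASCII and UTF-16LE run in blob."""
    for m in ASCII_RE.finditer(blob):
        yield m.start(), m.group().decode("ascii")
    for m in UTF16_RE.finditer(blob):
        yield m.start(), m.group().decode("utf-16-le")

def find_library_markers(blob: bytes) -> dict:
    """Map library name -> [(offset, string)] for every string hitting a marker."""
    hits = defaultdict(list)
    for off, text in extract_strings(blob):
        low = text.lower()
        for lib, markers in SIGNATURES.items():
            if any(mk in low for mk in markers):
                hits[lib].append((off, text))
    return dict(hits)

# Constructed stand-in for a dumped image: padding, an ASCII LAME banner, a
# UTF-16LE XviD banner, an unrelated import name and a Vorbis banner.
SAMPLE_DUMP = (
    b"\x00" * 16 + b"MZ\x90\x00" + b"\x00" * 8
    + b"LAME3.96 (http://lame.sourceforge.net/)\x00" + b"\x00" * 4
    + "XviD-1.0.3 core".encode("utf-16-le") + b"\x00\x00"
    + b"kernel32.dll\x00" + b"\xff" * 8
    + b"Xiph.Org libVorbis I 20040629\x00"
)

if __name__ == "__main__":
    # Pass a dumped .exe path to scan it; with no argument the sample is scanned.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DUMP
    for lib, found in sorted(find_library_markers(data).items()):
        for off, text in found:
            print(f"{lib:<11} 0x{off:08x}  {text}")
```

Offsets are relative to the dumped file, so they can be jumped to directly in a hex editor to confirm each hit in context.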

You can also open the executables up in a resource editor program, and you will find many dialog windows from other programs, such as these.