Execryptor
Scarabee
January 29th, 2004, 05:49
Hello..
Lately I ran into a program which seemed to be packed with EXECRYPTOR 1.5.3 (PEID 0.91 scanned).
Is anyone familiar with unpacking this protector? I have searched the net and this forum but have found nothing on this subject.
Any help about this would be very nice!
thanx.
britedream
January 29th, 2004, 06:26
Can you PM me with the program name, please?
Scarabee
January 30th, 2004, 13:26
Not much response so it seems. Is it just that unknown or quite a hard protector?
dELTA
January 30th, 2004, 13:44
If you would have checked this protection's own website (hxxp://www.strongbit.com/execryptor.asp) you would have seen that it is not a packer at all, but is used to encrypt selected code snippets in programs, which can then be protected with any other packer etc. Downloading the trial and using it on your own test files will probably be very instructive, especially since it does not apparently pack the entire file, which makes comparative analysis of the protected areas much easier.
Also, you would most likely get much more help if you showed some effort of your own to analyze this protection, and were more specific about exactly where you're stuck.
Zilot
January 30th, 2004, 14:19
Hi Scarabee
I took a look after your reply. Downloaded the trial (packer) and almost reversed it. I found the OEP, and found the trick by which he encrypts/decrypts code. My problem is that I couldn't make a good dump of the program because he has some advanced way to detect SI (I bypassed it in his code). I made a semi-working application; some options will not work.
I suppose with some time of reversing I could make all functions work. Will see tomorrow.
For example, in that trial the OEP was 4b58e4. The IAT is not crypted/redirected. He will never work if you have Super BPM on. So you have to find a way to bypass the place where he checks for DRXs.
Zilot
Scarabee
January 30th, 2004, 15:21
Thanx for the help and info.
I did actually look at the Execryptor site and did realize that it only crypts snippets of code. I just used the word protector wrongly, I guess. Maybe I should have formulated it differently.
Anyways.. I stumbled into that strange SI detection and was not able to circumvent it. With icedump loaded it runs fine, but when using it with loader it still will crash. So there I already am stuck.
Thanx for all the effort!!!
evaluator
February 1st, 2004, 17:37
replace in your dump last section with it, set OEP 000FD000 & try..
seven
February 22nd, 2004, 17:28
what iz that thing -------> execryptor 1.5.1
cant be dumped
b4 dump the proggy size waz : 1.32 MB
after dump i got 12kb
cant be debugged
used ollydbg
took 2 hours to bypass exceptionz
check
hxxp://members.lycos.co.uk/sssevennn/cryptvideo.rar
so
what iz that thing -------> execryptor 1.5.1
