
View Full Version : Execryptor


jorono
March 2nd, 2005, 13:57
Hi all,
I'd like to ask a simple question: Is there a way to unpack notepad.exe once you packed it with execryptor?

JMI
March 2nd, 2005, 15:51
Ah, but you really want more than a "simple" answer. If the answer were "yes," your next question would be "how" and you really need to actually read the FAQ before you even think about asking the second question.

Regards,

jorono
March 3rd, 2005, 03:46
Hi,
JMI, huhuhu, I have read the FAQ... that's why I asked if it's possible, not how! However, my problem is finding the EOP. I'm using OllyDbg, but as I saw on Google, ExeCryptor has tricks to avoid it. Same with ProcDump. What tools are the best? SICE hidden? Thx

JMI
March 3rd, 2005, 11:36
And if you actually READ the FAQ, did you read the other threads on this subject which are here in the Forums? And which part of the FAQ that states that you need to show some of your work (without target specific code) did you NOT understand. So far, all you have said is that YOU don't know how to do ANYTHING with this protector. This is NOT the place where you should ask someone else to do EVERYTHING for you.

If you read the threads here you might have learned some information about the "packer" used with ExeCryptor, and if you had actually "searched" on the net you should have discovered that there is an Olly script designed for this protector, and reading even the limited discussion of the topic posted on the Olly Forum should have given you some useful clues, which you apparently haven't discovered yet.

In other words, you have apparently not done much of anything to try to solve your own problem before you posted your "simple question" here. More than that is "expected" of posters here.

Regards,

jorono
March 3rd, 2005, 12:02
Hi all,

No, JMI.. you're wrong. I've been working with ExeCryptor for more than a month. I know the OllyScript you mentioned, but it only works with the 1.5x version. I'm working with 2.1.xx

An hour ago, I found the EOP (at least I think so), but now ReVirgin hangs.. :S

I couldn't find any thread about ExeCryptor on the forum; that's not correct: I found 3 items but none of them can help me.

I feel my question is not welcome. Is it true? Why? Maybe it's only my paranoid mind...

Thanks in advance

dELTA
March 3rd, 2005, 12:28
All good questions are welcome here, but you didn't tell anyone any of these things from the start, that's the biggest problem, you came off as a stupid crack request, and you still have some proving to do that it's not...

jorono
March 3rd, 2005, 14:55
Oki, I'll prepare an essay with my steps trying to unpack ExeCryptor. Nowadays I'm working, but I always have time for assembler!
Thanks and be nice!

JMI
March 3rd, 2005, 15:45
As dELTA has said, the issue is not what you may know or what you may have done, but what you have written here. We are not mind readers and do not know what you may or may not have done before posting your question, except what you say you have done. That is why I used the word "apparently," which means that is how it "appears" from what you have posted. The FAQ does contain a list of what one should try to include in a post and if you review that list and look at your first three posts you will see that you have provided very little information about what YOU may have done to try to help yourself.

The point is, that although you MAY have actually done a great deal, you didn't actually SAY you had done ANYTHING until your third post and even that one does not reveal much about what you have actually done. For example you did not say you had searched for or found anything about this protector. And you have not said whether you found that the program is still using UPX as a packer. You have not confirmed whether it still encrypts only certain portions of the code of the original software. You have not said whether you know about hiding Olly and whether you have tried anything to do so. You have not said whether you have examined the plugin for Olly for this protector to determine its effectiveness for this version of the protector. You have not said whether you have tried ImpREC because ReVirgin hangs. Do you see the difference?

Regards,

evaluator
March 3rd, 2005, 16:15
& when you have done all that JMI asked, then..
then..
JMI & dELTA can't help you

JMI
March 3rd, 2005, 16:20
Oh what a cruel world. And if I wanted to, I could tell him that there is more current information on the subject on exetools. Maybe I will, and maybe I won't.

Regards,

jorono
March 4th, 2005, 04:02
Hi all,
Hehehe, I see..... you're right, but so am I. I just asked if it's possible! By the way, from my point of view, this would be a philosophical thread (to be or not to be), and it's not! You are allowed to suspect I'm a 'script kiddie' and act in consequence, but I'll demonstrate you are wrong, at least I hope so!! jejejje Now I will explain what I'm doing, but I need time because as I said, I'm working far away from my home, and can only spend a few minutes per day on assembler. When I come back, I'll post my paper on my work. Till then, have a nice day!
thanks to all.

evaluator
March 4th, 2005, 09:49
GENERIKO:

Indefinitely things we CAN, Indefinitely things we CAN'T;


yes, such a thing you can do, but does it cost that much time??

you can also learn programming & code your own notepad
better than losing time

jorono
March 4th, 2005, 10:36
evaluator, I'm working as a teacher 12 hours per day, 7 days a week. Do you think I have time or predisposition to write a long paper? Not really. I'll finish my work next week. I'll write then.
Thanks and c u!

dELTA
March 4th, 2005, 11:09
I'm sorry we misunderstood your philosophical question, here's a philosophical answer for you: Yes

And you really don't need to post an essay either, listing all the valid details will be just fine.

evaluator
March 4th, 2005, 11:11
wow!
what program are you trying to unpack? PM it (if you fail to unpack it);

jorono
March 5th, 2005, 14:42
Hi all,
dELTA: Another philosophical question: and why yes? (joke)

evaluator: I'd prefer to try first by myself, thx.

I don't want to spend time on jokes or indirect words (I don't know the expression in English, but you know what I mean)

Other thing. Yesterday I made an experiment: I have 2 files: file a (packed) and file b (dumped but packed, I think). File a weighs 2 MB and file b 5 MB. File a of course works. File b doesn't. With PEditor I split all sections of file a and file b. Then I inserted the .protect section of file b into file b. File a still works and, hex-viewing it, I can read a lot of string references. With the Olly plugin IsDebuggerPresent I can trace into ntdll, but it still hangs.. any comment will be appreciated.
Thanks and have a nice weekend!

jorono
March 5th, 2005, 14:44
Quote:
[Originally Posted by jorono]
evaluator: I'd prefer to try first by myself, thx.


And maybe it's not allowed to PM commercial applications, I don't know.

JMI
March 5th, 2005, 15:17
You may give him the name and a download location by PM. You may NOT post them in the Forums.

Regards,

jorono
March 6th, 2005, 07:50
Well, this Sunday morning I had not much work, so I continued with my file.
Now I have a completely functional exe file. How did I get it? Let's see:
With the original one (2 MB) I got a dump with ProcDump (to avoid its detection at execution time, just rename it :O). The dump image is 5 MB. Then I took the .protect section and put it into the original. Later I fixed the characteristics to E0000020 and RS=VS & RO=VO. The new file works perfectly and is 7 MB. Now, with PEiD I check the entropy of the different sections and I still get 2 of them packed. Any hint?
Thanks
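
The check jorono describes at the end of this procedure (splice the sections, set the characteristics to E0000020, then look at per-section entropy in PEiD) is the same triage an analyst does to decide whether a binary is still packed. As an added example that is not code from this thread or from any tool mentioned in it, here is a small PE section walker that computes Shannon entropy per section and flags sections that are still high-entropy or are writable and executable at the same time; the PE image it inspects is constructed in memory (labelled as such in the code), not a real dump.

```python
import math
import struct
from collections import Counter

# IMAGE_SCN_* section characteristic bits from the PE spec (winnt.h)
SCN_CODE, SCN_EXEC, SCN_READ, SCN_WRITE = 0x20, 0x20000000, 0x40000000, 0x80000000

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant run, 8.0 for uniform bytes (packed/encrypted data sits near 8)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def pe_sections(image: bytes):
    """Walk the section table of a PE image, yielding (name, characteristics, raw bytes)."""
    pe = struct.unpack_from("<I", image, 0x3C)[0]  # e_lfanew -> "PE\0\0" signature
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, opt = struct.unpack_from("<H12xH", image, pe + 6)  # NumberOfSections, SizeOfOptionalHeader
    table = pe + 24 + opt  # section table follows the COFF header and the optional header
    for i in range(nsec):
        hdr = image[table + 40 * i: table + 40 * (i + 1)]
        raw_size, raw_ptr, chars = struct.unpack_from("<II12xI", hdr, 16)
        yield hdr[:8].rstrip(b"\0").decode("ascii", "replace"), chars, image[raw_ptr:raw_ptr + raw_size]

def triage(image: bytes, threshold: float = 7.0) -> dict:
    """Per-section {name: (entropy, flags)}; flags a section that still looks packed or is writable+executable."""
    report = {}
    for name, chars, data in pe_sections(image):
        ent = round(shannon_entropy(data), 2)
        flags = ["high-entropy"] if ent >= threshold else []
        if chars & SCN_WRITE and chars & SCN_EXEC:
            flags.append("W+X")
        report[name] = (ent, flags)
    return report

def build_sample_image(sections) -> bytes:
    """Constructed minimal PE: DOS stub, PE signature, COFF header (no optional header), section table, raw data."""
    raw_base = 0x40 + 24 + 40 * len(sections)
    hdrs, blobs = b"", b""
    for name, chars, data in sections:
        hdrs += struct.pack("<8sIIIIIIHHI", name, len(data), 0, len(data), raw_base + len(blobs), 0, 0, 0, 0, chars)
        blobs += data
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0)
    return dos + b"PE\0\0" + coff + hdrs + blobs

# Constructed sample: a plain code section, plus a .protect section carrying the 0xE0000020
# characteristics from the thread (CODE|EXECUTE|READ|WRITE) and uniform bytes (entropy 8.0).
SAMPLE = build_sample_image([(b".text", SCN_CODE | SCN_EXEC | SCN_READ, b"\x90\xc3" * 2048),
                             (b".protect", 0xE0000020, bytes(range(256)) * 16)])
```

Run `triage(SAMPLE)` (or `triage(open(path, "rb").read())` on a real file) and any section that comes back flagged is one the unpacking step has not yet reached.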

cRk
March 10th, 2005, 02:27
i'm not sure, but it is hard to believe ProcDump, a very old tool, is able to make a good runnable dump of an ExeCryptor-protected app.... did you add the IAT manually or did the dump include a working IAT as well??

jorono
March 10th, 2005, 05:54
Hi all,
Well, it's hard to believe that ExeCryptor detects ProcDump and nags with 'debugger detected', but it's harder to say that just by renaming the ProcDump exe that protection is bypassed.. :O However, I dumped with the IAT fix option active.

In another way, a user PMed me and told me not to spend time on unpacking, just debugging. Do you agree? Is it not possible to unpack, as I asked when I started this thread?

Regards

jorono
March 10th, 2005, 05:55
Quote:
[Originally Posted by cRk]i'm not sure, but it is hard to believe ProcDump, a very old tool, is able to make a good runnable dump of an ExeCryptor-protected app

What tool do you suggest? Softice with dump 'plugin'?

cRk
March 10th, 2005, 13:03
i suggest to find the OEP manually and dump from there.. rebuild the IAT with ImpREC + plugin for the protector if you have any.. either with SICE or Olly

but if you are out of time and you already got a working dump that ProcDump made... don't waste more time.. but it would be a good idea to analyze the script that you used with ProcDump to make it work... did you use the generic unpacking procedure method? .... if you did then analyze the script it has for that matter and you will easily be able to do it manually with any debugger like ProcDump did.. PM the target if possible...

Regards

MaRKuS-DJM
March 23rd, 2005, 07:29
i had a target with ExeCryptor. my problem wasn't to find the OEP but more how to get the original code back instead of all this morphing. i think unpacking it without doing this is useless because you can't analyse it correctly then.

codeX
March 23rd, 2005, 13:59
Yes...
Really psychological thread..

Have you unpacked the target..

bilbo
March 24th, 2005, 08:50
Don't be afraid to tell the truth...

It seems that no crackers (evaluator is a cracker?) have (yet and officially) come to a solution with Execryptor.
Please, correct me if I am wrong.

They put a crackme on www.crackmes.de 4 months ago, but it is yet unsolved. You can download it from their site too (http://www.softcomplete.com/download/execryptorcrackme.zip), so it is legal stuff.

Best regards, bilbo

Pansemuckl
July 18th, 2005, 12:22
Quote:
[Originally Posted by bilbo]Don't be afraid to tell the truth...

It seems that no crackers (evaluator is a cracker?) have (yet and officially) come to a solution with Execryptor. Please, correct me if I am wrong.



There are a few tutorials and I do have a decrypted copy of ExeCryptor on my disk. But it takes some effort to bypass all the shit SB has put in it. But using an NTAPI kernel wrapper I created for bypassing ANTI CHEAT software (which has anti-debug too) is mandatory.

Anyway... use an inline patch at a well chosen API to break inside the code. Then, put some trampolines at Registry/System/Process APIs using generic code, e.g.

mov eax, <offset>;
push eax;
retn;

instead of JMP (E9), ... or fill it up with crap code to fool ExeCryptor.IsBPXed(<offset>). Furthermore, fake the thread context, reset debug registers, clear the debugger port (also from _EPROCESS using a kernel driver or tools like CheatEngine). Patch IsDebPres. as well as similar 0815 tricks. Use LordPE to dump, but take a look at the memory table first. LameCryptor messed it up

When using a hexed Olly, you should be able to trace ExeCryptor. In case you prefer SoftICE, you will need to patch it too. Use Google to get familiar with the standard SoftICE detection and also take a closer look @ CreateFileA("\\.\NTICE").

There are some other checks too. For those who are interested in the details, please contact me. I'm too lazy to type all the steps - especially NOPing all the INT LOCK cmds is a huge pain in the ass.

The HW locking is rather poor. Quite disappointing considering the fact it took about 1 week to crack it. A lot of stuff is queried from the registry, like BIOS serial and Product IDs. Server storage provider ID, netbios30.dll->MAC addy, computer name, .... well, the usual suspects. The SEH chain is altered. Use UnhandledExceptionFilter to bypass.

Use KERNEL API monitoring (stealthed) on registry queries to see details. So far, I was able to crack the nag, unpack ExeCryptor to work with inline patches, fake the PC fingerprint and bypass its poor HW lock.

Well, even SVKP was harder to crack. $199 for ExeCryptor is a waste of money. When I read the product description at their website, expectations went high. But after looking into it, it's just another full-bodied announced piece of crap. The only plus is that it's very annoying to bypass. Big minus: incompatibility. Some of my appz crash when packed with ExeCryptor (which may be considered to be the best protection after all)

I'm using the latest shareware version from their site. The one that uses FindWindowTitle(Olly) & NtQuerySystemInformation(<7>) and closes your debugger. You can remove the shareware nag easily, but I'm still having trouble reengineering the serial procedure. I am not a math genius.

But since it's cracked, I'm happy with my loader

Pansemuckl
July 18th, 2005, 12:34
Quote:
[Originally Posted by jorono]Well, this Sunday morning I had not much work, so I continued with my file.
Now I have a completely functional exe file. How did I get it? Let's see:
With the original one (2 MB) I got a dump with ProcDump (to avoid its detection at execution time, just rename it :O). The dump image is 5 MB. Then I took the .protect section and put it into the original. Later I fixed the characteristics to E0000020 and RS=VS & RO=VO. The new file works perfectly and is 7 MB. Now, with PEiD I check the entropy of the different sections and I still get 2 of them packed. Any hint?
Thanks



LordPE is your friend. And you're right: it's not yet fully unpacked.
Email me the file, I will look at it. BTW ExeCryptor is written in Delphi... Use that fact to find the OEP in no time ... (just look at other Delphi crappz).

bilbo
July 19th, 2005, 00:52
Quote:
[Originally Posted by Pansemuckl]I'm still having trouble reengineering the serial procedure. I am not a math genius.

maybe you'd be interested in kao's work...
http://www.crackmes.de/users/relayer/execryptor_official_crackme/solutions/kao

Regards, bilbo