Quote:
Originally Posted by bilbo: Don't be afraid to tell the truth...
It seems that no crackers (evaluator is a cracker?) have (yet and officially) come to a solution with Execryptor. Please, correct me if I am wrong.
There are a few tutorials and I do have a decrypted copy of Execryptor on my disk. But it takes some effort to bypass all the shit SB has put in it. But using an NTAPI kernel wrapper I created for bypassing ANTI CHEAT software (which has anti-debug too) is mandatory.
Anyway... use an inline patch at a well chosen API to break inside the code. Then, put some trampolines at Registry/System/Process APIs using generic code, e.g.
mov eax, <offset>;
push eax;
retn;
instead of JMP (E9), ... or fill it up with crap code to fool ExeCryptor.IsBPXed(<offset>). Furthermore, fake the thread context, reset debug registers, clear the debugger port (also from EPROCESS using a kernel driver or tools like CheatEngine). Patch IsDebPres as well as similar 0815 tricks. Use LordPE to dump, but take a look at the memory table first. LameCryptor messed it up.
When using a hexed Olly, you should be able to trace ExeCryptor. In case you prefer SoftICE, you will need to patch it too. Use Google to get familiar with the standard SoftICE detection and also take a closer look @ CreateFileA("\\.\NTICE").
There are some other checks too. For those who are interested in the details, please contact me. I'm too lazy to type all the steps - especially NOP'ing all the INT LOCK cmds is a huge pain in the ass.
The HW locking is rather poor. Quite disappointing considering the fact it took about 1 week to crack it. A lot of stuff is queried from the registry, like BIOS serial and Product IDs. Server storage provider ID, netbios30.dll->MAC addy, computer name, .... well, the usual suspects. SEH chain is altered. Use UnhandledExceptionFilter to bypass.
Use KERNEL API monitoring (stealthed) on Registry queries to see details. So far, I was able to crack the nag, unpack ExeCryptor to work with inline patches, fake the PC fingerprint and bypass its poor HW lock.
Well, even SVKP was harder to crack. $199 for Execryptor is a waste of money. When I read the product description at their website, expectations went high. But after looking into it, it's just another full-bodied announced piece of crap. The only plus is that it's very annoying to bypass. Big minus: incompatibility. Some of my appz crash when packed with ExeCryptor (which may be considered to be the best protection after all).
I'm using the latest shareware version from their site. The one that uses FindWindowTitle(Olly) & NtQuerySystemInformation(<7>) and closes your debugger. You can remove the shareware nag easily, but I'm still having trouble reengineering the serial procedure. I am not a math genius.
But since it's cracked, I'm happy with my loader.
