Hi all,
I'd like to ask a simple question: Is there a way to unpack notepad.exe once you packed it with execryptor?

Ah, but you really want more than a "simple" answer. If the answer were "yes," your next question would be "how" and you really need to actually read the FAQ before you even think about asking the second question.

Regards,

Hi,
JMI, huhuhu, I have read the FAQ...that's why I asked If it's possible, not how! However, my problem it's finding EOP. Im using ollydbg, but as I saw on google, execryptor has tricks to avoid it. Same with procdump. What tools are the best? Sice hidden? Thx

And if you actually READ the FAQ, did you read the other threads on this subject which are here in the Forums? And which part of the FAQ that states that you need to show some of your work (without target specific code) did you NOT understand. So far, all you have said is that YOU don't know how to do ANYTHING with this protector. This is NOT the place where you should ask someone else to do EVERYTHING for you.

If you read the threads here you might have learned some information about the "packer" used with excryptor and if you had actually "searched" on the net you should have discovered that there is an Olly script designed for this protector, and reading even the limited discussion of the topic posted on the Olly Forum should have given you some useful clues, which you apparently haven't discovered yet.

In other words, you have apparently not done much of anything to try to solve your own problem before you posted your "simple question" here. More than that is "expected" of posters here.

Regards,

Hi all,

No, JMI..you're wrong. I've been working with execryptor more than a month. I know the ollyscript you mentioned, but it only works with 1.5x version. Im working with 2.1.xx

An hour ago, I found th EOP (at least I think so ), but now revirgin hangs.. :S

I couldn't find on the forum any thread about execrypt; that's not correct: I found 3 items but no one can help me.

I feel my question is no welcome. It's true? Why? Maybe is only my paranoic mind...

Thanks in advance

All good questions are welcome here, but you didn't tell anyone any of these things from the start, that's the biggest problem, you came off as a stupid crack request, and you still have some proving to do that it's not...

oki, I'll preppare an essay with my steps trying unpack execryptor. Nowadays i'm working, but always have time for assembler!
thanks and be nice!

As dELTA has said, the issue is not what you may know or what you may have done, but what you have written here. We are not mind readers and do not know what you may or may not have done before posting your question, except what you say you have done. That is why I used the word "apparently," which means that is how it "appears" from what you have posted. The FAQ does contain a list of what one should try to include in a post and if you review that list and look at your first three posts you will see that you have provided very little information about what YOU may have done to try to help yourself.

The point is, that although you MAY have actually done a great deal, you didn't actually SAY you had done ANYTHING until your third post and even that one does not reveal much about what you have actually done. For example you did not say you had searched for or found anything about this protector. And you have not said whether you found that the program is still using UPX as a packer? You have not confirmed whether it still excrypts only certain portions of the code of the original software? You have not said whether you know about hiding Olly and whether you have tried anything to do so? You have not said whether you have examined the plugin for Olly for this protector to determine it's effectiveness for this version of the protector? You have not said whether you have tried Imprec because revirgin hangs. Do you see the difference?

Regards,

& when you will done all what JMI asked, then..
then..
JMI & delta can't help you

Oh what a cruel world. And if I wanted to, I could tell him that there is more current information on the subject on exetools. Maybe I will, and maybe I won't.

Regards,

Hi all,
Hehehe, I see..... you're right, but I also. I just said if it's possible! By the way, from my point of view, this would be a philosophical thread (to be or not to be ), and it's not! You are allowed to suspect i'm a 'script kiddie' and act in consecuence, but I'll demonstrate you are wrong, at least I hope so!! jejejje Now I will explain what I'm doing, but I need time because as I said, I'm working so far away from my home, and only can spend a few minutes per day on assembler. When I'll come back, i'll post my paper over my work. Till this moment, have a nice day!
thanks to all.

GENERIKO:

Indefinitely things we CAN, Indefinitely things we CAN'T;


yes, such thing you can do, but costs it that time time??

you also can learn programing & code you notepad
more good time loosing

evaluator, I'm working as teacher 12 hour per day. 7 days in a week. Do you think I hve time or predisposition to write a long paper? Not really. I'll finish my work next week. I'll write then.
Thanks and c u!

I'm sorry we misunderstood your philosophical question, here's a philosophical answer for you: Yes

And you really don't need to post an essay either, listing all the valid details will be just fine.

wow!
what program you are trying unpack, PM it (if you fail for unpack);

Hi all,
dELTA: Another philosophical question: and why yes? (joke)

evaluator: I'd prefer to try first by myself, thx.

I don't want to spend time in jokes or indirect words (I don't know the expression in englih, ut you know what I mean)

Other think. Yesterday I made a experiment: I have 2 files: file a (packed) and file b (dumped but packed I think). file a weights 2Mb and file 5mb does. File a of course works. File b doesn't. With PEditor I splitted all sections of file a and file b. Then I inserted .protect section of file b into file b. file a still work and hexviewing I can read a lot of string references. With olly plugin IsDebuggerPresent I can trace into ntdll, but it still hangs.. any comment will be appreciated.
Thanks and have a nice weekend!

And maybe it's not allowed to PM comercial aplications, I don't know.

You may give him the name and a download location by PM. You may NOT post them in the Forums.

Regards,

Well, this sunday morning i had no much work, so I continue with my file.
Now I have a completly functional exe file. How I got? let's see:
With the original one (2mb) y got a dump with procdump (to avoid its detection at execution time, just rename it :O). The dump image is 5mb. Then I took the .protect section and put into the original. Later I fixed the characteristics to E0000020 and RS=VS & RO=VO. The new file works perfectly and is 7mb. Now, with peid i check the entropy of the different sections and I still get 2 of them packed. Any hint?
Thanks

i'm not sure but is hard to believe Prodump, a very old tool, is able to make good dump runable for execrypted app.... did you added IAT manually or dumped included working IAT as well ??

Hi all,
Well, it's hard to believe that excryptor detects procdump and nag with 'debugger dedectec', but its harder to say that just renaming the procdump exe that protection is bypassed.. :O However, I dumped with iat fix option active.

In other way, a user PM me and told not to spend time in unpacking, just debugging. Are you agree? It's not possible to unpack as I started this thread?

Regards

What tool do you suggest? Softice with dump 'plugin'?

i suggest to find OEP manually and dump from there.. rebuild IAT with Imprec + plugin for the protector if you have any.. either with SICE or olly

but if you are out of time and already you got working dumped that prodump did ... don't waste more time.. but will be good idea to analyze the script that you used with prodump to make it work... you used generic unpacking procedure method ? .... if you did then analize the script it has for that matter and easily you will be able to do it manually with any debugger like prodump did.. PM the target if possible...

Regards

i had a target with execryptor. my problem wasn't to find OEP but more how to get the original code back instead of all this morphing. i think unpacking it without doing this is useless because you can't analyse it correct then.

Yes...
Really Pscycological thread..

Have yuu unpacked the target..

Don't be afraid to tell the truth...

It seems that no crackers (evaluator is a cracker?) have (yet and officially) come to a solution with Execryptor.
Please, correct me if I am wrong.

They put a crackme on www.crackmes.de 4 months ago, but it is yet unsolved. You can download it from their site too (http://www.softcomplete.com/download/execryptorcrackme.zip), so it is legal stuff.

Best regards, bilbo

There are a few tutorials and I do have a decrypted copy of Execryptor on my disk. But it take some effort to bypass all the shit SB has put in it. But using a NTAPI Kernel wrapper I created for bypassing ANTI CHEAT software (which has anti debug too) is mandatory.

Anyway... use a inline patch at a well chosen API to break inside the code. Then, put some trampolines at Registry/System/Process APIs using generic code, e.g.

mov eax, <offset>;
push eax;
retn;

instead of JMP (E9), ... or fill it up with crap code to fool ExeCryptor.IsBPXed(<offset>. Furthermore, fake Thread context, reset debug registers, clear debugger port (also from_EPROCESS using a kernel driver or tools like CheatEngine). Patch IsDebPres. aswell as similar 0815 tricks. Use LoardPE to dump, but take a look at the memory table first. LameCryptor messed it up

When using a hexed olly, you should be able to trace execryptor. In case you prefer Softice, you will need to patch it too. Use google to get familiar with the standard softice detection and also take a closer look @ CreateFileA("\\.\NTICE".

There are some other checks too. For those who are interested in the details, please contact me. Im to lazy to type all the steps - expecially the N0P'in all INT LOCK cmds is a huge pain in the ass.

The HW locking is rather poor. Quite disappointing considering the fact it took about 1 week to crack it. Alot of stuff is queried from the registry, like BIOS serial and Product IDs. Server storage provider ID, netbios30.dll->MAC addy, computername, .... well, the usual supects. SEH chain is altered. Use UnhandledExceptionFilter to bypass.

Use KERNEL API monitoring (stealthed) on Registry queries to see details. So far, I was able to crack the nag, unpack execrpytor to work with inline patches, to fake PC fingerprint and bypass it's poor HW lock.

Well, even SVKP was harder to crack. $199 for Execryptor is a waste of money. When I read the product description at their website, expectations gone high. But after looking into it, its just another full-bodied announced piece of crap. The only plus is that its very annoying to bypass. Big minus: Incompability. Some of my appz crash when packed with Execyptor ( which may be considered to be the best protection afterall )

I'm using the latest shareware version from their site. The one that uses FindWindowTitle(Olly) & NtQuerySystemInformation(<7> and closes your debugger. You can remove the shareware nag easily, but I'm still having trouble reengineering the serial procedure. I am not a math genius.

But since it's cracked, I'm happy with my loader

LordPE is your friend. and your right: Its not yet fully unpacked.
Email me the file, I will look at it. BTW ExeCrpytor is written in Delphi...
Use the fact to find the OEP in no time ... (just look at other delphi
crappz).

maybe you can be interested to kao's work...
http://www.crackmes.de/users/relayer/execryptor_official_crackme/solutions/kao

Regards, bilbo