
Little help with execryptor


gbrooks3
June 29th, 2005, 15:35
Think I have followed JMI's rules.

Have given it a good try but I'm just a bit stuck; I searched the forum. What I have done:

First I set up Olly; in Options I set the system breakpoint at "Make first pause".

Patched Olly with AntiDetectOlly.exe to stop ExeCryptor detecting it.

Using LordPE I discover that the callback address is 6A30FC; in principle the program begins executing at this address.

Then I opened up the Memory window and put a breakpoint on access on the section that includes this address, in this case the section j8d54r9, and hit Run (F9).

I break here:

7C9284FF 8B70 0C MOV ESI,DWORD PTR DS:[EAX+C] ; target.006A30FC
7C928502 8975 E0 MOV DWORD PTR SS:[EBP-20],ESI
7C928505 3BF3 CMP ESI,EBX
7C928507 74 16 JE SHORT ntdll.7C92851F
7C928509 381D 21C1977C CMP BYTE PTR DS:[7C97C121],BL
7C92850F 0F85 2F2F0100 JNZ ntdll.7C93B444
7C928515 8B06 MOV EAX,DWORD PTR DS:[ESI]
7C928517 3BC3 CMP EAX,EBX
7C928519 0F85 3A2F0100 JNZ ntdll.7C93B459
7C92851F 834D FC FF OR DWORD PTR SS:[EBP-4],FFFFFFFF
7C928523 E8 DA68FEFF CALL ntdll.7C90EE02
7C928528 C2 0800 RETN 8
7C92852B 90 NOP
7C92852C 90 NOP
7C92852D 90 NOP
7C92852E 90 NOP
7C92852F 90 NOP
7C928530 FFFF ??? ; Unknown command
7C928532 FFFF ??? ; Unknown command
7C928534 90 NOP
7C928535 B4 93 MOV AH,93
7C928537 ^7C AB JL SHORT ntdll.7C9284E4
7C928539 B4 93 MOV AH,93

Now, I believe that I need to keep running until I enter some code part, CODE32.

So I continue but never land anywhere useful like a call; I press F9 and land here:

008DDFFC ^E9 1AFCFFFF JMP target.008DDC1B
008DE001 0087 04245887 ADD BYTE PTR DS:[EDI+87582404],AL
008DE007 34 24 XOR AL,24
008DE009 6F OUTS DX,DWORD PTR ES:[EDI] ; I/O command
008DE00A EC IN AL,DX ; I/O command
008DE00B 53 PUSH EBX
008DE00C 68 707F2A29 PUSH 292A7F70
008DE011 E9 B60B0000 JMP target.008DEBCC
008DE016 0000 ADD BYTE PTR DS:[EAX],AL
008DE018 68 A3C78D00 PUSH target.008DC7A3
008DE01D ^E9 CFDCFFFF JMP target.008DBCF1
008DE022 C3 RETN
008DE023 E9 55060000 JMP target.008DE67D
008DE028 0000 ADD BYTE PTR DS:[EAX],AL
008DE02A 8BCC MOV ECX,ESP
008DE02C 81C1 10000000 ADD ECX,10
008DE032 8B09 MOV ECX,DWORD PTR DS:[ECX]
008DE034 C701 13000100 MOV DWORD PTR DS:[ECX],10013
008DE03A ^E9 DEC3FFFF JMP target.008DA41D
008DE03F 0000 ADD BYTE PTR DS:[EAX],AL
008DE041 8BCC MOV ECX,ESP
008DE043 52 PUSH EDX
008DE044 68 D303C0E5 PUSH E5C003D3
008DE049 5A POP EDX
008DE04A ^E9 ADE9FFFF JMP target.008DC9FC

but I can never get to the OEP, I am just going round in circles; hope someone can give me a helping hand.

Thanks

p.s.

You might want to move it to the newbie section; I bet everyone here can unpack ExeCryptor in the blink of an eye.

Ricardo Narvaja
June 29th, 2005, 16:28
If the callback is 6A30FC the program doesn't start at 6A30FC; you need to look, in a hex editor or in Olly when you are stopped at the system breakpoint, at the address 6A30FC in the dump.

For example:

6A30FC 65 34 78 00

The program starts executing at 783465.

In this example this is the real start, not 6A30FC.

There is a tut for one ExeCryptor 2 by GUAN, but not all ExeCryptor 2 targets are similar; still, it can help you a little more.

Ricardo Narvaja
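
Ricardo's point (the callback slot holds a little-endian pointer, not code) can be checked mechanically. The Python below is added here and is not code from the thread: it parses a constructed IMAGE_TLS_DIRECTORY32 and walks the NULL-terminated AddressOfCallBacks array out of a small {VA: bytes} memory map built from the bytes 65 34 78 00 quoted above. Every directory field other than AddressOfCallBacks is a made-up value.

```python
import struct

# IMAGE_TLS_DIRECTORY32: six little-endian DWORDs, all holding VAs (not RVAs):
# StartAddressOfRawData, EndAddressOfRawData, AddressOfIndex,
# AddressOfCallBacks, SizeOfZeroFill, Characteristics.
TLS_DIR_FMT = "<IIIIII"
TLS_DIR_SIZE = struct.calcsize(TLS_DIR_FMT)  # 24 bytes


def parse_tls_directory(blob):
    """Return the AddressOfCallBacks VA from a raw IMAGE_TLS_DIRECTORY32."""
    fields = struct.unpack(TLS_DIR_FMT, blob[:TLS_DIR_SIZE])
    return fields[3]


def read_dword(memory, va):
    """Read a little-endian DWORD at `va` from a {base_va: bytes} region map."""
    for base, data in memory.items():
        if base <= va and va + 4 <= base + len(data):
            off = va - base
            return struct.unpack("<I", data[off:off + 4])[0]
    raise ValueError(f"address {va:#x} is not mapped")


def tls_callbacks(memory, addr_callbacks, limit=16):
    """Walk the NULL-terminated array of callback pointers; return their VAs.

    `limit` guards against an array that never terminates (corrupt or hostile)."""
    callbacks = []
    va = addr_callbacks
    while len(callbacks) < limit:
        entry = read_dword(memory, va)
        if entry == 0:          # terminator: end of the callback list
            break
        callbacks.append(entry)
        va += 4
    return callbacks


# Constructed sample: a directory whose callback array sits at 0x6A30FC, and a
# memory map holding the thread's bytes 65 34 78 00 followed by the NULL entry.
SAMPLE_TLS_DIR = struct.pack(TLS_DIR_FMT, 0x6A3000, 0x6A3010, 0x6A30F8, 0x6A30FC, 0, 0)
SAMPLE_MEMORY = {0x6A30FC: bytes.fromhex("65347800" "00000000")}


def first_tls_callback(tls_dir_blob=SAMPLE_TLS_DIR, memory=SAMPLE_MEMORY):
    """Resolve the first TLS callback: the real first code to run, per Ricardo."""
    cbs = tls_callbacks(memory, parse_tls_directory(tls_dir_blob))
    return cbs[0] if cbs else None   # 0x783465 for the sample
```

Loading the bytes at 6A30FC as a pointer rather than disassembling them is the whole step the first post skipped.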

Shub-nigurrath
June 29th, 2005, 16:42
Hi Ricardo,
you mentioned a tut on ExeCryptor by Guan; do you have the link? Sounds interesting...

JMI
June 29th, 2005, 17:00
gbrooks3:

Just a small point. The Rules are the Forum's and not "mine." And if you were the one who changed the name of your target to "target" in your code section, then you did very well for a first post. If you were not the one who wrote "target" in red, then another admin corrected that point, which is explained in the "Rules."

Regards,

gbrooks3
June 29th, 2005, 19:20
@JMI

'Twas I.

@Ricardo, ok thank you, I will persevere; I never like having to be told the answer, much more fun to use the brain.

Thanks all, I will report back.

Ricardo Narvaja
June 29th, 2005, 21:48
http://www.ricnar456.dyndns.org/WEB/NUEVO%20CURSO/TEORIAS%20DE%20CRACKING/457-Tuto%20setool2G%20execryptor%202%20por%20GUAN.rar

I told you this method doesn't work in ALL ExeCryptor 2 targets, but it can help to understand some things better.

Ricardo Narvaja

blabberer
June 30th, 2005, 02:28
This little devil here uses static TLS callbacks as the first line of defence to obfuscate and remove any BPs set at PE header->addr of entry point. Then it uses FindWindow to look for OllyDbg, then uses OpenProcess to open the father process and enumerates the export directory of the father process, looking for strings like _setdisa, _sendshor etc. (which are unique to OllyDbg). Then it uses IsDebuggerPresent, then CheckRemoteDebuggerPresent (XP systems), then queries QueryProcessInformation with info class 7. And during all this time, every single time, it dynamically fetches the addresses of all these APIs and runs a continuous check for CCs (aka breakpoints) in the whole proc (well, it does not recurse sub procs), so if you fetch symbols and put a break on NtUserInternalFindWindowEx@20, Olly will happily break on FindWindow and all such APIs.

BTW, if you are using plugins which hook and modify usermode APIs then you can't: the HideDebugger plugin, for example, hooks and modifies OpenProcess (adds a far jump to its code, where it checks for the father process handle, nulls it if it matched and returns back to the API) and will automatically be killed by this little devil because it explicitly checks for EB, E9, E8, CC, CD01, and checks to see if the address is pointing out of the module.

And in the first static callback it erases the BP on the OEP and then puts the original opcode back in its place.

You may take a look at the NtGlobalFlag plugin, which is available here
http://www.reversing.be/article.php?story=20050603193932184
to make it stop on both the TLS callback procs.

And after that it still has some parts encrypted and decrypts them only whenever required.

Absolutely excellent little devil here to deal with, layer after layer after layer of onion skins to peel off and cry.

For starters, relayer has posted a crackme packed with this on crackmes.de, which is what I analysed for the above explanation.

Hope this helps someone in the process.
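
As an added illustration of the entry-byte check blabberer describes (not code from the thread, from ExeCryptor or from any plugin), the Python below applies that test to an API prologue: int3 and int 1 at the entry are flagged outright, and a jmp/call is flagged when its target lies outside the module's address range. The kernel32 range, the OpenProcess address and the hook target are constructed values; the untouched prologue 8B FF 55 8B EC is the common mov edi,edi / push ebp / mov ebp,esp stub.

```python
import struct

# Entry-byte patterns the packer is described as testing for: short jmp,
# near jmp, near call, int3 and "int 1" (CD 01).
JMP_SHORT, JMP_NEAR, CALL_NEAR, INT3, INT_N = 0xEB, 0xE9, 0xE8, 0xCC, 0xCD


def check_api_prologue(code, func_va, module_lo, module_hi):
    """Inspect the first bytes of an API whose entry point is at VA func_va.

    Returns (flagged, reason). A jmp/call is flagged only when its target falls
    outside [module_lo, module_hi); int3 / int 1 at the entry are always flagged."""
    if not code:
        return (False, "no bytes")
    op = code[0]
    if op == INT3:
        return (True, "int3 (CC) at entry")
    if op == INT_N and len(code) >= 2 and code[1] == 0x01:
        return (True, "int 1 (CD 01) at entry")
    if op == JMP_SHORT and len(code) >= 2:
        rel, length, mnemonic = struct.unpack("<b", code[1:2])[0], 2, "jmp short"
    elif op in (JMP_NEAR, CALL_NEAR) and len(code) >= 5:
        rel, length = struct.unpack("<i", code[1:5])[0], 5
        mnemonic = "jmp" if op == JMP_NEAR else "call"
    else:
        return (False, "entry bytes look untouched")
    # x86 relative branches are taken from the end of the instruction.
    target = (func_va + length + rel) & 0xFFFFFFFF
    if module_lo <= target < module_hi:
        return (False, f"{mnemonic} to {target:#010x} stays inside the module")
    return (True, f"{mnemonic} to {target:#010x} leaves the module")


# Constructed sample values, not real addresses from the thread.
KERNEL32_LO, KERNEL32_HI = 0x7C800000, 0x7C8F6000
OPENPROCESS_VA = 0x7C81D5A0
HOOK_TARGET = 0x10001234                        # pretend plugin DLL code
CLEAN_PROLOGUE = bytes.fromhex("8bff558bec")    # mov edi,edi / push ebp / mov ebp,esp
# A patched entry: near jmp whose rel32 lands on HOOK_TARGET, outside kernel32.
HOOKED_PROLOGUE = bytes([JMP_NEAR]) + struct.pack("<i", HOOK_TARGET - (OPENPROCESS_VA + 5))

if __name__ == "__main__":
    for name, code in (("clean", CLEAN_PROLOGUE), ("hooked", HOOKED_PROLOGUE)):
        print(name, check_api_prologue(code, OPENPROCESS_VA, KERNEL32_LO, KERNEL32_HI))
```

Run the same function over the first bytes of every API the target resolves and you get a quick list of which of your own hooks would trip it.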

gbrooks3
July 1st, 2005, 03:24
Well, after hours of having fun with this thing, I am beginning to think it's not newbie or even amateur level.

However I will keep trying; I don't like being beaten.

@Ricardo, I wasn't able to unpack the crackme you posted; anyone else give it a go?

Aster!x
July 1st, 2005, 09:30
Quote:
then you cant (hidedebugger plugin for example hooks and modifies
openprocess (adds a far jump to its code where it checks for father process handle and nulls it if it matched and returns back to api)


Ok, I'll correct the code in the following version.