Article on Execryptor 2.2.50


pnluck
November 6th, 2005, 03:59
Hi dudes, I and some of my friends are writing an article on Execryptor which is still under construction but well on its way:
http://pnluck.altervista.org/article.php

At the moment, there are:
Hide Ollydbg and a description of r3 debug detection methods
Find OEP
Rebuild stolen
Description of iat protection

There aren't:
Total reconstruction of the IAT

I hope this is useful for you.

5aLIVE
November 6th, 2005, 09:46
Very interesting article, excellent work pnluck.

I'm having some problems downloading the unpackme file and also running the RDG Packer Detector.

When running RDG Packer Detector I first edited the GENERAL.INI file and changed the [lenguaje] section to:
default=English.ini

I also downloaded a copy directly from the RDGSoft site, ran the RDG Dll Installer program which copies the RDGMax.dll to the system32 folder. Program still fails to run. I moved the DLL to the same folder the RDG Packer Detector, still no success.

Opened it in Olly and it reports bad or unknown format of 32-bit executable. Anyone else have this trouble? I'm running XP Home SP2.

PS. Do you need to use all the Olly hiding plugins (IsDebug&Extra, Olly Invisible, HideDebugger,) listed at the top of the article as well as the AntidetectOllyPatch to successfully hide Execryptor from Olly? Isn't there a single plugin available which can be used along with a patched Olly?
(I realise I could probably answer this question myself if I had a working copy of the unpackme file.)

UPDATE: Just found .57 beta which seems to run fine.

Thanks in advance for any help.
5aLIVE

pnluck
November 6th, 2005, 10:42
The crackme is available from http://tuts4you.com/unpackme/?path=ExeCryptor/ , in the 2.2.50 dir, and it is the .j
For RDG I don't know.
I wrote about all the plugins because they are great plugins.
The patch is necessary.

5aLIVE
November 6th, 2005, 11:00
Hi, I can find the unpackme okay, but when downloading, at 99% IE gives the error "access denied, cannot copy file. Make sure disk is not full or write protected and that the file is not currently in use". None of these conditions are true. I rebooted, tried again to write to an external device, and I get the same error???
Could someone attach the file please? Anyone else experience this strange error?

Ah okay so you are doing a little bit of free advertising there then?
Why not combine the features of each plugin into a single tool. That would be neat.
Ok, I'll just try the patch when I get the packed exe to play with.

regards,
5aLIVE

esther
November 7th, 2005, 04:38
*when downloading, at 99% IE gives the error "access denied, cannot copy file. Make sure disk is not full or write protected and that the file is not currently in use" None of these conditions are true.

Here it downloads perfectly without errors. Maybe you should check that your IE is working well.

5aLIVE
November 7th, 2005, 05:41
esther, that's really very strange indeed. All the other unpackmes download without any trouble from this site. The only ones that fail are the different versions of Execryptor. Strange that it fails with a download manager too.

I'll review my Explorer setting to see if there is anything out of place, although I am sceptical that I'll find anything. Hmmmm???

UPDATE: Kaspersky AV disallows any Execryptor file to be written to disk as it reports the files are infected with Win32.CryptExe (false positive I expect).

So I've just got to figure out a way to disable the monitoring program (Task Manager won't allow me to terminate the process). Removed the entry from the startup folder, AvpM still loads. I rebooted in safe mode, renamed the downloaded file extension to .exe instead of filename.exe.jc! and it now runs.

I've never had this problem before, so I thought I'd share my findings should anyone else have this trouble.

5aLIVE

PizzaPan
November 7th, 2005, 07:29
Very nice tut, thanks for posting

SiGiNT
November 7th, 2005, 10:13
A very nice (and complete) tutorial on ExeCryptor, by SnD member PAKman, is posted over at the ARTeam website - target specific, so no link posted here. Also a link to PEiD 0.94 - works quite well - no more Armadillo 1.xx-2.xx reports for ver 3.xx-4.xx.

SiGiNT

Z0oMiK
November 12th, 2005, 17:55
There is a very good tut out on unpacking Execryptor-packed software at
h**p://rapidshare.de/files/7251727/Tutorial_n_2.rar.html
(author Pakman)
And look at this tut, Unpacking Power Archiver 2005:
h**p://jbfonline.net/sndfilez/?dir=00.tutorials/1-Unpacking/&file=snd-execryptor2.unpacking.tutorial.zip

Enjoy

hosiminh
November 14th, 2005, 05:31
@Z0oMiK
I got "Authorization Required" on h**p://jbfonline.net...

PizzaPan
November 14th, 2005, 09:21
They are both actually the same tutorial; at least, unpacking the top link turns out it's a tut by SnD about PowerArc, which wasn't posted by the previous user for a reason.

Z0oMiK
November 14th, 2005, 09:56
Quote:
[Originally Posted by hosiminh]@Z0oMiK
I got "Authorization Required" on h**p://jbfonline.net...

Oops, sorry. Uploaded to rapidshare.de.

------
Downloading here
http://rapidshare.de/files/7385298/snd-execryptor2.powerarc.2006_v9.50.28.unpacking.tutorial.zip.html

JMI
November 14th, 2005, 18:22
Z0oMiK:

It's important that you do not put extra spaces in your links. They don't work that way. I fixed what you posted so that it finds the correct file.

Regards,

LLXX
November 15th, 2005, 03:53
Quote:
[Originally Posted by JMI]Z0oMiK:

It's important that you do not put extra spaces in your links. They don't work that way. I fixed what you posted so that it finds the correct file.

Regards,

The forum software tends to insert spaces into long "words" - every 64, to be exact.

0123456789012345678901234567890123456789012345678901234567890123 456789

Kayaker
November 15th, 2005, 12:23
Actually, it's every 100 characters, I set that new limit a few weeks ago. In reality you inadvertently added your own space at char64 where the word wrap naturally occurs in the reply box.

100 char limit enforced on a 120 char word:

1234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 12345678901234567890


And please..., we don't need this ugly h**p:// crap here. There is no need to "hide" direct links of any kind as I know some of you have gotten used to in other forums. Here we've modified the script to handle external and internal links differently and to nicely format external links.
And in fact, if you use Opera you can still right click/select on the external link and choose 'Go to URL' without there being any referral back to here.

h**p://google.com
http://google.com

So please, let our modifications do their jobs..