I have not cleaned up my notes.
I wrote two Olly scripts to get it:
1. Decompile the unpackme, get the address of TLS callback function 1 from IDA, and the target address of the mov opcode is where I dump it. If you want to find the stolen code, just keep on tracing.
Here, both of the callbacks were "closed" somewhere; the important function was replaced with only a ret, so if the protected baby is a multi-threaded program, the code which decrypts and loads the APIs won't be executed repeatedly.
In my post, I zeroed the entries in the TLS directory; nothing important there now.
2. Despite the many branches in the hooked APIs, you can execute them safely. Just stop at the packer EP, write a script to call each entry in the IAT (except 0 and good entries), bpx at the correct position so it will loop and never jmp into the real API. Use the script to fix the IAT. Be careful to keep the stack balanced (if not, it doesn't matter ;-).
I unpacked ExeCryptor itself, but when I ran it, it crashed! So I'll continue with it. I don't have enough time, so maybe I can't finish it soon. For now I just hope to unpack it, not crack it; I won't bother to fight the algorithm. Maybe patching it is OK.
Regards.
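As an added example (not the poster's Olly scripts, which are not reproduced here), the following Python walks a PE32 image's TLS directory to list the callback VAs that run before the entry point and returns a copy with the callback array zeroed, the step described in item 1. It handles PE32 only, and the sample image is constructed inline rather than taken from any real binary.

```python
import struct

def _rva_to_off(pe, rva, opt, nsec):
    """Map an RVA to a file offset through the section table (PE32 layout)."""
    sec = opt + struct.unpack_from("<H", pe, opt - 4)[0]  # + SizeOfOptionalHeader
    for i in range(nsec):
        vsize, va, rsize, raw = struct.unpack_from("<4I", pe, sec + i * 40 + 8)
        if va <= rva < va + max(vsize, rsize):
            return raw + rva - va
    raise ValueError("RVA 0x%x is not backed by any section" % rva)

def tls_callbacks(pe):
    """Return (file offset of the callback array, [callback VAs]); (None, []) without TLS dir."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt = e_lfanew + 24                                     # IMAGE_OPTIONAL_HEADER32
    image_base = struct.unpack_from("<I", pe, opt + 28)[0]
    tls_rva = struct.unpack_from("<I", pe, opt + 96 + 9 * 8)[0]  # data directory 9 = TLS
    if tls_rva == 0:
        return None, []
    tls_off = _rva_to_off(pe, tls_rva, opt, nsec)
    cb_va = struct.unpack_from("<I", pe, tls_off + 12)[0]   # AddressOfCallBacks holds a VA
    cb_off = _rva_to_off(pe, cb_va - image_base, opt, nsec)
    cbs = []
    while (va := struct.unpack_from("<I", pe, cb_off + 4 * len(cbs))[0]) != 0:
        cbs.append(va)
    return cb_off, cbs

def zero_tls_callbacks(pe):
    """Copy of the image with the callback array zeroed, as the post describes doing."""
    cb_off, cbs = tls_callbacks(pe)
    out = bytearray(pe)
    if cbs:
        out[cb_off:cb_off + 4 * len(cbs)] = bytes(4 * len(cbs))
    return bytes(out)

def build_sample():
    """Constructed PE32 stub (not a real program): one section holding a TLS dir + 2 callbacks."""
    base = 0x400000
    hdr = bytearray(64); hdr[:2] = b"MZ"; struct.pack_into("<I", hdr, 0x3C, 64)
    hdr += struct.pack("<IHHIIIHH", 0x4550, 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B); struct.pack_into("<I", opt, 28, base)
    struct.pack_into("<I", opt, 92, 16); struct.pack_into("<II", opt, 96 + 72, 0x1000, 24)
    hdr += opt + struct.pack("<8s6I2HI", b".tls", 0x100, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0xC0000040)
    data = bytearray(0x200)  # section body: TLS directory at RVA 0x1000, callbacks at 0x1020
    struct.pack_into("<6I", data, 0, base + 0x1040, base + 0x1044, base + 0x1048, base + 0x1020, 0, 0)
    struct.pack_into("<3I", data, 0x20, base + 0x1100, base + 0x1180, 0)
    return bytes(hdr).ljust(0x200, b"\0") + bytes(data)
```

Listing the callbacks first tells you which code runs before the EP, which is worth knowing before zeroing anything, since a packer may rely on a callback to decrypt or to detect a debugger.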