  #4  
Old 07-28-2003, 23:57
JMI
Leader
 
Join Date: Jan 2002
Posts: 1,627
One of the "secrets of life" in the world of RCE is that encrypted code can't run. The whole purpose of encryption is to prevent people such as this group from looking at it and figuring out what it is all about. Fortunately for us, to run, the code has to be decrypted back into code the CPU can process. The trick is to find out when and where this happens. Does it decrypt only into memory, does it decrypt only a small chunk at a time, does it write to a temp file and operate from there?

One of the main things protectors attempt to do is prevent us from looking at the code while it is running or attempting to run, because if you can look at it while it runs, eventually you can figure out what the heck it is doing to make it difficult for us to understand what's happening.

So the first order of business is to make your debugger work so you can watch the program decrypt itself. If and when you find out where this is happening, you can capture the "real" code and maybe even put it back together without the encryption. Of course, if the programmer is clever, you won't actually be able to decrypt all, or some important portion, of the code without a valid license, but that is another whole field of cryptology.

Regards.
__________________
JMI
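The post's starting point is that an encrypted or packed region of a binary is not executable until something decrypts it, so the first triage question is where such a region sits in the file. The following script is an added example, not code from the post or from JMI: it flags byte ranges whose Shannon entropy is close to 8 bits per byte, which is how encrypted or compressed payloads look next to ordinary code and data. The sample blob, the window size and the 7.0 bits/byte threshold are constructed assumptions for the demonstration; on a real file you would feed it the section contents instead.

```python
"""Entropy-based triage for packed or encrypted regions in a binary.

Added example (not from the original post). It scans a byte blob in
fixed-size windows and reports runs whose Shannon entropy is near the
8 bits/byte ceiling, the usual signature of content that a loader has
to decrypt before the CPU can execute it.
"""
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant input, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def high_entropy_regions(data: bytes, window: int = 512, threshold: float = 7.0):
    """Return (start, end) byte ranges made of consecutive windows whose
    entropy is >= threshold. Adjacent flagged windows are merged so that a
    whole encrypted payload shows up as one region rather than many."""
    regions = []
    start = None
    for off in range(0, len(data), window):
        if shannon_entropy(data[off:off + window]) >= threshold:
            if start is None:
                start = off
        elif start is not None:
            regions.append((start, off))
            start = None
    if start is not None:
        regions.append((start, len(data)))
    return regions


def build_sample_blob() -> bytes:
    """Constructed input (assumption, not a real binary): 1 KiB of plain,
    low-entropy text standing in for ordinary code, 2 KiB of seeded
    pseudo-random bytes standing in for an encrypted payload, then 1 KiB
    of plain text again."""
    plain = (b"mov eax, ebx ; ret\n" * 64)[:1024]
    encrypted = random.Random(1234).randbytes(2048)  # deterministic stand-in
    return plain + encrypted + plain


SAMPLE_BLOB = build_sample_blob()


def triage_sample():
    """Run the scan over the constructed blob; expected [(1024, 3072)]."""
    return high_entropy_regions(SAMPLE_BLOB)


if __name__ == "__main__":
    for start, end in triage_sample():
        chunk = SAMPLE_BLOB[start:end]
        print(f"high-entropy region 0x{start:x}-0x{end:x} "
              f"({end - start} bytes, {shannon_entropy(chunk):.2f} bits/byte)")
```

A region flagged this way is only a hint that decryption has to happen somewhere before that code can run; where and how (all at once into memory, a chunk at a time, or via a temporary file) still has to be confirmed by watching the program, as the post describes. Compressed resources and legitimate embedded archives produce the same entropy signature, so treat a hit as a prompt for closer inspection rather than proof of protection.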