#1
How to unpack this -> EXECryptor
How to unpack this -> EXECryptor? Any examples?

#2
Never come across it before, have you tried a generic unpacker?

#3
This thing messes up for me as well. I think you need to program an application a certain way to allow it.

#4
Execryptor doesn't look very easy. I'm working on WikMail, but the important parts are all crypted. And the most sad thing about it: there's no real OEP. Everything is handled by Execryptor code while the target runs. So there must be a way to decrypt this shit and then save it, no other possibility.
Last edited by MaRKuS-DJM; 10-25-2004 at 00:26.

#5
The most important parts on Execryptor are crypted. It decrypts those parts when necessary and needs to use them, so you must decrypt each crypted part by dumping from memory: when the program needs those parts it will decrypt them without any condition. You set your breakpoint where you want to break and decrypt, then dump that part from memory. It could be long, time-consuming work, or maybe there's a better way to decrypt all the stuff in one step, not sure... but once you've got the goods you want to crack, take those RVA/bytes and make a patch like DZA does, and you could easily patch most targets with it. That could be the best solution, since there's a lot of encryption involved in this; that's the only reason why it could be hard in some ways, but not unbeatable.
I was checking the company that bought VBOX?? Aladdin?? It has a last section called .protector... I think both use a similar encryption method, with many of the most interesting parts encrypted.

#6
To Crk:
Hello man,
Quote:
Regards nimda2k3

#7
Dear etienne,
Sorry, but I can't understand what you said about morphing. What is it? Can you explain this trick? Best Regards, Android.

#8
I think he tried to say that all instructions are converted to their equivalents, e.g. xor eax,eax == mov eax,0. Good examples of polymorphism/metamorphism are the various viruses.

#9
Yes, I agree. I looked into this protection for a few hours yesterday.
It bla..bla..bla.... I thought I had it down yesterday, the app started to run, and then "file corruption". All I did was a simple nop somewhere outside the main startup routine, to see if this would work.
Last edited by Frequency; 04-21-2005 at 19:53.

#10
Quote:
"The inline patch vulnerability" is there... For example, the code of one Execryptor API:
Code:
.004771B4: 56        push esi
.004771B5: 51        push ecx
.004771B6: 89C6      mov esi,eax
.004771B8: 89D1      mov ecx,edx
.004771BA: 83E904    sub ecx,004
.004771BD: FC        cld
.004771BE: AC        lodsb
.004771BF: D0E8      shr al,1
.004771C1: 80F874    cmp al,074        ;"t"
.004771C4: 750E      jne .0004771D4    ----- (1)
.004771C6: 8B06      mov eax,[esi]
.004771C8: 0FC8      bswap eax
.004771CA: 01C8      add eax,ecx
.004771CC: 8906      mov [esi],eax
.004771CE: 83C604    add esi,004
.004771D1: 83E904    sub ecx,004
.004771D4: 49        dec ecx
.004771D5: 7FE7      jg .0004771BE     ----- (2)
.004771D7: 59        pop ecx
.004771D8: 5E        pop esi
.004771D9: C3        retn

Execryptor will unpack the code gradually, part by part, and call this API after unpacking each of the parts. Therefore, in the code which we will add (and will jump to), we should check "is our part of the code (which we want to patch) unpacked or not?" =) For this purpose I will give one hint:
.004771B6: 89C6      mov esi,eax
.004771B8: 89D1      mov ecx,edx
EAX - address of start of unpacked code
EDX - size of unpacked code
But sometimes there is a CRC check too... solve this problem and enjoy.
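As an added example (not code from the thread, and not EXECryptor's own), the quoted routine rendered line by line in C so its effect can be seen on a constructed block: the `shr al,1 / cmp al,74h` test picks out exactly the opcode bytes E8h (CALL rel32) and E9h (JMP rel32), and each matching operand is byte-swapped and offset by ECX, which at that point equals size - 4 - offset. The inverse `encode_e8e9`, the function names and the 24 sample bytes are assumptions derived from the listing, not anything the post states.

```c
#include <stdint.h>
#include <string.h>
static uint32_t rd32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
static void wr32(uint8_t *p, uint32_t v) { p[0] = v; p[1] = v >> 8; p[2] = v >> 16; p[3] = v >> 24; }
static uint32_t bswap32(uint32_t v) { return v << 24 | (v & 0xff00) << 8 | ((v >> 8) & 0xff00) | v >> 24; }

/* Line-by-line translation of the quoted routine (.004771B4-.004771D9): eax = start of
 * the freshly unpacked block, edx = its size. shr al,1 / cmp al,74h matches exactly the
 * opcodes E8h (CALL rel32) and E9h (JMP rel32). Returns how many operands were rewritten. */
size_t fixup_e8e9(uint8_t *buf, uint32_t size)
{
    size_t patched = 0;
    if (size < 5) return 0;                      /* nothing can match; avoids a 1-byte over-read */
    uint8_t *esi = buf;                          /* mov esi,eax */
    int32_t ecx = (int32_t)size - 4;             /* mov ecx,edx ; sub ecx,4 */
    do {
        uint8_t al = *esi++;                     /* lodsb */
        if ((al >> 1) == 0x74) {                 /* shr al,1 ; cmp al,74h */
            uint32_t eax = bswap32(rd32(esi));   /* mov eax,[esi] ; bswap eax */
            wr32(esi, eax + (uint32_t)ecx);      /* add eax,ecx ; mov [esi],eax */
            esi += 4; ecx -= 4; patched++;       /* add esi,4 ; sub ecx,4 */
        }
    } while (--ecx > 0);                         /* dec ecx ; jg loop */
    return patched;
}

/* Inverse (assumed, not on the page): store each rel32 big-endian as rel - (size-4-offset). */
size_t encode_e8e9(uint8_t *buf, uint32_t size)
{
    size_t n = 0;
    for (uint32_t p = 0; size >= 5 && p < size - 4; p++)
        if ((buf[p] >> 1) == 0x74) {
            wr32(buf + p + 1, bswap32(rd32(buf + p + 1) - (size - 4 - p)));
            p += 4; n++;                         /* skip the operand bytes */
        }
    return n;
}

/* Constructed 24-byte sample (one CALL, one JMP); returns 1 when the round trip holds. */
int demo_roundtrip(void)
{
    static const uint8_t code[24] = {
        0xB8,0x01,0x00,0x00,0x00, 0xE8,0x05,0x00,0x00,0x00,   /* mov eax,1 ; call +5 */
        0x90,0x90,0x90,0x90,0x90, 0xE9,0xF0,0xFF,0xFF,0xFF,   /* 5 x nop ; jmp -16 */
        0xC3, 0x74,0x05, 0x90 };                              /* ret ; je +5 ; nop */
    uint8_t buf[24]; memcpy(buf, code, sizeof buf);
    if (encode_e8e9(buf, 24) != 2) return 0;
    if (buf[6] != 0xFF || buf[9] != 0xF6) return 0;           /* call operand: 5 - (24-4-5) = -10 */
    if (fixup_e8e9(buf, 24) != 2) return 0;
    return memcmp(buf, code, sizeof buf) == 0;
}
```

Note that the scan is byte-oriented, not a disassembly: an E8h or E9h byte inside immediate data would be rewritten just the same, which is why the routine only makes sense when applied to a block that was encoded by its exact inverse.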

#11
Android:
Check the offsite... http://strongbit.com/execryptor_details.asp "EXECryptor 2.0 uses a conceptually new approach to protect software applications. The essence of the protection technology is a brand new concept of code transformation called "Code Morphing". The code block to protect is disassembled and becomes subject to nondeterministic transformations which destroy the visible logical code structure. It is important to note that after the code transformation it remains executable and works as it is supposed to, but its size will increase by a couple of dozen times, thus it becomes really painful to analyze the transformed code."

#12
If you use Olly you can find a script here that will help you find the OEP:
ExeCryptor v1.5x - find target's OEP (by loveboom) http://ollyscript.apsvans.com/ It's not for the last version, which is 2.0, but I think it will help you if you check it. But here is the solution anyway: if you know the REAL OEP, just dump from there, set it with a PE editor, fix the IAT... same process for all packers/protectors; when you reach the real OEP the exe/.dll will be fully decrypted in most cases. Bye, NeO

#13
This is not true for Execryptor. You don't reach an OEP. Your exe is descrambled bits at a time. I know the OEP, and dumped there, but Execryptor is still present, so obviously it was too early. I only get so far before it locks up Olly. Any pointers? Also, the IAT... this one seems like a tough one, but not impossible.

#14
It has an OEP, but it's morphed, so you can say Execryptor is still there. Unfortunately the morphing is done by the protector before it packs the exe; this means there's no way to patch it and dump it correctly without the morphing. Demorphing needs to be done manually. The question is just how. It looks very ugly to demorph this.

#15
Markus,
Nice to see you again. As far as patching, I think it is very possible. I found a way to do it, where the cryptor writes my bytes for me, but alas.. CRC check.. I need to find a way around the check, or else patch it out somehow. I think this one is far superior to many other protectors out there at the moment. Let's say I know my OEP is (e.g. 00401000); if you try to break there, Olly either hangs or crashes. A full version key for the protector would prove very useful.. if anyone reading this has one please PM me, I will not give it out, it will stay safe on my HD. I just want to pack a few exe's I have.. see what generic approach there is. Thanks -H3rCuL3s