Exetools
#16
04-21-2005, 02:32
MaRKuS-DJM
Cracker + Unpacker
Join Date: Aug 2003
Location: Virtual World / Network
Posts: 553
It has an OEP, but it's morphed, so you can say ExeCryptor is still there. Unfortunately the morphing is done by the protector before it packs the exe; this means there's no way to patch it and dump it correctly without morphing. Morphing needs to be done manually. The question is just how. It looks very ugly to demorph this.
#17
04-21-2005, 04:27
Frequency
Posts: n/a
Markus,
nice to see you again.
As far as patching, I think it is very possible. I found a way to do it where the cryptor writes my bytes for me, but alas... CRC check. I need to find a way around the check, or else patch it out somehow. I think this one is far superior to many other protectors out there at the moment. Let's say I know my OEP is (e.g. 00401000); if you try to break there, Olly either hangs or crashes. A full version key for the protector would prove very useful... If anyone reading this has one, please PM me; I will not give it out, it will stay safe on my HD. I just want to pack a few exes I have... see what generic approach there is.
Thanks
-H3rCuL3s
#18
04-21-2005, 15:43
s0cpy
Friend
Join Date: Jul 2004
Posts: 30
Something tells me that the author of ExeCryptor reads this forum,
and soon things like "the inline patch vulnerability" will be fixed...
#19
04-22-2005, 00:56
MaRKuS-DJM
Cracker + Unpacker
Join Date: Aug 2003
Location: Virtual World / Network
Posts: 553
Who cares? If he isn't able to find this vulnerability himself, he isn't able to fix it. If he is able to, he would fix it without our help too. b4d from SnD also released a patched ExeCryptor-protected program, changing only one byte. It seems the decryption routine isn't very advanced. In fact a programmer can't release protector versions faster than crackers can crack them, simply because programming takes much more time than cracking.
#20
04-22-2005, 02:15
nikola
Friend
Join Date: Jan 2004
Location: Your head
Posts: 115
Yeah. I released an ExeCryptor-protected program. Hi Markus bro

Well, it depends on the programming. It doesn't have to be so. It all depends on the cracker and the programmer, but cracking really got hard :/ Never before has a cracker had to rely on loader-based ideas, and I see that in the near future that will be the main thing :/
#21
04-22-2005, 03:41
MaRKuS-DJM
Cracker + Unpacker
Join Date: Aug 2003
Location: Virtual World / Network
Posts: 553
I don't think this will come. With growing protector strength the knowledge of crackers is growing, and of coders too.

Another thing:
SoftICE was difficult to handle, and for modern protectors it wasn't very reliable. But what happened? There was suddenly this powerful tool called Olly, by Oleh, which worked in ring3... Olly 2 is in development. Easier to handle and more powerful features? Who knows...

All I want to say: the time of unbeatable protectors still doesn't exist (because dyn!o doesn't have time to do so :P -> look at his signature). There are still ways, even if it's a hard road.
For experiment I inline-patched ASPr 2.0 with bound-deletion; it took me 2 hours to do so and was really a pain if there's no way to automate this thing, but it's possible. Also different ways tested till now: hookings, file-simulation, and parallel self-modifying and demodifying code used as an inline-patch technique. There's another thing to say: what's the heart of every program? The kernel. I patched it also for experimental use, so if GetModuleFileNameA is called (or CreateFileA), it searches whether a .bak file exists with the same name as the .exe. If it exists, it should use it. This defeats every CRC check which is non-memory dependent. I take no responsibility for errors in your OS.
This is no method for daily use or for patches (who would let you patch his kernel?), but it helps to improve knowledge.
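The kernel hook described in this post works against any self-check that re-reads its own bytes through the file API; a check computed over the mapped image sees the modified bytes no matter what the file API hands back. Added example, not code from the thread or from ExeCryptor: a portable C model with a constructed 16-byte code region, a hypothetical redirected_read_file() standing in for the hooked API, and the two kinds of check side by side.

```c
#include <stdint.h>
#include <string.h>

/* CRC-32 (IEEE 802.3, reflected form) over a byte buffer. */
uint32_t crc32_buf(const uint8_t *data, size_t len)
{
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= data[i];
        for (int k = 0; k < 8; k++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

#define CODE_LEN 16
/* Constructed stand-in for the protected code region (not real program bytes). */
static const uint8_t pristine_code[CODE_LEN] = {
    0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10, 0x53, 0x56,
    0x57, 0x8B, 0x7D, 0x08, 0x85, 0xFF, 0x74, 0x20 };

/* Hypothetical reader modelling the hooked file API: it always returns the untouched .bak copy. */
static const uint8_t *redirected_read_file(void)
{
    return pristine_code;
}

/* File-dependent self-check: trusts whatever the file API returns. */
int file_check_passes(uint32_t seed)
{
    return crc32_buf(redirected_read_file(), CODE_LEN) == seed;
}

/* Memory-dependent self-check: hashes the bytes actually mapped and executing. */
int memory_check_passes(const uint8_t *image, uint32_t seed)
{
    return crc32_buf(image, CODE_LEN) == seed;
}

/* Modify one byte of a mapped-image copy while the "file" stays pristine;
 * returns 1 when the file check is blind to it and the memory check is not. */
int only_memory_check_detects_tamper(void)
{
    uint8_t image[CODE_LEN];
    uint32_t seed = crc32_buf(pristine_code, CODE_LEN);  /* stored at protect time */
    memcpy(image, pristine_code, CODE_LEN);
    image[14] ^= 0xFF;  /* constructed one-byte modification of the mapped image */
    return file_check_passes(seed) && !memory_check_passes(image, seed);
}
```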
#22
04-22-2005, 05:26
nikola
Friend
Join Date: Jan 2004
Location: Your head
Posts: 115
Markus, I'm not arguing the skill of any cracker, I'm just saying that it's getting tougher and tougher, and if anyone really put his head into protection, almost uncrackable protections would be made. ASPR2 and Armadillo are just a laugh compared to what I can imagine a protector being. I never unpacked ASProtect 2. I did try, but saw that I would need a whole day or several days to make a working unpacked exe of it. And I did take a route around it so I can crack any ASPR2 app, but that's just not like before. Keygening is almost dead. Being able to keygen something is only a consequence of the program author not wanting or not knowing how to implement a good authentication algorithm.
For myself, another problem is growing. Why do I do all this? I've been called a lamer several times because my crack for some program stopped working after 2 hours. Eh. n/m. This is getting too offtopic.
#23
04-22-2005, 09:58
Frequency
Posts: n/a
Okay, well, the original question was simple to answer... "HOW TO UNPACK"... Well, at the moment I don't have an answer to this. It seems we have to somehow get the protector to "decrypt" itself, releasing the actual exe we so desire. If anyone does possess a key for v2.x I would like to have it (for testing only); I would by no means release a serial or registered ExeCryptor... Simply said... until I understand better what the protector is actually doing here, it seems a bit hard to go in blind, especially with this certain protector. As you have all read before, if it runs... it can be cracked... Well, this protector is by no means any different. Until we grasp what we are up against, the answer is no... I can't unpack it... but I won't quit just because of this... I will put in a few hours a day until my desired conclusion is met.
-H3rCuL3s
#24
04-22-2005, 23:04
MaRKuS-DJM
Cracker + Unpacker
Join Date: Aug 2003
Location: Virtual World / Network
Posts: 553
It wasn't about anyone's skills, but what I wanted to say: you shouldn't stick to the most common ways of patching / unpacking just because they are used by everybody. If you don't try abstract things like I mentioned, there's no big learning effect. The time when a protector is called "strong" is just the time when nobody knows how to defeat it. It was the same with ASPr 1.23. LaBBa wrote a tutorial then and the protector became easier, also for beginners. I'm sure time will bring you tutorials and also tools for protectors like this.
#25
05-01-2005, 08:22
LaBBa
VIP
Join Date: Jul 2003
Posts: 150
Tnx MaRKuS for thinking that my tut helped some ppl ...

I'm now also looking at this new ExeCrypt... it's really nice!!
I really love the fact that it closes my Olly when it runs...
(this is a big hint about how to kill the anti-debug)
Well, I will see what this app is made of...

Hope to have some more news in the future...

LaBBa.
#26
05-01-2005, 23:23
kubik
Friend
Join Date: Oct 2004
Posts: 9
Quote:
Originally Posted by LaBBa
I really love the fact that it closes my Olly when it runs...

Yeah, it is a nice trick with the .tls section...
More detailed information:
hxxp://www.anticracking.sk/EliCZ/infos/TlsInAsm.zip

For running an execrypted program in OllyDbg, we need to change the class of OllyDbg: "OLLYDBG" => "Something".

(info from wasm.ru/forum)
#27
05-04-2005, 01:13
pp2
Friend
Join Date: Jan 2002
Posts: 59
StrongBit has released an "official" crackme for ExeCrypt with serial numbers included. The purpose of the crackme is simply to unpack the file. If anybody wants, I can attach it here.
#28
05-10-2005, 17:16
sTfN0X
Posts: n/a
Someone over at REC claims to have solved the ExeCryptor official crackme.
However, the person can't post his solution over at crackmes.de due to size limitations. Btw, the person I'm talking about is kao. Some people already asked him to provide the solution by email. So... one could try to do the same.

Regards,

sTfN0X
#29
06-13-2005, 00:34
etienne
Posts: n/a
hehe
would be nice to see that file
(I still cannot download though)

anyway, I think this "decrypting" and "dumping" approach won't lead you anywhere.

there must be a table based on which the morpher engine selects the instruction(s) to replace the current one with, so the proper technique involves writing a 100% tracer routine and access to that table.
#30
06-13-2005, 14:10
t4d
Friend
Join Date: Aug 2003
Posts: 26
ExeCryptor to be blinded

Some info to force ExeCryptor to be blinded to patching code (Olly related):

This technique works on the simple checking routine that e.g. bytescout (wxw.bytescout.com) use in their stuff.

1. 4 dwords with CRC seeds at file offset 110h (EXE) / 050h (DLL). ExeCryptor checks the CRC before the anti-debug routine.

2. BP ReadFile till you see the PE string in the stack listing. Push CTRL-M and look for e.g. the first CRC string (point 1.). Put a HW break on access on each of the 4 CRC seeds separately. Olly stops and you see the compared values (after patching you see which code you have to write back to file offset 110h (EXE) / 050h (DLL); also you will have to fix the value in EAX to continue to the next CRC check; do not forget there are 4 CRC check-points). After checking all 4 CRC seeds remove all hardware breakpoints!!

3. You have to find from where ExeCryptor reads the byte(s) which you want to patch, aka HW break on write. Simply patch them using a hex editor, find the new CRC strings, write them and enjoy.

If Olly starts the exe before the OEP and ExeCryptor fires a complaint message, use a HW break on execute on user32.UserClientDllInitialize; after that you can put a BP on ReadFile and remove all hardware breakpoints!! (ExeCryptor complains about it)