how unpack this -> EXECryptor

Quote:

Originally Posted by pp2

StrongBit has released "official" crackme for ExeCrypt with serial numbers included. The purpose of crackme is simply unpack file. If anybody wants I can attach it here.

Thanks in advance!!

ThunderPwr

[hosiminh]

There is no need to upload it here.


I guess you have "Relayer's EXECryptor official CrackMe" in mind:
hxxp://www.crackmes.de/users/relayer/execryptor_official_crackme/

It looks the only VERY VERY hard (level 8) crackme that didnt cracked for 1,5 years.

[MaRKuS-DJM]

Execryptors strongest part is morphing. this makes it hard to find the antidebug. but i think this crackme (execryptor) is using a int2e to kill olly.

[D-Jester]

Quote:

Originally Posted by MaRKuS-DJM

is using a int2e to kill olly.

I have never heard of int2e?

could you perhaps explain a bit.

Peace

[JMI]

OK. Time to try the old search engine and enter:

"anti-debugger detection int 2e" and/or "int 2e and debugger detection" (without the quotes, of course.)

and see what you get!

or, gasp, you could try the search button here, and enter "int2e" (again without the quotes.)

Regards,

Quote:

Originally Posted by D-Jester

I have never heard of int2e?

could you perhaps explain a bit.

Peace

Hi D-Jester,

Some time ago there was a file posted in this forum which was named DEBUG-ME
It was made by a member of Ar-Team. (Teerayoot)
he has used INT2EW in his Debug-Me.
Just take a look at that file.
Hope it helps you to understand.

Best Regards,
Android.

ok,with that U can resolve all pointers of an exe,changing a little bit the code
according to my comments and your will...notepad packed in zip can be fully recovered with that script,and much more...that's it...

all exceptions on Olly checked,and all list of exceptions also checked...

I wonder

I still cannot download but would be nice to know what packing options (morphing?) were used to pack that.

no morphing...only basic packing all on in the unregistered version...But the script is for IAT only,in not morphed...it may work in morphed but i cannot pack any...don't have registered execryptor to be sure what i pack and with what optionz...

hehe
crackme cracked

though gives enough ideas about the hardness of the stuff

But EXECryptor still not cracked )

Question about the morphing, does it really matter?

Can you just make a DLL to inject which will scan the whole code section and dump it in 0x1000 blocks like how Arma can be attacked? Does the morphed code depend on the protector (like CALL instructions into protector code for example)

BTW I like those idea about patching CreateFile, but really you can debug CreateFile and do the same thing.

Really remember a debugger can use other things as breakpoints other than 0xCC. I have custom unpacker debugger code that uses other types of exceptions as its breakpoints...when exception comes thru it checks its internal table to see if it belongs to the debugger or not Perhaps this could be a improvement for Olly in the future, to allow the user to set custom exception breakpoints. Really in ring3 a debugger ownz azz over any program it just has to hide itself well and it can do this by debugging/emulating the instructions that the protector tries to use for detection.

-Lunar