Exetools  

#1
03-02-2004, 21:51
kuli
How to unpack this -> EXECryptor?

How to unpack this -> EXECryptor? Any examples?
#2
03-02-2004, 21:59
Nilrem
Never come across it before, have you tried a generic unpacker?
#3
10-24-2004, 23:53
Broomop
This thing messes up for me as well; I think you need to program an application a certain way to allow it.
#4
10-25-2004, 00:18
MaRKuS-DJM
Execryptor doesn't look very easy. I'm working on WikMail, but the important parts are all crypted. And the saddest thing about it: there's no real OEP. All is handled by execryptor code while the target runs. So there must be a way to decrypt this shit and then save it, no other possibility.
#5
10-28-2004, 22:38
Crk
The most important parts in execryptor are crypted.. it decrypts those parts when necessary and needs to use them.. so you must decrypt each crypted part by dumping from memory; when the program needs those parts it will decrypt them without any condition.. you set your breakpoint where you want to break and decrypt, then dump that part from memory.. it could take long, time-consuming work, or maybe there's a better way to decrypt all the stuff in one step.. not sure... but once you got the good you want to crack.... take those RVA/Bytes and make a patch like DZA does and you could easily patch most targets with it.... that could be the best solution since there's a lot of encryption involved in this... that's the only reason why it could be hard in some ways.... but not unbeatable

I was checking the company that bought VBOX?? Aladdin?? It has a last section called .protector... I think both use a similar encryption method, with many of the most interesting parts encrypted.

#6
10-29-2004, 08:17
nimda2k3
To Crk:

Hello man,
Quote:
...take those RVA/Bytes and make a patch like DZA does...
So, how to patch the execryptor? Would you like to give us a tut? Maybe that will be more clear. I'm interested in it.

Regards
nimda2k3
#7
10-29-2004, 11:58
upb
Maybe I'm talking out of my ass here but...

>the most important parts in execryptor are crypted.. it decrypts those parts
>when necessary and needs to use them.. so you must decrypt each crypted
>part by dumping from memory

Seems to me the same kind of schema as used by MS to protect the components of OS activation.
What I did was to analyze how exactly the info for each encrypted part is stored and how it is decrypted by the protector.

Then write your own program to find all those parts in the .exe, decrypt them the same way, save back to .exe.
I think much less work than messing around with ollydbg, bpx'ing around and dumping memory 10000 times :P

#8
04-19-2005, 07:19
etienne
sorry... guys... but...
I think you are all wrong.

IF they do not lie at strongbit.com, there is no "decryption" at all.

The code is morphed one time, then the garbage runs - and it does NOT decrypt anything, but just does the same (among some side effects) that the original code did.

So I am afraid that you can unpack it - but you will only increase the size, you won't make it any more readable. So, unless you have a lookup table along with some quite complicated maths, you must trace/analyse/patch the garbage; disassembling it just makes no real sense.

#9
04-19-2005, 13:26
Android
Dear etienne,
Sorry but I can't understand what you said about morphing.
What's it?
Can you explain this trick?

Best Regards,
Android.
#10
04-19-2005, 15:51
s0cpy
I think he tried to say that all instructions are converted to their equivalents, e.g. xor eax,eax == mov eax,0. Good examples of polymorphism/metamorphism are different viruses.

#11
04-20-2005, 00:33
kubik
Android:
check the offsite...
http://strongbit.com/execryptor_details.asp

"EXECryptor 2.0 uses a conceptually new approach to protect software applications. The essential of the protection technology is a brand new concept of code transformation called "Code Morphing". The code block to protect is disassembled and becomes subject to nondeterminate transformations which destroy the visible logical code structure. It is important to note that after the code transformation it remains executable and working as it is supposed to, but its size will increase by a couple of dozen times, thus it becomes really painful to analyze the transformed code."

#12
04-20-2005, 01:23
Frequency
Yes, I agree. I looked into this protection for a few hours yesterday.
It bla..bla..bla.... I thought I had it down yesterday, the app started to run, and then "file corruption". All I did was a simple nop somewhere outside the main startup routine, to see if this would work.

#13
04-20-2005, 09:10
NeOXOeN
If you use olly you can find a script here that will help you find the OEP..
ExeCryptor v1.5x - find target's OEP (by loveboom)

http://ollyscript.apsvans.com/ It's not for the last version, which is 2.0, but I think it will help you if you check it.

But here is the solution anyway..:

If you know the REAL OEP, just dump from there, set it with a PE editor... fix the IAT... same process for all packers/protectors; when you reach the real OEP the exe/.dll will be fully decrypted in most cases..

bye NeO

#14
04-20-2005, 18:16
kubik
Quote:
Originally Posted by Frequency
I won't get into too much detail, but it seems this is the way to inline patch it,
sorta like how we go after aspr's api's (the inline patch vulnerability); we do the same here it seems. I thought I had it down yesterday, the app started to run, and then "file corruption". All I did was a simple nop somewhere outside the main startup routine, to see if this would work.
Yeah, you are right "the inline patch vulnerability" is there...
For example, code of one execryptor-api:

Code:
.004771B4: 56                           push        esi
.004771B5: 51                           push        ecx
.004771B6: 89C6                         mov         esi,eax
.004771B8: 89D1                         mov         ecx,edx
.004771BA: 83E904                       sub         ecx,004 ;"♦"
.004771BD: FC                           cld
.004771BE: AC                           lodsb
.004771BF: D0E8                         shr         al,1
.004771C1: 80F874                       cmp         al,074 ;"t"
.004771C4: 750E                         jne        .0004771D4  -----↓ (1)
.004771C6: 8B06                         mov         eax,[esi]
.004771C8: 0FC8                         bswap       eax
.004771CA: 01C8                         add         eax,ecx
.004771CC: 8906                         mov         [esi],eax
.004771CE: 83C604                       add         esi,004 ;"♦"
.004771D1: 83E904                       sub         ecx,004 ;"♦"
.004771D4: 49                           dec         ecx
.004771D5: 7FE7                         jg         .0004771BE  -----↑ (2)
.004771D7: 59                           pop         ecx
.004771D8: 5E                           pop         esi
.004771D9: C3                           retn
From this code we can jump to a convenient =) place (many ZEROS, NOPS, etc.) or to unused code... but there is one feature:

Execryptor will unpack the code gradually, part by part, and call this api after unpacking every one of the parts.
Therefore in the code which we will add (and will jump to), we should check "is our part of code (which we want to patch) unpacked or not?" =)

For this purpose I will tell one hint:
.004771B6: 89C6 mov esi,eax
.004771B8: 89D1 mov ecx,edx
EAX - address of the start of the unpacked code
EDX - size of the unpacked code

But sometimes there is a CRC check too... solve this problem and enjoy
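The routine kubik listed above, re-implemented in Python as an added example (it is not code from the thread or from EXECryptor) so that its effect on a block of bytes can be studied offline. It takes kubik's reading that EAX is the start of the unpacked block and EDX its size, assumes the block is a bytearray, and runs on a constructed sample buffer:

```python
import struct

# Constructed sample "unpacked block" (not taken from any real binary):
# a NOP, a CALL rel32 opcode (0xE8) whose stored operand is 1 in
# big-endian form, then NOP padding.
SAMPLE_BLOCK = bytes([0x90, 0xE8, 0x00, 0x00, 0x00, 0x01] + [0x90] * 6)

def is_fixup_opcode(b: int) -> bool:
    """shr al,1 ; cmp al,74h -> true only for 0xE8 (CALL rel32) and 0xE9 (JMP rel32)."""
    return (b >> 1) == 0x74

def execryptor_fixup(block: bytearray) -> bytearray:
    """Re-implementation of the listing. EAX = start of the unpacked block,
    EDX = its size (per kubik). For every 0xE8/0xE9 byte the following dword
    is read big-endian (mov eax,[esi] ; bswap eax), ECX is added to it, and
    the result is written back little-endian. ECX counts down as the loop
    advances, so the amount added depends on the byte's position in the block."""
    if len(block) < 5:            # guard added here: the listing is a do-while with no such check
        return block
    esi = 0                       # mov esi, eax
    ecx = len(block) - 4          # mov ecx, edx ; sub ecx, 4
    while True:
        b = block[esi]            # lodsb
        esi += 1
        if is_fixup_opcode(b):
            value = struct.unpack_from(">I", block, esi)[0]   # mov eax,[esi] ; bswap eax
            value = (value + ecx) & 0xFFFFFFFF                # add eax, ecx (32-bit wrap)
            struct.pack_into("<I", block, esi, value)         # mov [esi], eax
            esi += 4              # add esi, 4
            ecx -= 4              # sub ecx, 4
        ecx -= 1                  # dec ecx
        if ecx <= 0:              # jg loop: continue only while ecx > 0 (signed)
            break
    return block

def fixup_sample() -> bytes:
    """Run the routine on the constructed sample and return the result."""
    return bytes(execryptor_fixup(bytearray(SAMPLE_BLOCK)))

if __name__ == "__main__":
    print(fixup_sample().hex())
```

Note that the check `(b >> 1) == 0x74` fires on every 0xE8/0xE9 byte, including ones that are part of an immediate or data, and that only the first `size - 4` bytes are examined, so the listing is a position-dependent fix-up of call/jmp operands rather than a decryption.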
#15
04-20-2005, 19:21
Frequency
This is not true for execryptor. You don't reach an OEP. Your exe is descrambled bits at a time. I know the OEP, and dumped there; execryptor is still present, so obviously it was too early. I only get so far before it locks up olly. Any pointers? Also.. IAT.... this one seems like a tough one. But not impossible.