how unpack this -> EXECryptor
 

how unpack this -> EXECryptor ? Any examples?

Never come across it before, have you tried a generic unpacker?

this thing messes up for me as well i think u need to program an application a certain way to allow it.

Execryptor doesn't look very easy. i'm working on WikMail, but the important parts are all crypted. and the most sad about it: there's no real OEP. all is handled by execryptor code while the target runs. so there must be a way do decrypt this shit and then save it, no other possibility

most important parts on execryptor are crypted.. it decrypts those parts when neccesary and needs to use it.. so you most decrypt each crypted part by dumping from memory when program needs those parts it will decrypt them without any condition..you set your breakpoint where you want to break and decrypt then dump that part from memory ..it could take long time consuming work or maybe there's a better way to decrypt all stuff in one step..not sure ...but once you got the good you want to crack .... take those RVA/Bytes and make a patch like DZA does and you could easily patch most targets with it.... that could be best solution since there's many encryption involved on this... that's the only reason why it could be hard in some ways....but not unbeatable :)

i was checking the company that bought VBOX ?? Aladdin?? it has last section called as .protector ... i think both use similar encryption method with many and most interested parts encrypted

To Crk:

Hello man,
So,how to patch the execryptor,would you like give us a tut? Maybe that will be more clearly. I'm interested in it.

Regards
nimda2k3

maybe im talking out of my ass here but...
 

>most important parts on execryptor are crypted.. it decrypts those parts
>when neccesary and needs to use it.. so you most decrypt each crypted
>part by dumping from memory

Seems to me the same kind of schema as used by ms to protect the components of os activation.
What i did was to analyze how exactly the info for each encrypted part is stored and how it is decrypted by protector.

Then write your own program to find all those parts in the .exe, decrypt them the same way, save back to .exe.
I think much less work than messing around with ollydbg bpx'ing around and dumping memory 10000 times:P

sorry... guys... but...
I think you are all wrong.

IF they do not lie at strongbit.com, there is no "decryption" at all.

code is morphed one time, then the garbage runs - and it does NOT decrypts anything, but just does the same (among some side effects) that the original code did.

so I am afraid that you can unpack it - but you will only increase the size, you won't make it any more readable. so that - unless you have a lookup table along with some quite complicated maths - you must trace/analyse/patch the garbage; disassembling it just makes no real sense.

Dear etienne,
Sorry but I can't understand what you said about morphing.
What's it?
Can you explain this trick?

Best Regards,
Android.

I think he tried to say that all instructions are converted to their equivalents, e.g. xor eax,eax == mov eax,0. Good example of polymorphism/metamorphism are different viruses

Android:
check the offsite...
http://strongbit.com/execryptor_details.asp

"EXECryptor 2.0 uses conceptually new approach to protect software applications. The essential of the protection technology is a brand new concept of the code transformation calling "Code Morphing". The code block to protect is disassembling and becomes a subject to a nondeterminate transformations which destroys the visible logical code structure. It is important to note that after the code transformation it remains executable and working as it is suppose to but it size will increase by a couple of dozens times, thus it becomes a really paintfull to analyze transformed code."

yes i agree. i looked into this protection for a few hours yesterday.
it bla..bla..bla.... I thought i had i down yesterday, app started to run, and then "file corruption". All i did was a simple nop somewhere outside main startup routine, to see if this would work.

If you use olly you can find script here that will help you find OEP..
ExeCryptor v1.5x - find target's OEP (by loveboom)

http://ollyscript.apsvans.com/ its not for last version which is 2.0 but i think it will help you if you check it :)



but here is solution anyway.. :

if you know REAL OEP just dump from there set it with a PEeditor ... fix IAT ...same process for all packers/protectors, when you reach real OEP exe/.dll will be fully decrypted for most cases ..


bye NeO

Yeah, you are right ;) "the inline patch vulnerability" is there...
For example, code of one execryptor-api:

From this code we can jump to convenient =) place (many ZEROS, NOPS, ect) or to not using code... but there is some feature ;)

Execryptor will make unpacking code part gradually and call this api after unpacking everyone from of parts.
Therefore in code which we will add (and will do jump to it), we should check "is unpacked our part of code (which we want to patch) or not?" =)

For this purpose i will tell one hint:
.004771B6: 89C6 mov esi,eax
.004771B8: 89D1 mov ecx,edx
EAX - address of start of unpacked code
EDX - size of unpacked code

But sometimes there is CRC-Check too... solve this promlem and enjoy ;)

this not true for execryptor. you dont reach a OEP. you exe is descrambled bits at a time. i know OEP, and dumped their, execcryptor is still present, so obviously was to early, i only get so far before it locks up olly. any pointers. also.. IAT.... this one seems like a tough one. but not impossible.

it has an OEP, but it's morphed. so you can say execryptor is still there. unfortunately the morphing is done by the protector before it packs the exe, this means there's no way to patch it and dump it correctly without morphing. morphing needs to be done manually. the question is just how. it looks very ugly to demorph this.

markus :)
nice to see you again.
as far as patching i think it is very possible. i found a way to do it, where the cryptor writes my bytes for me, but alas.. crc check.. i need to find a way around the check, or else patch it out somehow. i think this one is far superior to many other protectors out there at the moment. lets say i know my oep is (eg. 00401000) if you try to break there olly either hangs or crashes. A full version key for the protector would prove very useful.. if anyone reading this has one please PM me, i will not give it out, will stay safe on my HD. i just want to pack a few exe's i have.. see what a generic approach there is.
thanks
-H3rCuL3s

something tells me, that author of execryptor reads this forum :)
and soon such things like "the inline patch vulnerability" will be fixed...

who cares? if he isn't able to find this vulnerability out himself, he isn't able to fix it. if he is able to, he would fix it without our help too. b4d from SnD also released a patched Execryptor protected program with only changing one byte. it seems de decryption routine isn't very advanced. in fact a programmer can't release protector-versions faster than crackers can crack it. simply because programming take much more time than cracking.

yeah. i released execryptor protected program :) hi markus bro ;)

Well, it depends about programming. It doesnt have to be so. It all depends on cracker and programmer but cracking really got hard :/ Never before cracker had to rely on loader based ideas and i see that in near future that will be main thing :/

i don't think this will come. with growing protector strength the knowledge of crackers is growing. also of coders.

another thing:
SoftICE was difficult to handle and for modern protectors it wasn't very reliable. but what happened? there was suddenly this powerful tool called olly which worked in ring3 by oleh... ;) olly 2 in development. more easier to handle and more powerful features? who knows...

all i want to say: the time of unbeatable protectors still doesn't exist (because dyn!o doesn't have time to do so :P -> look his signature). there are still ways, also if it's a hard road.
for experimental i inline-patched ASPr 2.0 with bound-deletion, took me 2 hours to do so and really a pain if there's no way to automize this thing, but it's possible. also different ways: tested till now: hookings, file-simulation and parallel self-modifying and demodifying code used as inline-patch technique. there's another thing to say: what's the heart of every program? the kernel. i patched it also for experimental use so if GetModuleFileNameA is called (or CreateFileA), it searches if an .bak file exists with the same name of the .exe. if it exists, it should use it. this defeats every CRC-check which is non-memory dependant. i take no response for errors of your OS ;)
this is no method for daily use and for patches (who would let patch his kernel?), but it helps to improve knowledge.

Markus, i'm not arguing skill of any cracker, i'm just saying that its getting tougher and tougher and if anyone really put his head in protection almost uncrackable protections would be made. ASPR2 and Armadillo are just a laughs comparing to what i can imagine being a protector. I never unpacked asprotect 2. I did try but saw that i will need whole day or several days to make working unpacked exe of it. And i did take a route around it so i can crack any aspr2 app but thats just not like before. Keygening is almost dead. Being able to keygen something is only consequence of program author not wanting or not knowing how to implement good authentication algorithm.
For myself, another problem is growing. Why do i do all this? I've been called a lamer several times becouse my crack for some program stopped working after 2 hours. Eh. n/m. This is getting too offtopic :)

Okay well the original question was simple to answer... "HOW TO UNPACK".. well at the moment i dont have a answer to this. It seems we have to somehow get the protector to "Decrypt" itself. releasing the actual exe we so desire. If anyone does possess a key for v2.x i would like to have it (for testing only), would not release a serial or registered execrptor by no means.. Simply said... Until i understand better what the protector is actually doing here, seems a bit hard to go in blind, especially with this certain protector. As you have all read before, if it runs.. it can be cracked... Well this protector is by no means any different. Until we grasp what we are up against the answer is No... I cant unpack it.. but i wont quit just because of this.. I will put in few hours a day, until my desired conclusion is met.
-H3rCuL3s

it wasn't about skills of anyone, but what i wanted to say: you shouldn't stick to most common ways of patching / unpacking just because they are used by everybody. if you don't try abstract things like i mentioned there's no big learning-effect. the time when a protector is called "strong" is just the time where nobody knows how to defeat it. it was the same about ASPr 1.23. LaBBa wrote a tutorial then and the protector became more easier, also for beginners. i'm sure time will bring you tutorials and also tools for protectors like this.

Tnx MaRKuS for that you think my tut help some ppl ...


i'm now also looking at this new ExeCrypt... it's realy nice!!
i realy love the fackt that it closes my Olly when it run... :D
(this is a big hint about how to kiil the anti-debug)
well i will see what this app is made of...

hope to have some more news at the future...


LaBBa.

yeah, it is nice trick with .tls section...
more detailed information:
hxxp://www.anticracking.sk/EliCZ/infos/TlsInAsm.zip

for running execrypted program in ollydbg, we need to change class of ollydbg. "OLLYDBG" => "Something".

(info from wasm.ru/forum)

StrongBit has released "official" crackme for ExeCrypt with serial numbers included. The purpose of crackme is simply unpack file. If anybody wants I can attach it here.

Someone over at REC claims to have solved the Execryptor official crackme.
However the person can't post his solution over at crackmes.de due to size limitations. Btw the person I'm talking about is kao. Some people already asked him to provide the solution by email. So...one could try to do the same. :)

Regards,

sTfN0X

hehe :)
would be nice to see that file
(I still cannot download though ;))

anyway, I think this "decrypting" and "dumping" approach won't lead you anywhere.

there must be a table, based on which the morpher engine selects instruction(s) to replace the current one with, so the proper technique involves writing a 100% tracer routine and access to that table.

Execryptor to be blinded
 

Some info to force Execryptor to be blinded to patching code (OLLY related):

This technique works on simple checking routine aka bytescout (wxw.bytescout.com) use in their stuffs.

1. 4 dwords with CRC seeds at file offset 110h (EXE) 050h (DLL). Execryptor check CRC before Anti-Debug routine.

2. BP ReadFile till you see PE string in STACK listing. Push CTRL-M and look for e.g. first CRCs string (point 1.). Put HW Break on access every of 4 CRC seedes separately. Olly stops and you see compared values (after patching you see which code you have to write to file offset 110h (EXE) 050h (DLL) back, also you will have to fix value in EAX to continue on next CRC check; do not forget there are 4 CRC check-points). After checking all of 4 CRC seeds remove all hardware breakpoint!!

3. You have to find from where EXECryptor read byte(s), which you want to patch aka HW Break on write. Simple patch them using HEX editor, find new crc strings, write them and enjoy.


If olly starts exe before OEP and EXECryptor fire complaint message use HW Break on execute on user32.UserClientDllInitialize, after you can put BP ReadFile and remove all hardware breakpoint !! (EXECryptor complaint about it)

Thanks in advance!!

ThunderPwr

There is no need to upload it here.


I guess you have "Relayer's EXECryptor official CrackMe" in mind:
hxxp://www.crackmes.de/users/relayer/execryptor_official_crackme/

It looks the only VERY VERY hard (level 8) crackme that didnt cracked for 1,5 years.

Execryptors strongest part is morphing. this makes it hard to find the antidebug. but i think this crackme (execryptor) is using a int2e to kill olly.

I have never heard of int2e? :confused:

could you perhaps explain a bit. :D

Peace

OK. Time to try the old search engine and enter:

"anti-debugger detection int 2e" and/or "int 2e and debugger detection" (without the quotes, of course.)

and see what you get! :eek: ;)

or, gasp, you could try the search button here, and enter "int2e" (again without the quotes.) ;)

Regards,

Hi D-Jester,

Some time ago there was a file posted in this forum which was named DEBUG-ME
It was made by a member of Ar-Team. (Teerayoot)
he has used INT2EW in his Debug-Me.
Just take a look at that file.
Hope it helps you to understand.

Best Regards,
Android.

version 1.1
 

ok,with that U can resolve all pointers of an exe,changing a little bit the code
according to my comments and your will...notepad packed in zip can be fully recovered with that script,and much more...that's it...

all exceptions on Olly checked,and all list of exceptions also checked...

I wonder ;)

I still cannot download but would be nice to know what packing options (morphing?) were used to pack that.

well
 

no morphing...only basic packing all on in the unregistered version...But the script is for IAT only,in not morphed...it may work in morphed but i cannot pack any...don't have registered execryptor to be sure what i pack and with what optionz...