#30
06-13-2005, 14:10
t4d
Execryptor to be blinded

Some info on how to force Execryptor to be blind to code patching (OLLY related):

This technique works on the simple checking routine that e.g. bytescout (wxw.bytescout.com) use in their stuff.

1. There are 4 dwords with CRC seeds at file offset 110h (EXE) / 050h (DLL). Execryptor checks the CRC before the anti-debug routine.

2. BP on ReadFile until you see the PE string in the STACK listing. Press CTRL-M and look for e.g. the first CRC string (point 1). Put a HW breakpoint on access on each of the 4 CRC seeds separately. Olly stops and you see the compared values (after patching you see which value you have to write back to file offset 110h (EXE) / 050h (DLL); you will also have to fix the value in EAX to continue to the next CRC check; do not forget there are 4 CRC check-points). After checking all 4 CRC seeds, remove all hardware breakpoints!!

3. You have to find where EXECryptor reads the byte(s) which you want to patch, i.e. HW Break on write. Simply patch them using a hex editor, find the new CRC strings, write them and enjoy.
If Olly starts the exe before OEP and EXECryptor fires a complaint message, use a HW breakpoint on execute on user32.UserClientDllInitialize; afterwards you can put a BP on ReadFile and remove all hardware breakpoints!! (EXECryptor complains about them)