  #1  
Old 02-03-2005, 14:39
Crk
Unknown Multiple layer Encryption ?

well... haven't been able to make a decent dump and came here to see if someone knows a good method to get a dump or unpack for: _ttp://www.dvdxcopy-international.com/setup/DVDXPv4.0.3.8.exe

does anyone know what protector or cryptor was used on this one?

PEiD says nothing.. I've been tracing for hours and can't reach OEP ... maybe due to the many encryption layers it has and anti-debug tricks.. got tired .. but there must be an easy way.. I tried LordPE/Full dump and all it gives is an invalid image with nothing decrypted ...
  #2  
Old 02-04-2005, 13:20
Lunar_Dust
can you give us more info about the PE, like how many sections, what are their names, etc.

Also, look in the file with hex editor and see if you find any strings that might clue towards the protector.

Run the app in a debugger and see if it gives an error message. If so, what does it say and what does the message look like?

These are all indicators that can show the protector type.

The only protector I know of that will screw LordPE full dumps is Armadillo.

-Lunar
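
The checks listed in the post above (how many sections, what they are called, whether their contents look encrypted) can be scripted for static triage of a suspected packed binary. This is an added example, not code from the thread; the sample image is constructed, and the function names and the 7.0 bits/byte entropy cut-off are assumptions.

```python
import math
import struct
from collections import Counter

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    n = len(data)
    return sum(c / n * math.log2(n / c) for c in Counter(data).values()) if n else 0.0

def list_sections(image: bytes):
    """Return (name, raw_size, entropy) for every entry in the PE section table."""
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)            # e_lfanew
    if image[:2] != b"MZ" or image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    # NumberOfSections and SizeOfOptionalHeader from the COFF header
    count, opt_size = struct.unpack_from("<H12xH", image, pe_off + 6)
    table = pe_off + 24 + opt_size                               # first section header
    sections = []
    for i in range(count):
        off = table + 40 * i                                     # 40-byte entries
        name = image[off:off + 8].rstrip(b"\0").decode("latin-1")
        raw_size, raw_ptr = struct.unpack_from("<II", image, off + 16)
        sections.append((name, raw_size, round(entropy(image[raw_ptr:raw_ptr + raw_size]), 2)))
    return sections

def packed_indicators(sections, threshold=7.0):
    """Heuristic notes; the 7.0 bits/byte cut-off is an assumed rule of thumb."""
    notes = []
    for name, size, ent in sections:
        if not name:
            notes.append("unnamed section")
        if size and ent >= threshold:
            notes.append(f"high entropy {ent} in {name or '<unnamed>'}")
    return notes

def build_sample() -> bytes:
    """Constructed two-section image; only the fields the parser reads are set."""
    bodies = [(b".text", b"\x55\x8b\xec\x90" * 64), (b"", bytes(range(256)) * 2)]
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, len(bodies), 0, 0, 0, 0, 0x102)
    ptr = 0x40 + 24 + 40 * len(bodies)                           # raw data follows table
    table = data = b""
    for name, body in bodies:
        table += struct.pack("<8sIIIIIIHHI", name, len(body), 0x1000, len(body), ptr, 0, 0, 0, 0, 0)
        data += body
        ptr += len(body)
    return dos + b"PE\0\0" + coff + table + data

if __name__ == "__main__":
    print(packed_indicators(list_sections(build_sample())))
```
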
  #3  
Old 02-04-2005, 13:29
Crk
I did all that.. and the strangest part is that it doesn't give any warning about the debugger.. running SoftICE 4.05 for win9x now and it runs perfectly.. but I never get to the finish of the encrypting... used some hardware bpm .. but it never ends, must be some anti-debug trick ,, the sections don't have names as far as I remember and fixing the image size with LordPE doesn't do anything; when I dump it the code is still not decrypted even when I've got the app (nag) fully loaded ..... any ideas?
  #4  
Old 02-05-2005, 16:32
Newbie_Cracker
- Use ollydbg too. I think it's better for visualizing the code and registers.
- BP on IsDebuggerPresent, int 1, and use icedump with "protect on" for finding its anti-debug sections, if any exist.

Quote:
Lunar :

The only protector I know of that will screw LordPE full dumps is Armadillo
Another unknown protector screws LordPE too. It closes most crack tools like monitoring tools, ollydbg, and LordPE. I used PE Tools 1.5 and it dumped garbage code.
Please test "Password Reminder 1.7" too.
  #5  
Old 02-06-2005, 08:49
Jay
Quote:
Another unknown protector screws LordPE too
If I remember correctly that was protected with SoftDefender, at least earlier versions were, and I vaguely recall sdpro did cause problems with lpe; I don't remember if the standard version did.
  #6  
Old 02-06-2005, 13:49
Crk
nothing works, excuse me Newbie_Cracker but you're not telling me anything new.. have you been able to dump usable code with dumped.exe?? I need solutions, not guesses

Regards
  #7  
Old 02-06-2005, 19:41
taos
Quote:
Originally Posted by Crk
I need solutions, not guesses
3 EXE's packed:
dvdxrescue.exe
OEP=45ac1c
IAT=46affc size:6e0

platinum.exe
OEP=4530ca
IAT=48bffc size:750

xpress.exe
OEP=43de26
IAT=472ffc size:66c

I've attached unpacked & cracked solutions.

hxxp://s19.yousendit.com/d.aspx?id=19C2EREKI3XFL3CB1UH33Z5UUH

Regards
  #8  
Old 02-06-2005, 21:09
D-Jester
Question

Were you able to identify the packer/encryptor?
I was beginning to think it was XtreamLok.
Did you write a walkthrough?
__________________
Even as darkness envelops and consumes us, wrapping around our personal worlds like the hand that grips around our necks and suffocates us, we must realize that life really is beautiful and the shadows of despair will scurry away like the fleeting roaches before the light.
  #9  
Old 02-06-2005, 22:05
Frequency
Taos,
could you please give a quick tut if possible? This company (312 Studios) used to use Protection Plus for their software but switched. I tried for a while but got nowhere. If you find some time can you please elaborate on how you found OEP? thanks,
-H3rCuL3s
  #10  
Old 02-06-2005, 22:22
Crk
I've attached unpacked & cracked solutions.

Dear Taos, I really appreciate your help but this doesn't really help me since I'm looking for knowledge and not an unpacked exe. I and everyone here would be glad if you explained a little about this cryptor and how you unpacked it. so this is still useless from my point of view... no offense

I would like to break the registration scheme.. but as you know, before that I must have the files decrypted and running well... I also believe a .dll which maybe depends on this is also packed .. with PEiD you can find out which one it is. I have uninstalled this, I will check it again later.

Regards

Last edited by Crk; 02-06-2005 at 22:27.
  #11  
Old 02-08-2005, 22:19
taos
I'm too busy to write a tut. When I have time, maybe.
The registration scheme and the original EXE are packed in different ways so you must crack the reg scheme (using SICE or stolen code) and then, when you bypass the reg., you will see how the loader unpacks the original file and goes to the OEP.

I don't know what type of protection it is (it creates threads)...
If my job permits me, I will post more info.
Regards.
  #12  
Old 02-10-2005, 16:00
Crk
you haven't answered any question. your way of handling this without sharing any tips sounds very mysterious. if I wanted cracked exe's this topic wouldn't be here and would be in Requests .. I don't need any cracked exe for this right now, only to understand the way this cryptor or packer works and how to unpack it. the questions remain unanswered and the topic remains alive.

Regards

All times are GMT +8.