|
|
#1
09-22-2004, 00:47
|
|||
|
|||
|
EXECryptor
Has anyone messed with it? It claims to be able to metamorph any protected code (in addition to "normal" anti-whatever). However, I was unable to even run it (without any debugger), the downloadable installer crashed during setup
 strongbit.com/execryptor.asp 
|
|
#2
09-24-2004, 21:05
|
|||
|
|||
|
Do you have any target or unpackme protected by Execryptor2.0?
I tried it on my pc and always get a crashed result with the protected program. Unpacking the packer itself is too time-comsuming and difficult to me. It used TLS callback function to get control before reaching the EP,so you must set the breakpoint at right time. 
|
|
#3
09-25-2004, 00:15
|
|||
|
|||
|
I had posted a unpackme in kanxue studio,but no one can unapck it
try http://bbs.pediy.com/showthread.php?s=&threadid=3707 this one is packed by full version
|
|
#5
09-28-2004, 22:15
|
|||
|
|||
|
I can trace it only with spare time and it might cost
a long time for me. I'm not sure if i can do it.  At first i wish to unpack it rapidly with some trick like memory access breakpoint and failed. It seemed that the whole entry codes have been moved into the packer. My target now is to find out how the control was given to the original program,and did not pay attention to the IAT yet. I ignored TLS callback function 0 now. I'm tracing function 1 but not finished. It's not difficult to write a script to pass through function0,function1 and stop at packer's EP,it can run happily under OllyDbg,so the problem is patience and time.  and it has no any junk code,good news. I'll spend my holiday soon. But I won't give up. regards.
|
|
#8
10-22-2004, 04:25
|
||||
|
||||
|
you are right, it's useless without description.
how you get OEP from the other poster: load program into olly olly will stop in an exception. set memory-breakpoint on code-section. skip all exceptions with SHIFT+F9. the fourth stop is the OEP from the above poster.
|
|
#9
10-22-2004, 13:33
|
|||
|
|||
|
I have not cleared my note.
I wrote 2 olly script to get it: 1. Decompile unpackme,get the address of TLS callback function1 from IDA,and the target address of mov opcode is where i dump it. I you want to find out the stolen codes,just keep on tracing. At here,both of the callback were "closed" somewhere,the important function was replaced only a ret so if the protected baby is a multi-thread program,the codes which decrypting and load apis won't be executed repeatly. in my post,i zero the entries in TLS directory,nothing important now. 2. Dispite many branches in the hooked apis,you can execute them safely. Just stop at the packer EP,write a script to call each entry in IAT(except 0 and good entries),bpx at correct position so it will loop and never jmp into the real api. Use the script to fix IAT.Be carecul to keep the stack balance(If not,it doesn't matter;-). I unpacked execryptor itself,but when i run it,crashed! so i'll continue it.I have no enough time,so maybe i can't finish it soon. By now i just hope to unpack it,not carck it,i won't bother to fight the algorithm. Maybe patching it is ok. Regards. Last edited by softworm; 10-22-2004 at 13:38.
|
|
#10
10-15-2005, 22:27
|
|||
|
|||
|
Hi all
I have test the ExeCrypt 2.26 on MS Notepad and the result was very bad result I need to use only the code morphing feature on the code segments so I disabled all the features except the Antidebug checkbox and raise the code visualization percent to 100% No compression no antitrack no entry point protection... . The changes that I found Is just two long jumps to the original entry point. Is that possible or not. any one have similare experience can help. I need a tool that can generate confusion code with code junks from the original code segments any one have an Idia. Thanks
|
|
#11
11-01-2005, 18:40
|
|||
|
|||
|
I found that you have to add some marks around the critical blocks of your code the re-compile your application before using Execrypt to get your code "morphined".
|
|
#12
11-01-2005, 23:42
|
|||
|
|||
|
Quote:
|
 |
|
|
Linear Mode
