#1
OK, I'll try, I hope I'm lucky enough.
And the guy named moon seemed to have got it?
#2
I can trace it only in my spare time and it might take a long time for me. I'm not sure if I can do it. At first I wished to unpack it quickly with some trick like a memory access breakpoint, and failed. It seemed that the whole entry code has been moved into the packer.

My target now is to find out how control was given to the original program, and I have not paid attention to the IAT yet. I ignored TLS callback function 0 for now. I'm tracing function 1 but am not finished. It's not difficult to write a script to pass through function 0 and function 1 and stop at the packer's EP; it runs happily under OllyDbg, so the problem is patience and time. And it has no junk code at all, good news.

I'll spend my holiday soon. But I won't give up. Regards.
#3
Got it.
#4
The "Got it." is priceless.
ExeCryptor is b****, congratz.
#5
You are right, it's useless without a description.
How you get the OEP from the other poster: load the program into Olly; Olly will stop in an exception. Set a memory breakpoint on the code section. Skip all exceptions with SHIFT+F9. The fourth stop is the OEP from the above poster.
#6
I have not cleared my note.
I wrote 2 Olly scripts to get it:

1. Decompile the unpackme, get the address of TLS callback function 1 from IDA, and the target address of the mov opcode is where I dump it. If you want to find out the stolen code, just keep on tracing. Here, both of the callbacks were "closed" somewhere; the important function was replaced with only a ret, so if the protected baby is a multi-thread program, the code which decrypts and loads APIs won't be executed repeatedly. In my post, I zeroed the entries in the TLS directory; nothing important there now.

2. Despite many branches in the hooked APIs, you can execute them safely. Just stop at the packer EP, write a script to call each entry in the IAT (except 0 and good entries), bpx at the correct position so it will loop and never jmp into the real API. Use the script to fix the IAT. Be careful to keep the stack balanced (if not, it doesn't matter ;-).

I unpacked ExeCryptor itself, but when I ran it, it crashed! So I'll continue with it. I don't have enough time, so maybe I can't finish it soon. For now I just hope to unpack it, not crack it; I won't bother to fight the algorithm. Maybe patching it is ok.

Regards.

Last edited by softworm; 10-22-2004 at 13:38.