Hi and welcome to new tutorial. This one shall be very quick and brief since I already wrote two tutorials. Target for this tutorial is UnPackMe_ExeCryptor2.2.50.j.exe provided by Teddy Rogers. It can be found on SnD site http://www.tuts4you.com/. It is MSVC++ target protected with all options.
ExeCryptor targets differ from one to second, but differences are minor. Once you understand one version, you will have open door for other ones. Most of differences are Olly detections which are changed from version to version so patching Olly is useless. Every new version will find easy Olly in memory. ExeCryptor checks all processes and reads couple bytes from specific adddresses. Example, it checks some exports, or ODBG strings in every process to recognize Olly. If it finds some process, it terminate it. Processes are enumerated with GetWindowThreadProcessId.
- Killing debugger checks -
Ok, enough of talking. Open Olly and in debugging options, under events, set Olly to break on System Breakpoint. This is to avoid target autorun in Olly. Olly will set breakpoint on EP of target and that breakpoint is detected by ExeCryptor (EC). Open bp window and delete that bp.
EC has several debugger checks:
I already explained these checks in one my tutorial so look there for explanation. If you don't want to waste time to manually disable checks, use some plugin like HideOlly or OllyAdvanced. But warning! Plugins can be detected by EC. Plugins sometimes (depending on type of plugin and hide method) hooks APIs and EC checks for such redirections. So select only features for these checks.
- Killing threads -
EC uses a lot of threads to perform active monitoring and protection. These threads checks for debuggers, breakpoints, hostile windows, etc... To disable these checks , we can patch CreateThread API so threads are never started. Go to CreateThread and NOP whole API till the last RETN xxxx opcode. I sad already that EC versions have minor changes. In my previous tutorials, it was enough to patch CreateThread API. But this version uses CloseHandle to close handle of thread after it is created. If threads are not created, CloseHandle will couse exception and target will crush. So we must patch CloseHandle API in the same way as CreateThread.
- OllyDbg targeted tricks -
EC really hate Olly and because of that it tries to detect and kill Olly by any means. One trick that is used to crush Olly is OutputDebugStringA exploit. This is probably nothing new for reader of this small tutorial because this trick is used in lot of protectors, but in case that you didn't know for it:
There is some bug in Olly that will couse Olly to crush if debugged executable file name is "%s%s", or if OutputDebugStringA send this string to Olly. To prevent crushing we can patch that API just like we patched CreateThread and CloseHandle. Instead of NOPing whole API, you can just place RETN 4 opcode at the API start.
EC can use FindWindowA, ReadProcessMemory tricks too for detecting Olly, but in this version those checks are performed just with threads. And we killed threads so this not we can run target under Olly.
- Finding OEP and restoring OEP code -
After we patched all checks, we need to break on OEP. We will use memory breakpoints for this. Place mem bp on first section and run. First time we will stop at unpacking procedure:
When you break, remove mem bp, place bp at the last RETN. Last RETN is last opcode of this unpacking procedure and when you break there, code is unpacked. Remove that bp and place new mem bp. Run and you will break in procedure that writes destination of CALLs:
004B613E AC LODS BYTE PTR DS:[ESI]
004B613F D0E8 SHR AL,1
004B6141 80F8 74 CMP AL,74
004B6144 75 0E JNZ SHORT UnPackMe.004B6154
004B6146 8B06 MOV EAX,DWORD PTR DS:[ESI]
004B6148 0FC8 BSWAP EAX
004B614A 01C8 ADD EAX,ECX
004B614C 8906 MOV DWORD PTR DS:[ESI],EAX
004B614E 83C6 04 ADD ESI,4
004B6151 83E9 04 SUB ECX,4
004B6154 49 DEC ECX
004B6155 ^7F E7 JG SHORT UnPackMe.004B613E
004B6157 59 POP ECX
004B6158 5E POP ESI
004B6159 C3 RETN
Again, remove mem bp, place bp at the RETN, run and remove that bp. If you place next memory breakpoint on first section, you will break at OEP or first code that is executed in code section:
EC has strong obfuscation that makes impossible to reconstruct OEP code. But in this example number of stolen opcodes is small and most opcodes can be recovered by experience. Open some MSVC++ 6.0 file in second Olly and binary copy first 0x15 bytes. Paste them to our target at OEP. I have used Mozilla Firefox OEP bytes:
IAT section is 00460000. Most of imports are redirected in EC code where they are decrypted. In my past two tutorials I have explained how IAT is protected and how to recover it. But that was case when for imports are used jumps. VC++ use calls so I had to write new script. This script doesn't search for JMP/CALL, instead it just walks trough thunks in IAT section and decrypts protected ones. Script is below, paste it to some text file and use by some script plugin. My comments exapain most of things altough you don't need to understand it or change for this target:
// ----------- ExeCryptor 2.2.50 - for VC++ IAT ------------------
LABEL_01: //Examne thunks label.
cmp thunk,00461000 //Is it end of IAT? Then finish.
cmp [thunk],0 //Is thunk empty? Then go to next.
cmp [thunk],10000000 //Does thunk holds API? Go to next again.
sub thunk,4 //Thunk holds redirected import.
mov ref_esp,esp //Stack reference (start ESP value).
LABEL_02: //Trace untill return ESP value is decrypted.
cmp temp,30 //Trace first 30 opcodes.
LABEL_03: //Find referenced stack value.
mov temp,[temp] //Get "Magic return address".
cmp eax,10000000 //Is EAX<10000000 (EAX<IMPORT) ?
jb LABEL_01 //Then it is self-fixed import.
sub thunk,4 //If not self-fix, fix it!
mov eip,oep //Restore OEP.
//------------------------ End of script ------------------------------
When script is finished, dump image with LordPE (note that you'll had to correct ImageSize before you dump), load ImpREC and set OEP to 271B0, then rebuild IAT on dumped file.
- Fixing dump -
As a last touch, you need to erase TLS information from PE header. Use LordPE or CFF Explorer, set TLS offset and size to 0. You can also delete EC 3 sections to ge smaller dump. If you want to make perfect dump, you can place IAT in original IAT section at 00460000. Check my dump how I did it.