Wednesday, December 06 2006 @ 08:36 PM CET Contributed by: haggar
Level: intermediate
This is a very short tutorial that brings a small update to the previous ones. The target is ExeCryptor 2.3.9 itself, which can be found on the official protector site. The tutorial shows unpacking, not cracking, the target. You will need OllyDbg (with a script plugin and a hide plugin), LordPE, ImpREC and Windows XP.
- Loading in Olly and preparing for debugging -
First open Olly and in "Debugging options", under "Events", set "Make first pause at: System breakpoint". That will prevent the auto start that is caused by the TLS callback. Now load the target in Olly.
Open the breakpoint window and delete the breakpoint that Olly has placed on OEP:
0076E427 EXECrypt One-shot CALL EXECrypt.0076E323
Use some plugin to hide Olly from (or check previous tutorials to learn the manual way):
Do not check anything else in your plugin because EC (ExeCryptor) might detect it. EC detects hooks on APIs.
Go to the OutputDebugStringA API and place a RETN 4 opcode at its start. This is to prevent the "s%s%" exploit.
- Hardware exception trick -
This is a new trick. It seems that EC sets a temporary hardware breakpoint somehow. I do not know yet how this is performed, but within Olly it will cause the file to crash or detect the debugger.
Under exception options in Olly, CHECK ALL boxes, but delete all custom exceptions! Be sure that you haven't placed any memory, software or hardware breakpoint. Now hit Shift+F9 to run the target under Olly. You will stop on the first exception:
007637D0 F0:F1 LOCK INT1
Hit Shift+F9 three more times and then check hardware breakpoints (Debug menu -> Hardware breakpoints). You will see that one hardware breakpoint is placed:
# Base Size Stop on
1 0076098F Temporary
This is a new trick in EC. If you continue running with this hwbp, the target will eventually crash. Therefore, delete it at this point. Also, go to the exception options and add the last exception (C000001E INVALID LOCK SEQUENCE) to the custom ones.
- FindWindowA check -
The hardware breakpoint trick is defeated. Next comes the IsDebuggerPresent check, which is defeated by our plugin, and then a FindWindowA check that searches for a window with the "OLLYDBG" class. Place a memory breakpoint on the first opcode of the FindWindowA API and run. You will stop on a breakpoint check on the API, performed as a small calculation so that it is not so obvious (junk removed from snippet):
Some more examining is performed and then it jumps to FindWindowA, which finds the "OLLYDBG" class in memory. Just set EAX=0 when returning from this API and this check is killed.
- ReadProcessMemory check -
EC examines all processes in order to find a running Olly. It uses GetWindowThreadProcessId to retrieve the PID of each process, then opens each process and uses ReadProcessMemory to examine it. We cannot place a bp on ReadProcessMemory since it will be detected; we could use memory breakpoints, but that would be too slow. Since ReadProcessMemory uses ZwReadVirtualMemory, we can place a bp on that one, which is not checked, and then run. When we break at that API, return to the kernel and then to EC code, and trace a little until you see that some bytes are checked (if you cannot find that check, hit F9 to break on the next memory read):
Threads are used to perform continuous protection. Just NOP the whole CreateThread API (except the last RETN xxxx).
- OEP -
This is a Delphi program and the OEP should be at the end of the code section. But the OEP is scrambled, and at the OEP there will be a jump to the moved OEP. Use memory breakpoints to land in the code section as described in previous tutorials. The OEP should be here:
This protection is already explained. Use my script to fix them, then dump the file and rebuild a new IAT with ImpREC.
//-------------------------------- SCRIPT START -----------------------------------------
//ExeCryptor 2.x IAT for asm/Delphi/BorlandC++ type - by haggar
cmp pointer,10000000 //Check is import placed in thunk, or redirection.
cmp pointer,0 //For delphi!!!!!!!!!!!!!!!!
mov esp_ref,esp //Stack reference.
LABEL_02: //Trace some code.
LABEL_03: //Find referenced stack value.
mov temp,[temp] //Go to "Magic address".
cmp temp,025ff //SelfWriting import type? No need to fix it then.
cmp eax,10000000 //If EAX=!IMPORT, then it is a first type.
mov temp,addr //In this case EAX=IMPORT.
//------------------------- END SCRIPT ------------------------------------------------
- Fixing dump -
Change the TLS pointer with LordPE to 000E2000. The dump should work now, but probably with some problems. The problem is with the serial, so you will get an exception message, and the dump might not work on other machines. Read the official ExeCryptor crackme solution for more info about that.
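Both the "System breakpoint" setting at the start and the TLS pointer fix above depend on the PE TLS directory, whose callbacks run before the entry point. The Python sketch below is an added example, not part of the original tutorial or haggar's script: it reads the TLS data directory of a PE32 file and lists the callback addresses, run on a constructed minimal image (every address in `build_sample` is made up for illustration).

```python
import struct

TLS_INDEX = 9  # IMAGE_DIRECTORY_ENTRY_TLS slot in the data directory

def tls_callbacks(pe: bytes):
    """Return (TLS directory RVA, [callback VAs]) for a PE32 file."""
    nt = struct.unpack_from("<I", pe, 0x3C)[0]                 # e_lfanew
    if pe[:2] != b"MZ" or pe[nt:nt + 4] != b"PE\0\0" or pe[nt + 24:nt + 26] != b"\x0b\x01":
        raise ValueError("not a PE32 file")
    nsect, opt_size = struct.unpack_from("<H12xH", pe, nt + 6)
    opt = nt + 24                                              # optional header start
    image_base = struct.unpack_from("<I", pe, opt + 28)[0]
    ndirs = struct.unpack_from("<I", pe, opt + 92)[0]
    tls_rva = struct.unpack_from("<I", pe, opt + 96 + 8 * TLS_INDEX)[0] if ndirs > TLS_INDEX else 0
    if not tls_rva:
        return 0, []
    # (VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData) per section
    sects = [struct.unpack_from("<8x4I", pe, opt + opt_size + 40 * i) for i in range(nsect)]
    def to_offset(rva):
        for vsize, va, rsize, rptr in sects:
            if va <= rva < va + max(vsize, rsize):
                return rptr + rva - va
        raise ValueError(f"RVA {rva:#x} is outside every section")
    # IMAGE_TLS_DIRECTORY32.AddressOfCallBacks is the 4th dword and holds a VA
    cb_va = struct.unpack_from("<I", pe, to_offset(tls_rva) + 12)[0]
    callbacks = []
    if cb_va:
        pos = to_offset(cb_va - image_base)
        while (va := struct.unpack_from("<I", pe, pos)[0]):   # null-terminated array
            callbacks.append(va)
            pos += 4
    return tls_rva, callbacks

def build_sample():
    """Constructed minimal PE32: one section holding a TLS directory and two callbacks."""
    img = bytearray(0x400)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                    # e_lfanew
    struct.pack_into("<4sHH12xHH", img, 0x40, b"PE\0\0", 0x14C, 1, 0xE0, 0x102)
    struct.pack_into("<H", img, 0x58, 0x10B)                   # PE32 magic
    struct.pack_into("<I", img, 0x58 + 28, 0x400000)           # ImageBase
    struct.pack_into("<I", img, 0x58 + 92, 16)                 # NumberOfRvaAndSizes
    struct.pack_into("<I", img, 0x58 + 96 + 8 * TLS_INDEX, 0x1000)
    struct.pack_into("<8s4I", img, 0x138, b".tls", 0x200, 0x1000, 0x200, 0x200)
    struct.pack_into("<4I", img, 0x200, 0, 0, 0x401040, 0x401020)
    struct.pack_into("<3I", img, 0x220, 0x401100, 0x401180, 0)
    return bytes(img)

if __name__ == "__main__":
    print(tls_callbacks(build_sample()))
```

A non-empty callback list on a packed file means code runs before the entry point, which is why the first pause has to be at the system breakpoint.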