execryptor unpacking problem

[Lukasz3k]

Hi
I have problem with one packed exe with execryptor 2.2.x. Application stop on registration window with name, hwid and serial. This is execryptor window. is it possible to unpack this?

Best Regards

[revenger]

Hi
I have problem with one packed exe with execryptor 2.2.x. Application stop on registration window with name, hwid and serial. This is execryptor window. is it possible to unpack this?

Best Regards

It is possible unpacking without registration key , if the program compiled with
known compiler

[haggar]

If app just shows registration dialog, but allows some evaluation period - then you can unpack it.

If app doesn't start without correct key - then you have to break keycheck which is almost impossible. Ei. in that case you cannot unpack it.

[revenger]

"If app just shows registration dialog, but allows some evaluation period - then you can unpack it.

If app doesn't start without correct key - then you have to break keycheck which is almost impossible. Ei. in that case you cannot unpack it."

It's wrong.
If we have known application compiler (Delphi for example) - we can unpack it without correct key and without start the application.

[haggar]

Usually this kind of protection works in such way that code section is encrypted with hash from that key. You want to say that ExeCryptor doesn't work like that? It's really hard to believe that they were that dumb. I didn't check such applications, but all protectors have that kind of DEMO protection (aspr, armadillo,pelock, acp, etc...).

Unless if we talk about time trial that ended.

[Lukasz3k]

no time trial to run. So its must be dumb
I think its possible, in olly when I run app and dialog with serial etc. appear I go for example to 401000 and I see correct code(jmps to iat at the begin, app written in borland delphi) also strings etc. like proper code. The problem is how to recovery full iat, and stolen bytes at oep :/

[revenger]

Quite right .
So it's dumb .
It's very big error of Execrytor's programmer.
The similar mistake is in protector SVKP.

"The problem is how to recovery full iat, and stolen bytes at oep"

Delphi compiled programs have standard OEP.
To recovery full IAT apply IDA and Delphi signatures.

[haggar]

Check that my ExeCryptor tutorials. You should be able to find all imports with my script (I tested it on every 2.x target and it worked great). You will also find how I fixed oep in Delphi file.

http://www.reversing.be/search.php?query=&datestart=&dateend=&topic=0&type=all&author=63&mode=search

[Lukasz3k]

yes I was read Your tutorials and everything is on good way, I recovered oep, and try Your script for iat recovery. This works almost good but crush when recovered about 60% of iat. But when I try to fix only these 60% of iat with imprec and load it to olly iat is the same like before :/

[haggar]

What is your target? If it's small, I could try to check why script doesn't finishes job.

[Lukasz3k]

haggar I sent You app to on pm(attached). its small.

I found on what call script crashed, noped that call(ff25...) and script keep on, but for few second and still crashing

ok I unpacked and manually resolved some iat jmp`s. Now I wonder how to correct TLS info?

[Lukasz3k]

no body?

[haggar]

I got your email. I'll check it.


EDIT

Ok, I checked that app. First, app cannot run because obdii.dll is missing. ExeCryptor is not recognized by PEiD because my sig collection has many small and false signatures, but after removing false UPX, it gives ExeCryptor 2.1.17 version (which is not correct, but at least my sigs still can recognize protector OEP should be here and it has stolen code:

005156DC .-E9 9F620800 JMP mcprog48.0059B980

Script restores ALL imports, but as mentioned in tut, you need to change find pattern

find addr,#ff25????5200#

Script crushes after all imports are restored because some bug in script while setting EIP value. I didn't find bug (no time now), but when script reach error, dump import section with LordPE. Then restart, find OEP and binary paste bytes to import section. Here is my ImpREC tree so you can check it:

[Lukasz3k]

Thanks haggar, I corrected dump and wokring on other machines
I found where is bug, when I changed the line:
cmp pointer,10000000 //Check is import placed in thunk, or redirection.
to:
cmp pointer,C50000 //Check is import placed in thunk, or redirection.

Script works good.
Script crashes becuase some import are below than 10000000.

[haggar]

Great to hear