Usually this kind of protection works in such a way that the code section is encrypted with a hash from that key. You want to say that ExeCryptor doesn't work like that? It's really hard to believe that they were that dumb. I didn't check such applications, but all protectors have that kind of DEMO protection (aspr, armadillo, pelock, acp, etc...).
no time trial to run. So it must be dumb
I think it's possible. In olly, when I run the app and the dialog with serial etc. appears, I go for example to 401000 and I see correct code (jmps to iat at the beginning, app written in borland delphi), also strings etc. like proper code. The problem is how to recover the full iat, and the stolen bytes at oep :/
yes, I have read your tutorials and everything is going well. I recovered the oep, and tried your script for iat recovery. This works almost fine but crashes after recovering about 60% of the iat. But when I try to fix only these 60% of the iat with imprec and load it in olly, the iat is the same as before :/
Ok, I checked that app. First, the app cannot run because obdii.dll is missing. ExeCryptor is not recognized by PEiD because my sig collection has many small and false signatures, but after removing the false UPX, it gives ExeCryptor 2.1.17 version (which is not correct, but at least my sigs can still recognize the protector). OEP should be here and it has stolen code:
005156DC .-E9 9F620800 JMP mcprog48.0059B980
Script restores ALL imports, but as mentioned in the tut, you need to change the find pattern.
Script crashes after all imports are restored because of some bug in the script while setting the EIP value. I didn't find the bug (no time now), but when the script reaches the error, dump the import section with LordPE. Then restart, find OEP and binary paste the bytes into the import section. Here is my ImpREC tree so you can check it:
; Syntax for each function in a thunk (the separator is a TAB)
; Flag RVA ModuleName Ordinal Name
; Details for <Valid> parameter:
; Flag: 0 = valid: no -> - Name contains the address of the redirected API (you can set
; it to zero if you edit it).
; - Ordinal is not considered but you should let '0000' as value.
; - ModuleName is not considered but you should let '?' as value.
; 1 = valid: yes -> All next parameters on the line will be considered.
; Function imported by ordinal must have no name (the 4th TAB must
; be there though).
; 2 = Equivalent to 0 but it is for the loader.
; 3 = Equivalent to 1 but it is for the loader.
; 4 = Equivalent to 0 with (R) tag.
; 5 = Equivalent to 1 with (R) tag.
; And finally, edit this file as your own risk! :-)
I don't know whether you will manage to get a working dump; there are many things that can be the reason for crashing: from a bad dump, to some self-check, to threads that will be executed within EC code which you cannot remove, etc..
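The header comments in the ImpREC tree above document the line format (TAB-separated Flag, RVA, ModuleName, Ordinal, Name) and what each Flag value means. As an added example that is not part of the thread or of ImpREC itself, the following Python parser reads such tree lines into structured entries, applying those rules: flags 1/3/5 are valid, flags 0/2/4 are unresolved and carry the redirected API address in the Name column, and an import by ordinal has an empty Name with the fourth TAB still present. The sample tree text is constructed for the example; the RVAs, module and address values in it are not taken from the thread.

```python
"""Parser for ImpREC "tree" lines (added example; constructed sample data)."""
from dataclasses import dataclass
from typing import List, Optional

# Flag semantics as documented in the ImpREC tree header:
#   0 = invalid, 1 = valid, 2/3 = same but for the loader, 4/5 = same with (R) tag.
VALID_FLAGS = {1, 3, 5}
LOADER_FLAGS = {2, 3}
R_TAG_FLAGS = {4, 5}


@dataclass
class ThunkEntry:
    flag: int
    rva: int
    module: str
    ordinal: int
    name: str

    @property
    def valid(self) -> bool:
        return self.flag in VALID_FLAGS

    @property
    def for_loader(self) -> bool:
        return self.flag in LOADER_FLAGS

    @property
    def r_tag(self) -> bool:
        return self.flag in R_TAG_FLAGS

    @property
    def by_ordinal(self) -> bool:
        # A valid function imported by ordinal has no name (but the 4th TAB exists).
        return self.valid and self.name == ""

    @property
    def redirected_to(self) -> Optional[int]:
        # For invalid entries the Name column holds the redirected API address
        # (it may be zero if the user edited it out).
        if self.valid or self.name == "":
            return None
        return int(self.name, 16)


def parse_tree(text: str) -> List[ThunkEntry]:
    """Parse ImpREC tree text; ';' lines are comments, fields are TAB-separated."""
    entries: List[ThunkEntry] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.rstrip("\r")
        if not line.strip() or line.lstrip().startswith(";"):
            continue
        parts = line.split("\t")
        # Flag, RVA, ModuleName, Ordinal, Name: exactly four TABs are required,
        # even when Name is empty (import by ordinal).
        if len(parts) != 5:
            raise ValueError(f"line {lineno}: expected 4 TABs, got {len(parts) - 1}")
        flag = int(parts[0])
        if flag not in range(6):
            raise ValueError(f"line {lineno}: unknown flag {flag}")
        entries.append(ThunkEntry(
            flag=flag,
            rva=int(parts[1], 16),
            module=parts[2],
            ordinal=int(parts[3], 16),
            name=parts[4],
        ))
    return entries


def unresolved(entries: List[ThunkEntry]) -> List[ThunkEntry]:
    """Entries that still need fixing before the dump can be rebuilt."""
    return [e for e in entries if not e.valid]


# Constructed sample tree (values are made up for the example, not from the thread).
SAMPLE_TREE = (
    "; constructed sample, not a real ImpREC dump\n"
    "1\t000C5000\tkernel32.dll\t0000\tGetProcAddress\n"
    "1\t000C5004\tkernel32.dll\t001A\t\n"        # valid, imported by ordinal 0x1A
    "0\t000C5008\t?\t0000\t0059B9A0\n"           # invalid, redirected through protector code
    "3\t000C500C\tuser32.dll\t0000\tMessageBoxA\n"  # valid, loader entry
)

if __name__ == "__main__":
    for e in parse_tree(SAMPLE_TREE):
        state = "ok" if e.valid else f"redirected to {e.redirected_to:08X}"
        print(f"{e.rva:08X} {e.module} {e.name or ('#%d' % e.ordinal)} [{state}]")
```

A check like `unresolved()` is a quick way to see how much of the tree still points into the protector's redirection stubs before trying to fix the dump.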
Thanks haggar, I corrected the dump and it's working on other machines
I found where the bug is. When I changed the line:
cmp pointer,10000000 //Check is import placed in thunk, or redirection.
to:
cmp pointer,C50000 //Check is import placed in thunk, or redirection.
the script works fine.
Script crashes because some imports are below 10000000.