Execryptor


Execryptor 2.2.50

Date

by 'Pnluck', 'Saturn' and 'LittleLuk'

11/11/2005

Published by Quequero

Step right up, gentlemen, it's true, here there are

We're going flat out, we're going full sail ahead - Pnluck
:/ - Que

<<what is there??>>
Come in and you will find out (6)

....

Pnluck, #crack-it #pmode #cryptorev #unpacking (on efnet)

....

Difficulty

(X)NewBies (X)Intermediate ( )Advanced ( )Master

Introduction

In this article I describe how to unpack Execryptor 2.2.50.
Visit the Execryptor site for information on this packer: http://www.strongbit.com/execryptor.asp

Tools used

Ollydbg, IsDebug&Extra, Olly Invisible, HideDebugger, NtGlobalFlag, OllyDump, AntidetectOllyPatch, RDG

URL or FTP of the program

Crackme

Essay

About EXECryptor
For information about Execryptor, visit http://www.strongbit.com/execryptor.asp (most of these techniques are applied through the use of threads).

About reversing tool detection
Execryptor uses a lot of tricks to detect OllyDbg and other tools (such as SoftICE, Filemon, Regmon, etc.). This is possible because Execryptor creates a lot of threads, with which it performs continuous checks. For example, it is not possible to use OllyDbg or Filemon (unpatched) at the same time as software protected by Execryptor.
These problems can be solved with RE-pair 0.6 (for Regmon, Filemon) and AntidetectOllyPatch (for Olly).

About R3 debugger detection
Execryptor uses several tricks to verify whether it is being debugged:

  1. Check of BeingDebugged
  2. Check of ProcessHeap
  3. Check of NtGlobalFlag
  4. Use of Windows APIs
    It uses CheckRemoteDebuggerPresent and IsDebuggerPresent; see MSDN.

  5. Use of SEH
    By raising many exceptions, Execryptor checks whether there are hardware breakpoints.
    This is the simplest version of the SEH handler, because in others Execryptor also checks the debug registers, from 0 to 3, to verify the presence of hardware breakpoints and react; therefore use memory breakpoints.

  6. Use of threads
    Execryptor creates a lot of threads to check for the presence of OllyDbg, code modifications such as breakpoints, etc.; to evade these checks in the simplest way, we can do a code injection into CreateThread:
Running software protected with Execryptor in OllyDbg
OllyDbg can debug software protected with Execryptor only with a patch and plugins. After patching and installing the plugins, we can run the software; here I show how to arrive at the OEP and how to rebuild the IAT.
  • Prepare Olly for debugging
    Patch Olly with AntidetectOllyPatch.
    Open OllyDbg and set these options: Alt+O -> Exceptions -> check: Int3, SingleStep, Memory access, and add Invalid lock sequence.
    Open the HideDebugger options and check IsDebuggerPresent with the Unhandled exceptions trick.
    Open the IsDebug&Extra options and check all.
  • Find the OEP
    Open the NtGlobalFlag menu and click on 'Set TempBreak on Tls Callback' and 'SET LDR_SHOW_SNAPS'. Now open the software (in this case the crackme): Olly will break at the TLS callback and set 2 breakpoints; delete them, and set a break-on-access on the code section.
    Run the progie with alt+f9 and we will break at:
    Step beyond the jmp and find a 'cmp ecx,2', because this instruction is the end of the decompressing proc. Set a bp on this instruction, press alt+f9 till ecx = 2 and again 3. Now set the break-on-access again and remove the bp on 'cmp ecx,2', press alt+f9 (if there are exceptions, always press alt+f9), and we'll break at the OEP. At this point there may or may not be stolen bytes; the difference is visible to the eye.

    With stolen bytes

    There are two methods for finding the stolen bytes:
    1) Trace the loader until the hypothetical OEP
    2) Use RDG to detect the compiler, analyze the stack and try to work things out
    Dump the progie without rebuilding the IAT, and analyze the dump with RDG: it is VC5.
    The generic opcodes of the entry point for VC5 are: 'push ebp mov ebp,esp'. So the value at stack addr 12ffc0 is push ebp.
    Now in the stack there's 0xff = -1(dec) at 12ffbc: 'push -1'. Two addresses are also stored: 'push 450e60 push 4292c8'. After the hypothetical OEP there's the installation of a SEH handler, so: 'push fs:[0]'.
    This is the rebuilt code (the push eax is overwritten by push fs:[0], but the code is good because eax held the addr of fs:[0]).
    Now redump with the IAT rebuild option, open the progie with CFF or another PE editor, change the base of code in the Optional Header to 1000 and delete the TLS directory.
    Now we have a running progie, but the IAT isn't completely rebuilt. To make the dump run on other PCs as well, you must null the dword that holds the address of GetModuleHandle in the loader section, in my case 487490. Working dump

  • Rebuild the IAT
    Execryptor uses a new method to call an API; it doesn't use GetProcAddress, but instead:
    • It takes a hash
    • The loader decrypts the DLL's name and gets its image base with GetModuleHandle, takes the address of the export table, then generates a hash for every API and compares it with the right_hash until they are equal:
    • When the loader finds the correct hash, it takes the in-memory address of the API, rewrites the iat_address, pushes the_return_addr and executes a jmp [iat_addr]

    In fact, this is a call before it has been executed:
    and this is the call after it has been executed:
Pnluck, Saturn & LittleLuk
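
The import lookup by hash described under 'Rebuild the IAT', sketched as an added example from the analyst's side; it is not code from the original essay or from Execryptor. The hash function, the module contents, the addresses and the pairing of each unresolved slot with a hash are all assumptions made for illustration, since the essay does not give them.

```python
# Added example: stand-in hash and constructed data, not Execryptor's real values.
from typing import Dict, List, Optional, Tuple

def name_hash(name: str) -> int:
    """Placeholder 32-bit hash (rotate left 7, XOR byte); NOT Execryptor's algorithm."""
    h = 0
    for b in name.encode("ascii"):
        h = ((h << 7) | (h >> 25)) & 0xFFFFFFFF
        h ^= b
    return h

def resolve_by_hash(exports: Dict[str, int], wanted: int) -> Optional[Tuple[str, int]]:
    """Walk the export names as the loader does: hash each, stop at the first match."""
    for name, addr in exports.items():
        if name_hash(name) == wanted:
            return name, addr
    return None

def reverse_table(modules: Dict[str, Dict[str, int]]) -> Dict[int, List[str]]:
    """Analyst-side lookup: hash -> every 'dll!api' that produces it."""
    table: Dict[int, List[str]] = {}
    for dll, exports in modules.items():
        for name in exports:
            table.setdefault(name_hash(name), []).append(f"{dll}!{name}")
    return table

def label_slots(slots: Dict[int, int], modules: Dict[str, Dict[str, int]]) -> Dict[int, str]:
    """Name each IAT slot from the hash paired with it (the pairing is assumed)."""
    table = reverse_table(modules)
    labels = {}
    for slot, h in slots.items():
        names = table.get(h, [])
        # A collision is reported rather than guessed; an unknown hash stays unresolved.
        labels[slot] = names[0] if len(names) == 1 else ("ambiguous" if names else "unresolved")
    return labels

# Constructed sample data: module contents and all addresses are made up.
MODULES = {
    "kernel32.dll": {"GetModuleHandleA": 0x10001000, "CreateThread": 0x10002000},
    "user32.dll": {"MessageBoxA": 0x20001000},
}
SLOTS = {0x00500000: name_hash("CreateThread"), 0x00500004: name_hash("MessageBoxA"),
         0x00500008: 0xDEADBEEF}

if __name__ == "__main__":
    for slot, label in label_slots(SLOTS, MODULES).items():
        print(f"{slot:08X} -> {label}")
```
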

Final notes


Thanks to the Uic and Arteam forums, Ntoskrnl, Quake2, Quequero, AndreaGeddon the first to unpack execryptor, Shub, Silent, SataNik, LonelyWolf, Zairon, Active85k and all the members of Pmode and Uic


Disclaimer

I would like to remind you that software should be bought and not stolen, but anyway you can download a thirty-day demo: analyze it, modify it as you please and use it as much as you like ;)
