PDA

View Full Version : Execryptor + Ollydbg


bodzcount
October 15th, 2007, 17:53
Hi,
i am using ollydbg with antidetectolly 2.2.4. My problem is that i can run execryptor files only in about 1 of 5 attemps. Everytime I get different errors, executing memory 0x00 etc...

Does anybody have an idea how to fix this?

What does antidecetolly do change exactly? Is it possible to get execryptor running without patching olly?

Thanks!

PS: I am using advanced olly to hide debugger

JMI
October 15th, 2007, 21:40
Another first time poster who obviously failed to READ THE FRIGGIN FAQ and/or the signature under his name.

bodzcount:

The FAQ states you are supposed to tell US what YOU have done to attempt to actually FIND an answer to YOUR question on the net, as in YOU search for an answer and tell US what YOU found before you ask for someone here to GIVE you an answer!

Now go actually read the FAQ and follow it's directions.

Regards,

Sab
October 15th, 2007, 22:49
Only reason for this reply is primarily because this is not the first time I have seen this question come up. However, just about 3 seconds of googling will answer your question.

There was a really nice script released by pe_kill , haggar, and some others on unpack.cn which is linked directly to this board. Here is a portion of "ExeCryptor 2.0.x - 2.3.x OEP Finder v0.2.txt" from tuts4you.com:

Instructions:

1. You need to have NT based operating system;

2. Configure OllyDbg in "Debugging Options"->"Events" to
"Make first pause at - System breakpoint";

3. Ignore all exceptions and add to custom this one
C000001E (INVALID LOCK SEQUENCE)

4. Remove or disable all plugins which purpose is to hide
OllyDbg from protecors. ExeCryptor detects modified
imports and by that most such plugins are detected.

5. Now load target in OllyDbg. Remove all breakpoints
(hardware, memory, software). OllyDbg sets one bp
on OEP by default and ExeCryptor checks that. Hit
Alt+B to see is that breakpoint listed there. If
it is, remove it.

6. Now, run this script .


Next step is a snippet of his script which is related to antidebug:

log " "
log "------------------------------------------------------"
log " ExeCryptor 2.0.x - 2.3.x OEP finder script by HAGGAR"
log "------------------------------------------------------"

//-------------- Patch what can be patched -----------------
gpa "FindWindowA","user32.dll"
mov [$RESULT],#8BFF5533C05DC20800#
gpa "OutputDebugStringA","kernel32.dll"
mov [$RESULT],#8BFF5533C05DC20400#
gpa "ReadProcessMemory","kernel32.dll"
mov [$RESULT],#8BFF5533C05DC21400#
gpa "CreateThread","kernel32.dll"
mov [$RESULT],#8BFF555DC21800#
gpa "CloseHandle","kernel32.dll"
mov [$RESULT],#8BFF555DC20400#
gpa "CheckRemoteDebuggerPresent","kernel32.dll"
mov [$RESULT],#8BFF5533C05DC20800#
gpa "KiRaiseUserExceptionDispatcher","ntdll.dll"
mov [$RESULT],#C390909090#

You can run the code snippet above as a standalone script (without oep finder). The next step if you dont want to run the entire script but know whats going on is:

//---------------------- Erase debug bits ------------------------
mov temp,[addr] //BeingDebugged
and temp,0ff00ffff
mov [addr],temp
mov temp,addr //HeapFlag
add temp,18
mov temp,[temp]
add temp,10
mov [temp],0
mov temp,addr //NtGlobalFlag
add temp,68
mov [temp],0

You can enable the equivalent of those in OllyAdvanced with no problem.

That should* bypass the checks, but for further explanation; which I highly advise:

Google "Execryptor Haggar"
and your first result,
http://www.reversing.be/article.php?story=20061206203057545

which explains the above script pastes.

***Check out unpack.cn and search for a recent tutorial for execryptor
ExeCryptor_2[1].2.x_-_2.3.x_Unpacking_tutorial_-_By_EvOlUtIoN

That is in my opinion one of the most excellent contributions related to this wrapper around. It also will solve any antidebug issues.

By the way, if this works for you, I expect you to reply to this thread with DONGS or thanks or both.

DONGS

LLXX
October 16th, 2007, 01:57
Giving the OP a premade solution does NOT free him of his burden of having to figure out what exactly it does!

bodzcount
October 16th, 2007, 06:20
what you have written are one of the easiest and first things i have done. it worked for some older apps, but not for the new one i have right now.

1. you forgot something in your script snipped.... [addr] = ?

2. i tried that script already. Some EC apps give invalid handle errors, i guess because createthread .... other apps just freeze...

3. when i use that script, i still need to have RemoteDebuggerPresent or QueryInformationProcess in OllyAdvanced checked... I guess the script can be improved here...

any hints will be appreciated

Sab
October 16th, 2007, 12:46
"Hi,
i am using ollydbg with antidetectolly 2.2.4. My problem is that i can run execryptor files only in about 1 of 5 attemps. Everytime I get different errors, executing memory 0x00 etc...
"

You need to elaborate in your original post as mentioned before. Your post does not suggest you tried any outside methods besides ready built plugins. How can anyone here know what you have tried and not tried? Next, you did not understand my original post:

'"1. you forgot something in your script snipped.... [addr] = ?"
I did not forget anything. I pasted that snippet to show the debug bits it was looking for and I mentioned to use ollyadvanced to bypass. The only portion of the script you need to use is the find#bytes# portion standalone. The rest you can do with alt+b/plugs. I also included the script name that I pasted from. This is obvious.

2. "i tried that script already. Some EC apps give invalid handle errors, i guess because createthread .... other apps just freeze..."
See below.

"3. when i use that script, i still need to have RemoteDebuggerPresent or QueryInformationProcess in OllyAdvanced checked... I guess the script can be improved here..."
So what? Want it to lather your balls in lotion for you? Update the script and release a new one. Also if you googled what I googled in my original post you will find haggar released 4 tutorials which include this:
ExeCryptor 2.3.9 - Unpacking
ExeCryptor 2.2.50 - Unpacking MSVC++ target
ExeCryptor official crackme
ExeCryptor 2.2.4


I mentioned in my previous post to seek the tutorial:

"***Check out unpack.cn and search for a recent tutorial for execryptor
ExeCryptor_2[1].2.x_-_2.3.x_Unpacking_tutorial_-_By_EvOlUtIoN

That is in my opinion one of the most excellent contributions related to this wrapper around. It also will solve any antidebug issues."

Now if you go to this tutorial you will find the following:

"Appendix B: How to run target on debugger"

He mentions tricks above, + he uses HIDEOD.dll instead of ollyadvanced. For your #2 question, however, you can see an entire page or two dedicated to the threads.
"1. How a thread is created?"
"2. How to avoid its creation?"
"...Latest versions of EC uses some "events" during the program
execution...So problem is EC want to control the thread alive..."


Interesting enough, there is not anything in this post that was not in the original post. Have fun unpacking, if the post helped reply DONGS or thanks (:

LLXX
October 17th, 2007, 02:29
Quote:
[Originally Posted by bodzcount;69480]what you have written are one of the easiest and first things i have done. it worked for some older apps, but not for the new one i have right now.

1. you forgot something in your script snipped.... [addr] = ?

2. i tried that script already. Some EC apps give invalid handle errors, i guess because createthread .... other apps just freeze...

3. when i use that script, i still need to have RemoteDebuggerPresent or QueryInformationProcess in OllyAdvanced checked... I guess the script can be improved here...

any hints will be appreciated
Once again, you are reminded that trying to use a premade solution is NOT the right thing to do! Actually think, carefully, about what your program is doing and figure it out from there.

Sab
October 29th, 2007, 21:05
guess the hints weren't appreciated heh.

Woodmann
October 29th, 2007, 22:02
DONGS
DONGS
DONGS
DONGS

LLXX
Quote:

sage
Quote:
Originally Posted by bodzcount http://www.woodmann.com/forum/images/buttons/viewpost.gif ("http://www.woodmann.com/forum/showthread.php?p=69480#post69480")
what you have written are one of the easiest and first things i have done. it worked for some older apps, but not for the new one i have right now.

1. you forgot something in your script snipped.... [addr] = ?

2. i tried that script already. Some EC apps give invalid handle errors, i guess because createthread .... other apps just freeze...

3. when i use that script, i still need to have RemoteDebuggerPresent or QueryInformationProcess in OllyAdvanced checked... I guess the script can be improved here...

any hints will be appreciated


Once again, you are reminded that trying to use a premade solution is NOT the right thing to do! Actually think, carefully, about what your program is doing and figure it out from there.


WOODMANN SAYS : Of what purpose is your comment?
You have offered nothing. I can spout with offering nothing, it has been established that I dont know shit about anything.
You on the other hand come here and "PRETEND" to offer something but never do. You use the term "sage" as if you have knowledge that none of us will ever have the chance to know.

I, woodmann, do readily admit that I dont know shit. I, woodmann, would never spout shit that I have no idea about.
I, woodmann, have never made statements that I could never support without proven fact.

I, woodmann, have presented this information of my own free will. I am a retard, for the lack of a better word.
I, woodmann have offered nothing to the world of RCE that I, MYSELF, consider worthy of the community.
Why dont you, LLXX, from now on, provide facts to support any statement you may make in the future.
I woodmann, will here by swear to support any statements I make on the woodmann.com forums with facts.
Those facts may be my own or from others but I will always provide relevent information to back up any statements.

Woodmann

LLXX
October 31st, 2007, 18:08
Quote:
[Originally Posted by Woodmann;69921]Of what purpose is your comment?
I'm telling him to think over the problem carefully instead of complaining about a premade script.
Quote:
You use the term "sage" as if you have knowledge that none of us will ever have the chance to know.
Only if you never take the effort to find out -- http://en.wikipedia.org/wiki/Sage_(Internet) there you go.
Quote:
Why dont you, LLXX, from now on, provide facts to support any statement you may make in the future.
I've always been supporting my claims with evidence, even though said "facts" may be subtle and not immediately obvious.

Sab
November 1st, 2007, 05:16
Depending on the circumstances it is better to reply to threads with an answer for cracking faq. In this case execryptor is a popular topic in re. Using the search function is everyone’s friend, but when search results are plagued with forum replies which contain "read the faq, rtfm, dig deeper, figure it out, your question isn’t good enough" (which are most times well deserved replies), it really doesn’t make a nice archive for any of us in the long run when we go to do our own research.

I find on case by case basis that some threads are worth replying to even if the original post was not necessarily a quality post, but the topic was worth discussing; hence, without trying to disrepect the rules of board/admins I will answer a question regardless for the topic itself . imo, this is where a good quality forum of information is created. My intent is not necessary to help the poster, but to help everyone who ever searches this thread in the future. We can all hold our head high and our nose higher because we know the answers, but when starting off, its a lot harder to figure out. In this case I know its a common topic on unpacking forums, but has not been brought up on this board in sometime, particularly with the updated information that was replied.

I Sab, support all of my claims made in this forum and every sub forum thereof, with respect to all transmissions public and private, that I will support all evidence as does one to one, using the support of (but not limited to): bullshit, fluff, DONGS, useless replies, postwhoring, and just enough information to reaffirm the poster has a problem...

LLXX
November 3rd, 2007, 18:31
Quote:
[Originally Posted by Sab;69968]Depending on the circumstances it is better to reply to threads with an answer for cracking faq. In this case execryptor is a popular topic in re. Using the search function is everyone’s friend, but when search results are plagued with forum replies which contain "read the faq, rtfm, dig deeper, figure it out, your question isn’t good enough" (which are most times well deserved replies), it really doesn’t make a nice archive for any of us in the long run when we go to do our own research.
If the OP is having intermittent problems, then obviously something is wrong on his machine. Seeing as he doesn't seem to want to persue the problem any further nor post what he had done to solve the problem had he done so, I think this thread is now a dead end.

/thread

Sab
November 3rd, 2007, 21:46
clap.. clap... figure that all out by yourself?

/useless

dELTA
November 4th, 2007, 06:32
LLXX, just STFU, ok? If anyone made this thread a dead end, it was you, as usual...