
Thread: Execryptor + Ollydbg

  1. #1
    bodzcount
    Guest

    Execryptor + Ollydbg

    Hi,
    i am using ollydbg with antidetectolly 2.2.4. My problem is that i can run execryptor files only in about 1 of 5 attempts. Every time I get different errors, executing memory 0x00 etc...

    Does anybody have an idea how to fix this?

    What exactly does antidetectolly change? Is it possible to get execryptor running without patching olly?

    Thanks!

    PS: I am using advanced olly to hide debugger
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    Another first time poster who obviously failed to READ THE FRIGGIN FAQ and/or the signature under his name.

    bodzcount:

    The FAQ states you are supposed to tell US what YOU have done to attempt to actually FIND an answer to YOUR question on the net, as in YOU search for an answer and tell US what YOU found before you ask for someone here to GIVE you an answer!

    Now go actually read the FAQ and follow its directions.

    Regards,
    JMI

  3. #3

    hm

    Only reason for this reply is primarily because this is not the first time I have seen this question come up. However, just about 3 seconds of googling will answer your question.

    There was a really nice script released by pe_kill, haggar, and some others on unpack.cn which is linked directly to this board. Here is a portion of "ExeCryptor 2.0.x - 2.3.x OEP Finder v0.2.txt" from tuts4you.com:

    Instructions:

    1. You need to have NT based operating system;

    2. Configure OllyDbg in "Debugging Options"->"Events" to
    "Make first pause at - System breakpoint";

    3. Ignore all exceptions and add to custom this one
    C000001E (INVALID LOCK SEQUENCE)

    4. Remove or disable all plugins whose purpose is to hide
    OllyDbg from protectors. ExeCryptor detects modified
    imports and by that most such plugins are detected.

    5. Now load target in OllyDbg. Remove all breakpoints
    (hardware, memory, software). OllyDbg sets one bp
    on OEP by default and ExeCryptor checks that. Hit
    Alt+B to see whether that breakpoint is listed there. If
    it is, remove it.

    6. Now, run this script.


    Next step is a snippet of his script which is related to antidebug:

    log " "
    log "------------------------------------------------------"
    log " ExeCryptor 2.0.x - 2.3.x OEP finder script by HAGGAR"
    log "------------------------------------------------------"

    //-------------- Patch what can be patched -----------------
    // gpa resolves the export and leaves its address in $RESULT; the #..#
    // literal is then written over the API entry point. Each stub is
    //   mov edi,edi / push ebp / xor eax,eax / pop ebp / ret N
    // with N = 4 * stdcall argument count, so the API returns 0 / FALSE
    // immediately and the caller's stack stays balanced.
    gpa "FindWindowA","user32.dll"
    mov [$RESULT],#8BFF5533C05DC20800#
    gpa "OutputDebugStringA","kernel32.dll"
    mov [$RESULT],#8BFF5533C05DC20400#
    gpa "ReadProcessMemory","kernel32.dll"
    mov [$RESULT],#8BFF5533C05DC21400#
    // CreateThread and CloseHandle: no xor eax,eax, eax is left as the caller had it
    gpa "CreateThread","kernel32.dll"
    mov [$RESULT],#8BFF555DC21800#
    gpa "CloseHandle","kernel32.dll"
    mov [$RESULT],#8BFF555DC20400#
    gpa "CheckRemoteDebuggerPresent","kernel32.dll"
    mov [$RESULT],#8BFF5533C05DC20800#
    // KiRaiseUserExceptionDispatcher: replaced by a bare ret (C3) plus nop padding
    gpa "KiRaiseUserExceptionDispatcher","ntdll.dll"
    mov [$RESULT],#C390909090#

    You can run the code snippet above as a standalone script (without the OEP finder). The next step, if you don't want to run the entire script but want to know what's going on, is:

    //---------------------- Erase debug bits ------------------------
    // addr must already hold the PEB base address (not set in this excerpt)
    mov temp,[addr] //BeingDebugged: byte at PEB+2, cleared by the and-mask
    and temp,0ff00ffff
    mov [addr],temp
    mov temp,addr //HeapFlag: PEB+18 = ProcessHeap, heap+10 = ForceFlags (32-bit XP layout)
    add temp,18
    mov temp,[temp]
    add temp,10
    mov [temp],0
    mov temp,addr //NtGlobalFlag: PEB+68, normally 70 under a debugger
    add temp,68
    mov [temp],0

    You can enable the equivalent of those in OllyAdvanced with no problem.

    That should* bypass the checks, but for further explanation; which I highly advise:

    Google "Execryptor Haggar"
    and your first result,
    http://www.reversing.be/article.php?story=20061206203057545

    which explains the above script pastes.

    ***Check out unpack.cn and search for a recent tutorial for execryptor
    ExeCryptor_2[1].2.x_-_2.3.x_Unpacking_tutorial_-_By_EvOlUtIoN

    That is in my opinion one of the most excellent contributions related to this wrapper around. It also will solve any antidebug issues.

    By the way, if this works for you, I expect you to reply to this thread with DONGS or thanks or both.

    DONGS
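Added example, not from the thread and not part of HAGGAR's script: a C model of the anti-debug state the quoted OllyScript clears and patches. It builds a constructed 32-bit XP-style PEB and default heap inside a flat byte array (no real Windows process is touched, so it compiles and runs anywhere), runs the checks a protector can make against those fields, applies the "Erase debug bits" block step for step, encodes the stdcall "return 0" stubs the script writes with `mov [$RESULT],#...#`, and shows a prologue-integrity check of the kind step 4 warns about. Field offsets (PEB.BeingDebugged +0x02, PEB.ProcessHeap +0x18, PEB.NtGlobalFlag +0x68, _HEAP.Flags +0x0C, _HEAP.ForceFlags +0x10), the debug flag values and the "clean prologue" pattern are assumptions for 32-bit Windows XP; `PEB_BASE` and `HEAP_BASE` are constructed addresses inside the model.

```c
/* Added example: model of the PEB/heap bits the OllyScript clears and of the
 * API stubs it writes. All offsets/values are 32-bit XP assumptions; the
 * address space is a constructed byte array, not a live process. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MEM_SIZE   0x1000
#define PEB_BASE   0x100u   /* constructed: where the fake PEB lives in mem[] */
#define HEAP_BASE  0x400u   /* constructed: where the fake default heap lives */

#define PEB_BEING_DEBUGGED 0x02
#define PEB_PROCESS_HEAP   0x18
#define PEB_NTGLOBALFLAG   0x68
#define HEAP_FLAGS         0x0C
#define HEAP_FORCE_FLAGS   0x10

/* What a debugger-created process shows on XP: the three FLG_HEAP_* bits in
 * NtGlobalFlag and the matching HEAP_* checking bits on the default heap. */
#define NTGLOBALFLAG_DEBUG_BITS 0x70u
#define HEAP_DEBUG_BITS         0x40000060u

static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static void     wr32(uint8_t *p, uint32_t v) { memcpy(p, &v, 4); }

/* Constructed image of a process that was started under a debugger. */
static void setup_debugged_image(uint8_t *mem) {
    memset(mem, 0, MEM_SIZE);
    mem[PEB_BASE + PEB_BEING_DEBUGGED] = 1;
    wr32(mem + PEB_BASE + PEB_PROCESS_HEAP, HEAP_BASE);
    wr32(mem + PEB_BASE + PEB_NTGLOBALFLAG, NTGLOBALFLAG_DEBUG_BITS);
    wr32(mem + HEAP_BASE + HEAP_FLAGS, 0x2u | HEAP_DEBUG_BITS); /* HEAP_GROWABLE + debug bits */
    wr32(mem + HEAP_BASE + HEAP_FORCE_FLAGS, HEAP_DEBUG_BITS);
}

/* The protector's side: each of the three fields independently betrays the debugger. */
static int protector_detects_debugger(const uint8_t *mem) {
    uint32_t heap = rd32(mem + PEB_BASE + PEB_PROCESS_HEAP);
    if (mem[PEB_BASE + PEB_BEING_DEBUGGED] != 0) return 1;
    if (rd32(mem + PEB_BASE + PEB_NTGLOBALFLAG) & NTGLOBALFLAG_DEBUG_BITS) return 1;
    if (rd32(mem + heap + HEAP_FORCE_FLAGS) != 0) return 1;
    return 0;
}

/* The script's "Erase debug bits" block, one statement per script line.
 * addr is the PEB base, which the quoted snippet leaves to the caller. */
static void erase_debug_bits(uint8_t *mem, uint32_t addr) {
    uint32_t temp;
    temp = rd32(mem + addr);          /* mov temp,[addr]                                */
    temp &= 0xFF00FFFFu;              /* and temp,0ff00ffff : zeroes byte +2 = BeingDebugged */
    wr32(mem + addr, temp);           /* mov [addr],temp                                */
    temp = rd32(mem + addr + 0x18);   /* add temp,18 ; mov temp,[temp] : ProcessHeap    */
    wr32(mem + temp + 0x10, 0);       /* add temp,10 ; mov [temp],0    : ForceFlags = 0 */
    wr32(mem + addr + 0x68, 0);       /* add temp,68 ; mov [temp],0    : NtGlobalFlag   */
    /* Caveat: _HEAP.Flags (+0x0C) is left alone by the script, so a check on
     * that field, or on a heap other than the default one, survives this. */
}

/* Encode the stub the script writes with mov [$RESULT],#...#:
 *   mov edi,edi / push ebp / [xor eax,eax] / pop ebp / ret imm16
 * imm16 = 4 * stdcall argument count so the caller's stack stays balanced.
 * Returns the stub length in bytes. */
static size_t make_ret_stub(uint8_t *out, unsigned nargs, int zero_eax) {
    size_t n = 0;
    uint16_t imm = (uint16_t)(nargs * 4);
    out[n++] = 0x8B; out[n++] = 0xFF;                    /* mov edi,edi                 */
    out[n++] = 0x55;                                     /* push ebp                    */
    if (zero_eax) { out[n++] = 0x33; out[n++] = 0xC0; }  /* xor eax,eax -> return 0/FALSE */
    out[n++] = 0x5D;                                     /* pop ebp                     */
    out[n++] = 0xC2;                                     /* ret imm16                   */
    out[n++] = (uint8_t)(imm & 0xFF);
    out[n++] = (uint8_t)(imm >> 8);
    return n;
}

/* Assumed form of a protector's import integrity check: many XP SP2 exports
 * begin with the hot-patchable prologue mov edi,edi / push ebp / mov ebp,esp.
 * The stub above, or a hiding plugin's JMP, no longer matches that pattern. */
static int prologue_is_modified(const uint8_t *entry) {
    static const uint8_t clean[] = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC };
    return memcmp(entry, clean, sizeof clean) != 0;
}

int main(void) {
    static uint8_t mem[MEM_SIZE];
    uint8_t stub[16];
    size_t i, n;

    setup_debugged_image(mem);
    printf("before erase: detected=%d\n", protector_detects_debugger(mem));
    erase_debug_bits(mem, PEB_BASE);
    printf("after erase:  detected=%d\n", protector_detects_debugger(mem));

    n = make_ret_stub(stub, 2, 1);   /* FindWindowA / CheckRemoteDebuggerPresent take 2 args */
    printf("FindWindowA stub: ");
    for (i = 0; i < n; i++) printf("%02X", stub[i]);
    printf("  modified prologue=%d\n", prologue_is_modified(stub));
    return 0;
}
```

Reading the stubs back with `make_ret_stub` is a quick sanity check on any such byte string before you write it into a live process: a wrong `ret` immediate leaves the caller's stack misaligned and produces exactly the kind of random "executing memory 0x00" crash the first post describes.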

  4. #4

    sage

    Giving the OP a premade solution does NOT free him of his burden of having to figure out what exactly it does!

  5. #5
    bodzcount
    Guest
    What you have written is one of the easiest and first things I have done. It worked for some older apps, but not for the new one I have right now.

    1. You forgot something in your script snippet.... [addr] = ?

    2. i tried that script already. Some EC apps give invalid handle errors, i guess because createthread .... other apps just freeze...

    3. when i use that script, i still need to have RemoteDebuggerPresent or QueryInformationProcess in OllyAdvanced checked... I guess the script can be improved here...

    any hints will be appreciated
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  6. #6
    "Hi,
    i am using ollydbg with antidetectolly 2.2.4. My problem is that i can run execryptor files only in about 1 of 5 attemps. Everytime I get different errors, executing memory 0x00 etc...
    "

    You need to elaborate in your original post as mentioned before. Your post does not suggest you tried any outside methods besides ready built plugins. How can anyone here know what you have tried and not tried? Next, you did not understand my original post:

    "1. you forgot something in your script snipped.... [addr] = ?"
    I did not forget anything. I pasted that snippet to show the debug bits it was looking for and I mentioned to use OllyAdvanced to bypass. The only portion of the script you need to use is the find#bytes# portion standalone. The rest you can do with alt+b/plugs. I also included the script name that I pasted from. This is obvious.

    2. "i tried that script already. Some EC apps give invalid handle errors, i guess because createthread .... other apps just freeze..."
    See below.

    "3. when i use that script, i still need to have RemoteDebuggerPresent or QueryInformationProcess in OllyAdvanced checked... I guess the script can be improved here..."
    So what? Want it to lather your balls in lotion for you? Update the script and release a new one. Also if you googled what I googled in my original post you will find haggar released 4 tutorials which include this:
    ExeCryptor 2.3.9 - Unpacking
    ExeCryptor 2.2.50 - Unpacking MSVC++ target
    ExeCryptor official crackme
    ExeCryptor 2.2.4


    I mentioned in my previous post to seek the tutorial:

    "***Check out unpack.cn and search for a recent tutorial for execryptor
    ExeCryptor_2[1].2.x_-_2.3.x_Unpacking_tutorial_-_By_EvOlUtIoN

    That is in my opinion one of the most excellent contributions related to this wrapper around. It also will solve any antidebug issues."

    Now if you go to this tutorial you will find the following:

    "Appendix B: How to run target on debugger"

    He mentions tricks above, + he uses HIDEOD.dll instead of ollyadvanced. For your #2 question, however, you can see an entire page or two dedicated to the threads.
    "1. How a thread is created?"
    "2. How to avoid its creation?"
    "...Latest versions of EC uses some "events" during the program
    execution...So problem is EC want to control the thread alive..."


    Interestingly enough, there is not anything in this post that was not in the original post. Have fun unpacking, if the post helped reply DONGS or thanks (:

  7. #7

    sage

    Quote Originally Posted by bodzcount View Post
    what you have written are one of the easiest and first things i have done. it worked for some older apps, but not for the new one i have right now.

    1. you forgot something in your script snipped.... [addr] = ?

    2. i tried that script already. Some EC apps give invalid handle errors, i guess because createthread .... other apps just freeze...

    3. when i use that script, i still need to have RemoteDebuggerPresent or QueryInformationProcess in OllyAdvanced checked... I guess the script can be improved here...

    any hints will be appreciated
    Once again, you are reminded that trying to use a premade solution is NOT the right thing to do! Actually think, carefully, about what your program is doing and figure it out from there.

  8. #8

    hm

    guess the hints weren't appreciated heh.

  9. #9
    DONGS
    DONGS
    DONGS
    DONGS

    LLXX
    sage
    Quote:
    Originally Posted by bodzcount
    what you have written are one of the easiest and first things i have done. it worked for some older apps, but not for the new one i have right now.

    1. you forgot something in your script snipped.... [addr] = ?

    2. i tried that script already. Some EC apps give invalid handle errors, i guess because createthread .... other apps just freeze...

    3. when i use that script, i still need to have RemoteDebuggerPresent or QueryInformationProcess in OllyAdvanced checked... I guess the script can be improved here...

    any hints will be appreciated


    Once again, you are reminded that trying to use a premade solution is NOT the right thing to do! Actually think, carefully, about what your program is doing and figure it out from there.
    WOODMANN SAYS : Of what purpose is your comment?
    You have offered nothing. I can spout while offering nothing, it has been established that I don't know shit about anything.
    You on the other hand come here and "PRETEND" to offer something but never do. You use the term "sage" as if you have knowledge that none of us will ever have the chance to know.

    I, woodmann, do readily admit that I don't know shit. I, woodmann, would never spout shit that I have no idea about.
    I, woodmann, have never made statements that I could never support without proven fact.

    I, woodmann, have presented this information of my own free will. I am a retard, for the lack of a better word.
    I, woodmann have offered nothing to the world of RCE that I, MYSELF, consider worthy of the community.
    Why don't you, LLXX, from now on, provide facts to support any statement you may make in the future.
    I, woodmann, will hereby swear to support any statements I make on the woodmann.com forums with facts.
    Those facts may be my own or from others but I will always provide relevant information to back up any statements.

    Woodmann
    Last edited by Woodmann; October 29th, 2007 at 23:14. Reason: no reason

  10. #10
    Quote Originally Posted by Woodmann View Post
    Of what purpose is your comment?
    I'm telling him to think over the problem carefully instead of complaining about a premade script.
    You use the term "sage" as if you have knowledge that none of us will ever have the chance to know.
    Only if you never take the effort to find out -- http://en.wikipedia.org/wiki/Sage_(Internet) there you go.
    Why dont you, LLXX, from now on, provide facts to support any statement you may make in the future.
    I've always been supporting my claims with evidence, even though said "facts" may be subtle and not immediately obvious.

  11. #11

    hmm

    Depending on the circumstances it is better to reply to threads with an answer for cracking faq. In this case execryptor is a popular topic in re. Using the search function is everyone’s friend, but when search results are plagued with forum replies which contain "read the faq, rtfm, dig deeper, figure it out, your question isn’t good enough" (which are most times well deserved replies), it really doesn’t make a nice archive for any of us in the long run when we go to do our own research.

    I find on a case by case basis that some threads are worth replying to even if the original post was not necessarily a quality post, but the topic was worth discussing; hence, without trying to disrespect the rules of the board/admins I will answer a question regardless, for the topic itself. imo, this is where a good quality forum of information is created. My intent is not necessarily to help the poster, but to help everyone who ever searches this thread in the future. We can all hold our head high and our nose higher because we know the answers, but when starting off, it's a lot harder to figure out. In this case I know it's a common topic on unpacking forums, but has not been brought up on this board in some time, particularly with the updated information that was replied.

    I Sab, support all of my claims made in this forum and every sub forum thereof, with respect to all transmissions public and private, that I will support all evidence as does one to one, using the support of (but not limited to): bullshit, fluff, DONGS, useless replies, postwhoring, and just enough information to reaffirm the poster has a problem...

  12. #12
    Quote Originally Posted by Sab View Post
    Depending on the circumstances it is better to reply to threads with an answer for cracking faq. In this case execryptor is a popular topic in re. Using the search function is everyone’s friend, but when search results are plagued with forum replies which contain "read the faq, rtfm, dig deeper, figure it out, your question isn’t good enough" (which are most times well deserved replies), it really doesn’t make a nice archive for any of us in the long run when we go to do our own research.
    If the OP is having intermittent problems, then obviously something is wrong on his machine. Seeing as he doesn't seem to want to pursue the problem any further nor post what he had done to solve the problem had he done so, I think this thread is now a dead end.

    /thread

  13. #13

    hmmm

    clap.. clap... figure that all out by yourself?

    /useless

  14. #14
    dELTA
    Administrator
    LLXX, just STFU, ok? If anyone made this thread a dead end, it was you, as usual...
    "Give a man a quote from the FAQ, and he'll ignore it. Print the FAQ, shove it up his ass, kick him in the balls, DDoS his ass and kick/ban him, and the point usually gets through eventually."

