
Thread: EXECryptor (Latest version) dump fixing

  1. #16
    Nope, it isn't unpacked, nor is that the OEP.
    First you have to dump the program from memory and try to figure out what compiler it is. After that you may break at certain parts of the code close to the OEP and dump the code.

  2. #17
    rockdh
    Can you help me with this?
    I have put a lot of effort into trying to unpack this program.
    Please help me, sir.

  3. #18
    Use IDA and signatures to locate code generated by compilers. Then you may find the OEP by looking at the code. ExeCryptor also unpacks the executable in the TLS callback, so when you get out of it, you may dump the application and start searching for the OEP using signatures in IDA. Of course, you may only find some spot close to the OEP, because some bytes from the OEP are stolen and morphed.

  4. #19
    rockdh
    What do you mean by "use IDA and signatures"?
    I can enter the TLS callbacks using NtGlobalFlag, right?
    What do you mean by "get out of it"?

    Please check your PM.

    Regards,

    david howie

  5. #20
    Quote Originally Posted by rockdh
    What do you mean by "use IDA and signatures"?
    In IDA -> Shift+F5, then you select either the signatures for Borland or MSVC, depending on your target. If it is VB, then finding the OEP is nothing more than using a bpx at msvbvm6/50!ThunRtMain.

    Quote Originally Posted by rockdh
    I can enter the TLS callbacks using NtGlobalFlag, right?
    What do you mean by "get out of it"?
    Dunno about NtGlobalFlag; I use my loader to do that for me. Please check the ARTeam ezine (http://ezine.accessroot.com), I wrote a small txt on how to get in/out of the TLS callback.

  6. #21
    rockdh
    I have entered the TLS callbacks, and the last command I see before the 0000s is a JMP.
    I followed that jump and I think that I'm close to the OEP.
    Please check the attached pictures.
    The first one is the final jump I saw and the second is after I follow the jump.

    MORE USELESS CODE REMOVED

  7. #22
    rockdh
    Picture 2

    AND EVEN MORE USELESS CODE REMOVED

  8. #23
    Man, get out of the TLS callback, or simply dump the app while it is running, load the dump in IDA and apply signatures, and find something that must be called close to the OEP. Analyze the logic of the compiler and you will find a place close to the OEP where a hook can be applied and where the target may be dumped.

    The pictures that you have posted are not useful at all: the first one is the entry of the TLS callback, the second one is still the TLS callback...

  9. #24
    rockdh
    I've been trying, and the dump finally loaded in IDA (40.5 MB) because I wanted it to disassemble fully.
    Then I used the signatures and found this:

    Code:
    CODE:00403B34 ; ---------------------------------------------------------------------------
    CODE:00403B34                 push    ebp                                              
    CODE:00403B35                 mov     ebp, esp
    CODE:00403B37                 add     esp, 0FFFFFFF4h
    CODE:00403B3A                 movzx   eax, ds:word_4C6024
    CODE:00403B41                 mov     [ebp-8], eax
    CODE:00403B44                 lea     eax, [ebp-4]
    CODE:00403B47                 push    eax
    CODE:00403B48                 push    1
    CODE:00403B4A                 push    0
    CODE:00403B4C                 push    offset aSoftwareBorlan ; "SOFTWARE\\Borland\\Delphi\\RTL"
    CODE:00403B51                 push    80000002h
    CODE:00403B56                 call    sub_401384
    CODE:00403B5B                 test    eax, eax
    CODE:00403B5D                 jnz     short loc_403BAC
    CODE:00403B5F                 xor     eax, eax
    CODE:00403B61                 push    ebp
    CODE:00403B62                 push    offset loc_403BA5
    CODE:00403B67                 push    dword ptr fs:[eax]
    CODE:00403B6A                 mov     fs:[eax], esp
    CODE:00403B6D                 mov     dword ptr [ebp-0Ch], 4
    CODE:00403B74                 lea     eax, [ebp-0Ch]
    CODE:00403B77                 push    eax
    CODE:00403B78                 lea     eax, [ebp-8]
    CODE:00403B7B                 push    eax
    CODE:00403B7C                 push    0
    CODE:00403B7E                 push    0
    CODE:00403B80                 push    offset aFpumaskvalue ; "FPUMaskValue"
    CODE:00403B85                 mov     eax, [ebp-4]
    CODE:00403B88                 push    eax
    CODE:00403B89                 call    sub_40138C
    CODE:00403B8E                 xor     eax, eax
    CODE:00403B90                 pop     edx
    CODE:00403B91                 pop     ecx
    CODE:00403B92                 pop     ecx
    CODE:00403B93                 mov     fs:[eax], edx
    CODE:00403B96                 push    offset loc_403BAC
    CODE:00403B9B
    CODE:00403B9B loc_403B9B:                             ; CODE XREF: CODE:00403BAAj
    CODE:00403B9B                 mov     eax, [ebp-4]
    CODE:00403B9E                 push    eax
    CODE:00403B9F                 call    sub_40137C
    CODE:00403BA4                 retn
    CODE:00403BA5 ; ---------------------------------------------------------------------------
    CODE:00403BA5
    CODE:00403BA5 loc_403BA5:                             ; DATA XREF: CODE:00403B62o
    CODE:00403BA5                 jmp     loc_404418
    CODE:00403BAA ; ---------------------------------------------------------------------------
    CODE:00403BAA                 jmp     short loc_403B9B
    CODE:00403BAC ; ---------------------------------------------------------------------------
    CODE:00403BAC
    CODE:00403BAC loc_403BAC:                             ; CODE XREF: CODE:00403B5Dj
    CODE:00403BAC                                         ; DATA XREF: CODE:00403B96o
    CODE:00403BAC                 mov     ax, ds:word_4C6024
    CODE:00403BB2                 and     ax, 0FFC0h
    CODE:00403BB6                 mov     dx, [ebp-8]
    CODE:00403BBA                 and     dx, 3Fh
    CODE:00403BBE                 or      ax, dx
    CODE:00403BC1                 mov     ds:word_4C6024, ax
    CODE:00403BC7                 mov     esp, ebp
    CODE:00403BC9                 pop     ebp
    CODE:00403BCA                 retn
    CODE:00403BCA ; ---------------------------------------------------------------------------
    CODE:00403BCB                 align 4
    CODE:00403BCC aSoftwareBorlan db 'SOFTWARE\Borland\Delphi\RTL',0 ; DATA XREF: CODE:00403B4Co
    CODE:00403BE8 aFpumaskvalue   db 'FPUMaskValue',0     ; DATA XREF: CODE:00403B80o
    CODE:00403BF5                 align 4
    CODE:00403BF8
    CODE:00403BF8 ; =============== S U B R O U T I N E =======================================
    CODE:00403BF8
    CODE:00403BF8
    CODE:00403BF8 sub_403BF8      proc near               ; CODE XREF: sub_40469C-518p
    CODE:00403BF8                                         ; sub_41F8F4-1B64Ap ...
    CODE:00403BF8                 fninit
    CODE:00403BFA                 wait
    CODE:00403BFB                 fldcw   ds:word_4C6024
    CODE:00403C01                 retn
    CODE:00403C01 sub_403BF8      endp
    CODE:00403C01
    CODE:00403C01 ; ---------------------------------------------------------------------------
    CODE:00403C02                 align 4
    CODE:00403C04
    CODE:00403C04 ; =============== S U B R O U T I N E =======================================
    CODE:00403C04
    CODE:00403C04
    CODE:00403C04 sub_403C04      proc near               ; CODE XREF: sub_410DC0+E2p
    CODE:00403C04                                         ; sub_410DC0+103p ...
    CODE:00403C04                 mov     al, 4
    CODE:00403C06                 jmp     sub_4028E8
    CODE:00403C06 sub_403C04      endp
    CODE:00403C06
    CODE:00403C0B ; ---------------------------------------------------------------------------
    CODE:00403C0B                 retn
    CODE:00403C0C
    CODE:00403C0C ; =============== S U B R O U T I N E =======================================
    CODE:00403C0C
    CODE:00403C0C
    CODE:00403C0C sub_403C0C      proc near               ; CODE XREF: sub_416C48+Cp
    CODE:00403C0C                                         ; sub_41AE08+5Dp ...
    CODE:00403C0C                 mov     eax, [eax]
    CODE:00403C0E                 mov     edx, eax
    CODE:00403C10                 mov     eax, edx
    CODE:00403C12                 retn
    CODE:00403C12 sub_403C0C      endp
    CODE:00403C12
    CODE:00403C12 ; ---------------------------------------------------------------------------
    CODE:00403C13                 align 4
    CODE:00403C14
    CODE:00403C14 ; =============== S U B R O U T I N E =======================================
    So I thought that the OEP is somewhere between 00403B34 and 00403BA5, so I opened the target again in Olly and used NtGlobalFlag to break at the TLS callbacks.

    Then I ran a search for the following strings:

    Code:
    01E1899F   33C0             XOR EAX,EAX
    01E189A1   5A               POP EDX
    01E189A2   59               POP ECX
    01E189A3   59               POP ECX
    01E189A4   64:8910          MOV DWORD PTR FS:[EAX],EDX
    I found them, and also two PUSH EBPs when I scrolled up.
    Could this be somewhere close to the OEP?

    I've made a lot of progress, thanks to deroko.
    Last edited by rockdh; July 14th, 2006 at 21:54.

  10. #25
    It looks like you're somewhere inside of Borland's Delphi Run-time Library. 403b34 looks like it might be it.

  11. #26
    rockdh
    Quote Originally Posted by LLXX
    It looks like you're somewhere inside of Borland's Delphi Run-time Library. 403b34 looks like it might be it.
    I dumped it there at the code you pointed out (in OllyDbg it's 01E1892B) with "Rebuild Import" in OllyDump.

    What next?

  12. #27
    Now find the InitExe signature and dump there. But you have to break on InitExe to get the value of EAX (Delphi code), and you have to see where InitExe will take you, since it is called from morphed code. So you assemble something like this later in the dump:

    Code:
    mov eax, magic_value
    push ret_address
    jmp __InitExe

  13. #28
    rockdh
    So the first dump I just made is useless?
    How do I break on InitExe?

  14. #29
    That's why you need the dump to find it; then load the app and set a bpx on it after the TLS callback gets executed! That's when ExeCryptor's code is decrypted and you may set a BPX on that procedure without a problem.

  15. #30
    rockdh
    I assembled the following in some empty space:

    Code:
    004C6000     B8 AEE2C802                             MOV EAX,02C8E2AE
    004C6005     68 9F1AC902                             PUSH 02C91A9F
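The two mechanical steps the thread keeps coming back to (find the TLS callback so you know where to break before dumping, then write the `mov eax, magic / push ret / jmp InitExe` stub into free space of the dump and point the entry point at it) can be done offline against the dumped file. The script below is an added example, not code from the thread or from ExeCryptor/OllyDump. The sample PE it builds, the stub address 0x401800, the InitExe address 0x401400 and the use of rockdh's magic/return values are assumptions for illustration; on a real dump you would pass the addresses you found in IDA and OllyDbg.

```python
import struct

# Added example: minimal PE32 plumbing to (1) list the TLS callbacks that run before
# the entry point and (2) install the InitExe stub in a dump. Addresses below are
# illustrative, not values from a real target.

def pe_headers(data):
    """Return (opt_off, sections) for a PE32 file; sections are (va, vsize, rawptr, rawsize)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt_off = e_lfanew + 24
    if struct.unpack_from("<H", data, opt_off)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled")
    sections = []
    for i in range(nsec):
        _, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt_off + opt_size + 40 * i)
        sections.append((va, vsize, rawptr, rawsize))
    return opt_off, sections

def rva_to_offset(sections, rva):
    """Map an RVA to a file offset through the section table."""
    for va, vsize, rawptr, rawsize in sections:
        if va <= rva < va + max(vsize, rawsize):
            return rawptr + (rva - va)
    raise ValueError(f"RVA {rva:#x} is not backed by any section")

def image_base(data):
    opt_off, _ = pe_headers(data)
    return struct.unpack_from("<I", data, opt_off + 28)[0]

def entry_point_rva(data):
    opt_off, _ = pe_headers(data)
    return struct.unpack_from("<I", data, opt_off + 16)[0]

def tls_callbacks(data):
    """VAs in the TLS callback array (data directory 9): where the packer runs first."""
    opt_off, sections = pe_headers(data)
    base = image_base(data)
    tls_rva, _ = struct.unpack_from("<II", data, opt_off + 96 + 9 * 8)
    if tls_rva == 0:
        return []
    # IMAGE_TLS_DIRECTORY32.AddressOfCallBacks is the 4th DWORD and holds a VA, not an RVA
    cb_va = struct.unpack_from("<I", data, rva_to_offset(sections, tls_rva) + 12)[0]
    off, result = rva_to_offset(sections, cb_va - base), []
    while True:
        va = struct.unpack_from("<I", data, off)[0]
        if va == 0:
            break
        result.append(va)
        off += 4
    return result

def build_stub(stub_va, magic, ret_va, initexe_va):
    """Encode: mov eax, magic ; push ret_va ; jmp initexe_va (15 bytes of x86-32)."""
    rel32 = (initexe_va - (stub_va + 15)) & 0xFFFFFFFF   # E9 is relative to the end of the jmp
    return (b"\xB8" + struct.pack("<I", magic)
            + b"\x68" + struct.pack("<I", ret_va)
            + b"\xE9" + struct.pack("<I", rel32))

def install_stub(data, stub_va, magic, ret_va, initexe_va):
    """Write the stub into empty space of the dump and make it the new entry point."""
    data = bytearray(data)
    opt_off, sections = pe_headers(data)
    base = image_base(data)
    off = rva_to_offset(sections, stub_va - base)
    stub = build_stub(stub_va, magic, ret_va, initexe_va)
    if any(data[off:off + len(stub)]):
        raise ValueError("chosen location is not empty; pick other free space")
    data[off:off + len(stub)] = stub
    struct.pack_into("<I", data, opt_off + 16, stub_va - base)
    return bytes(data)

def make_sample_pe():
    """Constructed toy PE32 (one section, one TLS callback); not a real dump."""
    base, sec_va, sec_raw, sec_size = 0x400000, 0x1000, 0x200, 0x1000
    hdr = bytearray(sec_raw)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = 0x58
    struct.pack_into("<H", hdr, opt, 0x10B)
    struct.pack_into("<I", hdr, opt + 16, 0x1300)              # packer's entry point
    struct.pack_into("<I", hdr, opt + 28, base)                # ImageBase
    struct.pack_into("<I", hdr, opt + 56, sec_va + sec_size)   # SizeOfImage
    struct.pack_into("<I", hdr, opt + 92, 16)                  # NumberOfRvaAndSizes
    struct.pack_into("<II", hdr, opt + 96 + 9 * 8, 0x1100, 24) # TLS data directory
    struct.pack_into("<8sIIII", hdr, opt + 224, b"CODE", sec_size, sec_va, sec_size, sec_raw)
    sec = bytearray(sec_size)
    # IMAGE_TLS_DIRECTORY32 at RVA 0x1100; callback array at VA base+0x1200 -> [base+0x1300, 0]
    struct.pack_into("<IIIIII", sec, 0x100, 0, 0, base + 0x1120, base + 0x1200, 0, 0)
    struct.pack_into("<II", sec, 0x200, base + 0x1300, 0)
    return bytes(hdr + sec)

if __name__ == "__main__":
    pe = make_sample_pe()
    print("TLS callbacks:", [hex(v) for v in tls_callbacks(pe)])
    fixed = install_stub(pe, 0x401800, 0x02C8E2AE, 0x02C91A9F, 0x401400)
    print("new entry point RVA:", hex(entry_point_rva(fixed)))
```

`tls_callbacks` gives the addresses to put a breakpoint on (or to step out of) before taking the dump; `install_stub` is the file-level equivalent of assembling the three instructions in OllyDbg and then setting the dump's entry point to them, with a check that the chosen "empty space" really is empty. Imports are not touched here; that is still OllyDump/ImpREC's job, as in the thread.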
