Execryptor 2.2.50 |
||
Data |
by "Pnluck", "Saturn" e "LittleLuk" |
|
11/11/2005 |
Published by Quequero |
|
Venghino signori, l'é vero, che qui ci sono |
Annamo
al massimo, annamo a gonfie vele - Pnluck |
<<checosa c'è??>> |
.... |
|
.... |
Difficolt� |
(X)NewBies (X)Intermedio ( )Avanzato ( )Master |
Introduzione |
Tools usati |
URL o FTP del programma |
Essay |
About EXECryptor
To view somethings about Execryptor visit http://www.strongbit.com/execryptor.asp
(most of these techniques are applied through the use of thread)
About Reversing
stuff detection
Execryptor uses a lot of tricks to detect ollydbg, and other tools (like softice,
filemon, regmon, etc..).This is possible, because Execryptor makes a lot of
thread , withus it does a continuous control. For example, isn't possible
uses at the same time ollydbg or filemon(not pached) with a software protected
by Execryptor.
Those problem is possible resolve with RE-pair 0.6(for regmon, filemon) and
AntidetectOllyPatch (for Olly)
About R3 degugger
detection
Execryptor uses some trick to verify if he is debugged:
004XXXXX MOV EAX,DWORD PTR FS:[30] ;fs:[30] return the PEB address ... 004XXXXX ADD EAX,2 ; PEB+2 is beingdebug memory address 004XXXXX MOV EAX,DWORD PTR DS:[EAX] ; AL maybe 0(not debug) or 1(debug present) ... 004XXXXX OR AL,AL 004XXXXX JE UnPackMe.004F2C67
004XXXXX MOV EAX,DWORD PTR FS:[18] ; fs:[18] return the TEB address ... after some operation 004XXXXX MOV EAX,DWORD PTR [EAX+30] ;TEB+0x30 return the PEB address .... after some operation 004XXXXX MOV EAX, DWORD PTR[EAX+18] ;PEB+0x18 retunr the ProcessHeap address 004XXXXX CMP DWORD PTR DS:[EAX+10],0 ;EAX+10 maybe 0(not debug) or other values (debug present)
004XXXXX MOV EAX,DWORD PTR FS:[30] ;fs:[30] return the PEB address 004XXXXX ADD EAX,8E4180C9 004XXXXX ADD EAX,71BE7F9F ;EAX = PEB+0X68 : address of NtGlobalFlag 004XXXXX MOV EAX,DWORD PTR DS:[EAX] ; NtGlobalFlag maybe 0x70(debug present) or 0
004XXXXX MOV ECX,ESP 004XXXXX ADD ECX,10 004XXXXX MOV ECX,DWORD PTR DS:[ECX] ;point to Context of software 004XXXXX MOV DWORD PTR DS:[ECX],10013 ;change the context flags ... 00524C5F ADD ECX,18 ;ECX = Debug Register 7 00524C65 MOV AL,BYTE PTR DS:[ECX] 00524C67 ADD ECX,9C ;ECX = EBP register 00524C6D ADD BYTE PTR DS:[ECX],AL 00524C6F ADD ECX,4 ;ECX = EIP register 00524C75 MOV DWORD PTR DS:[ECX],UnPackMe.00522929 ;Set the eip after the seh handler .... 0052068E XOR EAX,EAX ;EAX = 0 : fixed exception 00520690 POP ECX 00520691 RETNThis is the simplest version of seh handler, beacause in other Execryptor controls also the DB register, from 0 to 3 to verify the presence of HD bp and react, therefore use memory bp.
7C81082F >MOV EDI,EDI 7C810831 PUSH EBP 7C810832 MOV EBP,ESP 7C810834 PUSH DWORD PTR SS:[EBP+1C] 7C810837 PUSH DWORD PTR SS:[EBP+18] 7C81083A PUSH DWORD PTR SS:[EBP+14] 7C81083D PUSH DWORD PTR SS:[EBP+10] 7C810840 PUSH DWORD PTR SS:[EBP+C] <-- change with JMP to_empty_space 7C810843 PUSH DWORD PTR SS:[EBP+8] 7C810846 PUSH -1 7C810848 CALL kernel32.CreateRemoteThread 7C81084D POP EBP 7C81084E RETN 18 At empty space 7CXXXXXX MOV DWORD PTR SS:[EBP+C],4 <-- Set the thread to Suspend mode 7CXXXXXX PUSH DWORD PTR SS:[EBP+C] 7CXXXXXX PUSH DWORD PTR SS:[EBP+8] 7CXXXXXX JMP kernel32.7C810846
004F181D STOS BYTE PTR ES:[EDI] 004F181E JMP SHORT UnPackMe.004F1809Step beyond the jmp, and find a "cmp ecx,2", because this istruction is the end of decopressing proc:
004F1809 XOR EAX,EAX 004F180B CALL UnPackMe.004F1921 ... 004F18A2 MOV ECX,EAX 004F18A4 INC ECX 004F18A5 INC ECX 004F18A6 POP EAX 004F18A7 OR EAX,EAX 004F18A9 JE SHORT UnPackMe.004F18AF 004F18AB MOV EBX,EAX 004F18AD JMP SHORT UnPackMe.004F190D 004F18AF CMP ECX,2 <-- If ecx = 2 : end of decripting 004F18B2 JE SHORT UnPackMe.004F191ASet a bp on this istruction, push alt+f9 till ecx = 2 and again 3. Now re-set the bp-on-access and remove the bp on "cmp ecx,2", push alt+f9, if there are exception push always alt+f9, and we'll break at the Oep. Here we can have stolen bytes or not, the difference is visible to eye.
No stolen |
With Stolen |
004271B0 PUSH EBP <-- OEP 004271B1 MOV EBP,ESP 004271B3 PUSH -1 004271B5 PUSH UnPackMe.00450E60 004271BA PUSH UnPackMe.004292C8 004271BF MOV EAX,DWORD PTR FS:[0] 004271C5 PUSH EAX 004271C6 MOV DWORD PTR FS:[0],ESP 004271CD ADD ESP,-58 004271D0 PUSH EBX 004271D1 PUSH ESI 004271D2 PUSH EDI 004271D3 MOV DWORD PTR SS:[EBP-18],ESP |
004271B0 JMP UnPackMe.00484321 004271B5 POP EAX 004271B6 ROL EAX,18 004271B9 JMP UnPackMe.0046C000 004271BE JO SHORT UnPackMe.004271D2 004271C0 INS BYTE PTR ES:[EDI],DX 004271C1 NOP 004271C2 XOR BL,BYTE PTR DS:[EDI] 004271C4 IN EAX,DX 004271C5 PUSH EAX <--Ipotetic OEP 004271C6 MOV DWORD PTR FS:[0],ESP 004271CD ADD ESP,-58 004271D0 PUSH EBX 004271D1 PUSH ESI 004271D2 PUSH EDI 004271D3 MOV DWORD PTR SS:[EBP-18],ESP |
This is the stack at Ipotetic OEP 0012FFB4 004292C8 UnPackMe.004292C8 0012FFB8 00450E60 UnPackMe.00450E60 0012FFBC FFFFFFFF 0012FFC0 0012FFF0 0012FFC4 7C816D4F RETURN to kernel32.7C816D4F <- Addr of ExitProcessDump the progie without rebuild the iat, and analyze this with RDG: is VC5.
004271B0 PUSH EBP <-- Set new origin here
004271B1 MOV EBP,ESP
004271B3 PUSH -1
004271B5 PUSH UnPackMe.00450E60
004271BA PUSH UnPackMe.004292C8
004271BF PUSH DWORD PTR FS:[0]
004271C6 MOV DWORD PTR FS:[0],ESP
004271CD ADD ESP,-58
Now redump with
the option of iat rebuild, open the progie with cff
or another PE editor, change in Optional Header the base of code to 1000
and delete the Tls directory 00486AA4 PUSH 2270D522 00486AA9 POP EAX .... 0048B26C ADD EAX,170A76E0 0048B272 SUB EAX,2A3E4C14 0048B278 ADD EAX,CBC09743 0048B27E SUB EAX,F5B509BF .... 0046F37C ADD EAX,80B01ADE ;EAX is the hash of api MOV right_buffer, EAX
START: ;proc which generate the hash for api's name 00479416 MOV EAX,DWORD PTR SS:[EBP-C] ;ebp-c = offset name_of_Api 00479419 MOVZX EAX,BYTE PTR DS:[EAX] ;in eax there are a char TEST EAX,EAX JE END1 ... jmps ... 004851EE ADD DWORD PTR SS:[EBP-8],EAX 004851F1 MOV EAX,DWORD PTR SS:[EBP-8] 004851F4 SHL EAX,0A 004851F7 ADD DWORD PTR SS:[EBP-8],EAX 004851FA MOV EAX,DWORD PTR SS:[EBP-8] 004851FD SHR EAX,6 00485200 XOR DWORD PTR SS:[EBP-8],EAX 00485203 INC DWORD PTR SS:[EBP-C] JMP START .. ebp-8 = buffer of generate_hash.. END1: 00480044 MOV EAX,DWORD PTR SS:[EBP-8] 00480047 SHL EAX,3 .... 004714BF >ADD DWORD PTR SS:[EBP-8],EAX 004714C2 >MOV EAX,DWORD PTR SS:[EBP-8] 004714C5 >SHR EAX,0B 004714C8 >XOR DWORD PTR SS:[EBP-8],EAX ... 0048D6FE MOV EAX,DWORD PTR SS:[EBP-8] ... 004793FF SHL EAX,0F 00479402 ADD DWORD PTR SS:[EBP-8],EAX 00479405 MOV EAX,DWORD PTR SS:[EBP-8] ... CMP EAX,right_buffer JNZ NEXT_API
004271D6 CALL DWORD PTR DS:[460ADC] ; UnPackMe.00484466and this is the call after the calling:
004271D6 CALL DWORD PTR DS:[460ADC] ; kernel32.GetVersion
Note finali |
Grazie ai forum Uic e Arteam, Ntoskrnl, Quake2, Quequero, AndreaGeddon il primo ad unpackare execryptor, Shub, Silent, SataNik, LonelyWolf, Zairon, Active85k e tutti i membri di Pmode e Uic
Disclaimer |
Vorrei ricordare che il software va comprato e non rubato, ma cmq potete scaricare na demo di trenta giorni: analizzarla, farle delle modifiche a piacere ed usarla quanto pi� vi piace ;)