unknown protection?

[BOSCH]

Hi my friends,can someone tell me what kind protection use this aplication?

[LCF-AT]

Hi,

it´s ExeCryptor.You can use the RC2 unpacker to unpack it.Choose the option Copy / Paste original IAT in Dump and let it unpack.

greetz

[BOSCH]

Believe me LCF-AT i done exactly this that you say to me yestereday night!But if you see is stay packed!!!Correct me if i am wrong... And give me the unpacked file if you can...

[LCF-AT]

Hi,

1. Unpack this file with the RC2 unpacker / choose copy / paste IAT...
2. Some APIs are there and some are using direct addresses to trace.
3. Now load this dump in Olly you are at the OEP.
4. Use the EXECryptor 2.x IAT rebuilder by PE Kill / enter IAT start & end.
5. Let run the script till finished.All APIs are there now.
6. Attach in ImpRec.Enter data OEP IAT start & Size.
7. Save the infos as tree.txt file.
8. Load the unpacked file in Olly
9. Attach file in ImpRec & load the tree.txt file.
10. Just fix your file now.All APIs are to read now.
11. etc...

greetz

[BOSCH]

Can you please post the script?I can't find in google,all is i chinese!

[LCF-AT]

[BOSCH]

LCF-AT in the begin the script run perfectly,but sometime ollydbg show me an error:"Don't know how to step because memory at address 00000011 is not readable.Try to change EIP or pass exception to program"... What i am doing wrong?

[LCF-AT]

Hi,

script is working till the end.
Set your Olly custom exceptions to 00000000-FFFFFFFF then try it again.

greetz

EDIT: Don´t forget to patch the CRC checks in this unpacked {2.4.1 EC version}file.If you not patch then you will get the "File corrupted" message {sooner or later}.It´s better to do this so then you can debug the unpacked file without to get any problems.

[BOSCH]

Hi LCF-AT,can you please be more specific in CRC patching,how i can do it that?I scan the unpacked with peid and cryptoanalyzer,but this aplication have many references CRC's!I need your help and i apreciate it untill now all that you told to me! Yes,aplication must patching the CRC because i have problem when i try to set breakpoint's.
EDIT:Which ollydbg modification you use it?

[LCF-AT]

Hi BOSCH,

CRC´s 2.4.x

[BOSCH]

LCF-AT,i done this that you told me in olly,search for all commands setnz byte ptr [ebp-9] but olly find just SETNE BYTE PTR [EBP-9] and it is one!All this i suppose in unpacked with execryptor unpacker file.Correct me please anything that i do wrong...
EDIT:this crc's 2.4.x how did you find it?And i say which version you use it,because maybie my olly,have some plugin's activated which make olly crash!When run the script the plugins must be activated???

[LCF-AT]

Hi,

yes SETNE is right.setnz is the same its like JNE / JNZ you know.

[BOSCH]

Ok LCF-AT i will unpack it!But if you want and you agree with me sometime give us a tutorial unpacking with this protection if you can...It will be very nice!!!! Just a little suggestion...

[LCF-AT]

Hi,

just some info for you.Look the pic.

[BOSCH]

Now,look LCF-AT what you done to me! Now tell me how do you activated?Do you unpack it,or just you patch the original?Please at least give me this a link for this tutorials because it is a little dificult to find them all...Thank you again!