Execryptor 2. x secondary encryption, no KEY shelling

Execryptor 2. x secondary encryption, no KEY shelling

First of all, we would like to thank shoooo, forgot, and fly for their guidance.

The original trial is a XX server of XX, which is a little large and cannot be uploaded. Please leave a message if necessary.
You can replace it with a small program written by abest in the attachment to practice shelling (because it is not a secondary encryption, so IAT needs to be repaired ).
Asp? Boardid = 4 & id = 827 & star = 1 #827 "> http://www.cracking.com.cn/dispbbs.asp? Boardid = 4 & id = 827 & star = 1 #827

The following process is written based on the process of removing the server.
Known:
1. This is encrypted twice and does not use the SDK.
2. Compiled by VC

Step0. erase the TLS table
Use lord-PE to set all TLS items in the data directory (Directories) to 0, and then save.
Note: tls callback address and tls callback index cannot be set to 0 !!!! (Why? I Dont Know)

BTW: This "secret" is broadcast by forgot.

Step1.
After step 0, you do not need to set the OD to stop at the system breakpoint (set to stop at EP ). in addition, you don't need to worry about the "Flying knife" in TLS. however, a "nuclear weapon" ---- advencedolly plug-in is required. with this plug-in, EXEC's anti can be all over.

However, hideOD can be used for shelling this time. Because we do not have a KEY, we cannot run the back, nor do we need to run the back. Therefore, many anti-attacks are useless.

Step2.
The steps are actually very simple. After the above preparations, load them with OD to ignore all exceptions:

0BB8CE4E> E8 F7FEFFFF call 0BB8CD4A
0BB8CE53 05 07480000 add eax, 4807
0BB8CE58 FFE0 jmp eax
0BB8CE5A E8 EBFEFFFF call 0BB8CD4A
0BB8CE5F 05 9F6A0000 add eax, 6A9F
0BB8CE64 FFE0 jmp eax
0BB8CE66 E8 04000000 call 0BB8CE6F
0BB8CE6B FFFF ??? ; Unknown command
0BB8CE6D FFFF ??? ; Unknown command
0BB8CE6F 5E pop esi
0BB8CE70 C3 retn

Then
1. HE GetProcAddress
2. F9
3. HD GetProcAddress
4. alt + f9
Now we are at the place where the IAT is filled:

0BB8CBE7 55 push ebp
0BB8CBE8 8BEC mov ebp, esp
0BB8CBEA 83C4 F4 add esp,-0C
0BB8CBED 56 push esi
0BB8CBEE 57 push edi
0BB8CBEF 53 push ebx
0BB8CBF0 BE 00F0AD0A mov esi, 0AADF000
0BB8CBF5 B8 00004000 mov eax, 00400000
0BB8CBFA 8945 FC mov dword ptr ss: [ebp-4], eax
0BB8CBFD 89C2 mov edx, eax
0BB8CBFF 8B46 0C mov eax, dword ptr ds: [esi + C]
0BB8CC02 09C0 or eax, eax
0BB8CC04 0F84 8E000000 je 0BB8CC98
0BB8CC0A 01D0 add eax, edx
0BB8CC0C 89C3 mov ebx, eax
0BB8CC0E 50 push eax
0BB8CC0F FF15 B480AA0B call dword ptr ds: [<& kernel32.GetModu>; kernel32.GetModuleHandleA
0BB8CC15 09C0 or eax, eax
0BB8CC17 0F85 0F000000 jnz 0BB8CC2C
0BB8CC1D 53 push ebx
0BB8CC1E FF15 B880AA0B call dword ptr ds: [<& kernel32.LoadLib>; kernel32.LoadLibraryA
0BB8CC24 09C0 or eax, eax
0BB8CC26 0F84 64000000 je 0BB8CC90
0BB8CC2C 8945 F8 mov dword ptr ss: [ebp-8], eax
0BB8CC2F 6A 00 push 0
0BB8CC31 8F45 F4 pop dword ptr ss: [ebp-C]
0BB8CC34 8B06 mov eax, dword ptr ds: [esi]
0BB8CC36 09C0 or eax, eax
0BB8CC38 8B55 FC mov edx, dword ptr ss: [ebp-4]
0BB8CC3B 0F85 03000000 jnz 0BB8CC44
0BB8CC41 8B46 10 mov eax, dword ptr ds: [esi + 10]
0BB8CC44 01D0 add eax, edx
0BB8CC46 0345 F4 add eax, dword ptr ss: [ebp-C]
0BB8CC49 8B18 mov ebx, dword ptr ds: [eax]
0BB8CC4B 8B7E 10 mov edi, dword ptr ds: [esi + 10]
0BB8CC4E 01D7 add edi, edx
0BB8CC50 037D F4 add edi, dword ptr ss: [ebp-C]
0BB8CC53 09DB or ebx, ebx
0BB8CC55 0F8