Take notes from cainiao off ExeCryptor

[Article Title]: notes taken by cainiao from ExeCryptor
[Author]: machengin
[Software name]: pm
[Software size]: 1.9 MB
[]: Search and download by yourself
[Shelling method]: ExeCryptor
[Protection method]: ExeCryptor
[Language]: Borland Delphi
[Tools]: OllyICE, PETools, ImportREC
[Operating platform]: winxp sp2
[Author's statement]: I am only interested and have no other purpose. For errors, please enlighten us!
--------------------------------------------------------------------------------
[Detailed process]

First, thanks to the author of the ExeCryptor script.

Thank you for your reference to the ExeCryptor tutorial.

OD loading.

7C921231 C3 retn; System breakpoint.
7C921232 8BFF mov edi, edi
7C921234 90 nop
7C921235 90 nop
7C921236 90 nop
7C921237 90 nop
7C921238 90 nop
7C921239> CC int3
7C92123A C3 retn
7C92123B 90 nop
7C92123C 8BFF mov edi, edi
Bytes -------------------------------------------------------------------------------------------------

--
1. Find OEP and dump.

Run the script Bypass AntiDBG OEP. The exception occurs several times. Shift + F9 is passed.

0079F7BA E8 038 DEDFF call 006784C2; stop at the pseudo OEP.
0079F7BF 0D 71C08494 or eax, 9484C071
0079F7C4 07 pop es
0079F7C5 40 inc eax
0079F7C6 63E9 arpl cx, bp
0079F7C8 51 push ecx
0079F7C9 97 xchg eax, edi
0079F7CA ED in eax, dx
0079F7CB FFE8 jmp far eax; invalid register usage

The script ends.
Bytes -------------------------------------------------------------------------------------------------

--
Query code section 00401000 + 23E000 = 63F000.

The shoooo hero tells us:
"Delphi goes directly to the next row of the initialization table. The original oep is changed to jmp XXXX, and XXXX can be used as oep ".

0063E9A0-E9 150E1600 jmp <module entry point>; OEP !!!
0063E9A5 81E0 CEF1E9B3 and eax, B3E9F1CE
0063E9AB 8BD0 mov edx, eax
0063E9AD E8 DEF41100 call 0075DE90
0063E9B2 335F 0C xor ebx, [edi + C]
0063E9B5 D95B 0B fstp dword ptr [ebx + B]
0063E9B8 B7 BD mov bh, 0BD
0063E9BA 0BD8 or ebx, eax
0063E9BC-E9 3F360200 jmp 00662000
0063E9C1 D5 E8 aad 0E8
0063E9C3 8AD2 mov dl, dl
0063E9C5 53 push ebx
0063E9C6 EC in al, dx
0063E9C7 3A7C90 6A cmp bh, [eax + edx * 4 + 6A]
0063E9CB 8424F5 E5D8176A test [esi * 8 + 6A17D8E5], ah
0063E9D2 006A 00 add [edx], ch
0063E9D5 68 A4EA6300 push 0063EAA4; ASCII "AQB2005"

Use petoolsto convert to dumped.exe.

Create an EIP in 0063E9A0.

========================================================== ========================================================== ================================
2. decrypt IAT and restore the file.

Use LordPE to check whether the EXECryptor is normal. The 0eqizouf section under the BBS section is the IAT table address.

Name
But there is no doubt about a section under the BBS section.

0 eqizouf = 0025C000. In the OD data window, Ctrl + G: 65C000.

Note that the IAT function encrypted by EXECryptor is represented by the file name. xxxxxxxx, and "x" is a number.

Look down:

0065C1DC 00000000
0065C1E0 007C731F prj_safe.007C731F; encrypted IAT and IATstart.
0065C1E4 007DC743 prj_safe.007DC743
0065C1E8 00678B15 prj_safe.00678B15
......
0065C2C0 00760A9E prj_safe.00760A9E
0065C2C4 00000000
0065C2C8 770F4850 oleaut32.SysFreeString; unencrypted IAT
0065C2CC 7711C99D oleaut32.SysReAllocStringLen
0065C2D0 770F4B59 oleaut32.SysAllocStringLen
0065C2D4 00000000
0065C2D8 00674239 prj_safe.00674239
......
0065CBB8 71A23E00 WS2_32.bind
0065 CBBC 00000000
0065CBC0 01FD1F70 sys_aq.get_key_password; IATend.

Bytes -------------------------------------------------------------------------------------------------

---
Open ExeCryptor 2.xx IAT Rebuilder v1.1 script editing.

Mov IATstart, 0065C1E0
Mov IATend, 0065CBC0

Save the modification and run the ExeCryptor 2.xx IAT Rebuilder v1.1 script.

In this case, you can open the script run window to observe the recovery.

An exception occurred when restoring to 0065C258. Remember this address and use it for the next modification! Terminate the script.

Note: It is best to close the file and clear all UDD.

Start again until the pseudo OEP.

In the Disassembly window Ctrl + G: 0063E9A0 (OEP), create an EIP in 0063E9A0.
In the data window, Ctrl + G: 0065C258 and change it to 00000000.

Run the ExeCryptor 2.xx IAT Rebuilder v1.1 script.

After the script is complete, change the function address of 0065C258 to kernel32.FreeLibrary.

Use ImportREC and OEP = 0023E9A0 RVA = 0025C1E0 to restore the file.

3. Repair OEP.

Modify OEP by referring to other Borland Delphi files.

This software has a Borland Delphi file Project1, which is not encrypted.
Bytes -------------------------------------------------------------------------------------------------

---
0048FF74> 55 push ebp
0048FF75 8BEC mov ebp, esp
0048FF77 83C4 F0 add esp,-10
0048FF7A 53 push ebx
0048FF7B B8 ACFC4800 mov eax, Project1.0048FCAC
0048FF80 E8 F760F7FF call Project1.0040607C; F7 follows.

Here.
0040607C 53 push ebx
0040607D 8BD8 mov ebx, eax
0040607F 33C0 xor eax, eax
00406081 A3 9c0000900 mov dword ptr ds: [49366c], eax
00406086 6A 00 push 0
00406088 E8 2 BFFFFFF call <jmp. & kernel32.GetModuleHandleA>; more familiar functions!
Bytes -------------------------------------------------------------------------------------------------

---
Modify OEP:
0063E9A0> 55 push ebp
0063E9A1 8BEC mov ebp, esp
0063E9A3 83C4 F0 add esp,-10
0063E9A6 53 push ebx
0063E9A7 B8 30E26300 mov eax, AQTB_01.0063E230; here the changes are as follows ②!
0063E9AC E8 FB86DCFF call 004070AC; here the changes are as follows ①!
0063E9B1 8B1D C0E26300 mov ebx, [63E2C0]; AQTB_2.0043508C check later!
0063E9B7 68 A4EA6300 push 0063EAA4; ASCII "AQB2005"
0063E9BC 6A 00 push 0
0063E9BE 6A 00 push 0
0063E9C0 E8 6326 DDFF call 00411028
0063E9C5 E8 BE27DDFF call 00411188
0063E9CA 3D B7000000 cmp eax, 0B7
0063E9CF 75 20 jnz short 0063E9F1
0063E9D1 6A 00 push 0
0063E9D3 6A 00 push 0
0063E9D5 68 A4EA6300 push 0063EAA4; ASCII "AQB2005"
0063E9DA E8 DD95DCFF call <jmp. & user32.RegisterClipboar>
Bytes -------------------------------------------------------------------------------------------------

--
The cursor is searched near the OEP of dumped_.exe:

Push ebx
Mov ebx, eax
Xor eax, eax

Search here.
004070AC 53 push ebx
004070AD 8BD8 mov ebx, eax
004070AF 33C0 xor eax, eax
004070B1 A3 A4F06300 mov dword ptr ds: [63F0A4], eax
004070B6 6A 00 push 0
004070B8 E8 2 BFFFFFF call <jmp. & kernel32.GetModuleHandleA>

The entry address of the first call starting from OEP is determined as 004070AC.

② Determine 0063E9A7 B8 30E26300 mov eax and AQTB_01.00xxxxxx.
After confirming that the OEP starts to enter the entry address of the first call, F7 enters the tracking.
Now, open another ODPS and use dumped_.exe without oepfix. In the Disassembly window, Ctrl + G: 004070AC.
Set the memory access breakpoint on the AC, Shift + F9, and run.
In the registration window, click "try" and disconnect.

Check the memory: eax = 0063E230

To confirm the progress, step F8 here.
004070E6 E8 4DD5FFFF call 00404638; F7 enter.
004070EB 5B pop ebx

Step F8 here.
00404672 E8 61 FFFFFF call 004045D8; F7 enter.
00404677 C3 retn

004045D8 55 push ebp
004045D9 8BEC mov ebp, esp
004045DB 53 push ebx; aaaaaa_.0063e230 is added to the stack.
004045DC 56 push esi
004045DD 57 push edi
004045DE A1 40966400 mov eax, [649640]
004045E3 85C0 test eax, eax
004045E5 74 4B je short 00404632
004045E7 8B30 mov esi, [eax]; Note the [eax] address!

Ds: [0063E230] = 000000ED

Locate in the data window:
0063E230 000000ED
0063E234 0063E238 AAAA_.0063E238
0063E238 00407120 AAAA_.00407120
0063E23C 004070F0 AAAA_.004070F0
0063E240 00406F14 AAAA_.00406F14
0063E244 00406EC0 AAAA_.00406EC0

Get:
0063E9A7 B8 30E26300 mov eax, 0063E230

 

========================================================== ========================================================== ================================
4. initialize the modification.

Fixed the OEP deformation code, and encountered a Memory exception during initialization. It was only possible to go to the startup interface. This problem took a long time, mainly because

Base
The reason is too bad.

Also, extract the dumped_.exe that does not repair the oep. compare it with the code line supplemented after the first call:

0063E9AC E8 FB86DCFF call 004070AC; here the changes are as follows ①