Posted on  by 

  1. Execryptor Unpacker
  2. Decryption Software
  1. EXECryptor is a software protection system for protect programs from reverse engineering, analysis, modifications and cracking. EXECryptor has powerful anticrack, antidebug, antitrace and import code protection features for stop the latest cracking software. And crackers issues.
  2. GitHub is where the world builds software. Millions of developers and companies build, ship, and maintain their software on GitHub — the largest and most advanced development platform in the world.
  3. They arent in til Monday though. So i went onto download.com and looked for the best anti-virus SW and came up with PC tools. When this scans it comes up with a popup box telling me that Trojan.Packed.Execryptor is trying to access it and it trying to block it. The other thing is im going super-slow and crashing out of everything.
  4. EXECryptor is one of the strongest and most innovative software security systems available. From program protection and cracking avoidance to preventing reverse engineering, analysis, and modifications, EXECryptor has it all.

Anti-cracking, anti-debugging, and anti-trace EXECryptor has innovative, powerful, anti-cracking, anti-debugging, anti-trace, and anti-reversing software in the business. It also has new code protection features to stop the latest cracking software and cracker issues.

Execryptor 2.2.50


by 'Pnluck', 'Saturn' e 'LittleLuk'


Published by Quequero

Venghino signori, l'é vero, che qui ci sono

Annamo al massimo, annamo a gonfie vele - Pnluck
:/ - Que

<<checosa c'è??>>
Entrino e lo scoprirete (6)


Pnluck, #crack-it #pmode #cryptorev #unpacking(su efnet)



(X)NewBies (X)Intermedio ( )Avanzato ( )Master


In questo articolo decrivo come fare l'unpacking di execryptor 2.2.50
Visitate il sito di Execryptor per le info su questo packer: http://www.strongbit.com/execryptor.asp

Tools usati

Ollydbg, IsDebug&Extra, Olly Invisible, HideDebugger, NtGlobalFlag, OllyDump, AntidetectOllyPatch, RDG

URL o FTP del programma



About EXECryptor
To view somethings about Execryptor visit http://www.strongbit.com/execryptor.asp (most of these techniques are applied through the use of thread)


About Reversing stuff detection
Execryptor uses a lot of tricks to detect ollydbg, and other tools (like softice, filemon, regmon, etc..).This is possible, because Execryptor makes a lot of thread , withus it does a continuous control. For example, isn't possible uses at the same time ollydbg or filemon(not pached) with a software protected by Execryptor.
Those problem is possible resolve with RE-pair 0.6(for regmon, filemon) and AntidetectOllyPatch (for Olly)

About R3 degugger detection
Execryptor uses some trick to verify if he is debugged:

  1. Control of Beingdebug
  2. Control of ProcessHeap
  3. Controll of NtGlobalFlag
  4. Use of Windows apis
    Use CheckRemoteDebuggerPresent and IsDebuggerPresent, look msdn

  5. Use of Seh
    With the use of many exception, Execryptor controls if there are Hardware BreakPoints
    This is the simplest version of seh handler, beacause in other Execryptor controls also the DB register, from 0 to 3 to verify the presence of HD bp and react, therefore use memory bp.

  6. Use of Thread
    Execryptor creates a lot of thread to control the presence of Ollydbg, modification of code like bp, etc; to elude these controls in the simpler way, we can do a code injection into CreateThread:
Run software protected with Execryptor on Ollydbg
Ollydbg can debug a software protected with Execryptor only with a path and pluings. After the patching and the installation of plugins, we can run a software, here I show how arrive at OEP and how rebuild the iat.
  • Prepare Olly to debugging
    Patch olly with AntidetectOllyPatch
    Open Ollydbg and set these options: Alt+O -> Exceptions ->check: Int3 , SingleStep, Memory access and add Invalid lock sequenze.
    Open the option of hide debugger and check IsDebuggerPresent with Unhadled exceptions trick.
    Open the option of IsDebug&Extra and check all.
  • Find the OEP
    Open the menu of NtGlobalFlag and click on 'Set TempBreak on Tls Callback', and 'SET LDR_SHOW_SNAPS'. Now open the software (in this case the crackme) and Olly will break at Tls Callback, and it sets 2 bp, delete them, and set a break-on-access on code section.
    Run with alt+f9 the progie and we will break at:
    Step beyond the jmp, and find a 'cmp ecx,2', because this istruction is the end of decopressing proc: Set a bp on this istruction, push alt+f9 till ecx = 2 and again 3. Now re-set the bp-on-access and remove the bp on 'cmp ecx,2', push alt+f9, if there are exception push always alt+f9, and we'll break at the Oep. Here we can have stolen bytes or not, the difference is visible to eye.

    With Stolen

    There're two method for find stolens:
    1) Trace the loader untill the ipotetic oep
    2)Use RDG for detect the compiler, analyze the stack and try to do things
    Dump the progie without rebuild the iat, and analyze this with RDG: is VC5.
    Generic opcodes of entrypoint for VC5 is : 'push ebp mov ebp,esp'. So the value of stack addr 12ffc0 is push ebp
    Now in the stack there's 0xff = -1(dec) at 12ffbc: 'push -1'. There are also stored two address: 'push 450e60 push 4292c8'. Ok now after the ipotetic OEP there's the installation of a seh handle so: 'push fs:[0]'.
    This is the rebuild code(the push eax is overwrite by push fs:[0], but the code is good because eax had the addr of fs:[0])
    Now redump with the option of iat rebuild, open the progie with cff or another PE editor, change in Optional Header the base of code to 1000 and delete the Tls directory
    Now we have a runnig progie, but the iat isn't all rebuild. To make the dump running also on other PC, you must annul the dword where there's the address of getmodulehandle in loader section in my case 487490. Dump funzionante

  • Rebuild the IAT
    Execryptor uses a new method to call an api, it doesn't use GetProcAddress, but:
    • Take an hash
    • The loader decripts dll's name and it gets the imagebase with GetModuleHandle, it takes the address of export table,after it generates an hash with every api who will be compare with the right_hash, until they will be egual:
    • When the loader find the correct hash, it takes the address in memory of api and rewrite the iat_address, push the_return_addr and execute a jmp [iat_addr]

    In fact this is a call before the calling:
    and this is the call after the calling:

Execryptor Unpacker

Pnluck, Saturn & LittleLuk

Note finali

Grazie ai forum Uic e Arteam, Ntoskrnl, Quake2, Quequero, AndreaGeddon il primo ad unpackare execryptor, Shub, Silent, SataNik, LonelyWolf, Zairon, Active85k e tutti i membri di Pmode e Uic


Vorrei ricordare che il software va comprato e non rubato, ma cmq potete scaricare na demo di trenta giorni: analizzarla, farle delle modifiche a piacere ed usarla quanto più vi piace ;)

Decryption Software

Coments are closed