I must admit that today I've learned something interesting about EXECryptor. Not only do I love to trace through the endless chunks of virtualized data, I also enjoy the way it handles the code it shields. Tracing from a fully registered application, I managed to tell the program to go in full mode with a few changed bits.
Such as:
MOV EAX,3
MOV ECX,EAX
RET
That would be the replacement for a function that is supposed to return a value; that value is later compared, and based on the comparison the program decides whether to run in trial or registered mode (or whether it is expired or not). Here's an example:

By following that CALL and patching the code as described above, the return value in EAX changes from 0 to 3, thus fooling the check. In a similar way one can patch the application to show the registered status in the About box ;)

Pretty neat. Anyway, this has been fun enough, so I'm going to post the patch for the new "silent" update. The author thinks he can evade reversers. Not with EXECryptor you won't :)
Enjoy!
[Download] » Uninstall Tool v2.3.1 (build 2427) » Size - 70 KB
February 10th, 2008 at 4:02 pm
You're so good. But I think you cannot break the protection in 1st Clock -> http://www.1stclock.com :P
February 10th, 2008 at 5:24 pm
Remains to be seen ;)
P.S.: It's -- Borland Delphi 6.0 - 7.0 -- and not EXECryptor ;) Will look at it though..
February 10th, 2008 at 11:11 pm
And can you break other EXECryptor-protected programs?
I've looked at other programs protected with EXECryptor and for the moment there is no crack :) Why? I don't know :) My opinion is that it's because SDK protection was added
(Anyplace Control and other software; I have many very hard EXECryptor victims)
PS: For you, what is harder to unpack, EXECryptor or Themida? (For me, unpacking EXECryptor :) ) And more difficult to crack, EXECryptor or Themida? (For me Themida :), it's not easy to inline patch Themida applications, EXECryptor yes of course :) )
PS_final ;) : I see you can crack EXECryptor applications, but why can't you crack Themida applications? You cannot?
February 11th, 2008 at 7:02 am
I am selective about protections and I am not doing it to damage software developers or ruin the hard work of others. My sole intent is purely educational and I am keen to learn as much as I can from reversing on my own. What I'm doing is not a race, it's more like self-teaching.. Regarding commercial protections, there are always means to get around them, ways to defeat them. EXECryptor is nice, Themida is too. They are two hybrid protectors shaped in different ways. True, SDK applications are harder than the stock ones, and that's where the fun becomes more interesting. Anyplace Control is easy to inline..
May 26th, 2008 at 1:21 pm
Hi
I have read your tuts about EXECryptor and love them. I'm also trying to learn how to trace through the endless chunks of virtualized data and understand them, but without success ... I'm working on a target, TransMac 8.1, and I have unpacked it, fixed the CRC and disabled the anti-BP, but I can't find how to register the application to remove the trial nag screen.
Can you help me understand how to read the virtualized data and understand EXECryptor better?
May 26th, 2008 at 4:08 pm
Hi. You can try to request it at this board ;)
http://snd.astalavista.ms/board/index.php
See you there =]