Unpacker ExeCryptor 2.x.x v1.0 RC2, by RSI [tPORt]


:

Clear pointer GetModuleHandleA
------------------------------
      ,    
GetModuleHandleA     :

1.  "Type1"    EC 2.2.5  .
          ,   
    GetModuleHandle   .

2.  "Type2"     ,  EC 2.2.6-2.3.9.

3.  "Not Found pointers"    EC 2.4.x,  
    GetModuleHandle  .

[!]    EC 2.3.9  ,    
    /      
      ,    GetModuleHandle .

Patch message "Debugger Detected"
---------------------------------
   ,    "[305] 
Debugger Detected"     ,   .
 
1. Method 1    
2. Method 2    

[*]     "Method 3",    
       .

Patch File CRC Check
--------------------
     CRC .     
      "File Corrupted!", 
   CRC     CRC .

Patch Memory CRC Check
----------------------
     CRC .

[!]      , ..   
      ,  CRC ,  -  
         .
 
Remove trash
------------
      PE    ,
     .

Fix Relocs
----------
   ,  :

1.   ,     ,  
      ,      PE .

2.   ,    2  ("_reloc1.dll"  "_reloc2.dll")
             
   ReloX.

[*]     ,      .

Cut last sections
-----------------
      (  ),
   .

[*]    , .. -    . ;-)

Reconstruct Dynamic Import
--------------------------
  / IAT  
  .     
,         .

Fix IAT in dump
---------------
      :

1.   ,       
    ,       PE .

2.   ,        / IAT
            ImpRec.

[*]   ,       ImpRec).
 
Copy/Paste original IAT in dump
-------------------------------
        .  
       .

Save log
--------
      "_u.log".

Find OEP
--------
 OEP     (  )   ,
    PE .

 exe      OEP,   .
  dll   ,   .

[*]     OEP,     .


 :

v1.0 release candidate 2
------------------------
*    +    
*    OEP (   70% , 
       )
*      
*    (   

v1.0 release candidate 1
------------------------
*        (
   )
*     ,  Win XP SP0/SP1
*   ,      OEP

v1.0 beta 4
-----------
*     OEP  VC++, Delphi
*   OEP  VB, MASM  TASM
*  2   "[305]"

v1.0 beta 3
-----------
*     EC 2.4.1
*   "Patch Memory CRC Check",    CRC
    
*   "Remove Sign Detected by Kaspersky",   
    ,    
*      OEP  ++
*      

v1.0 beta 2
-----------
*         
*    ,    
*  ap0x unpack engine     
*      
*   OEP  Delphi, ..    
    
*    EP ,     
*      
*   drag'n'drop