UnpExeCr
Category: Other
Development tool: Asm
File size: 1381KB
Downloads: 3
Upload date: 2019-07-08 01:41:00
Uploader: eugene004578
Description: Unpacking and Dumping ExeCryptor and Coding Loader
File list:
example (0, 2006-01-17)
example\debugger.asm (5423, 2006-01-17)
example\debugger.EXE (4096, 2006-01-16)
example\test.asm (846, 2006-01-17)
example\test.EXE (4096, 2006-01-16)
execryptor-imprecplugin (0, 2006-01-17)
execryptor-imprecplugin\execryptor.dll (8192, 2006-01-01)
execryptor-imprecplugin\resolved.txt (19584, 2006-01-17)
loader (0, 2006-01-17)
loader\loader.asm (8649, 2006-01-17)
oepfinder (0, 2006-01-17)
oepfinder\extern.inc (883, 2006-01-09)
oepfinder\howtoexecryptor.pdf (172196, 2006-01-09)
oepfinder\oepfinder.asm (37455, 2006-01-18)
oepfinder\oepfinder.exe (20480, 2006-01-18)
oepfinder\oepfinder.res (3948, 2006-01-09)
ARTeam.esfv (572, 2006-01-18)
Unpacking_And_Dumping_ExeCryptor_and_Coding_Loader.pdf (1712796, 2006-01-18)
oepfinder vX.Y.Z by deroko/ARTeam
It has been a long time since I released my first version of oepfinder.
Yup, it was slow, but I dare you to write a multi-threaded debugger for big
applications that is fast!
This time the new release has two tracing modes:
1. deroko/ARTeam
2. stealth
Yeah, both are my engines, but they work completely differently.
deroko/ARTeam engine:
- acts like a debugger: creates the process with DEBUG_PROCESS + DEBUG_ONLY_THIS_PROCESS
- hides the presence of the debugger by clearing PEB.BeingDebugged
- sets PAGE_GUARD on the guessed range and debugs the app
- on each access to a guarded page:
  - checks whether EIP is in the guessed range
  - yes: sets the trap flag and informs the user (the opcodes are shown in the dialog)
    note: the trap flag is set only if the "Trace All" option is selected
  - no: the access was a read/write from outside the range, so PAGE_GUARD is cleared and
    an int 3 is placed after the instruction that caused the exception, so that the guard
    can be re-armed once that instruction has completed. This is how any normal debugger
    uses int 3 to step over an instruction.
- when you find a suspicious EIP, click "Deattach" in the dialog and OK on the message box
  showing the EIP; the program will then tell you the stolen bytes, PID and EIP. Attach Olly
  to it, or use SoftICE to break at the "jmp $" :D
Stealth mode:
Stealth mode is very powerful. It runs inside the target process, so there is no attached
debugger for the usual debugging checks to find. Once the app has been started in stealth
mode it is completely independent: a small debugging stub is injected into the target
process, hooks are set, and we are ready to debug the app. Heh, the target won't know that
it is being debugged.
Default mode:
- hooks CreateThread to make the non-intrusive debugger multithreading-safe
- sets PAGE_GUARD on the guessed range and inserts an int 3 after each instruction that
  caused an exception (e.g. a read/write to the PAGE_GUARD range)
- if EIP is in range, the user is notified via MessageBoxA (caption: "continue?")
  - if you press OK, tracing continues
  - if you press Cancel, "jmp $" is stored at EIP and the user is informed about the
    stolen bytes. At this point the TLS callback pointer in DataDirectory.TLS is also
    deleted, so Olly can be attached without problems and non-intrusive ImpREC plugins
    can be run on the target.
Extra Fast:
- acts like Default mode, but with no int 3s after the instruction that caused the
  exception. Not always accurate, but with ExeCryptor (all protection options on) and
  ASProtect it worked without a problem (OEP reached in less than 2-3 s)
Don't hook CreateThread:
- you can choose NOT to hook CreateThread (e.g. for Krypton v0.5) and it will also work
  without a problem, but it is not always safe (just theory)
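The Cancel path of Default mode (store jmp $ at EIP, delete the TLS directory entry so a debugger can be attached), as an added example in C that is not code from oepfinder. It works on an in-memory copy of a PE32 image rather than inside a live process, so it runs anywhere; the sample image, the function names and the RVA 0x180 standing in for the candidate OEP are constructed for the demo. Dropping the TLS entry matters because attaching a debugger creates a new thread in the target, and TLS callbacks run for every new thread, so the protector's callback would otherwise fire again on attach.

```c
/* Added example (not oepfinder's code): the two patches oepfinder applies when you press
 * Cancel, applied here to an in-memory copy of a PE32 image instead of a live process:
 * zero DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS] and put "jmp $" at the candidate OEP. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define DIR_TLS 9                                   /* IMAGE_DIRECTORY_ENTRY_TLS */
enum { OPT_MAGIC_PE32 = 0x10b, OPT_NUMDIRS = 92, OPT_DATADIR = 96 };  /* optional header */

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> 8 * i); }

/* Locate the PE32 optional header in a mapped image; NULL if it is not a usable PE32. */
static uint8_t *optional_header(uint8_t *img, size_t len)
{
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return NULL;
    uint32_t pe = rd32(img + 0x3c);                                  /* e_lfanew */
    if (pe > len || len - pe < 24 + OPT_DATADIR + 8 * (DIR_TLS + 1)) return NULL;
    if (memcmp(img + pe, "PE\0\0", 4) != 0) return NULL;
    uint8_t *opt = img + pe + 24;                   /* 4-byte signature + 20-byte FILE_HEADER */
    if ((opt[0] | opt[1] << 8) != OPT_MAGIC_PE32) return NULL;      /* 32-bit targets only */
    if (rd32(opt + OPT_NUMDIRS) <= DIR_TLS) return NULL;             /* no TLS slot at all */
    return opt;
}

/* Zero the TLS directory entry (RVA and size); returns the RVA it held, 0 if none. */
uint32_t clear_tls_directory(uint8_t *img, size_t len)
{
    uint8_t *opt = optional_header(img, len);
    if (!opt) return 0;
    uint8_t *entry = opt + OPT_DATADIR + 8 * DIR_TLS;
    uint32_t rva = rd32(entry);
    wr32(entry, 0);
    wr32(entry + 4, 0);
    return rva;
}

/* Overwrite the two bytes at rva with "jmp $" (EB FE), keeping the originals in saved[]
 * so they can be restored once the real debugger is attached. */
int park_at(uint8_t *img, size_t len, uint32_t rva, uint8_t saved[2])
{
    if (rva + 2 > len) return -1;
    saved[0] = img[rva]; saved[1] = img[rva + 1];
    img[rva] = 0xEB; img[rva + 1] = 0xFE;
    return 0;
}

/* Constructed sample (not a real binary; len must be at least 0x200): a bare PE32 header
 * whose TLS directory points at RVA 0x1000 (size 0x18), plus a push ebp / mov ebp,esp
 * prologue at RVA 0x180 standing in for the candidate OEP. */
void build_sample_image(uint8_t *img, size_t len)
{
    memset(img, 0, len);
    img[0] = 'M'; img[1] = 'Z';
    wr32(img + 0x3c, 0x80);                          /* e_lfanew */
    memcpy(img + 0x80, "PE\0\0", 4);
    uint8_t *opt = img + 0x80 + 24;
    opt[0] = 0x0b; opt[1] = 0x01;                    /* Magic = PE32 */
    wr32(opt + OPT_NUMDIRS, 16);                     /* NumberOfRvaAndSizes */
    wr32(opt + OPT_DATADIR + 8 * DIR_TLS, 0x1000);   /* TLS directory RVA */
    wr32(opt + OPT_DATADIR + 8 * DIR_TLS + 4, 0x18); /* TLS directory size */
    img[0x180] = 0x55; img[0x181] = 0x8B; img[0x182] = 0xEC;
}
```

In the real tool both patches are made through WriteProcessMemory into the target's mapped image at its load base (the optional header lives at the same offsets there); the saved bytes are what you put back at EIP in Olly before running.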
With faith in God, deroko/ARTeam
http://cracking.accessroot.com
http://deroko.headcoders.net