ExeCryptor v1 + IAT, by puromafo

IAT solutions exist in 3 forms. This one changes simply with a jump, the most easy. The other form is in the change:

0046B669  8947 04   MOV DWORD PTR DS:[EDI+4],EAX
          other is
0046B66C  8902      MOV DWORD PTR DS:[EDX],EAX

But all need this line (see in the script), the find eip and then

fill $RESULT,1,eb

for the CRC or pseudo-CRC that this program has. Well, enjoy.

var addr
var error
var temp
msg "Alert"
msg "clear all hardware breakpoints"
find eip, #e2c5#
mov temp, $RESULT
bphws temp, x
run

0046B0E0  . 2C 39           SUB AL,39
0046B0E3  - .E2 C5          LOOPD SHORT UnPackMe.0046B0AA
0046B0E7  . 46              INC ESI
0046B0E9  . 3168 3E         XOR DWORD PTR DS:[EAX+3E],EBP
0046B0F2  . 128D C804876A   ADC CL,BYTE PTR SS:[EBP+6A8704C8]

msg temp
bphwc temp
add temp,2

0046B0E3  .E2 C5            LOOPD SHORT UnPackMe.0046B0AA

bphws temp, x
run

0046B0E3  .E2 C5            LOOPD SHORT UnPackMe.0046B0AA

now is decoded
msg temp
bphwc temp

start iat change n*1-

0046B649  72 08             JB SHORT UnPackMe.0046B653
to
0046B643  . 81FB 00000070   CMP EBX,70000000

var iat1
find eip, #7208#
fill $RESULT,1,eb
find eip, #83f801#
mov iat1, $RESULT
bp iat1
now go to the other way
find eip, #e841?#

0046B11F  . B9 AC060000     MOV ECX,6AC
0046B129  . 8985 D22F4000   MOV DWORD PTR SS:[EBP+402FD2],EAX

now bp
mov temp, $RESULT
bphws temp, x
msg temp
run
bphwc temp
mov addr,esp

now in esp

ECX 000006AC
EBX 7FFD6000
EBP 00068897
EDI 0046BD7B UnPackMe.0046BD7B

follow in dump esp. bp access dword
bphws addr, r
msg addr
run

0046B7DF  - 50              PUSH EAX                   ; UnPackMe.0046B78E
0046B7E2  64:FF30           PUSH DWORD PTR FS:[EAX]
                            MOV DWORD PTR FS:[EAX],ESP
0046B7E8  EB 01             JMP SHORT UnPackMe.0046B7EB

push eax. now in iat, remember
bc iat1
find eip, #7408#
fill $RESULT,1,eb
run
bphwc addr
mov addr,eax

EAX 0046B78E UnPackMe.0046B78E
EDX 7C91EB94 ntdll.KiFastSystemCallRet
ESP 0012FFC4
ESI FFFFFFFF
EIP 0046B7DF UnPackMe.0046B7DF

bphws addr,x
run
bphwc addr

0046B78E  55                PUSH EBP
                            MOV EBP,ESP
0046B791  57                PUSH EDI
0046B795  8BB8 C4000000     MOV EDI,DWORD PTR DS:[EAX+C4]
0046B79D  33FF              XOR EDI,EDI
0046B7A2  8380 C4000000 08  ADD DWORD PTR DS:[EAX+C4],8
0046B7AF  C1C7 07           ROL EDI,7                  ; edi have mi oep here is, and change to oep
0046B7B8  B8 00000000       MOV EAX,0                  ; edi have oep, now is ok
0046B7BE  C9                LEAVE
                            RETN

sti
sti
sti
sti
sti
sti
sti
sti
sti
sti
sti
sti
mov addr,edi
0046B7B8 edi reach my oep
bp addr
msg "the oep is"
msg addr
run
bc addr
cmt eip, "- this is the OEP, dump and fix the iat (iat is resolved.)"
ret