
About SM decrypted. Execryptor

Discussion on About SM decrypted. Execryptor within the Silkroad Online forum part of the Popular Games category.

 
Old   #1
 
elite*gold: 0
Join Date: Apr 2007
Posts: 45
Received Thanks: 0
Sly2 said that sm was decrypted, who has it? i want it only for OllyDBG. Plz !!
iamcnk is offline  
Old 06/17/2007, 18:50   #2
 
elite*gold: 0
Join Date: Apr 2007
Posts: 127
Received Thanks: 15
i have this & no other

decrypted sm.dll is a normal sm.dll without execryptor protection, but with morphed code (VERY difficult!!!) in most important procedures...
sly2 is offline  
Old 06/17/2007, 19:05   #3
 
elite*gold: 0
Join Date: Apr 2007
Posts: 110
Received Thanks: 2
Quote:
Originally posted by sly2@Jun 17 2007, 18:50
i have this & no other
so what ur sayin is that ur the only 1 that have it?
homeroll is offline  
Old 06/17/2007, 19:19   #4
 
elite*gold: 0
Join Date: Apr 2007
Posts: 127
Received Thanks: 15
i unpack this from execryptor...

when you or anyone unpack sm.dll too, then i will not be alone with it
sly2 is offline  
Old 06/18/2007, 05:58   #5
 
elite*gold: 0
Join Date: May 2007
Posts: 106
Received Thanks: 9
For good cracker all unpackers is newbie stuff.. They can unpack and pack files only with ASM code, but the best way is use unpacker you will wait only 5 seconds but you will unpack it with ASM code you will get more XP in the cracking...
If someone create packer, someone can create unpacker :P
SwaDDie is offline  
Old 06/18/2007, 14:59   #6
 
elite*gold: 0
Join Date: Apr 2007
Posts: 127
Received Thanks: 15
1. show me unpacker for execryptor

2. do you know, that all exe or dll files are in assembler

3. show me anyone, that can unpack execryptor in 5 seconds (EntryPoint seek, IAT seek & fixing, Relocations fixing)... (i dont speak about morph procedures. these are VERY difficult. i talk with "good" cracker, he wont to demorph it, its too difficult, nearly impossible...)

and i hope, you know, what you are talking about...
sly2 is offline  
Old 06/18/2007, 15:22   #7
 
elite*gold: 0
Join Date: May 2007
Posts: 106
Received Thanks: 9
I said that unpacker can unpack file in 5 sec... Take mmm UPX pack it and Use Upx unpacker you will see how fast it is..
Yeah morphine is very good as Armadillo.. That's true
the best thing it is that execryptor hasn't unpacker, so I love every packing which cannot be unpacked :P
If you want unpack it you need create packer...
ASM code = assembler, just Olly
So "good" cracker will crack all stuff because he's good
Morphine code demorph mb is impossible then it is decrypted with another crypt code..
Or just it's code which are used one time and it's created by PRO cracker
But I wouldn't take to unpack execryptor packer
I hadn't a lot of time to sit down on one sm.dll
SwaDDie is offline  
Old 06/18/2007, 15:31   #8
 
elite*gold: 0
Join Date: Apr 2007
Posts: 127
Received Thanks: 15
you dont need to unpack sm.dll, it's now unpacked

olly is ONLY a debugger

in unpacked sm.dll is more of self changing code. pro cracker? it dont see, that was a "pro" cracker...
it's a feature of execryptor, thats all

tell me why not to crack sm.dll. its good practice for me

it's funny too, but cost more time...
sly2 is offline  
Old 06/18/2007, 17:28   #9
 
elite*gold: 0
Join Date: May 2007
Posts: 106
Received Thanks: 9
OK it's good Yeah cracking is good practice and good challenge for everyone who know something...
OK if you have unpacked sm
I will say my minds like newbie because I don't know how it rename srry..
can you add NOP's in the section then user have get logged. It's something like patch which always is 1 for connection to server
Do you understand my minds ?
SwaDDie is offline  
Old 06/18/2007, 17:42   #10
 
elite*gold: 0
Join Date: Apr 2007
Posts: 45
Received Thanks: 0
sly2 have reason, u can see the debugged code but uncrypt all the code reallocate it in his memory and all its too hard work
iamcnk is offline  
Old 06/18/2007, 19:17   #11
 
elite*gold: 0
Join Date: Apr 2007
Posts: 127
Received Thanks: 15
@iamcnk:
you are almost right, the code is unpacked, you can see really clear code, but parts of the code are morphed (self changing and at other place), look here:

Code:
10004A00  55       PUSH EBP
10004A01  8BEC      MOV EBP,ESP
10004A03  83EC 44     SUB ESP,44   <- to this place all ok
10004A06 - E9 53660300   JMP 1003B05E  <- the really code self making at here
10004A0B  E8 438E0600   CALL 1006D853
10004A10  C6       ???                   ; Unknown command
10004A11  24 97      AND AL,97
10004A13  6368 4A     ARPL WORD PTR DS:[EAX+4A],BP
10004A16  5D       POP EBP
10004A17  04 91      ADD AL,91
10004A19  57       PUSH EDI
10004A1A  E8 61750300   CALL 1003BF80
10004A1F  84C5      TEST CH,AL
10004A21  E6 DA      OUT 0DA,AL
10004A23  4B       DEC EBX
10004A24  0041 B1     ADD BYTE PTR DS:[ECX-4F],AL
10004A27  E8 54750300   CALL 1003BF80
10004A2C  89E9      MOV ECX,EBP
10004A2E  6D       INS DWORD PTR ES:[EDI],DX
10004A2F  1141 0C     ADC DWORD PTR DS:[ECX+C],EAX
10004A32  81C1 8B12FC50  ADD ECX,50FC128B
10004A38 - E9 B8180300   JMP 100362F5
10004A3D  8A00      MOV AL,BYTE PTR DS:[EAX]
10004A3F  8845 F7     MOV BYTE PTR SS:[EBP-9],AL
10004A42  8A45 F6     MOV AL,BYTE PTR SS:[EBP-A]
10004A45  24 07      AND AL,7
10004A47  8845 F5     MOV BYTE PTR SS:[EBP-B],AL
10004A4A  33C0      XOR EAX,EAX
10004A4C - E9 9C700300   JMP 1003BAED
10004A51  E8 51F60300   CALL 100440A7
10004A56  58       POP EAX
10004A57  7B 7B      JPO SHORT 10004AD4
10004A59 ^ 77 E8      JA SHORT 10004A43
10004A5B  17       POP SS
10004A5C  810400 6E4326A0 ADD DWORD PTR DS:[EAX+EAX],A026436E
10004A63  872C24     XCHG DWORD PTR SS:[ESP],EBP
10004A66  52       PUSH EDX
10004A67  E8 69F00300   CALL 10043AD5
10004A6C  390F      CMP DWORD PTR DS:[EDI],ECX
10004A6E  9A E25D00D1 F26>CALL FAR 68F2:D1005DE2
10004A75  BA B60310E9   MOV EDX,E91003B6
10004A7A  B6 0E      MOV DH,0E
10004A7C  04 00      ADD AL,0
10004A7E  E8 0AB40500   CALL 1005FE8D
10004A83 - E9 57850300   JMP 1003CFDF
10004A88 - E9 007A0600   JMP 1006C48D
10004A8D - E9 C6A50300   JMP 1003F058
10004A92  C600 23     MOV BYTE PTR DS:[EAX],23
10004A95  58       POP EAX
10004A96  51       PUSH ECX
10004A97  57       PUSH EDI
10004A98  BF B4BF0510   MOV EDI,1005BFB4
10004A9D - E9 D0120300   JMP 10035D72
10004AA2  89E8      MOV EAX,EBP
10004AA4  81C5 C308D63D  ADD EBP,3DD608C3
10004AAA  81C5 01742DD2  ADD EBP,D22D7401
10004AB0  8B6D 00     MOV EBP,DWORD PTR SS:[EBP]
10004AB3 - E9 8BA40300   JMP 1003EF43
10004AB8  8BD0      MOV EDX,EAX
10004ABA  81E1 D2EEA7F8  AND ECX,F8A7EED2
10004AC0 - E9 64F80500   JMP 10064329
10004AC5  8B45 08     MOV EAX,DWORD PTR SS:[EBP+8]
10004AC8  50       PUSH EAX
10004AC9  837D EC 05   CMP DWORD PTR SS:[EBP-14],5
10004ACD  0F94C0     SETE AL
10004AD0 - E9 D9450600   JMP 100690AE
10004AD5  68 8D95DC9D   PUSH 9DDC958D
10004ADA  871C24     XCHG DWORD PTR SS:[ESP],EBX
10004ADD  8BF3      MOV ESI,EBX
10004ADF  5B       POP EBX
10004AE0  81E6 D3DF249E  AND ESI,9E24DFD3
10004AE6  81F6 40B6AD8B  XOR ESI,8BADB640
10004AEC  81C6 CF245CF8  ADD ESI,F85C24CF
10004AF2  873424     XCHG DWORD PTR SS:[ESP],ESI
10004AF5 - E9 0FF60300   JMP 10044109
10004AFA  03C5      ADD EAX,EBP
10004AFC  81C0 C4259198  ADD EAX,989125C4
10004B02  8B00      MOV EAX,DWORD PTR DS:[EAX]
10004B04  E8 0C1E0300   CALL 10036915
10004B09  56       PUSH ESI
10004B0A ^ E2 AA      LOOPD SHORT 10004AB6
10004B0C  ED       IN EAX,DX
10004B0D  53       PUSH EBX
10004B0E  68 D4670610   PUSH 100667D4
10004B13  E9 20000000   JMP 10004B38
10004B18  B7 92      MOV BH,92
10004B1A  4E       DEC ESI
10004B1B  4E       DEC ESI
10004B1C  836D 85 8B   SUB DWORD PTR SS:[EBP-7B],-75
10004B20  E5 5D      IN EAX,5D
10004B22  C3       RET
@SwaDDie:

sorry NO, you dont change jump's or call's to NOP's

greets

Sly
sly2 is offline  
Old 06/19/2007, 06:18   #12
 
elite*gold: 0
Join Date: May 2007
Posts: 106
Received Thanks: 9
Ok if NOP's not working.. Yeah in memory it's not working.. Hmm so you can create other code which at load moment changes old code to new code... But it will be probably detected by GMGuard...
And that code has been very clear for 0x33 server...
And if your seeing code hops to other position it is very big ****.. Because you can know what that code do then it hops ...
Which disassembler soft you use ?
I'm working with Olly
and for easy stuff use DeDe or PEiD...
And some HexEditor...
SwaDDie is offline  
Old 06/19/2007, 09:30   #13
 
elite*gold: 0
Join Date: Apr 2007
Posts: 127
Received Thanks: 15
dede is for delphi!!!
sm.dll was written in vc++ .net

PEiD can tell you, which packing soft was used...

i prefer lordpe, imprec, relox, rdg, and as debugger ida & olly (with plugins)

greets

Sly
sly2 is offline  
Old 06/19/2007, 16:20   #14
 
elite*gold: 20
Join Date: Mar 2007
Posts: 4,277
Received Thanks: 2,990
It's all about unpacker.
I tried most of em, but the result wasn't what i wanted.
Edit: Thanks sly
PEiD for the win!
InvincibleNoOB is offline  
All times are GMT +2.