Understanding what API functions are used in EXECryptor October 31, 2007 Posted by reversengineering in OTHER, TOOLS.
Here you will find how a list of API functions and their hashes can be useful when researching EXECryptor.
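Protectors that resolve imports by hash leave only 32-bit constants in the code, so a name-to-hash table over the Win32 exports is what turns those constants back into API names. The script below is an added example, not code from the original post or from the downloadable list; the hash routine is an assumed ROR-13 style hash used purely as a stand-in, since the page does not give EXECryptor's actual algorithm, and the API list is a constructed sample.

```python
# Added example: build a name -> hash table for Win32 API names and look up hash
# constants found while disassembling a protector. The ROR-based hash is an
# ASSUMPTION (a common shellcode-style hash), not EXECryptor's real algorithm.

# Constructed sample of API names; in practice feed it every export of the
# DLLs the protector touches (kernel32, ntdll, user32, ...).
API_NAMES = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualProtect",
    "IsDebuggerPresent", "CheckRemoteDebuggerPresent",
    "NtQueryInformationProcess", "CreateFileA", "DeviceIoControl",
    "ExitProcess",
]

MASK32 = 0xFFFFFFFF


def ror32(value, count):
    """Rotate a 32-bit value right by `count` bits."""
    value &= MASK32
    return ((value >> count) | (value << (32 - count))) & MASK32


def api_hash(name, shift=13):
    """Assumed hash: h = ror32(h, shift) + byte, over the ASCII name."""
    h = 0
    for b in name.encode("ascii"):
        h = (ror32(h, shift) + b) & MASK32
    return h


def build_hash_table(names, shift=13):
    """Map hash -> name; refuse silently merging two names onto one hash."""
    table = {}
    for n in names:
        h = api_hash(n, shift)
        if h in table and table[h] != n:
            raise ValueError(f"hash collision: {table[h]} / {n}")
        table[h] = n
    return table


def resolve_hash(table, constant):
    """Return the API name for a constant seen in the disassembly, or None."""
    return table.get(constant & MASK32)


def guess_shift(names, constant):
    """If the rotate count is unknown, try every count and report which
    (shift, name) pairs reproduce the constant."""
    hits = []
    for shift in range(1, 32):
        for n in names:
            if api_hash(n, shift) == constant:
                hits.append((shift, n))
    return hits


if __name__ == "__main__":
    table = build_hash_table(API_NAMES)
    for h, n in sorted(table.items()):
        print(f"{h:08x}  {n}")
    # A constant pulled from the disassembly would be resolved like this:
    print(resolve_hash(table, api_hash("GetProcAddress")))
```

With a full export list, `resolve_hash` turns each immediate that feeds the protector's resolver into a name, and `guess_shift` helps recover the rotate count when only the constants and a few known targets are in hand.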
As you may know, StrongBit recently released a new version of EXECryptor, 2.4.1, with improved anti-debugging and anti-tracing features. While unpacking its console part, I noticed that it detects my debugger (a patched OllyDbg with the PhantOm plugin).
So let's imagine that we are trying to understand this new anti-debug trick. We unpack the console part (EXECrypt.exe), or just dump it while it is running, and then start analysing it in IDA.
PhantOm consists of two drivers, named FRDTSC and EXTREMEHIDE, that are loaded and used to hide OllyDbg. So, first of all, we search for these strings in IDA, and of course we find them. Then we look at where these strings are used and find an interesting procedure that works with the PhantOm drivers' names...
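Before the cross-reference step, it helps to know exactly where in the dump the driver names sit, in both ASCII and UTF-16LE, since a protector may keep them in either form. The scanner below is an added example, not the author's code; the dump bytes are constructed inline, and the image base used to turn a file offset into the address IDA shows is an assumed value.

```python
# Added example: locate the PhantOm driver-name strings in a memory dump so the
# resulting addresses can be cross-referenced in IDA. Matching is
# case-insensitive and covers both ASCII and UTF-16LE encodings.

DRIVER_NAMES = ["FRDTSC", "EXTREMEHIDE"]  # names given on the page

# Constructed sample dump: one ASCII name, one UTF-16LE name, some filler.
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"FRDTSC\x00"
    + b"junk"
    + "ExtremeHide".encode("utf-16-le")
    + b"\x00\x00"
)

IMAGE_BASE = 0x400000  # ASSUMED base for the dumped image


def find_strings(blob, needles):
    """Return sorted (offset, encoding, name) tuples for every occurrence of
    each needle, ignoring case, in ASCII and UTF-16LE form."""
    lowered = blob.lower()  # bytes.lower() only touches ASCII letters
    hits = []
    for name in needles:
        variants = (
            (name.lower().encode("ascii"), "ascii"),
            (name.lower().encode("utf-16-le"), "utf16le"),
        )
        for needle, label in variants:
            start = 0
            while True:
                i = lowered.find(needle, start)
                if i < 0:
                    break
                hits.append((i, label, name))
                start = i + 1
    return sorted(hits)


def to_va(offset, image_base=IMAGE_BASE):
    """Offset in a raw memory dump -> virtual address, assuming the dump was
    taken at `image_base` with sections laid out as in memory."""
    return image_base + offset


def report(blob, needles, image_base=IMAGE_BASE):
    """Human-readable lines, one per hit, ready to paste next to IDA xrefs."""
    return [
        f"{to_va(off, image_base):08x} {enc:8s} {name}"
        for off, enc, name in find_strings(blob, needles)
    ]


if __name__ == "__main__":
    for line in report(SAMPLE_DUMP, DRIVER_NAMES):
        print(line)
```

Run it over the real dump (read the file into `blob`) and jump to each reported address in IDA; the cross-references from there lead to the procedure that consumes the driver names.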
Download it from http://www.box.net/shared/pnqxu5nvq6 (7-Zip, 50 kB).
I hope it will be useful for you.