
Understanding what API-functions are used in EXECryptor October 31, 2007

Posted by reversengineering in OTHER, TOOLS.

FROM:

http://kioresk.wordpress.com/2007/10/20/execryptor_api_hashs/#more-9

Here you will see how a list of API functions and their hashes can be useful when researching EXECryptor.

As you may know, StrongBit recently released a new version of EXECryptor, 2.4.1, with improved anti-debugging and anti-tracing features. While unpacking the console part of it, I noticed that it detects my debugger (patched OllyDbg with the PhantOm plugin).

So let's imagine that we are trying to understand this new anti-debug trick. We'll unpack the console part (EXECrypt.exe), or just dump it while it is running, and then start to analyze it in IDA.

PhantOm consists of two drivers named FRDTSC and EXTREMEHIDE, which are loaded and used to hide OllyDbg. So first of all we'll search for these strings in IDA, and of course we will find them. Then we will look at where these strings are used and find an interesting procedure that works with the PhantOm driver names...
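The post's point is that once the protector's API-hash list is known, an analyst can turn the opaque 32-bit constants in a dump back into API names and see which checks (debugger detection, driver enumeration and so on) a procedure performs. The script below is an added example, not code from the original post or from StrongBit; the post does not state EXECryptor's hash algorithm, so the ROR-13 name hash used here is a placeholder assumption, and the export-name list and the "dump" buffer are constructed inline.

```python
"""
Added example (not from the original post or from EXECryptor itself):
resolving hashed API names found in a dumped binary back to readable names.

Assumptions, labelled here because the post does not state them:
  * ror13_hash is a generic placeholder name hash, NOT EXECryptor's algorithm.
  * API_NAMES and make_sample_dump() are constructed sample data.
"""
import struct

MASK32 = 0xFFFFFFFF


def ror13_hash(name: str) -> int:
    """Placeholder hash: rotate-right-13 and add each ASCII byte of the name."""
    h = 0
    for ch in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & MASK32
        h = (h + ch) & MASK32
    return h


# Constructed list of export names an analyst might feed in (kernel32/ntdll style).
API_NAMES = [
    "IsDebuggerPresent",
    "CheckRemoteDebuggerPresent",
    "NtQueryInformationProcess",
    "GetTickCount",
    "LoadLibraryA",
    "GetProcAddress",
]


def build_hash_table(names):
    """Map hash -> [names]; a list per hash makes collisions visible to the analyst."""
    table = {}
    for n in names:
        table.setdefault(ror13_hash(n), []).append(n)
    return table


def resolve_hashes(buf: bytes, table, step: int = 1):
    """Scan a byte buffer for 32-bit little-endian dwords that match known hashes.

    Returns a list of (offset, hash, candidate_names). step=1 catches unaligned
    constants; use step=4 on data that is known to be dword-aligned.
    """
    hits = []
    for off in range(0, len(buf) - 3, step):
        (val,) = struct.unpack_from("<I", buf, off)
        if val in table:
            hits.append((off, val, table[val]))
    return hits


def make_sample_dump() -> bytes:
    """Constructed stand-in for a dumped section: padding, two hashed names, padding."""
    return (
        b"\x90" * 4
        + struct.pack("<I", ror13_hash("IsDebuggerPresent"))
        + b"\x00" * 3
        + struct.pack("<I", ror13_hash("NtQueryInformationProcess"))
        + b"\xcc" * 5
    )


if __name__ == "__main__":
    table = build_hash_table(API_NAMES)
    for off, h, names in resolve_hashes(make_sample_dump(), table):
        print(f"offset 0x{off:04x}: hash 0x{h:08x} -> {', '.join(names)}")
```

In practice the table would be built from the export names of the DLLs the protected program imports, and the hits would be applied as comments in IDA next to the constants; a hash with more than one candidate name should be left ambiguous rather than guessed.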

Download it from http://www.box.net/shared/pnqxu5nvq6 (7-Zip, 50 kB).

Hope it will be useful for you.
