-
5. Code substitution II
--------------------------------------------------------------------------------
This is a new feature, but it is also easy to fix using OllyScript. Check this in our CRACKME3.EXE:
0040100C . 50 PUSH EAX
0040100D . 53 PUSH EBX
0040100E . FF15 0000D800 CALL DWORD PTR DS:[D80000]
00401014 . 5B POP EBX
00401015 . 58 POP EAX
The code from 40100C to 401015 was injected in place of the original line below (I saw it in the original exe before packing):
0040100C C705 F9204000 00000000 MOV DWORD PTR DS:[4020F9],0
But this line is executed within that D8???? block. Check the comments below. First we enter the call, then:
00D80004 PUSH EBP
00D80005 PUSH EAX
00D80006 PUSH EBX
00D80007 PUSHFD
00D80008 CALL 00D8000D
00D8000D POP EBP
00D8000E SUB EBP,41B79A <----------------------- Calculating reference value.
00D80014 LEA EAX,DWORD PTR SS:[EBP+41B7CD] <- That value+constant gives pointer to correct value in internal tab.
00D8001A MOV EBX,DWORD PTR DS:[EAX] <-------- That encrypted value is taken.
00D8001C MOV EAX,DWORD PTR DS:[EAX+4] <------ It takes second value.
00D8001F XOR EBX,EAX <-------------------------- Decrypts first one with it, and that is 4020F9.
00D80021 ADD EAX,EBX <-------------------------- And EAX is 0.
00D80023 MOV DWORD PTR DS:[EBX],EAX <-------- So we have MOV DWORD[4020F9],0 here! Rest is not important for us.
00D80025 AND EAX,FFFF0000
00D8002A LEA EBX,DWORD PTR SS:[EBP+41B7C9]
00D80030 MOV EBX,DWORD PTR DS:[EBX]
00D80032 SHR EAX,18
00D80035 CMP EBX,EAX
00D80037 POPFD
00D80038 POP EBX
00D80039 POP EAX
00D8003A POP EBP
00D8003B RETN
Knowing this, I made a new script, "Krypton 0.5 - code pattern II", that will just emulate this and fix our substituted opcodes. You need to edit this script too.
-
6. Code substitution III
--------------------------------------------------------------------------------
This is also a new feature; it substitutes this kind of opcode:
00401066 833D A0214000 12 CMP DWORD PTR DS:[4021A0],12
With this:
00401066 FF15 0000E000 CALL DWORD PTR DS:[E00000]
0040106C 90 NOP
And within that call, it will emulate the execution of that opcode. Inside there is a little more code, so I will show just the important lines:
00E0000D POP EBP
00E0000E SUB EBP,41B7E6
00E00014 LEA EAX,DWORD PTR SS:[EBP+41B7F7] <--- Again the reference value/pointer is calculated.
00E00031 MOV EBX,DWORD PTR DS:[EAX] <---------- Take encrypted value.
00E00039 MOV EAX,DWORD PTR DS:[EAX+4] <-------- Take second value.
00E00041 XOR EBX,EAX <---------------------------- Decrypt it. EBX will be 4021A0.
00E0004B ADD EAX,EBX <---------------------------- In EAX it must get that 12 byte so calculate...
00E00055 AND EAX,FFFF0000 <---------------------- ...calculate...
00E00067 MOV EBX,DWORD PTR DS:[EBX] <---------- EBX=DWORD PTR DS:[4021A0] now.
00E00075 SHR EAX,18 <----------------------------- ...calculate...
00E00089 CMP EBX,EAX <--------------------------- And here it is, emulation of that comparing.
00E000BB POP EBX <-------------------------------- Restoring values and returning.
00E000BC POP EAX
00E000BD POP EBP
00E000BE RETN
That's it! Now we can make a script that emulates this and writes the original instruction into our exe. That script is "Krypton 0.5 - code pattern III fixer script". You need to edit this script too.
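Offline reconstruction of both substituted patterns, as an added Python example that is not part of this tutorial or of the author's OllyScripts: the 8-byte table entries and the code buffer are constructed here, and the pointer-slot-to-entry map stands in for Krypton's allocated block. Only the XOR/ADD/AND/SHR arithmetic mirrors the stubs listed in sections 5 and 6.

```python
import struct

def decode_entry(entry):
    """entry: the 8 bytes the stub reads at EBP+constant (encrypted
    address, then key).  Returns (ebx, eax) as the stub computes them."""
    enc, key = struct.unpack("<II", entry)
    ebx = enc ^ key                        # XOR EBX,EAX -> target address
    eax = (key + ebx) & 0xFFFFFFFF         # ADD EAX,EBX -> value material
    return ebx, eax

def make_entry(address, eax_wanted):
    """Inverse of decode_entry; only used here to build constructed test data."""
    key = (eax_wanted - address) & 0xFFFFFFFF
    return struct.pack("<II", address ^ key, key)

def rebuild_pattern_ii(entry):
    # MOV DWORD PTR DS:[ebx],eax  ->  C7 05 <addr32> <imm32>  (10 bytes, like the stub)
    ebx, eax = decode_entry(entry)
    return b"\xC7\x05" + struct.pack("<II", ebx, eax)

def rebuild_pattern_iii(entry):
    # CMP DWORD PTR DS:[ebx],imm8 ->  83 3D <addr32> <imm8>  (7 bytes, like CALL+NOP)
    ebx, eax = decode_entry(entry)
    imm8 = (eax & 0xFFFF0000) >> 0x18      # AND EAX,FFFF0000 ; SHR EAX,18
    return b"\x83\x3D" + struct.pack("<I", ebx) + bytes([imm8])

def fix_code(code, tables):
    """Scan a code-section image for both stub shapes and patch the original
    bytes back in.  tables maps the CALL's pointer slot to the 8-byte entry its
    stub reads (a stand-in for the allocated block).  Returns (bytes, fixes)."""
    buf = bytearray(code)
    fixes = 0
    i = 0
    while i < len(buf):
        # Pattern II: PUSH EAX; PUSH EBX; CALL DWORD PTR [slot]; POP EBX; POP EAX
        if (i + 10 <= len(buf) and buf[i:i+4] == b"\x50\x53\xFF\x15"
                and buf[i+8:i+10] == b"\x5B\x58"):
            slot = struct.unpack_from("<I", buf, i + 4)[0]
            if slot in tables:
                buf[i:i+10] = rebuild_pattern_ii(tables[slot])
                fixes += 1
                i += 10
                continue
        # Pattern III: CALL DWORD PTR [slot]; NOP
        if i + 7 <= len(buf) and buf[i:i+2] == b"\xFF\x15" and buf[i+6] == 0x90:
            slot = struct.unpack_from("<I", buf, i + 2)[0]
            if slot in tables:
                buf[i:i+7] = rebuild_pattern_iii(tables[slot])
                fixes += 1
                i += 7
                continue
        i += 1
    return bytes(buf), fixes

# Constructed sample: the two stubs from the listings above, back to back.
SAMPLE_TABLES = {
    0x00D80000: make_entry(0x4020F9, 0x00000000),  # MOV DWORD PTR [4020F9],0
    0x00E00000: make_entry(0x4021A0, 0x12000000),  # CMP DWORD PTR [4021A0],12
}
SAMPLE_CODE = (b"\x50\x53\xFF\x15\x00\x00\xD8\x00\x5B\x58"   # pattern II stub
               + b"\xFF\x15\x00\x00\xE0\x00\x90"             # pattern III stub
               + b"\x75\xC8")                                # JNZ that follows it
```

fix_code(SAMPLE_CODE, SAMPLE_TABLES) returns the MOV and CMP bytes shown in the listings above with the trailing JNZ untouched; the OllyScripts at the end of the tutorial do the same job inside the debugger, reading the real table through the stub's EBP-relative constants.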
Now you can use all those scripts: edit them a little, find the OEP in CRACKME3.EXE, run all the scripts we mentioned and fix the image. Then dump the file and rebuild the IAT with ImpREC. That is it! The dumped file will work OK.
But there are still two kinds of encryption that we didn't see in this crackme. More about that in chapter 7.
-
7. On-the-fly code decryption/encryption
--------------------------------------------------------------------------------
This on-the-fly or runtime decryption/encryption is nothing new in the world of protectors. You will not find it in CRACKME3.EXE because the source code needs to have markers so Krypton knows which code blocks it needs to encrypt. I tried to modify some sources, but the files just crashed after protecting; obviously this feature is still buggy. But I will describe it on another example: Krypton.exe itself has this kind of encryption.
There are two kinds of markers that Krypton uses, crypt and clear. In both cases certain code blocks are still encrypted after the file is unpacked and the OEP code is being executed. An example of such a code block is below (the picture is taken from Krypton.exe version 0.5):
The picture shows the OEP of Krypton.exe. At 401025 you see the call to the algorithm that will decrypt the code below it. Below the call you can see a block of junk code; that is the encrypted original code. Krypton will decrypt that code block, but not in the main image; it will decrypt it in some other virtual block. There it will execute that code and then jump back to continue normal work. There is one difference between the clear and crypt algorithms. Both algos are the same, only the clear algorithm will erase the encrypted code block after using it. The clear option is used only for code that can be executed only once. The crypt option will leave it so that the code block can be executed more than once. Let's continue our example; what do we have here:
00401000 PUSH 0
00401002 CALL Krypton.00403A9D
00401007 MOV DWORD PTR DS:[4063B5],EAX
0040100C PUSH Krypton.0040682C
00401011 CALL Krypton.00403A91
00401016 CALL Krypton.00403AA3
0040101B PUSH 1E426 <---------------------- Parameter for decrypting.
00401020 PUSH 0B070C <--------------------- Second one.
00401025 CALL DWORD PTR DS:[B20000] <------ Decryptor call.
0040102B INTO <---------------------------- Start of encrypted code.
0040102C POP SS
0040102D SBB EAX,A9CBEDB6
00401032 SAHF
...
...
...
004010F7 INS BYTE PTR ES:[EDI],DX
004010F8 AAM 0D
004010FA LOOPDNE SHORT Krypton.00401135
004010FC MOV CH,1A
004010FE XCHG DWORD PTR SS:[ESP+69DFE2D8],ECX
00401105 INC EBP
00401106 XOR AL,8C
00401108 AAM 90
0040110A NOP
0040110B NOP
0040110C PUSH Krypton.00405452
00401111 CALL DWORD PTR DS:[3C8476]
00401117 CALL Krypton.00403B5D
If you enter the decryptor call at 401025, you will find an algorithm similar to the one in IAT redirection or code obfuscation. Below are only the important opcodes; junk is removed:
00B20014 POP EBP
00B20015 SUB EBP,416B3B
00B2001B MOV ESI,DWORD PTR SS:[EBP+416E1F]
00B20045 XOR DWORD PTR SS:[ESP+20],ESI
00B2006B XOR WORD PTR SS:[ESP+24],SI
00B20092 MOV ECX,DWORD PTR SS:[ESP+20]
00B200B8 MOV EBX,DWORD PTR SS:[ESP+24]
00B200E3 LEA EDI,DWORD PTR SS:[EBP+417248]
00B20110 MOV ESI,EAX
00B20139 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
00B2015C MOV ECX,EDI
00B20184 ADD ECX,6
00B201AF MOV DWORD PTR DS:[EDI],25FF
00B201D4 MOV DWORD PTR DS:[EDI+2],ECX
00B201FD MOV DWORD PTR DS:[EDI+6],ESI
00B2021F MOV EBX,DWORD PTR SS:[ESP+24]
00B2024B AND EBX,FFFF0000
00B20278 CMP EBX,10000
00B202A5 JNZ 00B20443
00B20347 MOV ECX,DWORD PTR SS:[ESP+20]
00B2036C MOV ESI,EAX
00B2038E DEC ESI
00B203D5 INC ESI
00B203F6 MOV BYTE PTR DS:[ESI],0 <------------ Erase code in exe.
00B2041F LOOPDNE SHORT 00B203B5 <------------- Do that until ECX=0 (jump to INC ESI)
00B2046A MOV EBX,DWORD PTR SS:[ESP+24]
00B20493 MOV ECX,DWORD PTR SS:[ESP+20]
00B204B8 LEA EDI,DWORD PTR SS:[EBP+417248]
00B204E3 XOR EAX,EAX
00B20508 MOV AX,BX
00B20554 NEG CL
00B20577 ADD BYTE PTR DS:[EDI],CL
00B2059B XOR BYTE PTR DS:[EDI],CL
00B205BE ROL BYTE PTR DS:[EDI],CL
00B205E3 NEG CL
00B20606 SUB BYTE PTR DS:[EDI],AL
00B20629 ADD BYTE PTR DS:[EDI],AH
00B20653 XOR BYTE PTR DS:[EDI],AL
00B20674 ROL BYTE PTR DS:[EDI],CL
00B2069C XOR BYTE PTR DS:[EDI],AH
00B206E6 LOOPDNE SHORT 00B206EA
Ok, the code snippet above is the whole algorithm that does this decrypting, but I will explain only what happens to our encrypted code.
First, the encrypted code is copied to the allocated block:
00B20139 F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
Then it is decrypted there:
00B20721 50 PUSH EAX
00B20722 8BF8 MOV EDI,EAX
00B20724 32C0 XOR AL,AL
00B20726 B9 FFFFFFFF MOV ECX,-1
00B2072B F2:AE REPNE SCAS BYTE PTR ES:[EDI]
00B2072D F7D9 NEG ECX
00B2072F 49 DEC ECX
00B20730 5E POP ESI ; Krypton.00401108
00B20731 8BD9 MOV EBX,ECX
00B20733 BF 1F564000 MOV EDI,40561F
00B20738 F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[>
00B2073A 8BC3 MOV EAX,EBX
00B2073C 33DB XOR EBX,EBX
00B2073E 33C9 XOR ECX,ECX
00B20740 BE 1F564000 MOV ESI,40561F
00B20745 803E 22 CMP BYTE PTR DS:[ESI],22
00B20748 75 01 JNZ SHORT 00B2074B
00B2074A 46 INC ESI ; Krypton.00401108
00B2074B 4E DEC ESI ; Krypton.00401108
00B2074C 49 DEC ECX
00B2074D 41 INC ECX
00B2074E 46 INC ESI ; Krypton.00401108
00B2074F 803E 2E CMP BYTE PTR DS:[ESI],2E
00B20752 ^75 F9 JNZ SHORT 00B2074D
00B20754 83C6 04 ADD ESI,4
00B20757 83C1 04 ADD ECX,4
00B2075A 55 PUSH EBP
00B2075B 8BE8 MOV EBP,EAX
00B2075D 803E 20 CMP BYTE PTR DS:[ESI],20
00B20760 75 05 JNZ SHORT 00B20767
00B20762 BB 01000000 MOV EBX,1
00B20767 8BD1 MOV EDX,ECX
00B20769 2BF1 SUB ESI,ECX
00B2076B BF AF544000 MOV EDI,4054AF
00B20770 F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[>
00B20772 8BCA MOV ECX,EDX
00B20774 890D 4E544000 MOV DWORD PTR DS:[40544E],ECX
00B2077A 8305 4E544000 03 ADD DWORD PTR DS:[40544E],3
00B20781 2BF1 SUB ESI,ECX
00B20783 BF 4A534000 MOV EDI,40534A
00B20788 F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[>
00B2078A C607 20 MOV BYTE PTR DS:[EDI],20
00B2078D C647 01 25 MOV BYTE PTR DS:[EDI+1],25
00B20791 C647 02 31 MOV BYTE PTR DS:[EDI+2],31
00B20795 8BCA MOV ECX,EDX
00B20797 8BD6 MOV EDX,ESI ; Krypton.00401108
00B20799 BE AF544000 MOV ESI,4054AF
00B2079E BF 35764000 MOV EDI,407635
00B207A3 F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[>
00B207A5 4F DEC EDI
00B207A6 803F 5C CMP BYTE PTR DS:[EDI],5C
00B207A9 ^75 FA JNZ SHORT 00B207A5
00B207AB 47 INC EDI
00B207AC B9 0C000000 MOV ECX,0C
00B207B1 BE 39774000 MOV ESI,407739 ; ASCII "Krypton.cfg"
00B207B6 F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[>
00B207B8 C607 00 MOV BYTE PTR DS:[EDI],0
00B207BB 8BF2 MOV ESI,EDX
00B207BD 85DB TEST EBX,EBX
00B207BF 74 28 JE SHORT 00B207E9
00B207C1 83C6 01 ADD ESI,1
00B207C4 8BC6 MOV EAX,ESI ; Krypton.00401108
00B207C6 8BDE MOV EBX,ESI ; Krypton.00401108
00B207C8 50 PUSH EAX
00B207C9 8BF8 MOV EDI,EAX
00B207CB 32C0 XOR AL,AL
00B207CD B9 FFFFFFFF MOV ECX,-1
00B207D2 F2:AE REPNE SCAS BYTE PTR ES:[EDI]
00B207D4 F7D9 NEG ECX
00B207D6 49 DEC ECX
00B207D7 5E POP ESI ; Krypton.00401108
00B207D8 BF 7F574000 MOV EDI,40577F
00B207DD F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[>
00B207DF C705 466E4000 01>MOV DWORD PTR DS:[406E46],1
00B207E9 8F05 0C684000 POP DWORD PTR DS:[40680C]
00B207EF EB 0E JMP SHORT 00B207FF
00B207F1 4B DEC EBX
00B207F2 44 INC ESP
00B207F3 45 INC EBP
00B207F4 45 INC EBP
00B207F5 0000 ADD BYTE PTR DS:[EAX],AL
00B207F7 0000 ADD BYTE PTR DS:[EAX],AL
00B207F9 0000 ADD BYTE PTR DS:[EAX],AL
00B207FB 0000 ADD BYTE PTR DS:[EAX],AL
00B207FD 0000 ADD BYTE PTR DS:[EAX],AL
00B207FF -FF25 0508B200 JMP DWORD PTR DS:[B20805] ; Krypton.00401109
00B20805 0911 OR DWORD PTR DS:[ECX],EDX
00B20807 40 INC EAX
00B20808 0000 ADD BYTE PTR DS:[EAX],AL
00B2080A 0000 ADD BYTE PTR DS:[EAX],AL
00B2080C 0000 ADD BYTE PTR DS:[EAX],AL
And then the protector jumps to that block and executes that code from there:
00B20717 5D POP EBP
00B20718 5F POP EDI
00B20719 5E POP ESI ; Krypton.00401108
00B2071A 59 POP ECX
00B2071B 5B POP EBX
00B2071C 9D POPFD
00B2071D 58 POP EAX
00B2071E 83C4 0C ADD ESP,0C
00B20721 50 PUSH EAX
00B20722 8BF8 MOV EDI,EAX
00B20724 32C0 XOR AL,AL
00B20726 B9 FFFFFFFF MOV ECX,-1
00B2072B F2:AE REPNE SCAS BYTE PTR ES:[EDI]
00B2072D F7D9 NEG ECX
00B2072F 49 DEC ECX
00B20730 5E POP ESI ; Krypton.00401108
00B20731 8BD9 MOV EBX,ECX
00B20733 BF 1F564000 MOV EDI,40561F
00B20738 F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
00B2073A 8BC3 MOV EAX,EBX
...
...
After execution it will jump to the target code:
00B207DD F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
00B207DF C705 466E4000 01>MOV DWORD PTR DS:[406E46],1
00B207E9 8F05 0C684000 POP DWORD PTR DS:[40680C]
00B207EF EB 0E JMP SHORT 00B207FF
00B207F1 4B DEC EBX
00B207F2 44 INC ESP
00B207F3 45 INC EBP
00B207F4 45 INC EBP
00B207F5 0000 ADD BYTE PTR DS:[EAX],AL
00B207F7 0000 ADD BYTE PTR DS:[EAX],AL
00B207F9 0000 ADD BYTE PTR DS:[EAX],AL
00B207FB 0000 ADD BYTE PTR DS:[EAX],AL
00B207FD 0000 ADD BYTE PTR DS:[EAX],AL
00B207FF -FF25 0508B200 JMP DWORD PTR DS:[B20805] ; Krypton.00401109
00B20805 0911 OR DWORD PTR DS:[ECX],EDX
00B20807 40 INC EAX
00B20808 0000 ADD BYTE PTR DS:[EAX],AL
00B2080A 0000 ADD BYTE PTR DS:[EAX],AL
00B2080C 0000 ADD BYTE PTR DS:[EAX],AL
And there you can see that all the code before it is erased:
So how could we fix that? Simply with binary copy-pasting. The problem would be if there are a lot of these patterns: we would have to find them all and then force the exe to decrypt each block. I was planning to write a script that could decrypt all blocks, like I made for the IAT and the rest of the CODE tricks, but the plugin at that time didn't support byte operands and some instructions like ROL, ROR, NEG, etc., so I couldn't make it. Today's new plugin supports some new operations and maybe it is possible to write such a script, but I lost interest in that.
-
And that was all for this tutorial about Krypton 0.5. This protector is a really good one, but it should be more stable. It was very fun to see what is going on inside. I unpacked it with big help from the OllyScript plugin, but there could be another approach. When Krypton unpacks the file in memory, it marks all calls that should point to some K-Execution with flags in dwords. Flags are from 0 to 5. Based on that flag it knows what kind of redirection needs to be placed in that block. It is possible to force Krypton to decrypt its code so there is no need for scripts. I couldn't find that way, but you could try to dig something there.
The scripts for this crack are in the following posts ...
-
Krypton 0.5 - OEP finder
This script will find the OEP of a target packed with Krypton 0.5. It does not require any editing. Just copy the code below into some text file, name it somehow and use it.
var VirtualAlloc
var start
var OEPI
var OEPII
msg "Ignore ALL exceptions and remove ALL breakpoints!!!"
gpa "VirtualAlloc","kernel32.dll"
cmp $RESULT,0
je error
mov VirtualAlloc,$RESULT
add VirtualAlloc,1
bp VirtualAlloc
esto
bc eip
rtr
bp eip
esto
bc eip
mov start,eax
bprm start,1
esto
esto
bpmc
find eip,#C3EB1EDF694E58DF5972F5EB01DF73F0DF599C83C1E79DFFE1EB0D51E8F0FFFFFFE801000000#
cmp $RESULT,0
je error
mov OEPI,$RESULT
bphws OEPI,"x"
findop eip,#8B9513784400#
cmp $RESULT,0
je error
mov OEPII,$RESULT
add OEPII,2D
bphws OEPII,"x"
esto
bphwc OEPI
bphwc OEPII
sti
an eip
ret
error:
msg "ERROR! Sorry but some error occured :("
ret
-
Krypton 0.3/0.5 - script for standard IAT redirection
This is my old script from the Krypton 0.3 tutorial. Both packer versions use this same algo. This script doesn't require editing, but it asks you for the address of the block where the obfuscated imports are. Copy the text below to some text file and use it as a normal Olly script.
/*
=========================================================
Krypton 0.3/0.5 - script for standard IAT redirection
=========================================================
*/
var addr
var section
var x
var y
ask "Enter base address of redirected IAT section:"
cmp $RESULT,0
je exit
mov section,$RESULT
//First pattern:
mov addr,section
ADD_SUB:
find addr,#8105????????????????A1????????812D????????????????FFE0#
cmp $RESULT,0
je next
mov addr,$RESULT
add addr,2
mov x,[addr]
mov x,[x]
add addr,4
mov y,[addr]
add x,y
mov [$RESULT],000000e9
add $RESULT,1
sub x,$RESULT
sub x,4
mov [$RESULT],x
add $RESULT,4
fill $RESULT,1a,90
jmp ADD_SUB
//Second pattern:
next:
mov addr,section
XOR_XOR:
find addr,#8135????????????????A1????????8135????????????????FFE0#
cmp $RESULT,0
je exit
mov addr,$RESULT
add addr,2
mov x,[addr]
mov x,[x]
add addr,4
mov y,[addr]
xor x,y
mov [$RESULT],000000e9
add $RESULT,1
sub x,$RESULT
sub x,4
mov [$RESULT],x
add $RESULT,4
fill $RESULT,1a,90
jmp XOR_XOR
exit:
ret
-
Krypton 0.5 - KProtection on API fixer script
This script will fix KProtection redirection, but it needs to be manually edited by the user. Also, I have assumed that the packed file has image base 400000 and that the code section is at 401000. You can change all that in case your file is different, but for most files this will be OK.
/*
=========================================================
Krypton 0.5 , K-Protection on API - fixer script v0.1
=========================================================
This script is ripped from Krypton's "K-Protect on API"
code. It will fix those CALL DWORD[xxxxxxxx] (where
xxxxxxxx is pointer to K-Protection on API code) to
JMP DWORD[yyyyyyyy] (where yyyyyyyy is pointer to
correct values in import section). After using this
script, use first one for standard IAT redirection and
then use ImpREC to grab imports.
Limitations: you need to manually edit the script for any
new target; I assumed that the image base is 400000;
the script will probably be very slow on bigger files.
Regards, haggar.
==========================================================
*/
var reax
var rebx
var recx
var redx
var rebp
var redi
var temp
var addr
var start
var imp
mov addr,401000
SearchCalls:
findop addr,#FF157A843C00# //Find import calls, you need to edit this for new targets.
cmp $RESULT,0
je exit
mov addr,$RESULT
mov recx,$RESULT //ECX= address of our call
mov start,$RESULT
add start,2
mov start,[start]
mov start,[start]
find start,#5D81ED7CBD4100#
cmp $RESULT,0
je error
mov rebp,$RESULT
sub rebp,41BD7C
mov reax,rebp
add reax,42617D
mov rebx,42614D
add rebx,rebp
LABEL_01:
mov redx,[reax]
xor redx,[rebx]
sub redx,recx
cmp redx,0
je LABEL_02
add reax,0A
jmp LABEL_01
LABEL_02:
mov redx,reax
add redx,4
mov redx,[redx]
xor redx,[rebx]
mov temp,redx
and temp,0FF
cmp temp,0
jne error
mov redi,1
shr redx,10
mov recx,redx
mov temp,reax
add temp,8
mov temp,[temp]
and temp,0FFFF
and redx,0FFFF0000
add redx,temp
xor redx,[rebx]
and redx,0FFFF
shl redx,10
or redx,recx
mov reax,redx
cmp redi,0
je error
mov imp,addr
mov [imp],000025FF
add imp,2
mov [imp],reax
jmp SearchCalls
exit:
ret
error:
msg "ERROR!"
ret
-
Krypton 0.5 - script for fixing code pattern I
This script will fix those replaced 6-byte code patterns like
00401139 . FF15 76843D00 CALL DWORD PTR DS:[3D8476]
to original bytes.
/*
=============================================================
Krypton 0.5 - script for fixing code pattern I
=============================================================
*/
var reax
var rebx
var recx
var redx
var rebp
var temp
var addr
var start
mov addr,401000 //I have assumed that code section is at this address.
SearchCalls:
findop addr,#FF1576843C00# //Find signature of decryptor call. You need to edit this part.
cmp $RESULT,0
je exit
mov addr,$RESULT
mov recx,$RESULT
mov start,$RESULT //Find start of algorithm code (this is slowing script, but f*** it).
add start,2
mov start,[start]
mov start,[start]
find start,#5D81ED4FB84100# //Find reference address (slowing again).
cmp $RESULT,0
je error
mov rebp,$RESULT
sub rebp,41B84F //First constant.
//-------- OK, now find pointers to values -----------------
mov reax,rebp //Pointer to encrypted reference value.
add reax,41C509
mov rebx,41C4C0
add rebx,rebp
LABEL_01:
mov redx,[reax] //Taking encrypted reference value.
xor redx,[rebx] //Decrypting it.
sub redx,recx //Compare them.
cmp redx,0
je LABEL_02 //If match, go to decryption code.
add reax,0A
jmp LABEL_01
LABEL_02:
mov redx,reax
add redx,4
mov redx,[redx]
xor redx,[rebx]
mov [recx],redx //Place original dword in packed app.
and redx,0FFFF0000
mov temp,reax
add temp,8
mov temp,[temp]
and temp,0FFFF
add redx,temp
xor redx,[rebx] //Decrypt it.
and redx,0FFFF
mov temp,recx
add temp,4
and [temp],0FFFF0000
add [temp],redx
jmp SearchCalls
exit:
ret
error:
msg "ERROR! Oooops, some error has occured :("
ret
-
Krypton 0.5 - code pattern II
var reax
var rebx
var rebp
var addr
mov addr,401000 //Assumed that code section starts from here. You can edit this.
SearchCalls:
find addr,#5053FF15????E0005B58# //You need to edit this ????D800 signature.
cmp $RESULT,0
je exit
mov addr,$RESULT
add $RESULT,4
mov $RESULT,[$RESULT]
mov $RESULT,[$RESULT]
find $RESULT,#5D81ED9AB74100#
cmp $RESULT,0
je error
mov rebp,$RESULT
sub rebp,41B79A
mov reax,rebp
add reax,41B7CD
mov rebx,[reax]
add reax,4
mov reax,[reax]
xor rebx,reax
add reax,rebx
mov [addr],05C7
add addr,2
mov [addr],rebx
add addr,4
mov [addr],reax
jmp SearchCalls
exit:
ret
error:
msg "ERROR! Sorry but some error occured :("
ret
-
Krypton 0.5 - code pattern III fixer script
This script should find and fix this kind of code replacement:
00401066 FF15 0000E000 CALL DWORD PTR DS:[E00000]
0040106C 90 NOP
0040106D 75 C8 JNZ SHORT packed.00401037
to the original one:
00401066 833D A0214000 12 CMP DWORD PTR DS:[4021A0],12
0040106D 75 C8 JNZ SHORT Copy_of_.00401037
You need to edit one part of the script (change the signature that is the base
of the allocated memory block).
/*
====================================================================
Krypton 0.5 - code III fixer script
====================================================================
*/
var reax
var rebx
var rebp
var temp
var addr
mov addr,401000
SearchCalls:
find addr,#FF15????E80090#
cmp $RESULT,0
je exit
mov addr,$RESULT
add $RESULT,2
mov $RESULT,[$RESULT]
mov $RESULT,[$RESULT]
find $RESULT,#5D81EDE6B74100#
cmp $RESULT,0
je error
mov rebp,$RESULT
sub rebp,41B7E6
mov reax,rebp
add reax,41B7F7
mov rebx,[reax]
add reax,4
mov reax,[reax]
xor rebx,reax
add reax,rebx
and reax,0FFFF0000
shr reax,18
add addr,7
mov temp,[addr]
sub addr,7
mov [addr],3D83
add addr,2
mov [addr],rebx
add addr,4
mov [addr],reax
add addr,1
mov [addr],temp
jmp SearchCalls
exit:
ret
error:
msg "Ooo sh** >:-( ! Sorry but some error has ocurred :("
ret