jakeabc
Posted: Mon May 02, 2016 6:33 am Post subject: Why encrypt or compress a .exe?
A .exe can be encrypted or compressed to make it more difficult to serial phish. My question is: why do they do that? I mean, isn't the .exe decrypted/decompressed when it is in RAM, or not?
Depending on the above answer, is there any advantage to using Cheat Engine over OllyDbg for serial phishing? Are they both memory editors?
atom0s Moderator
Posted: Tue May 03, 2016 3:36 am Post subject:
Depends on how it's protected. If it is just compressed, yes, when it runs it will be uncompressed in memory in order to work. However, if a virtual machine is used, the data can be altered in a way that decompression is not going to be helpful. Packers like VMProtect, Themida/WinLicense, and similar make use of this technique.
Either way, protecting the exe is more or less a deterrent for newbies that use automated tools or follow tutorials on how to unpack/crack things.
OllyDbg is a full-scale debugger with a disassembler engine. It is made specifically to be used for debugging. You can edit memory and such with it, but that is not its main focus.
Cheat Engine is a memory editor that includes a debugger.
In terms of which is better: personally, OllyDbg blows Cheat Engine out of the water in terms of debugging, and Cheat Engine blows Olly out of the water with memory editing. They are both good at what they are designed to do. It is up to you to decide which is best for what you are trying to do.
- Retired.
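To make the point about plain compression concrete, here is an added toy packer (example code written for this page, not atom0s's code or any real packer). It compresses and XORs a constructed fake program image into a container with a made-up "TPK1" tag, then shows what the loader stub does at run time: the plain image is reconstructed in a buffer standing in for process memory. A naive memory scan finds the serial literal in the unpacked buffer even though it is absent from the packed file, which is exactly why compression alone only slows down people who stop at the file on disk.

```python
import struct
import zlib

# Constructed stand-in for a program image: a few x86-looking bytes around the
# strings a serial phisher would search for. It is not a real executable.
SAMPLE_IMAGE = (
    b"\x55\x8b\xec"                            # push ebp / mov ebp, esp
    + b"\x68" + struct.pack("<I", 0x0040301C)  # push offset (fake address)
    + b"Invalid serial\x00"
    + b"ABCD-1234-EFGH-5678\x00"               # the literal the check compares against
    + b"\x5d\xc3"                              # pop ebp / ret
)

MAGIC = b"TPK1"  # hypothetical container tag for the packed blob (assumption)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the 'encryption' a trivial packer stub can undo."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def pack(image: bytes, key: bytes) -> bytes:
    """Compress, then XOR. The container stores the original length for the stub."""
    body = xor_bytes(zlib.compress(image, 9), key)
    return MAGIC + struct.pack("<I", len(image)) + body


def unpack(packed: bytes, key: bytes) -> bytearray:
    """What the loader stub does at start-up: restore the plain image in memory."""
    if packed[:4] != MAGIC:
        raise ValueError("not a packed image")
    (orig_len,) = struct.unpack("<I", packed[4:8])
    image = bytearray(zlib.decompress(xor_bytes(packed[8:], key)))
    if len(image) != orig_len:
        raise ValueError("length mismatch after unpack")
    return image


def find_all(image: bytes, needle: bytes) -> list:
    """Naive memory scan: every offset at which needle occurs."""
    hits, start = [], 0
    while (i := image.find(needle, start)) != -1:
        hits.append(i)
        start = i + 1
    return hits


def demo() -> tuple:
    """Returns (hits in the packed file, hits in the unpacked memory image)."""
    key = b"\x5a\xa5\x3c"
    packed = pack(SAMPLE_IMAGE, key)
    on_disk = find_all(packed, b"ABCD-1234")            # strings on the file: nothing
    in_memory = find_all(unpack(packed, key), b"ABCD-1234")  # after the stub ran: found
    return len(on_disk), len(in_memory)


if __name__ == "__main__":
    print("hits on disk / in memory:", demo())
```

Running it reports zero hits against the packed file and one hit against the unpacked buffer; with a real target the same idea is attaching a debugger after the stub has finished and dumping or scanning the process rather than the file.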
ulysse31 Master Cheater
Posted: Wed May 04, 2016 11:35 am Post subject:
Those that have VMProtect features, does that mean that they don't actually unpack on a VM? In which case they are unusable for their original use on VMs?
Even though you are experienced enough to unpack everything yourself, don't you still rely on scripts while doing unpacking work, as doing all of it manually is a waste of time?
STN I post too much
Posted: Wed May 04, 2016 1:03 pm Post subject:
ulysse3131 wrote:
    Those that have VMProtect features, does that mean that they don't actually unpack on a VM? In which case they are unusable for their original use on VMs?
    Even though you are experienced enough to unpack everything yourself, don't you still rely on scripts while doing unpacking work, as doing all of it manually is a waste of time?

VMProtect is a protector; it doesn't mean it protects something from being run in a 'VM'. Actually, there is an option in it for that, and yes, it makes it unusable. There aren't always scripts for Themida, especially for new versions.
Protectors are capable of virtualizing/modifying the original code to the point where you will scratch your head to make sense of it, and yes, that includes advanced reversers. It is in memory, yes, but it is not an easy task to figure out where it is.
Sure, you can eventually reverse anything, but is it worth the time wasted? Ask 3DM; they gave up on Denuvo. They might be able to crack it again, but they probably didn't think it was worth it anymore. So this is why they encrypt the exe.
atom0s Moderator
Posted: Wed May 04, 2016 8:28 pm Post subject:
ulysse3131 wrote:
    Those that have VMProtect features, does that mean that they don't actually unpack on a VM? In which case they are unusable for their original use on VMs?
    Even though you are experienced enough to unpack everything yourself, don't you still rely on scripts while doing unpacking work, as doing all of it manually is a waste of time?

VMs that are well coded don't unpack data, they rewrite it. Code is virtualized and encrypted in a manner that is not meant to be undone. (Not saying that it can't be, just that it's designed not to be.)
Some VMs do a shit job, where the code is virtualized but devirtualized on the fly when needed, and are generally not used anymore because of it. While it proved effective when it first came out, it was defeated and made an example of in terms of how something thought to be secure isn't.
Protectors like WinLicense and Themida have a handful of VMs that can be used to help protect code; however, they have all been defeated in recent years. There are now scripts for OllyDbg to automate the entire unpacking process of these protectors, but they still serve well to deter newbie crackers.
More modern protectors are moving into system-based encryption, where the executable is designed specifically for the given user's system. Sharing the binary renders it useless, and it won't work on another person's machine.
Using a licensed protector has its ups and downs. The ups: it is a focused, actively developed project that the company usually stands behind for a long-term life span, meaning more and more innovative things are added over time. However, a downside is that a lot of things will make use of the same protector and become a prime target for reversers.
If you have the knowledge and time, the best method of protection is creating your own in-house protector that makes use of newer technologies such as code virtualization and full file encryption. If possible, a system where the binaries are generated per user is even better. Just keep in mind there are multiple levels of protecting a file:
- Compression
- Encryption
- Anti-Debugging / Anti-Reversing
- Anti-Tampering
- Validation (Information, User, etc.)
Only affecting one or two of these levels leaves you at risk.
- Retired.
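As an added illustration of "they rewrite it" (example code written for this page, not atom0s's code and not how VMProtect or Themida are actually built), here is a toy code virtualizer for a serial check. It compiles `input == secret` into bytecode for a small stack VM whose opcode numbering is drawn fresh per build from a seed, and it splits every secret byte into two operands a, b with a ^ b == secret[i]. The protected blob still answers correctly, but the plain literal exists nowhere in it, and a script written against one build's opcode table is useless against the next. The secret, the seed values and the 0x5EED constant are all constructed for the demo.

```python
import random

# Mnemonics of the toy VM. Each build maps them to different opcode bytes.
OPS = ("PUSH", "LDIN", "LEN", "XOR", "OR", "RET")


def build_opcode_table(seed: int) -> dict:
    """Per-build mapping mnemonic -> opcode byte. A generic unpacking script
    that hard-codes one build's numbering will misread every other build."""
    rng = random.Random(seed)
    return dict(zip(OPS, rng.sample(range(256), len(OPS))))


def virtualize_serial_check(secret: bytes, seed: int) -> bytes:
    """Compile 'input == secret' to bytecode. The secret never appears as a
    literal: each byte s is emitted as two operands a, b with a ^ b == s."""
    assert len(secret) < 256, "length is encoded in one operand byte"
    op = build_opcode_table(seed)
    rng = random.Random(seed ^ 0x5EED)   # constructed: separate stream for operand splitting
    code = bytearray()
    # acc = len(input) ^ len(secret)   (non-zero if the lengths differ)
    code += bytes([op["LEN"], op["PUSH"], len(secret), op["XOR"]])
    for i, s in enumerate(secret):
        a = rng.randrange(256)
        b = a ^ s
        # acc |= input[i] ^ a ^ b
        code += bytes([op["LDIN"], i, op["PUSH"], a, op["PUSH"], b,
                       op["XOR"], op["XOR"], op["OR"]])
    code += bytes([op["RET"]])           # return acc == 0
    return bytes(code)


def run_vm(code: bytes, op: dict, inp: bytes) -> bool:
    """Interpret the bytecode against an input; True means the serial matched."""
    handlers = {v: k for k, v in op.items()}
    stack, pc = [], 0
    while True:
        mnem = handlers[code[pc]]
        pc += 1
        if mnem == "PUSH":
            stack.append(code[pc])
            pc += 1
        elif mnem == "LDIN":                  # out-of-range reads yield 0
            idx = code[pc]
            pc += 1
            stack.append(inp[idx] if idx < len(inp) else 0)
        elif mnem == "LEN":
            stack.append(len(inp) & 0xFF)
        elif mnem == "XOR":
            b, a = stack.pop(), stack.pop()
            stack.append(a ^ b)
        elif mnem == "OR":
            b, a = stack.pop(), stack.pop()
            stack.append(a | b)
        elif mnem == "RET":
            return stack.pop() == 0


SECRET = b"ABCD-1234-EFGH-5678"   # constructed serial for the demo


def demo(seed: int = 7) -> tuple:
    """Returns (accepts correct serial, accepts off-by-one serial, literal visible in code)."""
    op = build_opcode_table(seed)
    code = virtualize_serial_check(SECRET, seed)
    return (run_vm(code, op, SECRET),
            run_vm(code, op, b"ABCD-1234-EFGH-5679"),
            SECRET in code)


if __name__ == "__main__":
    print("correct / wrong / literal present:", demo())
```

The tell-tale string a serial phisher would scan for is gone from both the file and the running image; what remains is the interpreter plus an operand stream that only makes sense once the dispatch table has been recovered, which is the manual devirtualization work STN and atom0s are describing.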
ulysse31 Master Cheater
Posted: Thu May 05, 2016 3:58 am Post subject:
Okay, great, thanks for the answers.
I am exactly the newbie cracker held off by Themida. Had LCF's script working a year back, but not anymore, and I haven't managed to dive deep into unpacking yet, but I guess this summer..