As the name says, this script will help you find out if an EXECryptor target (preferably unpacked) uses SDK -- only C++ for now -- and attempt to retrieve the APIs from found references. If you think of faster methods of detection, let me know. I should've used the backtracer from start, damn :-)
Anyway, enjoy!
TODO:
- tracer for real entry of APIs;
- forgot some checks, will fix on a later release;
P.S.: Tested on Uninstall Tool and PlayClaw (first uses direct SDK flow, while second uses inverted SDK flow)..
EXECryptor_GetDate(): 0x41B089 ... Found
EXECryptor_GetHardwareID(): 0x41B0C2 ... Found
EXECryptor_IsAppProtected(): 0x41B0CD ... Found
EXECryptor_GetEXECryptorVersion(): 0x41B0D8 ... Found
EXECryptor_GetReleaseDate(): 0x41B0E6 ... Found
EXECryptor_EncryptStr(): 0x41B11F ... Found
EXECryptor_DecryptStr(): 0x41B137 ... Found
EXECryptor_EncryptStrW(): 0x41B14F ... Found
EXECryptor_DecryptStrW(): 0x41B167 ... Found
EXECryptor_GetTrialDaysLeft(): 0x41B17F ... Found
EXECryptor_GetTrialRunsLeft(): 0x41B18E ... Found
EXECryptor_SecureWrite(): 0x41B19D ... Found
EXECryptor_SecureRead(): 0x41B1FC ... Found
EXECryptor_SecureWriteW(): 0x41B279 ... Found
EXECryptor_SecureReadW(): 0x41B2DB ... Found
EXECryptor_MessageBoxA(): 0x41B35A ... Found
EXECryptor_GetProcAddr(): 0x41B374 ... Found
EXECryptor_AntiDebug(): 0x41B388 ... Found
EXECryptor_ProtectImport(): 0x41B391 ... Found
EXECryptor_VerifySerialNumber(): 0x41B39A ... Found
EXECryptor_VerifySerialNumberW(): 0x41B3A8 ... Found
EXECryptor_DecodeSerialNumber(): 0x41B3B6 ... Found
EXECryptor_DecodeSerialNumberW(): 0x41B3C4 ... Found
EXECryptor_IsRegistered(): 0x41B3D2 ... Found
EXECryptor_RegConst_0(): 0x41B3DE ... Found
EXECryptor_RegConst_1(): 0x41B3E6 ... Found
EXECryptor_RegConst_2(): 0x41B3EF ... Found
EXECryptor_RegConst_3(): 0x41B3F8 ... Found
EXECryptor_RegConst_4(): 0x41B401 ... Found
EXECryptor_RegConst_5(): 0x41B40A ... Found
EXECryptor_RegConst_6(): 0x41B413 ... Found
EXECryptor_RegConst_7(): 0x41B41C ... Found
EXECryptor_GetDate(): 0x454D60 ... Found
EXECryptor_GetHardwareID(): 0x454D50 ... Found
EXECryptor_IsAppProtected(): 0x454D40 ... Found
EXECryptor_GetEXECryptorVersion(): 0x454D30 ... Found
EXECryptor_GetReleaseDate(): 0x454CF0 ... Found
EXECryptor_EncryptStr(): 0x454CA0 ... Found
EXECryptor_DecryptStr(): 0x454C50 ... Found
EXECryptor_EncryptStrW(): 0x454C00 ... Found
EXECryptor_DecryptStrW(): 0x454BB0 ... Found
EXECryptor_GetTrialDaysLeft(): 0x454BA0 ... Found
EXECryptor_GetTrialRunsLeft(): 0x454B90 ... Found
EXECryptor_SecureWrite(): 0x454B00 ... Found
EXECryptor_SecureRead(): 0x454A70 ... Found
EXECryptor_SecureWriteW(): 0x4549D0 ... Found
EXECryptor_SecureReadW(): 0x454940 ... Found
EXECryptor_MessageBoxA(): 0x454920 ... Found
EXECryptor_GetProcAddr(): 0x454900 ... Found
EXECryptor_AntiDebug(): 0x4548F0 ... Found
EXECryptor_ProtectImport(): 0x4548E0 ... Found
EXECryptor_VerifySerialNumber(): 0x4548D0 ... Found
EXECryptor_VerifySerialNumberW(): 0x4548C0 ... Found
EXECryptor_DecodeSerialNumber(): 0x4548B0 ... Found
EXECryptor_DecodeSerialNumberW(): 0x4548A0 ... Found
EXECryptor_IsRegistered(): 0x454890 ... Found
EXECryptor_RegConst_0(): 0x454880 ... Found
EXECryptor_RegConst_1(): 0x454870 ... Found
EXECryptor_RegConst_2(): 0x454860 ... Found
EXECryptor_RegConst_3(): 0x454850 ... Found
EXECryptor_RegConst_4(): 0x454840 ... Found
EXECryptor_RegConst_5(): 0x454830 ... Found
EXECryptor_RegConst_6(): 0x454820 ... Found
EXECryptor_RegConst_7(): 0x454810 ... Found
发表于 2010-3-25 14:31
发表于 2010-3-25 15:42
