
I'm writing a C++ program that takes an .exe file as input, encrypts it (just XORing) and adds the encrypted .exe as a resource to another .exe (stub).

The stub decrypts the .exe and saves it. The problem is that the decrypted .exe won't run. The bytes are the same; I can open the decrypted .exe in a PE editor, but it just won't run.

Any suggestions?

jaggedSpire
Valentino

1 Answer


If the original .EXE and the decrypted .EXE are really the same, and assuming that the decrypted executable is a Windows .EXE file with an .EXE extension (as your reference to .exe and the PE format seems to indicate), this might mean you've stumbled into a security feature of some kind.

The behaviour of your program is that of a single-stage malware dropper. It doesn't matter if the decrypted file is not actually malicious: the system cannot know that; it sees an executable that creates another executable and attempts to execute it, and marks it as "do not execute this, ever" (for example via DisallowRun; there are other ways).

It is also possible (and, don't take this the wrong way, more likely) that you're actually doing something wrong: the extension is not .EXE, the file is not exactly the same (have you checked the MD5/SHA checksums of the original and decrypted file?), you attempt to run the file while it's still open for writing...

Try looking at the Event Viewer and/or antivirus software log, if any, to see whether this may shed some light. Is this your own development machine, and do you have full Administrator rights to check policies, just in case? Also, check and report the error status and/or any error message that you might get from attempting the execution.

LSerni
  • Thank you very much. The MD5 checksums are different and I don't know why. If I disassemble the original and the decrypted file, the asm is very different. Don't know why. The AV protection is off. – Valentino Mar 24 '14 at 11:45
  • Well... have you checked the obvious things first? You're sure you're XORing with the *same* key, both when saving into the new executable and when creating the new file? Have you checked with a step-by-step debugger that the bytes actually read and written are what you expect them to be? (Sorry if I may sound patronizing, but the fact is, you don't supply much information on how you're proceeding - let alone *why* - so I can only come up with the most obvious things). – LSerni Mar 24 '14 at 11:50
  • Yes, maybe I've found the problem. I'm trying to binary-read from an exe with a char*... I'll try to fix it. – Valentino Mar 24 '14 at 12:13
  • Thank you all. The problem was an easy one. I forgot to open the file in binary mode... stupid me. – Valentino Mar 25 '14 at 12:05
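The two points this thread turns on, the binary-mode I/O the asker was missing and the "compare a checksum of the original and the decrypted file" check the answer recommends, as an added C++ example; this is not code from the question, the answer or the comments. It assumes two scratch file names (payload.enc, payload.dec) written in the current directory, stands in for the real .exe with a constructed 14-byte payload that contains exactly the bytes text-mode I/O mangles, and models the Windows CRT text-mode translation in simulate_windows_text_mode_read so the corruption is visible even on a platform where text and binary mode behave the same.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <fstream>
#include <iterator>
#include <stdexcept>
#include <string>
#include <vector>

using Bytes = std::vector<unsigned char>;

// Read a whole file as raw bytes. std::ios::binary is the whole point on
// Windows: in text mode the CRT turns "\r\n" into "\n" on read and "\n" into
// "\r\n" on write, and treats 0x1A (Ctrl-Z) as end of file, so a PE image
// silently comes back shorter and shifted, and its checksum no longer matches.
Bytes read_file_binary(const std::string& path) {
    std::ifstream in(path, std::ios::binary);
    if (!in) throw std::runtime_error("cannot open for reading: " + path);
    return Bytes(std::istreambuf_iterator<char>(in), std::istreambuf_iterator<char>());
}

void write_file_binary(const std::string& path, const Bytes& data) {
    std::ofstream out(path, std::ios::binary | std::ios::trunc);
    if (!out) throw std::runtime_error("cannot open for writing: " + path);
    out.write(reinterpret_cast<const char*>(data.data()),
              static_cast<std::streamsize>(data.size()));
    out.close();  // flush and release the handle before anything tries to run the file
    if (!out) throw std::runtime_error("short write: " + path);
}

// Repeating-key XOR. XOR is its own inverse, so one function both "encrypts"
// and decrypts. This is obfuscation, not encryption, exactly as in the question.
Bytes xor_with_key(Bytes data, const std::string& key) {
    if (key.empty()) throw std::invalid_argument("empty key");
    for (std::size_t i = 0; i < data.size(); ++i)
        data[i] ^= static_cast<unsigned char>(key[i % key.size()]);
    return data;
}

// FNV-1a 64-bit fingerprint: enough to tell "same bytes" from "different
// bytes" without eyeballing two files (MD5/SHA, as the answer suggests, works too).
std::uint64_t fnv1a64(const Bytes& d) {
    std::uint64_t h = 1469598103934665603ULL;
    for (unsigned char b : d) { h ^= b; h *= 1099511628211ULL; }
    return h;
}

// Constructed stand-in for an .exe (not a real PE): an "MZ" header followed by
// the bytes that text-mode I/O mangles: LF, CR LF, Ctrl-Z, NUL, 0xFF.
Bytes sample_payload() {
    return Bytes{'M', 'Z', 0x90, 0x00, 0x0A, 0x0D, 0x0A, 0x1A, 0x00, 0xFF, 'P', 'E', 0x00, 0x00};
}

struct RoundTrip {
    std::size_t original_size, decrypted_size;
    std::uint64_t original_hash, decrypted_hash;
    bool identical;
};

// Encrypt to disk, read back, decrypt to disk, read back, then compare sizes,
// fingerprints and bytes. Every file operation uses std::ios::binary.
// File names are assumed scratch names in the current directory.
RoundTrip roundtrip_through_disk(const std::string& key,
                                 const std::string& enc_path = "payload.enc",
                                 const std::string& dec_path = "payload.dec") {
    const Bytes original = sample_payload();
    write_file_binary(enc_path, xor_with_key(original, key));
    write_file_binary(dec_path, xor_with_key(read_file_binary(enc_path), key));
    const Bytes decrypted = read_file_binary(dec_path);
    return RoundTrip{original.size(), decrypted.size(),
                     fnv1a64(original), fnv1a64(decrypted),
                     original == decrypted};
}

// Model of what the Windows CRT does to the same bytes when the stream is
// opened WITHOUT std::ios::binary: CR LF collapses to LF and the first 0x1A
// ends the read. A simulation, so the damage shows on any platform.
Bytes simulate_windows_text_mode_read(const Bytes& raw) {
    Bytes out;
    for (std::size_t i = 0; i < raw.size(); ++i) {
        if (raw[i] == 0x1A) break;
        if (raw[i] == 0x0D && i + 1 < raw.size() && raw[i + 1] == 0x0A) continue;
        out.push_back(raw[i]);
    }
    return out;
}

int main() {
    const RoundTrip r = roundtrip_through_disk("k3y");
    std::printf("binary round trip: %zu -> %zu bytes, hash %016llx vs %016llx, identical=%d\n",
                r.original_size, r.decrypted_size,
                static_cast<unsigned long long>(r.original_hash),
                static_cast<unsigned long long>(r.decrypted_hash), r.identical ? 1 : 0);
    const Bytes mangled = simulate_windows_text_mode_read(sample_payload());
    std::printf("same payload read in text mode: %zu of %zu bytes survive\n",
                mangled.size(), sample_payload().size());
    return r.identical ? 0 : 1;
}
```

Run the binary round trip first; if the two fingerprints differ, the bug is in your I/O or your key handling, not in the operating system, and you have found it long before any stub tries to execute the result. The text-mode simulation shows why the asker's disassembly looked "very different": once 0x1A cuts the read short and the CR LF pairs shrink, every offset after the first damaged byte is wrong, so the PE headers still parse in an editor but point at the wrong places.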