I tried to follow your instruction, I set "breakpoint" on load using "sxe ld" (not sure is it the correct way to set bp on LoadLibraryA, I tried to simply set a dll bp on EKC6420.DLL or function bp on LoadLibraryA which it doesn't break), but it does seems to stop when it importing EKC6420.DLL. I then produce a memory dump using ".dump /mfh" but have no idea of how to produce an executable from the dump.
As you can see I have 0 exp on this lol so it definitely take more then 6 minutes for me to do it.
I don't use WinDbg. OllyDbg or x96Dbg or Ida (other archs). This being x64, use x96Dbg. If you get random "stalls", it is because you left a BP somewhere in the module. (Disable all, except for your LoadLibraryA)...
If you set any BPs on an executable protected by ElecKey, it'll muss it up. "bp LoadLibraryA". Allow the kernel to load it, let it execute until it returns to main executable, step over the add sp. You'll see a jmp just above. Set EIP to follow, continue until you see a jmp *ax (rax, eax). That is your jump to OEP. Step, at OEP. Dump. 60 seconds tops.
IAT technically doesn't need rebuilding, you just need to undo ASLR, if you don't want a few skitzy AVs freaking out. If using Scylla for dumping, it doesn't correctly calculate some IAT sizes. Use original packed executable for that info. Wipe ssbt header AND from file (change section size, AND IMAGE SIZE). Rebase image to 140000000 (UE games...) OEP offset can be seen during those steps to jmp rax after that first jmp. Set your .text and .rdata sections to remove WRITABLE. They do not need it, skitzy AVs will also flag because of that. Pretty the timestamp. 5 minutes to do.
Basically, ElecKey adds a section to the PE header, and its own code to end of file, encrypts/scrambles/obfuscates .text section, sets OEP to ElecKey. Just undo those things and copy over your dumped .text section in this case. (That way you'll keep a clean IAT...)
*Oh, the v17 above is v17a VR. So for some, it'll just close/not work.
