quosego Posted September 10, 2009

Perhaps, but if someone can make use of my above notes, he's already passed the stage where he gets spoonfed. So let's hope Lorens will learn from it and not use it blindly.

@Lorens, No problemo.
crypto Posted September 10, 2009 (edited)

What are the 28656 bytes getting decrypted here, quosego?

005DEEE5   FE0F       DEC BYTE PTR DS:[EDI]
005DEEE7   47         INC EDI
005DEEE8   49         DEC ECX
005DEEE9 ^ 75 FA      JNZ SHORT WinLicen.005DEEE5

Edited September 11, 2009 by crypto
ZenLoren Posted September 14, 2009

Hi All,

I am digging into rebuilding the IAT and would like to ask where it stores the API addresses from Kernel32 and User32, and which offset is patched?

Kernel32:
(1) InterlockedExchange (2) InterlockedCompareExchange (3) GetStartupInfoA (4) TerminateProcess (5) GetCurrentProcess (6) UnhandledExceptionFilter (7) SetUnhandledExceptionFilter (8) IsDebuggerPresent (9) QueryPerformanceCounter (10) GetTickCount (11) GetCurrentThreadId (12) GetCurrentProcessId (13) GetSystemTimeAsFileTime (14) Sleep (15) GetACP (16) GetLocaleInfoA (17) GetThreadLocale (18) GetVersionExA

User32:
(1) EnableWindow (2) SendMessageA (3) IsIconic (4) DrawIcon (5) GetClientRect (6) LoadIconA (7) GetSystemMetrics

I have dug out and found the things below; I will provide direct offsets and only the relevant things, since posting my full notes would create a big post.

Let's see how it does it.

ESI = FirstThunk
EDI = 90 90 90 90 90 90 90 90 90 90 90 90

(1) 00800FE0   mov edi,dword ptr ss:[esp]   ; Load the Offset in EDI
(2) 008011D9   stos byte ptr es:[edi]       ; Store 90 nop
(3) 00801203   stos byte ptr es:[edi]       ; E9 Save at EDI OpCode of JMP
(4) 00801359   stos dword ptr es:[edi]      ; forming a Relative jump to Real Import

After this EDI = 90 E9 ?? ?? ?? ??   ; ?? is the Relative jump address.

Is this a WL trick, or has _declspec(dllimport) not been used when compiling the executable? This is also known as a "jump thunk table".

So far so good. We know the offset and the relative jumps taking place. We recover all of MFC80.dll; some functions from MSVCR80.dll can be found, 4 or 5 are still missing.

See ESI in the dump window and how it gets cleared. I have noted 3 of them, direct offset given. There are a few more to find.

(1) 00801385   xor dword ptr ds:[esi-4],eax
(2) 00800D15   mov dword ptr ds:[ecx],0
(3) 007FDBD1   mov dword ptr ds:[esi-4],ebx

For any API from Kernel32 or User32, we land at this offset:

007FE736   lea ebx,dword ptr ss:[ebp+A96616F]   ; EAX=InterlockedExchange

I dug into many routines and got completely lost inside the code. Anybody have any hints or a tutorial to refer to?

Cheers,
Lorens
quosego Posted September 14, 2009 (edited)

90 E9 relative is a WL trick making sure it won't run on other computers after dumping (relative stuff will be different). It must be restored to the original configuration FF25 [dword].

Kernel/advapi/user APIs are usually written by a CISC VM using a similar method as the original; however, they will be redirected to a memory buffer where part of the API will be run obfuscated there and part in the actual DLL. So they won't go directly to the API in question. Again, these must also be restored to FF25 [dword].

To find out where they get written, just mem bp the text section when arriving at the IAT writing. Any access to the text section will be an API written to the IAT or a direct jmp in code.

There are some scripts that fix WL IATs and also a few tuts. With a few mods they all should be valid.

Edited September 14, 2009 by quosego
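The two thunk shapes quosego contrasts above (the protector's `90 E9 rel32` versus the compiler's `FF 25 [dword]`) differ in where the control-transfer target lives, and that difference is exactly why a dump with relative thunks is not portable. The script below is an added example for this thread, not code from any poster or from WinLicense: it decodes both 6-byte shapes for a 32-bit image, shows that the relative form resolves to a different address as soon as the same bytes sit at a different VA while the indirect form keeps resolving through its IAT slot, and includes a small triage scan that lists `90 E9` candidates in a code section. All addresses (thunk VA, IAT slot, the API address in the slot) are constructed sample values, and the helper names are this example's own.

```python
import struct

# Constructed sample values (not taken from the thread): a thunk inside the
# dumped .text section, one IAT slot, and a stand-in API address that the
# loader would have written into that slot on this machine.
THUNK_VA = 0x00401000
IAT_SLOT_VA = 0x0040A124
SAMPLE_IAT = {IAT_SLOT_VA: 0x7C809A81}

THUNK_LEN = 6  # both shapes below occupy six bytes


def decode_thunk(code, thunk_va, iat):
    """Decode one 6-byte import thunk as found in a 32-bit image.

    Two shapes are distinguished, matching the thread's description:
      FF 25 disp32   jmp dword ptr [disp32]  compiler form: target is read from
                                             the IAT slot at runtime
      90 E9 rel32    nop; jmp rel32          protector form: target is baked in
                                             relative to the thunk's own address
    Returns a dict with the form, the slot it references (indirect form only)
    and the resolved target, or None when the bytes match neither shape.
    """
    if len(code) < THUNK_LEN:
        raise ValueError("a thunk needs at least 6 bytes")
    if code[0] == 0xFF and code[1] == 0x25:
        slot = struct.unpack_from("<I", code, 2)[0]
        return {"form": "indirect", "slot": slot, "target": iat.get(slot)}
    if code[0] == 0x90 and code[1] == 0xE9:
        rel = struct.unpack_from("<i", code, 2)[0]
        next_ip = thunk_va + THUNK_LEN  # E9 sits at thunk_va+1 and is 5 bytes long
        return {"form": "relative", "slot": None,
                "target": (next_ip + rel) & 0xFFFFFFFF}
    return None


def encode_relative_thunk(thunk_va, target):
    """Build the protector-style 90 E9 rel32 thunk for a given target VA."""
    rel = target - (thunk_va + THUNK_LEN)
    return b"\x90\xE9" + struct.pack("<i", rel)


def encode_indirect_thunk(slot_va):
    """Build the original compiler-style FF 25 [slot] thunk."""
    return b"\xFF\x25" + struct.pack("<I", slot_va)


def find_relative_thunks(section, section_va):
    """Triage helper: return the VA of every 90 E9 pair in a code section.

    A compiler-built import thunk never starts with 90 E9, so each hit is a
    candidate for a protector-rewritten thunk. Padding followed by a jmp gives
    the same two bytes, so confirm each hit by decoding it before trusting it.
    """
    hits = []
    for off in range(len(section) - THUNK_LEN + 1):
        if section[off] == 0x90 and section[off + 1] == 0xE9:
            hits.append(section_va + off)
    return hits


if __name__ == "__main__":
    rel = encode_relative_thunk(THUNK_VA, 0x00800FE0)
    ind = encode_indirect_thunk(IAT_SLOT_VA)
    print("relative thunk", rel.hex(), "->",
          hex(decode_thunk(rel, THUNK_VA, SAMPLE_IAT)["target"]))
    # The same bytes at another address resolve somewhere else: not portable.
    print("same bytes moved by 0x100000 ->",
          hex(decode_thunk(rel, THUNK_VA + 0x100000, SAMPLE_IAT)["target"]))
    print("indirect thunk", ind.hex(), "->",
          hex(decode_thunk(ind, THUNK_VA, SAMPLE_IAT)["target"]))
    # The indirect form keeps resolving through the IAT slot wherever it sits.
    print("indirect moved by 0x100000 ->",
          hex(decode_thunk(ind, THUNK_VA + 0x100000, SAMPLE_IAT)["target"]))
```

The `find_relative_thunks` scan is deliberately loose: it reports candidates, and `decode_thunk` on each hit tells you where the relative jump actually lands, which is the quickest way to see whether a dump still carries protector-written thunks pointing into a buffer that only existed on the machine where it was taken.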
ahmadmansoor Posted September 14, 2009 (edited)

Can I ask why this unpack does not work for me? I am trying to make some tests, but this unpacked file doesn't want to work on my PC.

@EvOlUtIoN: please can you make another one... I need to complete my test.

Thanks

Edited September 14, 2009 by ahmadmansoor
thisistest Posted September 20, 2009

006599FC  /0F85 0D000000    jnz WinLicen.00659A0F
00659A02  |83BD 2923740A 0> cmp dword ptr ss:[ebp+A742329],0
00659A09  |0F84 7F000000    je WinLicen.00659A8E
00659A0F  \FFB5 D6E27B0A    push dword ptr ss:[ebp+A7BE2D6]
00659A15   FFB5 D2E27B0A    push dword ptr ss:[ebp+A7BE2D2]
00659A1B   FFB5 CEE27B0A    push dword ptr ss:[ebp+A7BE2CE]
00659A21   FFB5 CAE27B0A    push dword ptr ss:[ebp+A7BE2CA]
00659A27   FFB5 C6E27B0A    push dword ptr ss:[ebp+A7BE2C6]
00659A2D   FFB5 C2E27B0A    push dword ptr ss:[ebp+A7BE2C2]
00659A33   FFB5 B6E27B0A    push dword ptr ss:[ebp+A7BE2B6]
00659A39   FFB5 B2E27B0A    push dword ptr ss:[ebp+A7BE2B2]
00659A3F   FFB5 BEE27B0A    push dword ptr ss:[ebp+A7BE2BE]
00659A45   FFB5 BAE27B0A    push dword ptr ss:[ebp+A7BE2BA]
00659A4B   FFB5 AEE27B0A    push dword ptr ss:[ebp+A7BE2AE]
00659A51   FFB5 AAE27B0A    push dword ptr ss:[ebp+A7BE2AA]
00659A57   8D85 F0E27B0A    lea eax,dword ptr ss:[ebp+A7BE2F0]
00659A5D   50               push eax
00659A5E   8D85 B11A740A    lea eax,dword ptr ss:[ebp+A741AB1]
00659A64   50               push eax
00659A65   FF95 1535740A    call dword ptr ss:[ebp+A743515]
00659A6B   83C4 38          add esp,38
00659A6E   6A 40            push 40
00659A70   8D85 DAE27B0A    lea eax,dword ptr ss:[ebp+A7BE2DA]
00659A76   50               push eax                           ; WinLicen.006596B8
00659A77   8D85 B11A740A    lea eax,dword ptr ss:[ebp+A741AB1]
00659A7D   50               push eax
00659A7E   6A 00            push 0
00659A80   FF95 6523740A    call dword ptr ss:[ebp+A742365]
00659A86   6A 01            push 1
00659A88   FF95 DD0E740A    call dword ptr ss:[ebp+A740EDD]

---------------------------
Exception Information
---------------------------
Please, contact the software developers with the following codes. Thank you. (press CTRL+C on this window to copy to clipboard)

Version = 2.08
CheckIN = 0
CheckOUT = 0
ProcIN = 0
ProcOUT = 0
ExitIN = 0
ExitOUT = 0
TPin = 0
HWIn = 0
IntV = e462778e, f7780b88, ebac0647, e0677588
------------------------------------------------------