Jump to content
Tuts 4 You

Coding unpacker


snoopy

Recommended Posts

Posted (edited)

Hey Guys,

Recently got into the nice field of coding unpackers instead of using WinDBG scripts/ plugins.

What I am facing is something that has to do with coding a import reconstructor.

I am simply testing it on a UPX protected file to get a good understanding.

IAT on my original unprotected file is at 41410C (VA).

When the file is packed the PEheader is being changed to RVA 17A94 (417A94) this is a fake IAT address.

Now what I am trying to do is figuring out how to code a tool to rebuild it for me.

So I first need to find the real IAT. I read that Imprec could use 2 techniques: signature scanning, API 'hooking'.

When I signature scan for FF25 [Jmp Address] I am able to find IAT. The problem is though that it looks like UPX has it scrambled.

If I look at the original code I see this at the end of the jmp table (IAT table):

0041409c 417c25ff

004140a0 25ff0041

004140a4 00414184 image00400000+0x14184

004140a8 0001418c

004140ac 00000000

004140b0 00000000

004140b4 0001420c

004140b8 0001410c

004140bc 000141c4

So I would need to grab the 1418C RVA as the starting address to rebuild IAT. based on Humans source for his PE reconstructor:

Mov Esi, [importrva]

Mov Edi, [tmpexe]

Or Esi, Esi

Je > no_imports

Add Esi, Edi

next_thunk:

Mov Ecx, [Esi + IMAGE_IMPORT_DESCRIPTOR.OriginalFirstThunk]

Or Ecx, Ecx

Je > no_imports

Mov Edx, [Esi + IMAGE_IMPORT_DESCRIPTOR.FirstThunk]

Add Ecx, Edi

Add Edx, Edi

next_api:

Mov Eax, [Ecx]

Or Eax, Eax

Je > nextdll

Mov [Edx], Eax

Add Ecx, 4

Add Edx, 4

Jmp <next_api

nextdll:

Add Esi, SizeOf IMAGE_IMPORT_DESCRIPTOR

Jmp <next_thunk

This code seems to nicely show IAT. Iczelion is almost doing the exact same thing in his tutorial.

Problem I am facing is the following:

When going to the jmp table which IAT uses and going to the end. All I see is zero's, And now IAT is not being rebuilded correctly.

00414098 00414174 image00400000+0x14174

0041409c 417c25ff

004140a0 25ff0041

004140a4 00414184 image00400000+0x14184

004140a8 00000000

004140ac 00000000

004140b0 00000000

004140b4 00000000

004140b8 00000000

004140bc 00000000

004140c0 00000000

Can someone englighten what is going wrong for me. Am I at the wrong jump table?? I can't believe UPX would scramble IAT that easily.

Thanks in advance.

Edited by snoopy
Posted

Best not try reinvent the wheel:
/>http://forum.tuts4you.com/index.php?showtopic=20714

Posted (edited)

Writing Dynamic Unpackers for Fun with TitanEngine (By NCR)


/>http://code.google.com/p/fuu/downloads/list

Error 403 (Forbidden)

Your client does not have permission to get URL /p/fuu/downloads/list from this server. That’s all we know. !!! :(

Edited by hepL3r
Posted

I appreciate the replies about Titan Engine and APOX did a fine job. But it's not really the answer I am looking for.

Eventhough UPX seems very simple UPX has scrambled IAT. It first injects a fake Import Table Address in the PEheader.

Builds 6 imports in that fake area.

The real area on a tool I coded myself and packed with UPX is 41410C. It's the start of the actual IMPORT TABLE like described in my first post.

What happens is that from address 414000 the Jump Thunk Table is shown. At the end of the table on the original file is the

Original First Thunk, from that it perfectly rebuilds IAT like described in my first post.

But when having the file packed with UPX the Original First Thunk (at address 4140A8 is destroyed) and that's what causing the problems.

The RVA should be 1481C but on the UPX packed file Original First Thunk is 000000000.

What I do not understand is the fact that Import Rec is able to find and rebuild IAT perfectly fine. So the question still stands actually.

Posted

@hepL3r: is this the case: http://en.wikipedia.org/wiki/Google_Code#Access_restrictions ? Someone could certainly mirror the files for you. :)

@Snoopy: UPX builds new import table and destroys original one to save some extra bytes. Get UPX sources and study functions


unsigned PackW32Pe::processImports() // pass 1
void PackW32Pe::processImports(unsigned myimport, unsigned) // pass 2
void PackW32Pe::rebuildImports(upx_byte *& extrainfo)

and you'll see how it's working.

As for dynamic unpacking, it doesn't matter if file is packed by UPX, NSPACK or any other trivial PE packer - import rebuilding process is always the same. You can look at, for example, at OllyDump sources.

CodeExplorer
Posted

Writing Dynamic Unpackers for Fun with TitanEngine (By NCR)

attached

There is also a Spanish Version;

and FUU installer;

@hepL3r: let me know if you need them too.

CodeExplorer
Posted

I din't saw the Jerry post;

still let me know if someting else needed from there :rolleyes:

Posted (edited)

coding unpacker->

reading original sources:http://upx.sourceforge.net/

deroko unpack dream reverser-&gt;http://deroko.phearless.org/doer.html

using a loader for repair the iat/log iat and dump when reach the oep-&gt;http://deroko.phearless.org/engines.html

FUU NCR +that tutorial are great-&gt;http://ricardonarvaja.info/WEB/CURSO%20NUEVO/TEORIAS%20NUMERADAS/1201-1300/1281-Writing.Dynamics.Unpackers.for.Fun.with.TitanEngine.NCR.rar /español


/>http://ricardonarvaja.info/WEB/CURSO%20NUEVO/TEORIAS%20NUMERADAS/1301-1400/1359-Writing.Dynamic.Unpackers.for.Fun.with.TitanEngine.NCR.ENG.7z /english


/>http://reversinglabs.com/products/TitanEngine.php

other things..

Lua script in quickunpack-&gt;http://forum.tuts4you.com/index.php?showtopic=11488

do a upx gui for upx -d ->example http://ricardonarvaja.info/WEB/OTROS/HERRAMIENTAS/V-W-X-Y-Z/Visual%20UPX%2002%2Bupx125%20por%20Emadicius.rar

cff explorer upx menu-&gt;http://www.ntcore.com/exsuite.php ->Download the Explorer Suite

heaventools UPX plugin-&gt;http://heaventools.com/overview.htm

UPX, Upack and NsPack Static Unpackers

do by hand with ollydbg as was showed in many tuts and not lost time is other way ^^

pushad/popad, only seeying where end, where get the dlls and done

are many tools can unpack upx, the theme is there not many people that understand what do in real oep for that is necesary do tutorials as can do.. :)

greetings Apuromafo

Edited by Apuromafo

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...