snoopy, posted July 19, 2011 (edited)

Hey Guys,

Recently got into the nice field of coding unpackers instead of using WinDBG scripts/plugins. What I am facing is something that has to do with coding an import reconstructor. I am simply testing it on a UPX protected file to get a good understanding.

IAT on my original unprotected file is at 41410C (VA). When the file is packed the PE header is being changed to RVA 17A94 (417A94); this is a fake IAT address. Now what I am trying to do is figuring out how to code a tool to rebuild it for me. So I first need to find the real IAT.

I read that ImpREC could use 2 techniques: signature scanning, API 'hooking'. When I signature scan for FF25 [Jmp Address] I am able to find the IAT. The problem is though that it looks like UPX has it scrambled.

If I look at the original code I see this at the end of the jmp table (IAT table):

    0041409c 417c25ff
    004140a0 25ff0041
    004140a4 00414184 image00400000+0x14184
    004140a8 0001418c
    004140ac 00000000
    004140b0 00000000
    004140b4 0001420c
    004140b8 0001410c
    004140bc 000141c4

So I would need to grab the 1418C RVA as the starting address to rebuild the IAT, based on Human's source for his PE reconstructor:

        Mov Esi, [importrva]
        Mov Edi, [tmpexe]
        Or Esi, Esi
        Je > no_imports
        Add Esi, Edi
    next_thunk:
        Mov Ecx, [Esi + IMAGE_IMPORT_DESCRIPTOR.OriginalFirstThunk]
        Or Ecx, Ecx
        Je > no_imports
        Mov Edx, [Esi + IMAGE_IMPORT_DESCRIPTOR.FirstThunk]
        Add Ecx, Edi
        Add Edx, Edi
    next_api:
        Mov Eax, [Ecx]
        Or Eax, Eax
        Je > nextdll
        Mov [Edx], Eax
        Add Ecx, 4
        Add Edx, 4
        Jmp < next_api
    nextdll:
        Add Esi, SizeOf IMAGE_IMPORT_DESCRIPTOR
        Jmp < next_thunk

This code seems to nicely show the IAT. Iczelion is almost doing the exact same thing in his tutorial.

Problem I am facing is the following: when going to the jmp table which the IAT uses and going to the end, all I see is zeros, and now the IAT is not being rebuilt correctly.

    00414098 00414174 image00400000+0x14174
    0041409c 417c25ff
    004140a0 25ff0041
    004140a4 00414184 image00400000+0x14184
    004140a8 00000000
    004140ac 00000000
    004140b0 00000000
    004140b4 00000000
    004140b8 00000000
    004140bc 00000000
    004140c0 00000000

Can someone enlighten me on what is going wrong for me? Am I at the wrong jump table?? I can't believe UPX would scramble the IAT that easily.

Thanks in advance.

Edited July 19, 2011 by snoopy
rendari, posted July 20, 2011

Best not to try to reinvent the wheel: http://forum.tuts4you.com/index.php?showtopic=20714
JeRRy, posted July 20, 2011 (edited)

Writing Dynamic Unpackers for Fun with TitanEngine (By NCR)
http://code.google.com/p/fuu/downloads/list

edit: attached Writing.Dynamic.Unpackers.for.Fun.with.TitanEngine.NCR.ENG.rar

Edited July 20, 2011 by JeRRy
hepL3r, posted July 20, 2011 (edited)

Writing Dynamic Unpackers for Fun with TitanEngine (By NCR)
http://code.google.com/p/fuu/downloads/list

    Error 403 (Forbidden)
    Your client does not have permission to get URL /p/fuu/downloads/list from this server. That's all we know.

!!!

Edited July 20, 2011 by hepL3r
snoopy (author), posted July 20, 2011

I appreciate the replies about TitanEngine, and APOX did a fine job. But it's not really the answer I am looking for.

Even though UPX seems very simple, UPX has scrambled the IAT. It first injects a fake Import Table address in the PE header and builds 6 imports in that fake area. The real area on a tool I coded myself and packed with UPX is 41410C. It's the start of the actual IMPORT TABLE like described in my first post.

What happens is that from address 414000 the Jump Thunk Table is shown. At the end of the table on the original file is the Original First Thunk; from that it perfectly rebuilds the IAT like described in my first post. But when having the file packed with UPX the Original First Thunk (at address 4140A8) is destroyed, and that's what is causing the problems. The RVA should be 1481C but on the UPX packed file the Original First Thunk is 000000000.

What I do not understand is the fact that Import REC is able to find and rebuild the IAT perfectly fine. So the question still stands actually.
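The descriptor walk from the assembly listing in the first post, together with the zeroed OriginalFirstThunk case from this post, as an added Python example (not snoopy's, Human's or UPX's code). It works on a constructed flat, RVA-indexed buffer; every RVA, DLL name and address in it is made up for the demo.

```python
import struct

DESC_SIZE = 20                 # sizeof(IMAGE_IMPORT_DESCRIPTOR)

def u32(img, rva):
    return struct.unpack_from("<I", img, rva)[0]

def restore_first_thunk(img, import_rva):
    """Walk the IMAGE_IMPORT_DESCRIPTOR array at import_rva, as the assembly loop
    does: copy each OriginalFirstThunk (INT) entry over the FirstThunk (IAT) slot
    until a zero entry. Returns (dll_name, entries_restored, restorable) per DLL.
    A descriptor with OFT == 0 but FirstThunk != 0 is reported, not treated as
    the end of the array: only an all-zero descriptor terminates it."""
    report = []
    desc = import_rva
    while True:
        oft, name_rva, ft = u32(img, desc), u32(img, desc + 12), u32(img, desc + 16)
        if oft == 0 and ft == 0:
            break                                   # all-zero terminator
        end = img.index(b"\0", name_rva)
        dll = img[name_rva:end].decode("ascii")
        if oft == 0:                                # INT destroyed (the UPX case)
            report.append((dll, 0, False))          # IAT keeps runtime addresses only
        else:
            n = 0
            while (entry := u32(img, oft + 4 * n)) != 0:
                struct.pack_into("<I", img, ft + 4 * n, entry)   # IAT slot := INT entry
                n += 1
            report.append((dll, n, True))
        desc += DESC_SIZE
    return report

def build_sample_image():
    """Constructed flat, RVA-indexed image; every RVA and address below is made up."""
    img = bytearray(0x2000)
    # DLL 1: INT with two IMAGE_IMPORT_BY_NAME RVAs; IAT overwritten by resolved addresses
    struct.pack_into("<III", img, 0x1100, 0x1400, 0x1410, 0)
    struct.pack_into("<III", img, 0x1200, 0x7C800010, 0x7C800020, 0)
    # DLL 2: IAT only; its descriptor's OriginalFirstThunk will be zero
    struct.pack_into("<III", img, 0x1220, 0x7C800030, 0x7C800040, 0)
    img[0x1300:0x130D] = b"KERNEL32.dll\0"
    img[0x1310:0x131B] = b"USER32.dll\0"
    # descriptors: OFT, TimeDateStamp, ForwarderChain, Name, FirstThunk; then terminator
    struct.pack_into("<IIIII", img, 0x1000, 0x1100, 0, 0, 0x1300, 0x1200)
    struct.pack_into("<IIIII", img, 0x1014, 0, 0, 0, 0x1310, 0x1220)
    return img

if __name__ == "__main__":
    print(restore_first_thunk(build_sample_image(), 0x1000))
```

For the DLL whose INT is gone nothing can be restored from the file alone, which is why the remaining slots have to be resolved from the running process instead.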
kao, posted July 20, 2011

@hepL3r: is this the case: http://en.wikipedia.org/wiki/Google_Code#Access_restrictions ? Someone could certainly mirror the files for you.

@Snoopy: UPX builds a new import table and destroys the original one to save some extra bytes. Get the UPX sources and study the functions

    unsigned PackW32Pe::processImports()                          // pass 1
    void PackW32Pe::processImports(unsigned myimport, unsigned)   // pass 2
    void PackW32Pe::rebuildImports(upx_byte *& extrainfo)

and you'll see how it's working.

As for dynamic unpacking, it doesn't matter if the file is packed by UPX, NSPACK or any other trivial PE packer - the import rebuilding process is always the same. You can look at, for example, the OllyDump sources.
CodeExplorer, posted July 20, 2011

Writing Dynamic Unpackers for Fun with TitanEngine (By NCR): attached.
There is also a Spanish version, and the FUU installer.
@hepL3r: let me know if you need them too.
CodeExplorer, posted July 20, 2011

I didn't see Jerry's post; still, let me know if something else is needed from there.
Apuromafo, posted July 21, 2011 (edited)

coding unpacker -> reading original sources: http://upx.sourceforge.net/

deroko unpack dream reverser -> http://deroko.phearless.org/doer.html

using a loader to repair the IAT / log the IAT and dump when reaching the OEP -> http://deroko.phearless.org/engines.html

FUU NCR + that tutorial are great ->
http://ricardonarvaja.info/WEB/CURSO%20NUEVO/TEORIAS%20NUMERADAS/1201-1300/1281-Writing.Dynamics.Unpackers.for.Fun.with.TitanEngine.NCR.rar (Spanish)
http://ricardonarvaja.info/WEB/CURSO%20NUEVO/TEORIAS%20NUMERADAS/1301-1400/1359-Writing.Dynamic.Unpackers.for.Fun.with.TitanEngine.NCR.ENG.7z (English)
http://reversinglabs.com/products/TitanEngine.php

other things..

Lua script in QuickUnpack -> http://forum.tuts4you.com/index.php?showtopic=11488

do a UPX GUI for upx -d -> example http://ricardonarvaja.info/WEB/OTROS/HERRAMIENTAS/V-W-X-Y-Z/Visual%20UPX%2002%2Bupx125%20por%20Emadicius.rar

CFF Explorer UPX menu -> http://www.ntcore.com/exsuite.php -> Download the Explorer Suite

heaventools UPX plugin -> http://heaventools.com/overview.htm (UPX, Upack and NsPack Static Unpackers)

doing it by hand with OllyDbg as shown in many tuts, without losing time, is another way ^^ pushad/popad, only seeing where it ends, where it gets the DLLs, and done.

There are many tools that can unpack UPX; the thing is there are not many people who understand what to do at the real OEP, so it is necessary to make tutorials as one can..

greetings
Apuromafo

Edited July 21, 2011 by Apuromafo