Tuts 4 You

Cyb3rHack3r
Posted

Hey, guys,

So I need a little help. I am new to malware reverse engineering, but I really love to learn more.

Now I am trying to decompile a malware which is compiled using perl2exe.

Now, like I said, I am new. I tried my best, but because I have never decompiled a perl2exe file before, I am not fully sure how I should do it. I tried to search on the net and found some really interesting information, like that the exe contains encrypted Perl code but it's decrypted during runtime.

So can anyone tell me how I can decompile the file and get the decrypted source code?

By the way, I tried this tool called exe2perl, which is supposed to be a decompiler, but I got an error saying "signature not found, exiting", so any help is appreciated.


Cyb3rHack3r
Posted (edited)

This method may work for you.  Malware might have some extra tricks though.  I found this article while trying something similar with python.

http://www.fileoffset.com/re/tutorials/perl2exe.htm

 

Actually I came across this site as well, but I wasn't able to follow the tut fully. I was able to follow till the part:

Once there, step in. At this point, you should go to the Temp directory and find the folder and dropped p2x<version>.dll (here on in p2x.dll).

It made sense to me till that part, but later when he said:

Load this up in IDA. There is a routine in the p2x.dll which will loop over the decrypted TOC; the TOC contains a list of filenames, sizes and a flag indicating whether it is encrypted or not. As it's enumerating the list (at startup) it will compare the filename to a list of file extensions

He lost me there. If you understand that part, can you explain it to me?

Edited by Cyb3rHack3r
Posted

The CALL EAX is the OEP to the DLL that was dumped in the temp folder. If you go to the temp folder you will find it. When I just did it, it is stored in a subfolder in the name of the DLL. The file is packed with UPX. Loading it up in IDA isn't really needed, but it may help to analyze the DLL; unpack it first.

If you just Step In on CALL EAX you can use the Analyze This plugin for Olly to analyze the file.

Find the code they mention in that about drop_zone. This code is a loop of all the files that can be decrypted. That jump is detecting if it's a DLL or not. You want that to jump no matter what, because when a DLL is detected it will dump it to the drop_zone. So forcing everything in the TOC to think it's a DLL will call the routine to dump the file to the tmp folder. Force the jump to the drop_zone. At the end of the drop_zone routine it will JMP back on the loop to the next file. After the list is completed, copy all the files out of the tmp folder or they will be deleted when it's finished.

In the example file Example_code_Perl2Exe_8-9.exe you will get a _main.pl file that looks like this:

#!/usr/bin/perl
print "\n[*] Perl2exe Perl sourcecode revealer test code\n".
      "    by Thijs (Thice) Bosschert\n".
      "    v1.0 17-06-2012\n\n";
# Comment: This is a test comment
print "\n[*] This is just a test line.\n\n";

Hope that helps explain it.
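A check for the point above that the dropped p2x DLL is UPX-packed and needs unpacking before analysis, added here as an example and not code from the thread, from perl2exe or from UPX: it parses the PE section table for the UPX0/UPX1/UPX2 section names that stock UPX writes, and reports per-section entropy as a fallback for the case where the sections have been renamed. The PE image it runs on is a constructed sample built by build_sample_pe; on a real case, pass the bytes of the dropped DLL to pe_sections instead.

```python
import math
import struct
from collections import Counter

# Section names stock UPX writes; a renamed section defeats this, hence the entropy hint.
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: packed/encrypted data sits near 8.0, plain x86 code well below."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def pe_sections(image: bytes):
    """Yield (name, raw_bytes) for every IMAGE_SECTION_HEADER in a PE image."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]           # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", image, pe_off + 6)[0]       # NumberOfSections
    opt_size = struct.unpack_from("<H", image, pe_off + 20)[0]  # SizeOfOptionalHeader
    table = pe_off + 24 + opt_size                              # section table start
    for i in range(nsec):
        hdr = image[table + 40 * i:table + 40 * (i + 1)]
        raw_size, raw_ptr = struct.unpack_from("<II", hdr, 16)  # SizeOfRawData, PointerToRawData
        yield hdr[:8].rstrip(b"\0"), image[raw_ptr:raw_ptr + raw_size]

def is_upx_packed(image: bytes) -> bool:
    return any(name in UPX_SECTION_NAMES for name, _ in pe_sections(image))

def section_report(image: bytes):
    """[(name, raw_size, entropy), ...]: a high-entropy section stands out even if renamed."""
    return [(n, len(raw), round(shannon_entropy(raw), 2)) for n, raw in pe_sections(image)]

def build_sample_pe(sections):
    """Constructed minimal PE (DOS stub, COFF header, section table, raw data) for offline tests."""
    pe_off = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0)  # SizeOfOptionalHeader = 0
    data_start = pe_off + 24 + 40 * len(sections)
    headers, body = b"", b""
    for name, payload in sections:
        raw_ptr = data_start + len(body)
        headers += name.ljust(8, b"\0") + struct.pack("<IIII", len(payload), 0x1000, len(payload), raw_ptr) + b"\0" * 16
        body += payload
    return dos + b"PE\0\0" + coff + headers + body

if __name__ == "__main__":
    sample = build_sample_pe([(b"UPX0", b""), (b"UPX1", bytes(range(256)) * 4), (b".rsrc", b"\0" * 64)])
    print("UPX packed:", is_upx_packed(sample), section_report(sample))
```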

 


   

Cyb3rHack3r
Posted (edited)


Thanks for the reply and the help. I never actually thought of checking if the dll is packed or not; I just assumed it was not packed, which is why I kept getting nowhere. But unfortunately, even after unpacking the dll, I am still stuck at the part you mentioned, the "Drop_zone". I was able to find that section, but what am I supposed to do there? The ".text:28091C0D jnz drop_file" looks something like "JNZ 28091A0E" after I rename it. Should I step into it?

EDIT: Never mind, I finally was able to make it work. Thanks for all your help :D

Edited by Cyb3rHack3r
Posted

Great, glad you got it.

Yeah, all you really need to do is edit those JNZ to JMP, set a soft breakpoint on the first opcode for when the loop exits, and F9 to let it run. I noticed the addresses were slightly off compared to the example on that page; sorry, forgot to mention that. Just some extra info: if you search the memory for _main.pl you will find a table of all the files with their info, size, date, etc. Good luck. - jack

