SHADOW_UA Posted June 13, 2014 (edited)
Packer: Modified UPX
UnpackME_PC-RET.zip
Edited June 13, 2014 by SHADOW785
njkermk Posted June 14, 2014 (edited)
unpacked
UnpackME_dump.7z
Edited June 14, 2014 by njkermk
kakamail Posted June 14, 2014
After unpacking, an exception is raised at 0x44D739. I fixed exception 1 by changing [00471800] -> 0, and then I met another exception; I don't know how to bypass this one.
njkermk Posted June 14, 2014 (edited)
kakamail, a little help to you
Edited June 14, 2014 by njkermk
DMichael Posted June 14, 2014
> kakamail, a little help to you
> trace_logs_checksum_pe.png
What is the software in the screenshot?
LCF-AT Posted June 14, 2014
Hi,

there are only 2 calls to extra UPX code and one little routine where the real bytes get written in after the second call is accessed. So this little xoring doesn't match in the dumped file = created no real code at VA 0044D734 = still no code to execute = access violations. Just fix both calls to UPX (see inside what it calls) and fix the stolen code routine = unpacked and no violations anymore. Optionally you can also patch the TLS (0040603D) check, which I always do in Delphi.

    <00406075> call 00405854
    <00403F4E> call 00403DF8

    <0044D734>
    PUSH EBX
    ADD ESP,-0x1C
    MOV EBX,EAX
    MOV EDX,ESP
    MOV EAX,EBX
    CALL 0044D69C
    TEST AL,AL
    JNZ SHORT @L00000001
    MOV EDX,ESP
    MOV EAX,EBX
    CALL 0044E0C4
    @L00000001:
    ADD ESP,0x1C
    POP EBX
    RETN
    nop                                     ; I added nop because command below has 3 bytes in original
    LEA EAX,DWORD PTR DS:[EAX]              ; just a little MultiASM bug
    PUSH EBP
    MOV EBP,ESP
    PUSH EBX
    MOV EBX,EAX
    CMP BYTE PTR DS:[EBX+0xA4],0x0
    JNZ SHORT @L00000002
    MOV EAX,DWORD PTR DS:[EBX+0x30]
    TEST EAX,EAX
    JE SHORT @L00000003
    LEA EDX,DWORD PTR SS:[EBP+0x8]
    PUSH EDX
    PUSH 0x0
    PUSH 0xB020
    PUSH EAX
    CALL 004069D4
    JMP SHORT @L00000003
    @L00000002:
    MOV EAX,DWORD PTR DS:[EBX+0xA8]
    CALL 00413BF4
    MOV EAX,0x8
    CALL 00402A28
    MOV EDX,DWORD PTR SS:[EBP+0x8]
    MOV DWORD PTR DS:[EAX],EDX
    MOV EDX,DWORD PTR SS:[EBP+0xC]
    MOV DWORD PTR DS:[EAX+0x4],EDX
    MOV EDX,EAX
    MOV EAX,DWORD PTR DS:[EBX+0xA8]
    CALL 00413AB4
    @L00000003:
    POP EBX
    POP EBP
    RETN 0x8

greetz

UnpackME_Unpacked.rar
kakamail Posted June 14, 2014
@njkermk: hi, it seems you used Notepad++ to compare 2 files. Can you tell me the way you found that area? As for me, I set a BP on memory and then I saw the XOR function.
@LCF-AT: Hi, is there any way to recognize these 2 calls? (Yes, experience is one way.)
LCF-AT Posted June 14, 2014
Hi again,

1.) Unpack the file normally = OEP / Dump / Fix
2.) Test dump = access violations
3.) Check AV address

    Address=0044D739
    Message=Access violation when reading [68BF1DD4]

KiUser API you can hook too.

    0012FC8C 0012FC94
    0012FC90 0012FCB0
    0012FC94 C0000005          <-- Violation
    0012FC98 00000000
    0012FC9C 00000000
    0012FCA0 0044D739 0044D739 <--- address of Vio

4.) Check the Violation code address

    0044D733 RETN
    0044D734 ADC EAX,0xCDE4C481
    0044D739 FIMUL DWORD PTR DS:[EBX+0xE8C1CDD4] <-- Vio here
    0044D73F POP ECX

So you see above is a RET command = end of the routine above, and at ....34 some strange code starts till some bytes below, where you can see normal code again. Now the first command at ...34 does not cause an exception, it's just an ADC command, so now just check the top of the ....34 VA, whether this gets accessed too if you set a HWBP on it, or analyse the file + search for references:

    References to 0044D734
    Address   Disassembly
    0044A5A9  CALL 0044D734
    0044D96E  CALL 0044D734

We found 2 call commands which access this VA directly. So now we know that the first address accessed is 0044D734 and the real code should also start there. Now just set a HWBP on access on 0044D734 in the dump and run.

    0047114E MOV EAX,DWORD PTR DS:[ECX] <-- here the access
    00471150 JMP SHORT 00471155         <--- you stop here

    EAX E4C48270 <--- DWORD inside of [VA]
    ECX 0044D734 <--- Our VA
    EDX 00000010
    EBX 0044F0CC
    ESP 0012FF80
    EBP 0012FFC0
    ESI FFFFFFFF
    EDI 7C920228 ntdll.7C920228
    EIP 00471150

In the stack you can see where it was called from some bytes below = you got one call now. Now if you check this one call at...

    00403F4E CALL 00471135

....then check what happens inside....

    004711F2 MOV EDX,0x10                      ; set counter
    004711AA MOV ECX,0x44D734                  ; stolen code VA
    0047114E MOV EAX,DWORD PTR DS:[ECX]        ; [VA] to eax
    004711CC XOR EAX,DWORD PTR DS:[0x471800]   ; xor value with 123
    0047115C MOV DWORD PTR DS:[ECX],EAX        ; mov new dword back to [VA]
    004711DC ADD ECX,0x4                       ; add 4 bytes to VA
    00471225 DEC EDX                           ; sub one from counter
    0047113F JNZ SHORT 0047114E                ; doesn't jump if edx 0 = loop end

....so you see there happens a xoring at VA 44D734 with a value which is stored at [0x471800], and the new bytes get copied to the code = result of xoring = original DWORD gets xored with value X = new DWORD = copied to code at the same VA. The counter has a length of 10 = 10 x 4 bytes = 40 bytes to xor, starting from VA 44D734 till 44D734 + 40 bytes = length of code which gets changed. So the main thing here is which value you have inside of VA [0x471800] = xoring value. If you check this in the original file then you will see...

    00471800 00000123

....and in my dump I have a value of...

    00471800 00000365

...so you see it differs. Now check where it copies the value 365 in your dumped file... set a HWBP on access on this VA and run...

    004710BD MOV DWORD PTR DS:[0x471800],EBX <--- ebx = 365
    004710C3 JMP SHORT 004710C6              <-- you stop

Stack +20 = call from

    00406075 CALL 00471000 <-- second call you need to check

.....

    00471129 MOV EAX,0x400080
    00471108 MOV EDX,0x3D0
    00471069 XOR EBX,EBX
    00471038 CMP BYTE PTR SS:[EAX],0x0   ; check for 00 byte / loop top
    004710F5 JNZ SHORT 004710DA          ; jump if not 00 byte inside [VA]
    -----------------
    004710F7 NOP                         ; <-- set BP here = 00 byte in [VA]
    -----------------
    004710DA INC EAX                     ; inc VA
    004710CB DEC EDX
    0047101B JNZ SHORT 00471038          ; jumps if edx not 00 and jumps back to loop top
    -----------------
    0047101D JMP SHORT 00471020          ; <-- set BP here edx = 00
    -----------------

Now you stop at VA 004710F7, eax = VA 00400082 which holds a 00 byte inside.

    004710F7 NOP
    0047102A INC EBX
    004710DA INC EAX
    004710CB DEC EDX
    0047101B JNZ SHORT 00471038 <--- same VA as above
    0047101D JMP SHORT 00471020 <--- so we need to stop here = edx 00

Remove the BP at 004710F7 and keep the 2nd BP on at VA 0047101D.

    EAX 00400450 <--- VA we got after this loop
    ECX 0012FFB0
    EDX 00000000 <--- edx 0 loop end
    EBX 00000365 <--- ebx 365
    ESP 0012FF80
    EBP 0012FFC0
    ESI FFFFFFFF
    EDI 7C920228 ntdll.7C920228
    EIP 0047101D

    004710BC MOV DWORD PTR SS:[0x471800],EBX        <-- 365 to xor location VA holder
    00471049 RDTSC
    00471090 MOV ECX,DWORD PTR SS:[ESP]
    0047100A SUB ECX,0x826                          = 00405854 after in ecx
    00471080 LEA EAX,DWORD PTR DS:[ECX+0x4A850]     = 004500A4 in eax
    004710AE CALL ECX                               = call 00405854 = missing original call back and return to code....

Now if you check the same with the original file then you get this...

    0047101D JMP SHORT 00471020 <-- here you stop
    EAX 00400450 <--- VA we got after this loop
    ECX 24575965
    EDX 00000000
    EBX 00000123 <-- Other value
    ESP 0012FF80
    EBP 0012FFC0
    ESI 00000000
    EDI 30000007
    EIP 0047101D

...if you now check the VA you got in eax at the end = 00400450, then you see it belongs to your PE header, and in the original file you can see a lot of trash code inside this address which you don't have in your dumped file, and that's the difference.

Solutions can be:
------------------------------
Fix the missing 2 calls + restore the original code / 40 bytes as I did in my dumped file.
or
Just change...

    004711CC XOR EAX,DWORD PTR DS:[0x471800]

to

    004711CC XOR EAX,0x123
    004711D1 NOP

or
Just copy the original PE header into your dumped file at any patch location you want.

All three ways are possible and the simplest fix is the xor eax,123 patch. So I hope this little short tutorial is helpful for you now.

greetz
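The two UPX-extra routines LCF-AT traced above (the zero-byte count over the PE header that lands in [0x471800], and the XOR loop over the stolen code at 0044D734) modelled in Python, as an added example that is not code from the thread or from the UnpackME. It shows why the same dump-time XOR yields garbage once the header has been rebuilt, and applies the "xor eax,123" patch. Assumptions: the image is one flat mapping from 0x400000; the stolen code is hand-encoded from LCF-AT's restored listing (the relative CALL/JNZ offsets are computed here, not taken from the file); the loop count is taken as 10 DWORDs / 40 bytes from the prose (the listing shows 0x10, so check your own trace); the header contents are constructed, only the zero-byte totals 0x123 / 0x365 and the first encrypted DWORD E4C48270 come from the thread. The return into 00405854 via CALL ECX is not emulated.

```python
import struct

IMAGE_BASE      = 0x400000
HEADER_SCAN_VA  = 0x400080   # MOV EAX,0x400080
HEADER_SCAN_LEN = 0x3D0      # MOV EDX,0x3D0
STOLEN_CODE_VA  = 0x44D734   # MOV ECX,0x44D734
STOLEN_DWORDS   = 10         # assumption: 40 bytes per the thread's prose (listing shows 0x10)
KEY_HOLDER_VA   = 0x471800   # XOR EAX,DWORD PTR DS:[0x471800] reads from here
XOR_INSN_VA     = 0x4711CC   # address of that XOR instruction
ORIGINAL_KEY    = 0x123      # zero-byte count of the original header
XOR_MEM_INSN    = bytes.fromhex("330500184700")  # XOR EAX,DWORD PTR DS:[0x471800]

# Stolen code as LCF-AT restored it, encoded by hand for VA 0x44D734 (reconstruction,
# not bytes taken from the file); LEA EAX,[EAX] uses the original 3-byte form 8D 40 00.
STOLEN_CODE = bytes.fromhex(
    "53"            # PUSH EBX
    "83C4E4"        # ADD ESP,-0x1C
    "8BD8"          # MOV EBX,EAX
    "8BD4"          # MOV EDX,ESP
    "8BC3"          # MOV EAX,EBX
    "E859FFFFFF"    # CALL 0044D69C
    "84C0"          # TEST AL,AL
    "7509"          # JNZ SHORT 0044D750
    "8BD4"          # MOV EDX,ESP
    "8BC3"          # MOV EAX,EBX
    "E874090000"    # CALL 0044E0C4
    "83C41C"        # ADD ESP,0x1C
    "5B"            # POP EBX
    "C3"            # RETN
    "8D4000"        # LEA EAX,DWORD PTR DS:[EAX]
    "55"            # PUSH EBP
    "8BEC"          # MOV EBP,ESP
    "53"            # PUSH EBX
)
assert len(STOLEN_CODE) == 4 * STOLEN_DWORDS


class Image:
    """Flat memory image addressed by VA (assumption: one contiguous mapping)."""
    def __init__(self, size=0x80000):
        self.mem = bytearray(size)

    def read(self, va, n):
        off = va - IMAGE_BASE
        return bytes(self.mem[off:off + n])

    def write(self, va, data):
        off = va - IMAGE_BASE
        self.mem[off:off + len(data)] = data

    def read_u32(self, va):
        return struct.unpack("<I", self.read(va, 4))[0]

    def write_u32(self, va, v):
        self.write(va, struct.pack("<I", v & 0xFFFFFFFF))


def build_image(header_zero_bytes, code_key=ORIGINAL_KEY):
    """Constructed sample: a header region with the given number of 0x00 bytes (rest 0xCC
    'trash'), the stolen code stored XORed with code_key as in the packed file, and the
    XOR EAX,[0x471800] instruction at its site."""
    img = Image()
    hdr = bytearray(b"\xCC" * HEADER_SCAN_LEN)
    hdr[:header_zero_bytes] = b"\x00" * header_zero_bytes
    img.write(HEADER_SCAN_VA, hdr)
    for i in range(STOLEN_DWORDS):
        (plain,) = struct.unpack_from("<I", STOLEN_CODE, 4 * i)
        img.write_u32(STOLEN_CODE_VA + 4 * i, plain ^ code_key)
    img.write(XOR_INSN_VA, XOR_MEM_INSN)
    return img


def header_checksum(img):
    """Loop at 00471038..0047101B: EBX counts 00 bytes from 0x400080 for 0x3D0 bytes."""
    return img.read(HEADER_SCAN_VA, HEADER_SCAN_LEN).count(0)


def stub_xor_key(img):
    """Key the loop at 004711CC really uses: [0x471800], unless the instruction was
    patched to XOR EAX,imm32 (opcode 35)."""
    insn = img.read(XOR_INSN_VA, 6)
    if insn[0] == 0x35:
        return struct.unpack("<I", insn[1:5])[0]
    if insn != XOR_MEM_INSN:
        raise ValueError("unexpected bytes at 0x4711CC")
    return img.read_u32(KEY_HOLDER_VA)


def run_unpacker_stub(img):
    """Emulate CALL 00471000 (checksum -> [0x471800]) then CALL 00471135 (XOR loop).
    Returns the key that was applied to the stolen code."""
    img.write_u32(KEY_HOLDER_VA, header_checksum(img))
    key = stub_xor_key(img)
    for i in range(STOLEN_DWORDS):
        va = STOLEN_CODE_VA + 4 * i
        img.write_u32(va, img.read_u32(va) ^ key)
    return key


def patch_constant_key(img, key=ORIGINAL_KEY):
    """LCF-AT's simplest fix: 33 05 00 18 47 00 -> 35 <key> 90 (XOR EAX,imm32 ; NOP),
    same 6-byte footprint so the instruction after it stays aligned."""
    if img.read(XOR_INSN_VA, 6) != XOR_MEM_INSN:
        raise ValueError("XOR EAX,[0x471800] not found at 0x4711CC")
    img.write(XOR_INSN_VA, b"\x35" + struct.pack("<I", key) + b"\x90")


def demo():
    original = build_image(header_zero_bytes=0x123)
    dump = build_image(header_zero_bytes=0x365)      # rebuilt header: more 00 bytes
    fixed = build_image(header_zero_bytes=0x365)
    patch_constant_key(fixed)
    return {
        "original":     (run_unpacker_stub(original), original.read(STOLEN_CODE_VA, 12).hex()),
        "dump":         (run_unpacker_stub(dump),     dump.read(STOLEN_CODE_VA, 12).hex()),
        "patched_dump": (run_unpacker_stub(fixed),    fixed.read(STOLEN_CODE_VA, 12).hex()),
    }


if __name__ == "__main__":
    for name, (key, code) in demo().items():
        print(f"{name:13s} key=0x{key:03X} bytes@0044D734={code}")
```

With the wrong key the first bytes of the dump come out as 15 81 C4 E4 CD DA 8B D4 CD C1 E8 59, which is exactly the ADC EAX,0xCDE4C481 / FIMUL [EBX+0xE8C1CDD4] / POP ECX sequence in the access-violation listing; with 0x123 they are 53 83 C4 E4 (PUSH EBX; ADD ESP,-0x1C). The other two fixes from the post, restoring the 40 bytes directly or copying the original header back, amount to writing STOLEN_CODE at 0x44D734 and making header_checksum return 0x123 again.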
njkermk Posted June 15, 2014 (edited)
> What is the software in the screenshot?
Notepad++ Compare plugin
> @njkermk: hi, it seems you used Notepad++ to compare 2 files. Can you tell me the way you found that area? As for me, I set a BP on memory and then I saw the XOR function.
> @LCF-AT: Hi, is there any way to recognize these 2 calls? (Yes, experience is one way.)
I simply compared the "Run trace" logs of both programs using a compare plugin.
Edited June 15, 2014 by njkermk
kakamail Posted June 15, 2014
@LCF-AT: Thanks for your detailed tutorial, very useful.
@njkermk: hi, thanks for that new useful command!