Tuts 4 You

[UnpackMe] Simple UnpackMe


SHADOW_UA


After unpacking, an exception is raised at 0x44D739. I fixed exception 1 by changing [00471800] -> 0, and then I hit another exception; I don't know how to bypass this one :D


Hi,

there are only 2 calls to the extra UPX code and one little routine where the real bytes get written after the second call is accessed. So this little xoring doesn't match in the dumped file = no real code gets created at VA 0044D734 = still no code to execute = access violations. Just fix both calls to UPX (see inside what it calls) and fix the stolen code routine = unpacked and no violations anymore. Optionally you can also patch the TLS (0040603D) check, which I always do in Delphi. :)



<00406075>
call 00405854

<00403F4E>
call 00403DF8

<0044D734>
PUSH EBX
ADD ESP,-0x1C
MOV EBX,EAX
MOV EDX,ESP
MOV EAX,EBX
CALL 0044D69C
TEST AL,AL
JNZ SHORT @L00000001
MOV EDX,ESP
MOV EAX,EBX
CALL 0044E0C4
@L00000001:
ADD ESP,0x1C
POP EBX
RETN
nop ; I added nop because command below has 3 bytes in original
LEA EAX,DWORD PTR DS:[EAX] ; just a little MultiASM bug
PUSH EBP
MOV EBP,ESP
PUSH EBX
MOV EBX,EAX
CMP BYTE PTR DS:[EBX+0xA4],0x0
JNZ SHORT @L00000002
MOV EAX,DWORD PTR DS:[EBX+0x30]
TEST EAX,EAX
JE SHORT @L00000003
LEA EDX,DWORD PTR SS:[EBP+0x8]
PUSH EDX
PUSH 0x0
PUSH 0xB020
PUSH EAX
CALL 004069D4
JMP SHORT @L00000003
@L00000002:
MOV EAX,DWORD PTR DS:[EBX+0xA8]
CALL 00413BF4
MOV EAX,0x8
CALL 00402A28
MOV EDX,DWORD PTR SS:[EBP+0x8]
MOV DWORD PTR DS:[EAX],EDX
MOV EDX,DWORD PTR SS:[EBP+0xC]
MOV DWORD PTR DS:[EAX+0x4],EDX
MOV EDX,EAX
MOV EAX,DWORD PTR DS:[EBX+0xA8]
CALL 00413AB4
@L00000003:
POP EBX
POP EBP
RETN 0x8

greetz


UnpackME_Unpacked.rar


@njkermk: Hi, it seems you used Notepad++ to compare 2 files. Can you tell me the way you found that area? As for me, I set a BP on memory and then I saw the XOR function.

@LCF-AT: Hi, is there any way to recognize these 2 calls? (Yes, experience is one way.)


Hi again,

1.) Unpack the file normally = OEP / Dump / Fix
2.) Test dump = access violations
3.) Check AV address

Address=0044D739 Message=Access violation when reading [68BF1DD4]
(KiUser API you can hook too.)

0012FC8C 0012FC94
0012FC90 0012FCB0
0012FC94 C0000005 <-- Violation
0012FC98 00000000
0012FC9C 00000000
0012FCA0 0044D739 0044D739 <--- address of Vio

4.) Check the Violation code address



0044D733 RETN
0044D734 ADC EAX,0xCDE4C481
0044D739 FIMUL DWORD PTR DS:[EBX+0xE8C1CDD4] <-- Vio here
0044D73F POP ECX

So you see above is a RET command = end of the routine above, and at ....34 some strange code starts, and some bytes below you can see normal code again. Now, the first command at ...34 does not cause an exception, it's just an ADC command, so now just check whether the top of the ....34 VA gets accessed too if you set a HWBP on it, or analyse the file + search for references =



References to 0044D734
Address Disassembly
0044A5A9 CALL 0044D734
0044D96E CALL 0044D734

we found 2 call commands which access this VA directly. So now we know that the first address which gets accessed is 0044D734, and the real code should also start there. Now just set a HWBP on access on 0044D734 in the dump and run.



0047114E MOV EAX,DWORD PTR DS:[ECX] <-- here the access
00471150 JMP SHORT 00471155 <--- you stop here

EAX E4C48270 <--- DWORD inside of [VA]
ECX 0044D734 <--- Our VA
EDX 00000010
EBX 0044F0CC
ESP 0012FF80
EBP 0012FFC0
ESI FFFFFFFF
EDI 7C920228 ntdll.7C920228
EIP 00471150

In the stack you can see where it was called from, some bytes below = you got one call now.


 


Now if you check this one call at...



00403F4E CALL 00471135

....then check what happens inside....



004711F2 MOV EDX,0x10 ; set counter
004711AA MOV ECX,0x44D734 ; stolen code VA
0047114E MOV EAX,DWORD PTR DS:[ECX] ; [VA] to eax
004711CC XOR EAX,DWORD PTR DS:[0x471800] ; xor value with 123
0047115C MOV DWORD PTR DS:[ECX],EAX ; mov new dword back to [VA]
004711DC ADD ECX,0x4 ; add 4 bytes to VA
00471225 DEC EDX ; subtract one from counter
0047113F JNZ SHORT 0047114E ; doesn't jump if edx is 0 = loop end

....so you see there is a xoring at VA 44D734 with a value which is stored at [0x471800], and the new bytes get copied into the code = result of the xoring = original DWORD gets xored with value X = new DWORD = copied to the code at the same VA. The counter has a length of 10 = 10 x 4 bytes = 40 bytes to xor, starting from VA 44D734 till 44D734 + 40 bytes = length of the code which gets changed.


 


So the main thing here is which value you have inside VA [0x471800] = xoring value. If you check this in the original file then you will see...



00471800 00000123

....and in my dump I have a value of...



00471800 00000365

...so you see it differs. Now check where it copies the value 365 in your dumped file... set a HWBP on access on this VA and run...



004710BD MOV DWORD PTR DS:[0x471800],EBX <--- ebx = 365
004710C3 JMP SHORT 004710C6 <-- you stop

Stack +20 = call from 00406075 CALL 00471000 <-- second call you need to check

.....



00471129 MOV EAX,0x400080
00471108 MOV EDX,0x3D0
00471069 XOR EBX,EBX
00471038 CMP BYTE PTR SS:[EAX],0x0 ; check for 00 byte / loop top
004710F5 JNZ SHORT 004710DA ; jump if not 00 byte inside [VA]
-----------------
004710F7 NOP ; <-- set BP here = 00 byte in [VA]
-----------------
004710DA INC EAX ; inc VA
004710CB DEC EDX
0047101B JNZ SHORT 00471038 ; jumps if edx not 00 and jumps back to loop top
-----------------
0047101D JMP SHORT 00471020 ; <-- set BP here edx = 00
-----------------

Now you stop at VA 004710F7, eax = VA 00400082, which holds a 00 byte.

004710F7 NOP
0047102A INC EBX
004710DA INC EAX
004710CB DEC EDX
0047101B JNZ SHORT 00471038 <--- same VA as above
0047101D JMP SHORT 00471020 <--- so we need to stop here = edx 00

Remove the BP at 004710F7 and keep the 2nd BP at VA 0047101D:

EAX 00400450 <--- VA we got after this loop
ECX 0012FFB0
EDX 00000000 <--- edx 0 loop end
EBX 00000365 <--- ebx 365
ESP 0012FF80
EBP 0012FFC0
ESI FFFFFFFF
EDI 7C920228 ntdll.7C920228
EIP 0047101D

004710BC MOV DWORD PTR SS:[0x471800],EBX <-- 365 to xor value holder VA
00471049 RDTSC
00471090 MOV ECX,DWORD PTR SS:[ESP]
0047100A SUB ECX,0x826 = 00405854 afterwards in ecx
00471080 LEA EAX,DWORD PTR DS:[ECX+0x4A850] = 004500A4 in eax
004710AE CALL ECX = call 00405854 = the missing original call, then back and return to the code....

Now if you check the same with the original file then you get this...

0047101D JMP SHORT 00471020 <-- here you stop

EAX 00400450 <--- VA we got after this loop
ECX 24575965
EDX 00000000
EBX 00000123 <-- Other value
ESP 0012FF80
EBP 0012FFC0
ESI 00000000
EDI 30000007
EIP 0047101D

...if you now check the VA you got in eax at the end = 00400450, then you see it belongs to your PE header, and in the original file you can see a lot of trash code inside this address which you don't have in your dumped file, and that is the difference. :)


 


Solutions can be:

------------------------------

Fix the missing 2 calls + restore the original code / 40 bytes, as I did in my dumped file.

or

Just change...

004711CC XOR EAX,DWORD PTR DS:[0x471800]
to
004711CC XOR EAX,0x123
004711D1 NOP

or

Just copy the original PE header into your dumped file at any patch location you want.

All three ways are possible, and the simplest fix is the xor eax,123 patch. :)


 


So I hope this little short tutorial is helpful for you now. :)


 


greetz
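The two routines LCF-AT traces in the post above (and summarises in the first reply) can be modelled outside the debugger, which makes the 0x123 / 0x365 difference and the "xor eax,0x123" fix easy to reproduce. The following Python script is an added example and is not code from the thread or from the UnpackMe itself. It uses only the addresses and constants quoted in the posts; the 12-byte REAL_CODE is my own assembly of the first five instructions of the posted listing plus the start of the CALL 0044D69C, and fake_header_image() is a constructed stand-in for a mapped PE header so the script runs offline (with a real dump you would read the file with open(path, "rb")).

```python
"""Model of the UnpackMe's header-dependent stolen-code stub (added example).

derive_key      : the zero-byte count over 0x3D0 bytes of the PE header
xor_dwords      : the 0x10-dword XOR loop at 0047114E
patch_xor_to_immediate : LCF-AT's third fix, XOR EAX,[0x471800] -> XOR EAX,imm32 ; NOP
"""
import struct

IMAGE_BASE    = 0x400000
HDR_SCAN_VA   = 0x400080   # MOV EAX,0x400080   : first byte scanned
HDR_SCAN_LEN  = 0x3D0      # MOV EDX,0x3D0      : bytes scanned
STOLEN_VA     = 0x44D734   # MOV ECX,0x44D734   : stolen code start
STOLEN_DWORDS = 0x10       # MOV EDX,0x10       : dwords xored in place
KEY_SLOT_VA   = 0x471800   # MOV [0x471800],EBX : where the key lands

# Encoding of 'XOR EAX,DWORD PTR DS:[0x471800]' at 004711CC (33 05 disp32).
XOR_MEM_INSN = bytes([0x33, 0x05]) + struct.pack("<I", KEY_SLOT_VA)


def derive_key(image: bytes, base: int = IMAGE_BASE) -> int:
    """Loop 00471038 / 004710DA / 004710CB: EBX is incremented once for every
    00 byte in the 0x3D0 bytes from VA 0x400080, i.e. the PE header.
    `image` is the file as mapped with headers at offset 0, so VA - base is
    the offset.  Packed file: 0x123 zeros.  Rebuilt dump header: 0x365."""
    off = HDR_SCAN_VA - base
    region = image[off:off + HDR_SCAN_LEN]
    if len(region) != HDR_SCAN_LEN:
        raise ValueError("image too small for the header scan")
    return region.count(0)


def xor_dwords(blob: bytes, key: int) -> bytes:
    """Loop 0047114E .. 0047113F: each dword is xored with the key and
    written back to the same VA.  With the wrong key the same loop turns
    the encoded bytes into the ADC / FIMUL garbage seen in the dump."""
    if len(blob) % 4:
        raise ValueError("the stub works on whole dwords")
    return b"".join(struct.pack("<I", dw ^ key)
                    for (dw,) in struct.iter_unpack("<I", blob))


def run_stub(image: bytes, encoded: bytes) -> bytes:
    """Both calls in program order: 00406075 (key) then 00403F4E (decode)."""
    return xor_dwords(encoded, derive_key(image))


def patch_xor_to_immediate(image: bytes, key: int = 0x123) -> bytes:
    """XOR EAX,[0x471800] (6 bytes) becomes XOR EAX,imm32 (35 imm32, 5 bytes)
    plus a NOP, so the dump's rebuilt header no longer matters.  The length
    is unchanged, so nothing after 004711D1 moves.  Refuses to guess if the
    byte pattern is not unique in the file."""
    idx = image.find(XOR_MEM_INSN)
    if idx < 0:
        raise ValueError("XOR EAX,[0x471800] not found")
    if image.find(XOR_MEM_INSN, idx + 1) != -1:
        raise ValueError("pattern not unique; patch by file offset instead")
    repl = bytes([0x35]) + struct.pack("<I", key) + b"\x90"
    return image[:idx] + repl + image[idx + len(XOR_MEM_INSN):]


def fake_header_image(zero_bytes: int) -> bytes:
    """Constructed input: a 0x450-byte 'mapped header' whose scan region
    holds exactly `zero_bytes` zeros and 0xFF elsewhere.  0x450 is also the
    EAX value left in the register after the real loop finishes."""
    region = bytes(zero_bytes) + b"\xff" * (HDR_SCAN_LEN - zero_bytes)
    return b"\xff" * (HDR_SCAN_VA - IMAGE_BASE) + region


# First three dwords of the real stolen code at 0044D734, assembled from the
# listing: PUSH EBX / ADD ESP,-0x1C / MOV EBX,EAX / MOV EDX,ESP / MOV EAX,EBX
# / start of CALL 0044D69C.  The stub does 0x10 dwords; the thread shows only
# these.  ENCODED is what sits in the file before the stub runs; its first
# dword, E4C48270, is the EAX LCF-AT saw at 0047114E.
REAL_CODE = bytes.fromhex("53 83 C4 E4  8B D8 8B D4  8B C3 E8 59")
ENCODED = xor_dwords(REAL_CODE, 0x123)


if __name__ == "__main__":
    packed = fake_header_image(0x123)   # header of the original file
    dumped = fake_header_image(0x365)   # header as rebuilt by the dump tool
    print(run_stub(packed, ENCODED).hex())  # 5383c4e48bd88bd48bc3e859 = real code
    print(run_stub(dumped, ENCODED).hex())  # 1581c4e4cdda8bd4cdc1e859 = ADC EAX,.. / FIMUL .. / POP ECX
    stub = b"\xcc" * 16 + XOR_MEM_INSN + b"\xcc" * 16   # constructed bytes around 004711CC
    print(patch_xor_to_immediate(stub)[16:22].hex())    # 352301000090 = XOR EAX,0x123 / NOP
```

The second printed line is exactly the byte sequence Olly disassembled at 0044D734 in the broken dump, which confirms that the dump's bytes are the encoded code xored with 0x365 instead of 0x123 (real bytes ^ 0x246). Patching the instruction to an immediate removes the dependency on whatever the dump tool wrote into the header; copying the original header back achieves the same by making derive_key() return 0x123 again.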

What is the software in the screenshot?

Notepad++ Compare plugin :)

 


I simply compared the "Run trace" logs of both programs using a compare plugin.

Edited by njkermk

@LCF-AT: Thanks for your detailed tutorial, very useful. :punk:
@njkermk: Hi, thanks for that new useful command!
