Log in

View Full Version : help: packer identification

fuex
July 26th, 2007, 05:54
Hi,

I have just stumbled across a suspicious small executable on the computer Im using right now (vacation in Taiwan, I have to guess a lot when using Chinese localized software :eek.

As I have some spare time right now, I would like to unpack it. Luckily I have the essential reversing tools on my USB flash drive

PEiD identifies it as "UPX 0.80 - 1.24 DLL -> Markus & Laszlo" but I dont believe that. At least it doesnt look like UPX to me... (though Im unexperienced at unpacking so please dont blame me.) What I have noticed so far: there seems to be a loop which XORs some code in the unpacker section and some DIV 0 exception later on. A lot of things are push'ed and pop'ed, probably obfuscation.

Any help appreciated!

DANGER: MALWARE
password: infected
OHPen
July 26th, 2007, 07:35
hi fuex,

i played a bit with your target while disassembling another one just for the fun. Your are right if you think it's no UPX because this unpacking stub of your tiny app is definitifly not a common UPX stub...

I don't think that your target is playing with obfuscation, but im not 100 % sure. I also got kick on the exception but you can try to just nop the instruction, it should work.

If i have a bit time later i will take a more brief look into your tiny app.

Cheer

PAPi
LLXX
July 26th, 2007, 07:59
Unless I got a corrupted file, that is DEFINITELY obfuscated.

Code:
00419943: 60                           pushad

00419944: 57                           push      edi

00419945: 333424                       xor       esi,[esp]

00419948: 5F                           pop       edi

00419949: C1CF05                       ror       edi,005

0041994C: C1C705                       rol       edi,005

0041994F: 33DF                         xor       ebx,edi

00419951: 61                           popad

00419952: E8C8000000                   call     .000419A1F

00419957:

...

00419A1F: 81C24639587F                 add       edx,07F583946 ; 00419957

00419A25: 54                           push      esp ; +4      ; 00419957 ...esp...

00419A26: 81EA4639587F                 sub       edx,07F583946

00419A2C: 891424                       mov       [esp],edx     ; 00419957 ...edx...

00419A2F: 53                           push      ebx     ; 00419957 ...edx... ...ebx...

[ ... ]

00419A32: 8BD4                         mov       edx,esp ; edx points to ...ebx...

00419A34: 52                           push      edx ;    00419957 ...edx... ...ebx... &...ebx...

00419A35: 6808000000                   push      000000008

00419A3A: 5A                           pop       edx ; edx --> 8

00419A3B: 011424                       add       [esp],edx ;  00419957 ...edx... ...ebx... &00419957

00419A3E: 5A                           pop       edx  ; edx --> &00419957

00419A3F: 8B1A                         mov       ebx,[edx] ; ebx = 00419957

00419A41: 684F030000                   push      00000034F

00419A46: 2B1C24                       sub       ebx,[esp] ; ebx = 00419608

00419A49: 83C404                       add       esp,004   ; 00419608 ...edx... ...ebx...

00419A4C: 891A                         mov       [edx],ebx ; 00419608 ...edx... ...ebx...

00419A4E: 8BDC                         mov       ebx,esp   ; 

00419A50: 8B1B                         mov       ebx,[ebx] ; 00419608 ...edx... ...ebx...

00419A52: 83C404                       add       esp,004   ; 00419608 ...edx...

00419A55: 50                           push      eax       ; 00419608 ...edx... ...eax...

00419A56: 83C404                       add       esp,004   ; 00419608 ...edx...

00419A59: 5A                           pop       edx       ; 00419608

00419A5A: C3                           retn

...

[ ... ]

0041961B: E860020000                   call     .000419880



[ ... ]

00419882: 60                           pushad

00419883: E806000000                   call     .00041988E ; edx = 0

00419888: EB02                         jmps     .00041988C

...

0041988C: EB0C                         jmps     .00041989A

0041988E: 2BD2                         sub       edx,edx

00419890: C3                           retn

...

0041989B: BF00000000                   mov       edi,000000000 ; edi = 0

004198A0: EB02                         jmps     .0004198A4



004198A4: E800000000                   call     .0004198A9

004198A9: 33C0                         xor       eax,eax ; eax = 0

004198AB: 8B1424                       mov       edx,[esp] ; edx = 004198a9

004198AE: 58                           pop       eax ; eax = 004198a9

004198AF: 81EA270D3801                 sub       edx,001380D27 ; edx = FF098B82

004198B5: 2BC1                         sub       eax,ecx

004198B7: 2BC9                         sub       ecx,ecx

004198B9: 81F10B580000                 xor       ecx,00000580B ; ecx = 0000580B

004198BF: 81C193B23701                 add       ecx,00137B293 ; ecx = 01380A9E

004198C5: F9                           stc

004198C6: 03CA                         add       ecx,edx ; ecx = 00419620

004198C8: BE44160000                   mov       esi,000001644 ; esi = 00001644

004198CD: 81F6DC160000                 xor       esi,0000016DC ; esi = 00000098

004198D3: A915040000                   test      eax,000000415

004198D8: BF74090000                   mov       edi,000000974 ; edi = 00000974

004198DD: C1F81B                       sar       eax,01B

decryption loop 1:

004198E0: 3139                         xor       [ecx],edi ; [ 00419620 ] = F72BFE77 ^ 00000974 = F72BF703

004198E2: 41                           inc       ecx

004198E3: 41                           inc       ecx

004198E4: 41                           inc       ecx

004198E5: 41                           inc       ecx ; ecx = 00419624

004198E6: B8995F0000                   mov       eax,000005F99 ; eax = 00005f99

004198EB: 2BF0                         sub       esi,eax ; esi = ffffa0ff

004198ED: 81C6985F0000                 add       esi,000005F98 ; esi = 00000097

004198F3: F9                           stc

004198F4: 81C7E3080000                 add       edi,0000008E3 ; 00001257

004198FA: F8                           clc

004198FB: 1BC3                         sbb       eax,ebx

004198FD: 33C0                         xor       eax,eax

004198FF: 48                           dec       eax ; eax = FFFFFFFF

00419900: 03C6                         add       eax,esi ; eax = 00000096

00419902: 0F89D8FFFFFF                 jns      .0004198E0

00419908: F8                           clc

00419909: 61                           popad

0041990A: 83D04B                       adc       eax,04B

0041990D: 56                           push      esi

0041990E: 53                           push      ebx

0041990F: 83C408                       add       esp,008

00419912: 50                           push      eax

00419913: 60                           pushad

00419914: 90                           nop

00419915: BE0C55336F                   mov       esi,06F33550C

0041991A: 61                           popad

0041991B: E800000000                   call     .000419920

00419920: 56                           push      esi

00419921: 5E                           pop       esi

00419922: 58                           pop       eax
Who would be able to write this sort of code anyway? Would be rather tedious manually.
OHPen
July 26th, 2007, 08:20
@LLXX: hehe, if you consider this as obfuscation, it has one But you are right i was concentrated on obfuscation techniques like jumping direktly in opcode, which is more know to me.
fuex
July 26th, 2007, 11:29
Quote:
[Originally Posted by LLXX;67411]Unless I got a corrupted file, that is DEFINITELY obfuscated.


you didnt get a corrupted one, the code is so weird indeed. I havent tried using IDA graph feature or something like that yet but it's too messy anyway I guess.

Happy single-stepping goes on
LLXX
July 26th, 2007, 22:05
What we need is a good dataflow analyzer, since most of the code above seems to do some computation but then the result is ignored or discarded, e.g.
Code:
00419913: 60                           pushad

00419914: 90                           nop

00419915: BE0C55336F                   mov       esi,06F33550C

0041991A: 61                           popad
I'm thinking this code was generated by an automatic polymorphic obfuscator.
FrankRizzo
July 27th, 2007, 11:56
Quote:
[Originally Posted by LLXX;67411]Who would be able to write this sort of code anyway? Would be rather tedious manually.


There was an old disk based copy protection product called Super Lock, that was like this. And that was the late 80's, so I doubt it was tool generated, I think some guy sat down, and started writing the most bizarre assembly, and just kept going. The WHOLE thing jumped back and forth, did 1 non-jmp opcode per segment of code. So:

Code:
mov ax, 0001

jmp blah



mov bx, ax

jmp joe


And the jumps where back and forth, all over the place, it was a mess. I was glad there was Unguard (A tool that came with CopyIIPC), that ripped it.

On the plus side, I heard through the grapevine that the programmer had gotten it to work, and stated that he would change it "when hell froze over". So, it was as much for him, as it was for us!
fuex
July 30th, 2007, 02:44
I can hardly imagine someone wrote this by hand. have a look....

I have traced some "popfd" trap-flag exception tricks and jumps into opcode, opcode modifications, and 2 XOR decryption loops but now it's really getting confusing.


http://img263.imageshack.us/img263/3709/mnsopm4.jpg
http://img263.imageshack.us/my.php?image=mnsopm4.jpg ("URL=http://img263.imageshack.us/my.php?image=mnsopm4.jpg")
trickyboy
July 31st, 2007, 12:10
here my work .

malware detect some programs:

Code:


00AFFAD4   00AFFC2C  ASCII "s5credmgr.exe"



00AFFAD4   00AFFC3A  ASCII "minisniffer.exe"



00AFFAD4   00AFFC4A  ASCII "packetcapture.exe"



00AFFAD4   00AFFC5C  ASCII "peepnet.exe"



00AFFAD4   00AFFC68  ASCII "capturenet.exe"



00AFFAD4   00AFFC77  ASCII "wireshark.exe"



00AFFAD4   00AFFC85  ASCII "aps.exe"



00AFFAD4   00AFFC8D  ASCII "sockmon5.exe"



00AFFAD4   00AFFC9A  ASCII "gametroyhorsedetect.exe"



00AFFAD4   00AFFCB2  ASCII "filemon.exe"



00AFFAD4   00AFFCBE  ASCII "regmon.exe"


download a file:
Code:


http://www.1a123.com/dd/vv.exe


create a .dll : (HIDDEN Attribute)
Code:


0012FF48   00D6880E  |FileName = "C:\DOCUME~1\TRICKY~1\LOCALS~1\Temp\sxw.dll"


load above dll, continue unpacking malware.

That is my dump at OEP.

pass to unzip: dump

Hope it useful.
fuex
August 1st, 2007, 06:57
Thank you, Trickyboy! that's interesting information for me.

but may I ask you: how did you find the OEP in this mess? could you give me any tips how to do that in reasonable time?
trickyboy
August 1st, 2007, 10:55
It's very simple. I think file is packed and if it want to do anything, it will unpack original code to (code) section.

First, check bypass All exception (00000000 -> FFFFFFFF) in Option.

Second, "set memory breakpoint on access" for (code) section.

Next, Shift+F9 and wait anti debug trick run.... (access violation on reading... up... up... and break) .Continue Shift+F9 and wait anti debug trick run...

(above dll is loaded)

Untill it break on: (your offset maybe different)
Code:


00D60273      880429                  MOV BYTE PTR DS:[ECX+EBP],AL

00D60276      45                      INC EBP

00D60277      3B6C24 60               CMP EBP,DWORD PTR SS:[ESP+60]

00D6027B    ^ 0F82 20FFFFFF           JB 00D601A1

00D60281      5F                      POP EDI

00D60282      5E                      POP ESI

00D60283      5D                      POP EBP

00D60284      33C0                    XOR EAX,EAX

00D60286      5B                      POP EBX

00D60287      83C4 2C                 ADD ESP,2C

00D6028A      C3                      RETN


Set BP on "RETN" instruction. Return ....

View (code) section, it's still NULL (00 bytes). Well, i think malware ready for unpack code to that section. Try to "set memory breakpoint on access".. Run and break :

Code:


0040D34C      8A07                    MOV AL,BYTE PTR DS:[EDI]

0040D34E      47                      INC EDI                                              ; mnso.00401000

0040D34F      2C E8                   SUB AL,0E8

0040D351      3C 01                   CMP AL,1

0040D353    ^ 77 F7                   JA SHORT mnso.0040D34C

0040D355      8B07                    MOV EAX,DWORD PTR DS:[EDI]

0040D357      807A 01 00              CMP BYTE PTR DS:[EDX+1],0

0040D35B      74 14                   JE SHORT mnso.0040D371

0040D35D      8A1A                    MOV BL,BYTE PTR DS:[EDX]

0040D35F      381F                    CMP BYTE PTR DS:[EDI],BL

0040D361    ^ 75 E9                   JNZ SHORT mnso.0040D34C

0040D363      8A5F 04                 MOV BL,BYTE PTR DS:[EDI+4]

0040D366      66:C1E8 08              SHR AX,8

0040D36A      C1C0 10                 ROL EAX,10

0040D36D      86C4                    XCHG AH,AL

0040D36F      EB 0A                   JMP SHORT mnso.0040D37B


wait wait wait..... That's is part which will write code to (code) section. Scroll down a bit, Hey :

Code:


0040D44D      FF95 16000000           CALL DWORD PTR SS:[EBP+16]                           ; kernel32.VirtualProtect

0040D453      5A                      POP EDX                                              ; ntdll.7C910738

0040D454      5B                      POP EBX                                              ; ntdll.7C910738

0040D455      59                      POP ECX                                              ; ntdll.7C910738

0040D456      5E                      POP ESI                                              ; ntdll.7C910738

0040D457      83C3 0C                 ADD EBX,0C

0040D45A    ^ E2 E1                   LOOPD SHORT mnso.0040D43D

0040D45C      E8 7E020000             CALL mnso.0040D6DF

0040D461      61                      POPAD

0040D462      9D                      POPFD

0040D463    - E9 DE43FFFF             JMP mnso.00401846

0040D468      8BB5 67FFFFFF           MOV ESI,DWORD PTR SS:[EBP-99]

0040D46E      0BF6                    OR ESI,ESI                                           ; mnso.00401000

0040D470      0F84 A4000000           JE mnso.0040D51A

I think "Red Jump" is Jump to OEP. Set BP on it. Run and.... you know what will happen after.

Sorry for my poor english.