help: packer identification


fuex
July 26th, 2007, 05:54
Hi,

I have just stumbled across a suspicious small executable on the computer I'm using right now (vacation in Taiwan, I have to guess a lot when using Chinese-localized software).

As I have some spare time right now, I would like to unpack it. Luckily I have the essential reversing tools on my USB flash drive.

PEiD identifies it as "UPX 0.80 - 1.24 DLL -> Markus & Laszlo" but I don't believe that. At least it doesn't look like UPX to me... (though I'm inexperienced at unpacking, so please don't blame me.) What I have noticed so far: there seems to be a loop which XORs some code in the unpacker section and some DIV 0 exception later on. A lot of things are push'ed and pop'ed, probably obfuscation.

Any help appreciated!

DANGER: MALWARE
password: infected

OHPen
July 26th, 2007, 07:35
Hi fuex,

I played a bit with your target while disassembling another one just for the fun. You are right if you think it's no UPX, because this unpacking stub of your tiny app is definitely not a common UPX stub...

I don't think that your target is playing with obfuscation, but I'm not 100% sure. I also got kicked on the exception, but you can try to just nop the instruction; it should work.

If I have a bit of time later I will take a more brief look into your tiny app.

Cheers

PAPi

LLXX
July 26th, 2007, 07:59
Unless I got a corrupted file, that is DEFINITELY obfuscated.

Code:
00419943: 60 pushad
00419944: 57 push edi
00419945: 333424 xor esi,[esp]
00419948: 5F pop edi
00419949: C1CF05 ror edi,005
0041994C: C1C705 rol edi,005
0041994F: 33DF xor ebx,edi
00419951: 61 popad
00419952: E8C8000000 call .000419A1F
00419957:
...
00419A1F: 81C24639587F add edx,07F583946 ; 00419957
00419A25: 54 push esp ; +4 ; 00419957 ...esp...
00419A26: 81EA4639587F sub edx,07F583946
00419A2C: 891424 mov [esp],edx ; 00419957 ...edx...
00419A2F: 53 push ebx ; 00419957 ...edx... ...ebx...
[ ... ]
00419A32: 8BD4 mov edx,esp ; edx points to ...ebx...
00419A34: 52 push edx ; 00419957 ...edx... ...ebx... &...ebx...
00419A35: 6808000000 push 000000008
00419A3A: 5A pop edx ; edx --> 8
00419A3B: 011424 add [esp],edx ; 00419957 ...edx... ...ebx... &00419957
00419A3E: 5A pop edx ; edx --> &00419957
00419A3F: 8B1A mov ebx,[edx] ; ebx = 00419957
00419A41: 684F030000 push 00000034F
00419A46: 2B1C24 sub ebx,[esp] ; ebx = 00419608
00419A49: 83C404 add esp,004 ; 00419608 ...edx... ...ebx...
00419A4C: 891A mov [edx],ebx ; 00419608 ...edx... ...ebx...
00419A4E: 8BDC mov ebx,esp ;
00419A50: 8B1B mov ebx,[ebx] ; 00419608 ...edx... ...ebx...
00419A52: 83C404 add esp,004 ; 00419608 ...edx...
00419A55: 50 push eax ; 00419608 ...edx... ...eax...
00419A56: 83C404 add esp,004 ; 00419608 ...edx...
00419A59: 5A pop edx ; 00419608
00419A5A: C3 retn
...
[ ... ]
0041961B: E860020000 call .000419880

[ ... ]
00419882: 60 pushad
00419883: E806000000 call .00041988E ; edx = 0
00419888: EB02 jmps .00041988C
...
0041988C: EB0C jmps .00041989A
0041988E: 2BD2 sub edx,edx
00419890: C3 retn
...
0041989B: BF00000000 mov edi,000000000 ; edi = 0
004198A0: EB02 jmps .0004198A4

004198A4: E800000000 call .0004198A9
004198A9: 33C0 xor eax,eax ; eax = 0
004198AB: 8B1424 mov edx,[esp] ; edx = 004198a9
004198AE: 58 pop eax ; eax = 004198a9
004198AF: 81EA270D3801 sub edx,001380D27 ; edx = FF098B82
004198B5: 2BC1 sub eax,ecx
004198B7: 2BC9 sub ecx,ecx
004198B9: 81F10B580000 xor ecx,00000580B ; ecx = 0000580B
004198BF: 81C193B23701 add ecx,00137B293 ; ecx = 01380A9E
004198C5: F9 stc
004198C6: 03CA add ecx,edx ; ecx = 00419620
004198C8: BE44160000 mov esi,000001644 ; esi = 00001644
004198CD: 81F6DC160000 xor esi,0000016DC ; esi = 00000098
004198D3: A915040000 test eax,000000415
004198D8: BF74090000 mov edi,000000974 ; edi = 00000974
004198DD: C1F81B sar eax,01B
decryption loop 1:
004198E0: 3139 xor [ecx],edi ; [ 00419620 ] = F72BFE77 ^ 00000974 = F72BF703
004198E2: 41 inc ecx
004198E3: 41 inc ecx
004198E4: 41 inc ecx
004198E5: 41 inc ecx ; ecx = 00419624
004198E6: B8995F0000 mov eax,000005F99 ; eax = 00005f99
004198EB: 2BF0 sub esi,eax ; esi = ffffa0ff
004198ED: 81C6985F0000 add esi,000005F98 ; esi = 00000097
004198F3: F9 stc
004198F4: 81C7E3080000 add edi,0000008E3 ; 00001257
004198FA: F8 clc
004198FB: 1BC3 sbb eax,ebx
004198FD: 33C0 xor eax,eax
004198FF: 48 dec eax ; eax = FFFFFFFF
00419900: 03C6 add eax,esi ; eax = 00000096
00419902: 0F89D8FFFFFF jns .0004198E0
00419908: F8 clc
00419909: 61 popad
0041990A: 83D04B adc eax,04B
0041990D: 56 push esi
0041990E: 53 push ebx
0041990F: 83C408 add esp,008
00419912: 50 push eax
00419913: 60 pushad
00419914: 90 nop
00419915: BE0C55336F mov esi,06F33550C
0041991A: 61 popad
0041991B: E800000000 call .000419920
00419920: 56 push esi
00419921: 5E pop esi
00419922: 58 pop eax
Who would be able to write this sort of code anyway? Would be rather tedious manually.

OHPen
July 26th, 2007, 08:20
@LLXX: hehe, if you consider this as obfuscation, it has one. But you are right, I was concentrating on obfuscation techniques like jumping directly into opcode, which is more known to me.

fuex
July 26th, 2007, 11:29
Quote (originally posted by LLXX): Unless I got a corrupted file, that is DEFINITELY obfuscated.


You didn't get a corrupted one, the code is so weird indeed. I haven't tried using the IDA graph feature or something like that yet, but it's too messy anyway I guess.

Happy single-stepping goes on

LLXX
July 26th, 2007, 22:05
What we need is a good dataflow analyzer, since most of the code above seems to do some computation but then the result is ignored or discarded, e.g.
Code:
00419913: 60 pushad
00419914: 90 nop
00419915: BE0C55336F mov esi,06F33550C
0041991A: 61 popad
I'm thinking this code was generated by an automatic polymorphic obfuscator.
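The "dataflow analyzer" wished for above can be approximated for straight-line blocks with a backward liveness pass. The following is an added example, not code from the thread: it parses the two pushad/popad blocks LLXX quoted (constructed here as string listings), models registers and symbolic stack slots, and reports instructions whose results are overwritten before anything reads them. It deliberately ignores flags and non-stack memory, so "dead" means "register/stack result discarded", which is exactly the pattern LLXX points at (the mov esi between pushad and popad).

```python
import re

# pushad pushes the registers in this order; popad restores all but esp.
PUSHAD_ORDER = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
GPRS = [r for r in PUSHAD_ORDER if r != "esp"]

LINE_RE = re.compile(r"^([0-9A-Fa-f]{8}):\s+[0-9A-Fa-f]+\s+(\w+)(?:\s+(\S+))?")

# Constructed inputs: the two straight-line blocks quoted in the thread.
LISTING_A = """\
00419943: 60 pushad
00419944: 57 push edi
00419945: 333424 xor esi,[esp]
00419948: 5F pop edi
00419949: C1CF05 ror edi,005
0041994C: C1C705 rol edi,005
0041994F: 33DF xor ebx,edi
00419951: 61 popad
"""

LISTING_B = """\
00419913: 60 pushad
00419914: 90 nop
00419915: BE0C55336F mov esi,06F33550C
0041991A: 61 popad
"""


def parse(listing):
    """Return (address, mnemonic, [operands]) for each listing line."""
    out = []
    for line in listing.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            raise ValueError("unparsable line: " + line)
        addr, mnem, ops = m.group(1), m.group(2).lower(), m.group(3)
        out.append((addr, mnem, ops.lower().split(",") if ops else []))
    return out


def effects(instrs):
    """Forward pass: turn each instruction into (uses, defs) over registers and
    symbolic stack slots. Flags and non-stack memory are ignored on purpose."""
    stack, n = [], 0          # symbolic slot names, top of stack last

    def new_slot():
        nonlocal n
        n += 1
        stack.append("slot%d" % n)
        return stack[-1]

    def loc(op):
        # Register, [esp] (top stack slot), or an immediate (no location).
        if op in PUSHAD_ORDER:
            return {op}
        if op == "[esp]":
            return {stack[-1] if stack else "slot_below_entry"}
        return set()

    result = []
    for addr, mnem, ops in instrs:
        if mnem == "pushad":
            uses, defs = set(PUSHAD_ORDER), {new_slot() for _ in PUSHAD_ORDER}
        elif mnem == "popad":           # assumes a matching pushad above
            uses, defs = {stack.pop() for _ in PUSHAD_ORDER}, set(GPRS)
        elif mnem == "push":
            uses, defs = loc(ops[0]), {new_slot()}
        elif mnem == "pop":
            uses, defs = {stack.pop()}, loc(ops[0])
        elif mnem == "nop":
            uses, defs = set(), set()
        elif mnem == "mov":
            uses, defs = loc(ops[1]), loc(ops[0])
        elif mnem in ("xor", "add", "sub", "ror", "rol"):
            if mnem in ("xor", "sub") and ops[0] == ops[1]:
                uses = set()            # zeroing idiom: the old value is irrelevant
            else:
                uses = loc(ops[0]) | loc(ops[1])
            defs = loc(ops[0])
        else:
            raise ValueError("unsupported mnemonic: " + mnem)
        result.append((addr, uses, defs))
    return result, stack


def find_dead(listing):
    """Backward liveness over a straight-line block. Registers and anything still
    on the stack are assumed live at the end; an instruction is dead when nothing
    it defines is read before being overwritten (a nop counts as dead too)."""
    eff, leftover = effects(parse(listing))
    live = set(GPRS) | set(leftover)
    dead = []
    for addr, uses, defs in reversed(eff):
        if not defs & live and (defs or not uses):
            dead.append(addr)           # result discarded: skip, live set unchanged
            continue
        live = (live - defs) | uses
    return sorted(dead)


if __name__ == "__main__":
    for name, listing in (("A", LISTING_A), ("B", LISTING_B)):
        print(name, "dead instructions:", find_dead(listing))
```

For block A every instruction between pushad and popad is reported dead, because popad restores all the registers those instructions touched; for block B the nop and the mov esi are reported. The flag side effects (xor/rol set flags that popad does not restore) are outside this toy model, which is the caveat to keep in mind before deleting anything based on its verdict.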

FrankRizzo
July 27th, 2007, 11:56
Quote (originally posted by LLXX): Who would be able to write this sort of code anyway? Would be rather tedious manually.


There was an old disk-based copy protection product called Super Lock that was like this. And that was the late 80's, so I doubt it was tool-generated; I think some guy sat down and started writing the most bizarre assembly, and just kept going. The WHOLE thing jumped back and forth, did 1 non-jmp opcode per segment of code. So:

Code:
mov ax, 0001
jmp blah

mov bx, ax
jmp joe


And the jumps were back and forth, all over the place; it was a mess. I was glad there was Unguard (a tool that came with CopyIIPC), which ripped it.

On the plus side, I heard through the grapevine that the programmer had gotten it to work, and stated that he would change it "when hell froze over". So, it was as much for him, as it was for us!

fuex
July 30th, 2007, 02:44
I can hardly imagine someone wrote this by hand. Have a look....

I have traced some "popfd" trap-flag exception tricks and jumps into opcode, opcode modifications, and 2 XOR decryption loops but now it's really getting confusing.


http://img263.imageshack.us/img263/3709/mnsopm4.jpg

trickyboy
July 31st, 2007, 12:10
Here is my work.

The malware detects some programs:

Code:
00AFFAD4 00AFFC2C ASCII "s5credmgr.exe"
00AFFAD4 00AFFC3A ASCII "minisniffer.exe"
00AFFAD4 00AFFC4A ASCII "packetcapture.exe"
00AFFAD4 00AFFC5C ASCII "peepnet.exe"
00AFFAD4 00AFFC68 ASCII "capturenet.exe"
00AFFAD4 00AFFC77 ASCII "wireshark.exe"
00AFFAD4 00AFFC85 ASCII "aps.exe"
00AFFAD4 00AFFC8D ASCII "sockmon5.exe"
00AFFAD4 00AFFC9A ASCII "gametroyhorsedetect.exe"
00AFFAD4 00AFFCB2 ASCII "filemon.exe"
00AFFAD4 00AFFCBE ASCII "regmon.exe"

Downloads a file:
Code:
http://www.1a123.com/dd/vv.exe


Creates a .dll (HIDDEN attribute):
Code:
0012FF48 00D6880E |FileName = "C:\DOCUME~1\TRICKY~1\LOCALS~1\Temp\sxw.dll"


Loads the above DLL and continues unpacking the malware.

That is my dump at the OEP.

Password to unzip: dump

Hope it's useful.
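The list of process names above is a useful triage indicator on its own: a sample that carries the names of sniffers and monitors is checking for analysis tools. As an added example (not from trickyboy's post), the following script extracts printable ASCII and UTF-16LE runs from a buffer the way `strings` does and matches them against that list as a watchlist; the sample buffer and the threshold are constructed for the demonstration.

```python
import re

# Process names the dump above showed the sample comparing against,
# used here as a watchlist of analysis/monitoring tools.
WATCHLIST = {
    "s5credmgr.exe", "minisniffer.exe", "packetcapture.exe", "peepnet.exe",
    "capturenet.exe", "wireshark.exe", "aps.exe", "sockmon5.exe",
    "gametroyhorsedetect.exe", "filemon.exe", "regmon.exe",
}

ASCII_RUN = re.compile(rb"[\x20-\x7e]{5,}")            # like `strings -a`
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){5,}")     # UTF-16LE runs


def extract_strings(data):
    """Return (offset, text, encoding) for every printable run of 5+ chars,
    covering both narrow and wide strings so a wide name is not missed."""
    found = []
    for m in ASCII_RUN.finditer(data):
        found.append((m.start(), m.group().decode("ascii"), "ascii"))
    for m in WIDE_RUN.finditer(data):
        found.append((m.start(), m.group().decode("utf-16-le"), "utf-16le"))
    return sorted(found)


def tool_name_hits(data, watchlist=WATCHLIST):
    """Match extracted strings against the watchlist, case-insensitively."""
    hits = []
    for off, text, enc in extract_strings(data):
        name = text.strip().lower()
        if name in watchlist:
            hits.append((off, name, enc))
    return hits


def triage(data, threshold=3):
    """Summarise the hits; the threshold is an arbitrary constructed cut-off,
    the idea being that several tool names together are a stronger signal
    than one (a legitimate program may mention wireshark.exe in a help text)."""
    hits = tool_name_hits(data)
    return {
        "hits": len(hits),
        "names": sorted({h[1] for h in hits}),
        "suspicious": len(hits) >= threshold,
    }


# Constructed sample: two narrow names, one wide name, plus unrelated text.
SAMPLE = (
    b"\x00" * 8
    + b"wireshark.exe\x00" + b"\x90\x90"
    + "regmon.exe".encode("utf-16-le") + b"\x00\x00"
    + b"MZ\x90\x00"
    + b"filemon.exe\x00"
    + b"hello world\x00"
)

if __name__ == "__main__":
    for off, name, enc in tool_name_hits(SAMPLE):
        print("%08x %-8s %s" % (off, enc, name))
    print(triage(SAMPLE))
```

Run against a memory dump taken after unpacking (as in the OEP dump above) rather than the packed file, since in the packed file these strings are still encrypted and the scan finds nothing.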

fuex
August 1st, 2007, 06:57
Thank you, Trickyboy! That's interesting information for me.

But may I ask you: how did you find the OEP in this mess? Could you give me any tips on how to do that in a reasonable time?

trickyboy
August 1st, 2007, 10:55
It's very simple. I think the file is packed, and if it wants to do anything, it will unpack the original code to the (code) section.

First, check "bypass all exceptions" (00000000 -> FFFFFFFF) in Options.

Second, "set memory breakpoint on access" for the (code) section.

Next, Shift+F9 and wait for the anti-debug trick to run.... (access violation on reading... up... up... and break). Continue Shift+F9 and wait for the anti-debug trick to run...

(the above DLL is loaded)

Until it breaks on: (your offset may be different)
Code:
00D60273 880429 MOV BYTE PTR DS:[ECX+EBP],AL
00D60276 45 INC EBP
00D60277 3B6C24 60 CMP EBP,DWORD PTR SS:[ESP+60]
00D6027B ^ 0F82 20FFFFFF JB 00D601A1
00D60281 5F POP EDI
00D60282 5E POP ESI
00D60283 5D POP EBP
00D60284 33C0 XOR EAX,EAX
00D60286 5B POP EBX
00D60287 83C4 2C ADD ESP,2C
00D6028A C3 RETN

Set a BP on the "RETN" instruction. Return ....

View the (code) section; it's still NULL (00 bytes). Well, I think the malware is ready to unpack code to that section. Try "set memory breakpoint on access".. Run and break:

Code:
0040D34C 8A07 MOV AL,BYTE PTR DS:[EDI]
0040D34E 47 INC EDI ; mnso.00401000
0040D34F 2C E8 SUB AL,0E8
0040D351 3C 01 CMP AL,1
0040D353 ^ 77 F7 JA SHORT mnso.0040D34C
0040D355 8B07 MOV EAX,DWORD PTR DS:[EDI]
0040D357 807A 01 00 CMP BYTE PTR DS:[EDX+1],0
0040D35B 74 14 JE SHORT mnso.0040D371
0040D35D 8A1A MOV BL,BYTE PTR DS:[EDX]
0040D35F 381F CMP BYTE PTR DS:[EDI],BL
0040D361 ^ 75 E9 JNZ SHORT mnso.0040D34C
0040D363 8A5F 04 MOV BL,BYTE PTR DS:[EDI+4]
0040D366 66:C1E8 08 SHR AX,8
0040D36A C1C0 10 ROL EAX,10
0040D36D 86C4 XCHG AH,AL
0040D36F EB 0A JMP SHORT mnso.0040D37B


Wait wait wait..... That's the part which will write code to the (code) section. Scroll down a bit. Hey:

Code:
0040D44D FF95 16000000 CALL DWORD PTR SS:[EBP+16] ; kernel32.VirtualProtect
0040D453 5A POP EDX ; ntdll.7C910738
0040D454 5B POP EBX ; ntdll.7C910738
0040D455 59 POP ECX ; ntdll.7C910738
0040D456 5E POP ESI ; ntdll.7C910738
0040D457 83C3 0C ADD EBX,0C
0040D45A ^ E2 E1 LOOPD SHORT mnso.0040D43D
0040D45C E8 7E020000 CALL mnso.0040D6DF
0040D461 61 POPAD
0040D462 9D POPFD
0040D463 - E9 DE43FFFF JMP mnso.00401846
0040D468 8BB5 67FFFFFF MOV ESI,DWORD PTR SS:[EBP-99]
0040D46E 0BF6 OR ESI,ESI ; mnso.00401000
0040D470 0F84 A4000000 JE mnso.0040D51A

I think the "Red Jump" is the jump to the OEP. Set a BP on it. Run and.... you know what will happen after.

Sorry for my poor English.
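A quick way to understand a loop like the one at 0040D34C without single-stepping it is to re-express the quoted instructions in a few lines of script and run them on constructed bytes. The following is an added example, not code from the thread: it mirrors the byte scan (MOV AL,[EDI] / INC EDI / SUB AL,0E8 / CMP AL,1 / JA) and the register shuffle (SHR AX,8 / ROL EAX,10 / XCHG AH,AL) exactly as listed, and reports what EAX holds after each E8/E9 byte. The EDX-based compare and everything after the JMP at 0040D36F are not in the listing, so the script skips that check and simply resumes scanning after each hit; both are assumptions. Scanning for E8/E9 and reordering the bytes that follow is the shape of the call/jump-operand filters used by compressors such as UPX, which would fit the PEiD verdict for the outer layer, but the thread does not confirm that identification.

```python
def shuffle_eax(eax):
    """Apply the three register operations from the listing to a 32-bit value:
    SHR AX,8 ; ROL EAX,10h ; XCHG AH,AL. The result holds operand bytes
    3, 2, 1 in reversed order with byte 0 dropped."""
    eax &= 0xFFFFFFFF
    ax = (eax & 0xFFFF) >> 8                            # SHR AX,8
    eax = (eax & 0xFFFF0000) | ax
    eax = ((eax << 16) | (eax >> 16)) & 0xFFFFFFFF      # ROL EAX,10h
    al, ah = eax & 0xFF, (eax >> 8) & 0xFF
    eax = (eax & 0xFFFF0000) | (al << 8) | ah           # XCHG AH,AL
    return eax


def scan_e8_e9(buf):
    """Mirror the loop at 0040D34C: advance through bytes until one is E8 or E9,
    then load the dword after it and shuffle it. Returns (offset of the opcode
    byte, opcode, shuffled EAX) for each hit."""
    hits = []
    edi = 0
    while edi < len(buf):
        al = buf[edi]                    # MOV AL,BYTE PTR [EDI]
        edi += 1                         # INC EDI runs before the compare
        if (al - 0xE8) & 0xFF > 1:       # SUB AL,0E8 ; CMP AL,1 ; JA loop
            continue
        if edi + 4 > len(buf):           # not enough bytes for MOV EAX,[EDI]
            break
        eax = int.from_bytes(buf[edi:edi + 4], "little")   # MOV EAX,DWORD PTR [EDI]
        hits.append((edi - 1, al, shuffle_eax(eax)))
        # The listing jumps away at 0040D36F and the continuation is not quoted;
        # resuming the scan here is an assumption of this example.
    return hits


# Constructed sample: an E8 and an E9 byte, each followed by four operand bytes.
SAMPLE = bytes([0x90, 0xE8, 0x11, 0x22, 0x33, 0x44,
                0x90, 0xE9, 0xAA, 0xBB, 0xCC, 0xDD, 0x90, 0x00])

if __name__ == "__main__":
    for off, opcode, eax in scan_e8_e9(SAMPLE):
        print("offset %d opcode %02X -> EAX=%08X" % (off, opcode, eax))
```

For the bytes 11 22 33 44 after the E8 the script yields EAX = 00223344, i.e. the three high operand bytes reversed into big-endian order; seeing that in one run is what tells you the loop is rewriting call/jump operands rather than decrypting the section, which is why the actual write to (code) sits in the later part trickyboy scrolled down to.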