Example for nice custom obfuscation


OHPen
July 28th, 2007, 14:17
Hi,

I recently found a nice software product which is related to the topic of network security. After taking a deeper look at the application's kernel I saw that it seems to use a custom packer/protector which is also using obfuscation to prevent reverse engineering.

This is the entry of the application kernel:

Code:

.text:0042795E public start
.text:0042795E start: ; CODE XREF: sectio%n:004588F7j
.text:0042795E ; DATA XREF: sectio%n:004588F2o
.text:0042795E das
.text:0042795F nop
.text:00427960 pusha
.text:00427961 nop
.text:00427962 pushf
.text:00427963 test esp, esp
.text:00427965 jnz short loc_427969
.text:00427965 ; ---------------------------------------------------------------------------
.text:00427967 db 0C7h
.text:00427968 db 5
.text:00427969 ; ---------------------------------------------------------------------------
.text:00427969
.text:00427969 loc_427969: ; CODE XREF: .text:00427965j
.text:00427969 popf
.text:0042796A mov eax, fs:30h
.text:0042796F mov eax, [eax+0Ch]
.text:00427972 nop
.text:00427973 pushf
.text:00427974 test esp, esp
.text:00427976 jnz short near ptr loc_427978+2
.text:00427978

If someone wants to take a deeper look at the application, PM me and I can provide the link. It's pretty strange to trace the app.

Regards,

OHPen

LLXX
July 28th, 2007, 22:53
From what I see, they're just injecting the "pushf | test esp esp | jnz $+2 | /hc7 5 | popf" sequence many times into the compiler-generated code, which is usually done with an _asm { ... } macro.
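The injected sequence LLXX describes, as an added example that is not from either poster: a small Python helper that finds each copy of the macro in raw code bytes and overwrites it with NOPs of the same length, so the remaining code disassembles linearly again. The byte values come from the listing above (pushf = 9C, test esp,esp = 85 E4, jnz +2 = 75 02, C7 05, popf = 9D); matching the two skipped filler bytes as wildcards and the sample buffer are my assumptions.

```python
import re

# Junk sequence injected between real instructions (from the listing):
#   9C        pushf
#   85 E4     test esp, esp   ; esp is never 0 in user mode, so ZF stays clear
#   75 02     jnz short $+4   ; always taken: skips the next two bytes
#   C7 05     never executed; a linear disassembler reads them as the start
#             of a 10-byte "mov dword ptr [imm32], imm32" and desyncs
#   9D        popf
# Assumption: other copies of the macro may use different filler bytes, so
# the two skipped bytes are matched as wildcards (the listing shows C7 05).
JUNK = re.compile(rb"\x9c\x85\xe4\x75\x02..\x9d", re.DOTALL)
NOP = 0x90


def strip_junk(code: bytes) -> tuple[bytes, int]:
    """Replace every junk sequence with NOPs of equal length, so that
    addresses (and therefore relative jumps elsewhere) are preserved.
    Returns (cleaned bytes, number of sequences removed)."""
    out = bytearray(code)
    count = 0
    for m in JUNK.finditer(code):
        out[m.start():m.end()] = bytes([NOP]) * (m.end() - m.start())
        count += 1
    return bytes(out), count


# Constructed sample: the real instructions of the entry stub with the
# macro injected twice (not a byte dump of the actual binary).
JUNK_BYTES = bytes.fromhex("9c85e47502c7059d")
SAMPLE = (
    bytes.fromhex("60")              # pusha
    + JUNK_BYTES
    + bytes.fromhex("64a130000000")  # mov eax, fs:[30h]   (PEB)
    + bytes.fromhex("8b400c")        # mov eax, [eax+0Ch]  (PEB.Ldr)
    + JUNK_BYTES
    + bytes.fromhex("c3")            # retn
)

if __name__ == "__main__":
    cleaned, n = strip_junk(SAMPLE)
    print(f"removed {n} junk sequences")
    print(cleaned.hex(" "))
```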

OHPen
July 29th, 2007, 00:24
Yeah, looks like the use of a macro. The packer also uses a similar single-step prevention mechanism as SecuROM. It's easy to cheat by setting a breakpoint instead of single-stepping the pop instructions....

Actually I'm stuck here:

Code:

sectio%n:00459457 loc_459457: ; CODE XREF: sub_45942Cp
sectio%n:00459457 push dword ptr fs:0
sectio%n:0045945D mov fs:0, esp
sectio%n:00459463 xor eax, eax
sectio%n:00459463 ; ---------------------------------------------------------------------------
sectio%n:00459465 db 8Dh ; ì
sectio%n:00459466 db 0C0h ; +
sectio%n:00459467 db 90h ; É
sectio%n:00459468 ; ---------------------------------------------------------------------------
sectio%n:00459468 pop dword ptr fs:0
sectio%n:0045946E add esp, 4
sectio%n:00459471 retn

If I trace a few instructions I come to this address. Before it there is no conditional jump or anything else that can alter the instruction flow. At address 00459465 I get an invalid instruction exception and the application refuses to go on.

Any idea?

LLXX
July 29th, 2007, 03:48
The exception handler takes care of that... didn't you see the fs:0?

OHPen
July 29th, 2007, 08:15
It was 7 a.m., after I came back from work. It seems the better choice would have been to go to bed instead of taking another look at the app.
I have now left that place after passing control back to the application. What irritated me tonight was that I missed a loop; those instructions had been executed a couple of times.

I also discovered that it seems not to be a polymorphic protector stub, because another exe file of the application is protected by it. Both have the same stub and differ only in some decryption constants for the stored data.

OHPen

blabberer
July 29th, 2007, 11:58
Is it IDA's disassembly?

8D C0 is lea eax, eax (albeit an illegal use of register, but it should be disassembled correctly IIRC; at least OllyDbg disassembles it that way).
If single-stepped normally, OllyDbg says it can't step into an unknown instruction.

If it is forced to step into the unknown instruction, it turns into an exception (Options -> Debugging options -> Security -> Step into unknown commands -> checkmark -> OK):

Log data, item 0
Address=004AFFED
Message=Illegal instruction

So whatever refers to it here (CODE XREF: sub_45942Cp) has pushed the exception handler on the stack.

If you are debugging this in OllyDbg: View SEH chain -> Follow handler (or simply select esp+4 -> Follow in Disassembler), set an F2 breakpoint there,
run it, and trace the handler.

OHPen
July 29th, 2007, 12:36
Hi blabberer,

Yeah, it is an IDA disassembly, and no, it is not directly disassembled into the right instruction. Also I'm not able to mark it as code manually. Dunno why....

I'm not a friend of Olly, although I know that most of you guys use it ATM. Actually I use the internal IDA debugger a lot and also SICE. I do not often use Olly because I don't like its GUI and the handling of it in general.

PS: I already traced the handler. It is used to unpack certain areas of the following code, if I analysed it correctly.

Regards,

PAPiLLiON

OHPen
July 29th, 2007, 12:37
'doh