
Unpacked app deletes itself


5aLIVE
September 24th, 2007, 12:37
I wanted to evaluate a tool today which doesn't have a trial. I foolishly used a serial which is checked online and was reported as leaked and therefore blacklisted. It then shuts my system down.

The key-licensing algorithm is a crypto nightmare (Adler32/BASE64/BLOWFISH/LockBoxMD5/SHA1) and well beyond my current abilities.

I removed the registry entry for the serial and restarted the app which now reports it is no longer registered. I set my firewall to block the app and reentered the blacklisted serial. Now the app refuses to run without online validation.

I used Regmon and Filemon to check what files and hives were being accessed, but I found nothing out of the ordinary (to me, anyway).

Okay, I thought, let's disassemble it and see if I can find the message box and work back from there. Hmm, it's packed. Okay, I unpacked it and ran it again; the unpacked program deletes itself and then shuts down! What a pain.

Can anyone suggest how I proceed from here? I found the DeleteFileA API, thinking that would be a good place to start, but the program shuts down before reaching it. I'll need to confirm this to be certain. (Confirmed)

I can't add attachments to show the resolved imports tree, so I have listed them below; I hope this is okay. Can anyone suggest what other APIs are worth a look?

At this point, all I really want to do is remove the blacklisting. Having the unpacked app running with a patch would be a bonus.

Code:

FThunk: 001031E0 NbFunc: 0000002C
1 001031E0 kernel32.dll 0080 DeleteCriticalSection
1 001031E4 kernel32.dll 0242 LeaveCriticalSection
1 001031E8 kernel32.dll 0097 EnterCriticalSection
1 001031EC kernel32.dll 0217 InitializeCriticalSection
1 001031F0 kernel32.dll 036F VirtualFree
1 001031F4 kernel32.dll 036C VirtualAlloc
1 001031F8 kernel32.dll 024D LocalFree
1 001031FC kernel32.dll 0249 LocalAlloc
1 00103200 kernel32.dll 013F GetCurrentThreadId
1 00103204 kernel32.dll 021B InterlockedDecrement
1 00103208 kernel32.dll 021F InterlockedIncrement
1 0010320C kernel32.dll 0374 VirtualQuery
1 00103210 kernel32.dll 0380 WideCharToMultiByte
1 00103214 kernel32.dll 0266 MultiByteToWideChar
1 00103218 kernel32.dll 03B4 lstrlen
1 0010321C kernel32.dll 03B1 lstrcpyn
1 00103220 kernel32.dll 0244 LoadLibraryExA
1 00103224 kernel32.dll 01CE GetThreadLocale
1 00103228 kernel32.dll 01AE GetStartupInfoA
1 0010322C kernel32.dll 0199 GetProcAddress
1 00103230 kernel32.dll 0177 GetModuleHandleA
1 00103234 kernel32.dll 0175 GetModuleFileNameA
1 00103238 kernel32.dll 016C GetLocaleInfoA
1 0010323C kernel32.dll 0169 GetLastError
1 00103240 kernel32.dll 010A GetCommandLineA
1 00103244 kernel32.dll 00F1 FreeLibrary
1 00103248 kernel32.dll 00D1 FindFirstFileA
1 0010324C kernel32.dll 00CD FindClose
1 00103250 kernel32.dll 00B7 ExitProcess
1 00103254 kernel32.dll 00B8 ExitThread
1 00103258 kernel32.dll 006D CreateThread
1 0010325C kernel32.dll 038D WriteFile
1 00103260 kernel32.dll 0359 UnhandledExceptionFilter
1 00103264 kernel32.dll 0308 SetFilePointer
1 00103268 kernel32.dll 02FF SetEndOfFile
1 0010326C kernel32.dll 02C6 RtlUnwind
1 00103270 kernel32.dll 02A5 ReadFile
1 00103274 kernel32.dll 0298 RaiseException
1 00103278 kernel32.dll 01B0 GetStdHandle
1 0010327C kernel32.dll 015C GetFileSize
1 00103280 kernel32.dll 01BD GetSystemTime
1 00103284 kernel32.dll 015F GetFileType
1 00103288 kernel32.dll 0050 CreateFileA
1 0010328C kernel32.dll 0032 CloseHandle

FThunk: 00103294 NbFunc: 00000004
1 00103294 user32.dll 0128 GetKeyboardType
1 00103298 user32.dll 01C9 LoadStringA
1 0010329C user32.dll 01DD MessageBoxA
1 001032A0 user32.dll 002B CharNextA

FThunk: 001032A8 NbFunc: 00000003
1 001032A8 advapi32.dll 01EE RegQueryValueExA
1 001032AC advapi32.dll 01E4 RegOpenKeyExA
1 001032B0 advapi32.dll 01CB RegCloseKey

FThunk: 001032B8 NbFunc: 00000003
1 001032B8 oleaut32.dll 0006 SysFreeString
1 001032BC oleaut32.dll 0005 SysReAllocStringLen
1 001032C0 oleaut32.dll 0004 SysAllocStringLen

FThunk: 001032C8 NbFunc: 00000004
1 001032C8 kernel32.dll 0350 TlsSetValue
1 001032CC kernel32.dll 034F TlsGetValue
1 001032D0 kernel32.dll 0249 LocalAlloc
1 001032D4 kernel32.dll 0177 GetModuleHandleA

FThunk: 001032DC NbFunc: 00000012
1 001032DC advapi32.dll 020B ReportEventA
1 001032E0 advapi32.dll 0200 RegisterEventSourceA
1 001032E4 advapi32.dll 01FB RegSetValueExA
1 001032E8 advapi32.dll 01EE RegQueryValueExA
1 001032EC advapi32.dll 01E9 RegQueryInfoKeyA
1 001032F0 advapi32.dll 01E4 RegOpenKeyExA
1 001032F4 advapi32.dll 01DD RegFlushKey
1 001032F8 advapi32.dll 01DB RegEnumValueA
1 001032FC advapi32.dll 01D8 RegEnumKeyExA
1 00103300 advapi32.dll 01D4 RegDeleteValueA
1 00103304 advapi32.dll 01D2 RegDeleteKeyA
1 00103308 advapi32.dll 01CF RegCreateKeyExA
1 0010330C advapi32.dll 01CB RegCloseKey
1 00103310 advapi32.dll 01AB OpenProcessToken
1 00103314 advapi32.dll 014E LookupPrivilegeValueA
1 00103318 advapi32.dll 0125 GetUserNameA
1 0010331C advapi32.dll 00B2 DeregisterEventSource
1 00103320 advapi32.dll 001E AdjustTokenPrivileges

FThunk: 00103328 NbFunc: 0000006D
1 00103328 kernel32.dll 03AE lstrcpy
1 0010332C kernel32.dll 03AA lstrcmpW
1 00103330 kernel32.dll 03A8 lstrcmp
1 00103334 kernel32.dll 0396 WriteProcessMemory
1 00103338 kernel32.dll 0392 WritePrivateProfileStringA
1 0010333C kernel32.dll 038D WriteFile
1 00103340 kernel32.dll 0380 WideCharToMultiByte
1 00103344 kernel32.dll 037C WaitForSingleObject
1 00103348 kernel32.dll 0374 VirtualQuery
1 0010334C kernel32.dll 0372 VirtualProtect
1 00103350 kernel32.dll 0370 VirtualFreeEx
1 00103354 kernel32.dll 036D VirtualAllocEx
1 00103358 kernel32.dll 036C VirtualAlloc
1 0010335C kernel32.dll 0348 TerminateProcess
1 00103360 kernel32.dll 0342 SuspendThread
1 00103364 kernel32.dll 0341 SleepEx
1 00103368 kernel32.dll 0340 Sleep
1 0010336C kernel32.dll 033F SizeofResource
1 00103370 kernel32.dll 032E SetThreadLocale
1 00103374 kernel32.dll 02C0 RestoreLastError
1 00103378 kernel32.dll 0308 SetFilePointer
1 0010337C kernel32.dll 0306 SetFileAttributesA
1 00103380 kernel32.dll 0303 SetEvent
1 00103384 kernel32.dll 0302 SetErrorMode
1 00103388 kernel32.dll 02FF SetEndOfFile
1 0010338C kernel32.dll 02C1 ResumeThread
1 00103390 kernel32.dll 02BE ResetEvent
1 00103394 kernel32.dll 02B4 RemoveDirectoryA
1 00103398 kernel32.dll 02B2 ReleaseMutex
1 0010339C kernel32.dll 02A5 ReadFile
1 001033A0 kernel32.dll 0276 OpenProcess
1 001033A4 kernel32.dll 0266 MultiByteToWideChar
1 001033A8 kernel32.dll 0265 MulDiv
1 001033AC kernel32.dll 0260 MoveFileExA
1 001033B0 kernel32.dll 0256 LockResource
1 001033B4 kernel32.dll 0248 LoadResource
1 001033B8 kernel32.dll 0243 LoadLibraryA
1 001033BC kernel32.dll 0242 LeaveCriticalSection
1 001033C0 kernel32.dll 0217 InitializeCriticalSection
1 001033C4 kernel32.dll 01FE GlobalUnlock
1 001033C8 kernel32.dll 01FB GlobalSize
1 001033CC kernel32.dll 01FA GlobalReAlloc
1 001033D0 kernel32.dll 01F6 GlobalHandle
1 001033D4 kernel32.dll 01F7 GlobalLock
1 001033D8 kernel32.dll 01F3 GlobalFree
1 001033DC kernel32.dll 01EF GlobalFindAtomA
1 001033E0 kernel32.dll 01EE GlobalDeleteAtom
1 001033E4 kernel32.dll 01EC GlobalAlloc
1 001033E8 kernel32.dll 01EA GlobalAddAtomA
1 001033EC kernel32.dll 01DD GetVersionExA
1 001033F0 kernel32.dll 01DC GetVersion
1 001033F4 kernel32.dll 01D7 GetUserDefaultLCID
1 001033F8 kernel32.dll 01D6 GetTimeZoneInformation
1 001033FC kernel32.dll 01D3 GetTickCount
1 00103400 kernel32.dll 01CE GetThreadLocale
1 00103404 kernel32.dll 01CA GetTempPathA
1 00103408 kernel32.dll 01BA GetSystemInfo
1 0010340C kernel32.dll 01B2 GetStringTypeExA
1 00103410 kernel32.dll 01B0 GetStdHandle
1 00103414 kernel32.dll 01AC GetShortPathNameA
1 00103418 kernel32.dll 0199 GetProcAddress
1 0010341C kernel32.dll 0195 GetPrivateProfileStringA
1 00103420 kernel32.dll 0177 GetModuleHandleA
1 00103424 kernel32.dll 0176 GetModuleFileNameW
1 00103428 kernel32.dll 0175 GetModuleFileNameA
1 0010342C kernel32.dll 016C GetLocaleInfoA
1 00103430 kernel32.dll 016B GetLocalTime
1 00103434 kernel32.dll 0169 GetLastError
1 00103438 kernel32.dll 015C GetFileSize
1 0010343C kernel32.dll 0157 GetFileAttributesA
1 00103440 kernel32.dll 0154 GetExitCodeThread
1 00103444 kernel32.dll 0153 GetExitCodeProcess
1 00103448 kernel32.dll 0151 GetEnvironmentVariableA
1 0010344C kernel32.dll 0146 GetDiskFreeSpaceA
1 00103450 kernel32.dll 0140 GetDateFormatA
1 00103454 kernel32.dll 013F GetCurrentThreadId
1 00103458 kernel32.dll 013D GetCurrentProcessId
1 0010345C kernel32.dll 013C GetCurrentProcess
1 00103460 kernel32.dll 010E GetComputerNameA
1 00103464 kernel32.dll 010B GetCommandLineW
1 00103468 kernel32.dll 00FE GetCPInfo
1 0010346C kernel32.dll 00F7 GetACP
1 00103470 kernel32.dll 00F3 FreeResource
1 00103474 kernel32.dll 00F1 FreeLibrary
1 00103478 kernel32.dll 00EC FormatMessageA
1 0010347C kernel32.dll 00E0 FindResourceA
1 00103480 kernel32.dll 00DA FindNextFileA
1 00103484 kernel32.dll 00D1 FindFirstFileA
1 00103488 kernel32.dll 00CD FindClose
1 0010348C kernel32.dll 00C4 FileTimeToSystemTime
1 00103490 kernel32.dll 00C3 FileTimeToLocalFileTime
1 00103494 kernel32.dll 00C2 FileTimeToDosDateTime
1 00103498 kernel32.dll 00A4 EnumResourceNamesA
1 0010349C kernel32.dll 0098 EnumCalendarInfoA
1 001034A0 kernel32.dll 0097 EnterCriticalSection
1 001034A4 kernel32.dll 0082 DeleteFileA
1 001034A8 kernel32.dll 0080 DeleteCriticalSection
1 001034AC kernel32.dll 006D CreateThread
1 001034B0 kernel32.dll 0068 CreateRemoteThread
1 001034B4 kernel32.dll 0063 CreateProcessA
1 001034B8 kernel32.dll 005D CreateMutexA
1 001034BC kernel32.dll 0053 CreateFileW
1 001034C0 kernel32.dll 0050 CreateFileA
1 001034C4 kernel32.dll 004C CreateEventA
1 001034C8 kernel32.dll 0048 CreateDirectoryA
1 001034CC kernel32.dll 0040 CopyFileA
1 001034D0 kernel32.dll 0039 CompareStringW
1 001034D4 kernel32.dll 0038 CompareStringA
1 001034D8 kernel32.dll 0032 CloseHandle

FThunk: 001034E0 NbFunc: 00000003
1 001034E0 version.dll 000B VerQueryValueA
1 001034E4 version.dll 0002 GetFileVersionInfoSizeA
1 001034E8 version.dll 0001 GetFileVersionInfoA

FThunk: 001034F0 NbFunc: 00000052
1 001034F0 gdi32.dll 0253 UnrealizeObject
1 001034F4 gdi32.dll 024B StretchDIBits
1 001034F8 gdi32.dll 024A StretchBlt
1 001034FC gdi32.dll 0244 SetWindowOrgEx
1 00103500 gdi32.dll 0242 SetWinMetaFileBits
1 00103504 gdi32.dll 0240 SetViewportOrgEx
1 00103508 gdi32.dll 023D SetTextColor
1 0010350C gdi32.dll 0239 SetStretchBltMode
1 00103510 gdi32.dll 0236 SetROP2
1 00103514 gdi32.dll 0232 SetPixel
1 00103518 gdi32.dll 022C SetMapMode
1 0010351C gdi32.dll 0223 SetEnhMetaFileBits
1 00103520 gdi32.dll 021F SetDIBColorTable
1 00103524 gdi32.dll 021A SetBrushOrgEx
1 00103528 gdi32.dll 0217 SetBkMode
1 0010352C gdi32.dll 0216 SetBkColor
1 00103530 gdi32.dll 0210 SelectPalette
1 00103534 gdi32.dll 020F SelectObject
1 00103538 gdi32.dll 0208 SaveDC
1 0010353C gdi32.dll 0202 RoundRect
1 00103540 gdi32.dll 0201 RestoreDC
1 00103544 gdi32.dll 01F7 Rectangle
1 00103548 gdi32.dll 01F6 RectVisible
1 0010354C gdi32.dll 01F4 RealizePalette
1 00103550 gdi32.dll 01EF Polyline
1 00103554 gdi32.dll 01E1 PlayEnhMetaFile
1 00103558 gdi32.dll 01DE PatBlt
1 0010355C gdi32.dll 01D2 MoveToEx
1 00103560 gdi32.dll 01CF MaskBlt
1 00103564 gdi32.dll 01CE LineTo
1 00103568 gdi32.dll 01CC LPtoDP
1 0010356C gdi32.dll 01C8 IntersectClipRect
1 00103570 gdi32.dll 01C4 GetWindowOrgEx
1 00103574 gdi32.dll 01C2 GetWinMetaFileBits
1 00103578 gdi32.dll 01BD GetTextMetricsA
1 0010357C gdi32.dll 01B7 GetTextExtentPointA
1 00103580 gdi32.dll 01B6 GetTextExtentPoint32W
1 00103584 gdi32.dll 01B5 GetTextExtentPoint32A
1 00103588 gdi32.dll 01AA GetSystemPaletteEntries
1 0010358C gdi32.dll 01A6 GetStockObject
1 00103590 gdi32.dll 01A5 GetRgnBox
1 00103594 gdi32.dll 019D GetPixel
1 00103598 gdi32.dll 019B GetPaletteEntries
1 0010359C gdi32.dll 0196 GetObjectA
1 001035A0 gdi32.dll 0176 GetEnhMetaFilePaletteEntries
1 001035A4 gdi32.dll 0175 GetEnhMetaFileHeader
1 001035A8 gdi32.dll 0173 GetEnhMetaFileDescriptionA
1 001035AC gdi32.dll 0172 GetEnhMetaFileBits
1 001035B0 gdi32.dll 016C GetDeviceCaps
1 001035B4 gdi32.dll 016B GetDIBits
1 001035B8 gdi32.dll 016A GetDIBColorTable
1 001035BC gdi32.dll 0168 GetDCOrgEx
1 001035C0 gdi32.dll 0166 GetCurrentPositionEx
1 001035C4 gdi32.dll 0161 GetClipBox
1 001035C8 gdi32.dll 0151 GetBrushOrgEx
1 001035CC gdi32.dll 014B GetBitmapBits
1 001035D0 gdi32.dll 00DF ExtTextOutW
1 001035D4 gdi32.dll 00DE ExtTextOutA
1 001035D8 gdi32.dll 00D8 ExcludeClipRect
1 001035DC gdi32.dll 0095 Ellipse
1 001035E0 gdi32.dll 0090 DeleteObject
1 001035E4 gdi32.dll 008E DeleteEnhMetaFile
1 001035E8 gdi32.dll 008D DeleteDC
1 001035EC gdi32.dll 0051 CreateSolidBrush
1 001035F0 gdi32.dll 004E CreateRoundRectRgn
1 001035F4 gdi32.dll 004C CreateRectRgn
1 001035F8 gdi32.dll 0049 CreatePenIndirect
1 001035FC gdi32.dll 0048 CreatePen
1 00103600 gdi32.dll 0046 CreatePalette
1 00103604 gdi32.dll 0040 CreateHalftonePalette
1 00103608 gdi32.dll 003B CreateFontIndirectA
1 0010360C gdi32.dll 0038 CreateEnhMetaFileA
1 00103610 gdi32.dll 0034 CreateDIBitmap
1 00103614 gdi32.dll 0033 CreateDIBSection
1 00103618 gdi32.dll 002E CreateCompatibleDC
1 0010361C gdi32.dll 002D CreateCompatibleBitmap
1 00103620 gdi32.dll 002A CreateBrushIndirect
1 00103624 gdi32.dll 0028 CreateBitmap
1 00103628 gdi32.dll 0024 CopyEnhMetaFileA
1 0010362C gdi32.dll 0022 CombineRgn
1 00103630 gdi32.dll 001D CloseEnhMetaFile
1 00103634 gdi32.dll 0013 BitBlt

FThunk: 0010363C NbFunc: 000000CC
1 0010363C user32.dll 02D6 WindowFromPoint
1 00103640 user32.dll 02D3 WinHelpA
1 00103644 user32.dll 02D1 WaitMessage
1 00103648 user32.dll 02C6 ValidateRect
1 0010364C user32.dll 02BC UpdateWindow
1 00103650 user32.dll 02B5 UnregisterClassW
1 00103654 user32.dll 02B4 UnregisterClassA
1 00103658 user32.dll 02AF UnhookWindowsHookEx
1 0010365C user32.dll 02AB TranslateMessage
1 00103660 user32.dll 02AA TranslateMDISysAccel
1 00103664 user32.dll 02A5 TrackPopupMenu
1 00103668 user32.dll 029A SystemParametersInfoA
1 0010366C user32.dll 0293 ShowWindow
1 00103670 user32.dll 0291 ShowScrollBar
1 00103674 user32.dll 0290 ShowOwnedPopups
1 00103678 user32.dll 028F ShowCursor
1 0010367C user32.dll 0285 SetWindowRgn
1 00103680 user32.dll 028C SetWindowsHookExW
1 00103684 user32.dll 028B SetWindowsHookExA
1 00103688 user32.dll 0288 SetWindowTextW
1 0010368C user32.dll 0287 SetWindowTextA
1 00103690 user32.dll 0284 SetWindowPos
1 00103694 user32.dll 0283 SetWindowPlacement
1 00103698 user32.dll 0282 SetWindowLongW
1 0010369C user32.dll 0281 SetWindowLongA
1 001036A0 user32.dll 027B SetTimer
1 001036A4 user32.dll 0271 SetScrollRange
1 001036A8 user32.dll 0270 SetScrollPos
1 001036AC user32.dll 026F SetScrollInfo
1 001036B0 user32.dll 026D SetRect
1 001036B4 user32.dll 026B SetPropA
1 001036B8 user32.dll 0264 SetMenuItemInfoW
1 001036BC user32.dll 0263 SetMenuItemInfoA
1 001036C0 user32.dll 025E SetMenu
1 001036C4 user32.dll 0258 SetForegroundWindow
1 001036C8 user32.dll 0257 SetFocus
1 001036CC user32.dll 024E SetCursor
1 001036D0 user32.dll 024B SetClipboardData
1 001036D4 user32.dll 0248 SetClassLongA
1 001036D8 user32.dll 0245 SetCapture
1 001036DC user32.dll 0244 SetActiveWindow
1 001036E0 user32.dll 0241 SendMessageW
1 001036E4 user32.dll 023C SendMessageA
1 001036E8 user32.dll 0235 ScrollWindow
1 001036EC user32.dll 0232 ScreenToClient
1 001036F0 user32.dll 022D RemovePropA
1 001036F4 user32.dll 022C RemoveMenu
1 001036F8 user32.dll 022B ReleaseDC
1 001036FC user32.dll 022A ReleaseCapture
1 00103700 user32.dll 021B RegisterClipboardFormatA
1 00103704 user32.dll 021B RegisterClipboardFormatA
1 00103708 user32.dll 021A RegisterClassW
1 0010370C user32.dll 0217 RegisterClassA
1 00103710 user32.dll 0216 RedrawWindow
1 00103714 user32.dll 020C PtInRect
1 00103718 user32.dll 0203 PostThreadMessageA
1 0010371C user32.dll 0202 PostQuitMessage
1 00103720 user32.dll 0201 PostMessageW
1 00103724 user32.dll 0200 PostMessageA
1 00103728 user32.dll 01FE PeekMessageA
1 0010372C user32.dll 01F4 OpenClipboard
1 00103730 user32.dll 01F3 OffsetRect
1 00103734 user32.dll 01EF OemToCharA
1 00103738 user32.dll 01EB MsgWaitForMultipleObjects
1 0010373C user32.dll 01E4 MessageBoxW
1 00103740 user32.dll 01DD MessageBoxA
1 00103744 user32.dll 01DC MessageBeep
1 00103748 user32.dll 01D8 MapWindowPoints
1 0010374C user32.dll 01D7 MapVirtualKeyW
1 00103750 user32.dll 01D4 MapVirtualKeyA
1 00103754 user32.dll 01CA LoadStringW
1 00103758 user32.dll 01C9 LoadStringA
1 0010375C user32.dll 01C0 LoadKeyboardLayoutA
1 00103760 user32.dll 01BC LoadIconA
1 00103764 user32.dll 01B8 LoadCursorA
1 00103768 user32.dll 01B6 LoadBitmapA
1 0010376C user32.dll 01B3 KillTimer
1 00103770 user32.dll 01B1 IsZoomed
1 00103774 user32.dll 01B0 IsWindowVisible
1 00103778 user32.dll 01AF IsWindowUnicode
1 0010377C user32.dll 01AD IsWindowEnabled
1 00103780 user32.dll 01AC IsWindow
1 00103784 user32.dll 01A9 IsRectEmpty
1 00103788 user32.dll 01A7 IsIconic
1 0010378C user32.dll 01A1 IsDialogMessage
1 00103790 user32.dll 019F IsChild
1 00103794 user32.dll 0194 InvalidateRect
1 00103798 user32.dll 0193 IntersectRect
1 0010379C user32.dll 018F InsertMenuItemA
1 001037A0 user32.dll 018E InsertMenuA
1 001037A4 user32.dll 018B InflateRect
1 001037A8 user32.dll 017C GetWindowThreadProcessId
1 001037AC user32.dll 017A GetWindowTextLengthW
1 001037B0 user32.dll 017B GetWindowTextW
1 001037B4 user32.dll 0178 GetWindowTextA
1 001037B8 user32.dll 0175 GetWindowRect
1 001037BC user32.dll 0174 GetWindowPlacement
1 001037C0 user32.dll 0170 GetWindowLongW
1 001037C4 user32.dll 016F GetWindowLongA
1 001037C8 user32.dll 016D GetWindowDC
1 001037CC user32.dll 0164 GetTopWindow
1 001037D0 user32.dll 015E GetSystemMetrics
1 001037D4 user32.dll 015D GetSystemMenu
1 001037D8 user32.dll 015B GetSysColor
1 001037DC user32.dll 015A GetSubMenu
1 001037E0 user32.dll 0158 GetScrollRange
1 001037E4 user32.dll 0157 GetScrollPos
1 001037E8 user32.dll 0156 GetScrollInfo
1 001037EC user32.dll 014B GetPropA
1 001037F0 user32.dll 0146 GetParent
1 001037F4 user32.dll 016B GetWindow
1 001037F8 user32.dll 013E GetMessageTime
1 001037FC user32.dll 013D GetMessagePos
1 00103800 user32.dll 013B GetMessageA
1 00103804 user32.dll 013A GetMenuStringW
1 00103808 user32.dll 0139 GetMenuStringA
1 0010380C user32.dll 0138 GetMenuState
1 00103810 user32.dll 0136 GetMenuItemInfoW
1 00103814 user32.dll 0135 GetMenuItemInfoA
1 00103818 user32.dll 0134 GetMenuItemID
1 0010381C user32.dll 0133 GetMenuItemCount
1 00103820 user32.dll 012D GetMenu
1 00103824 user32.dll 0129 GetLastActivePopup
1 00103828 user32.dll 0127 GetKeyboardState
1 0010382C user32.dll 0124 GetKeyboardLayoutList
1 00103830 user32.dll 0123 GetKeyboardLayout
1 00103834 user32.dll 0122 GetKeyState
1 00103838 user32.dll 0121 GetKeyNameTextW
1 0010383C user32.dll 0120 GetKeyNameTextA
1 00103840 user32.dll 011B GetIconInfo
1 00103844 user32.dll 0118 GetForegroundWindow
1 00103848 user32.dll 0117 GetFocus
1 0010384C user32.dll 0112 GetDlgItem
1 00103850 user32.dll 010F GetDesktopWindow
1 00103854 user32.dll 010E GetDCEx
1 00103858 user32.dll 010D GetDC
1 0010385C user32.dll 010C GetCursorPos
1 00103860 user32.dll 0109 GetCursor
1 00103864 user32.dll 0102 GetClipboardData
1 00103868 user32.dll 0100 GetClientRect
1 0010386C user32.dll 00FE GetClassNameW
1 00103870 user32.dll 00FD GetClassNameA
1 00103874 user32.dll 00FA GetClassInfoW
1 00103878 user32.dll 00F7 GetClassInfoA
1 0010387C user32.dll 00F4 GetCapture
1 00103880 user32.dll 00EC GetActiveWindow
1 00103884 user32.dll 00EA FrameRect
1 00103888 user32.dll 00E4 FindWindowA
1 0010388C user32.dll 00E3 FillRect
1 00103890 user32.dll 00E2 ExitWindowsEx
1 00103894 user32.dll 00E0 EqualRect
1 00103898 user32.dll 00DF EnumWindows
1 0010389C user32.dll 00DC EnumThreadWindows
1 001038A0 user32.dll 00CD EnumClipboardFormats
1 001038A4 user32.dll 00C9 EndPaint
1 001038A8 user32.dll 00C5 EnableWindow
1 001038AC user32.dll 00C4 EnableScrollBar
1 001038B0 user32.dll 00C3 EnableMenuItem
1 001038B4 user32.dll 00C2 EmptyClipboard
1 001038B8 user32.dll 00C0 DrawTextW
1 001038BC user32.dll 00BD DrawTextA
1 001038C0 user32.dll 00B9 DrawMenuBar
1 001038C4 user32.dll 00B8 DrawIconEx
1 001038C8 user32.dll 00B7 DrawIcon
1 001038CC user32.dll 00B6 DrawFrameControl
1 001038D0 user32.dll 00B4 DrawFocusRect
1 001038D4 user32.dll 00B3 DrawEdge
1 001038D8 user32.dll 00A3 DispatchMessageW
1 001038DC user32.dll 00A2 DispatchMessageA
1 001038E0 user32.dll 009A DestroyWindow
1 001038E4 user32.dll 0098 DestroyMenu
1 001038E8 user32.dll 0096 DestroyCursor
1 001038EC user32.dll 0096 DestroyCursor
1 001038F0 user32.dll 0092 DeleteMenu
1 001038F4 user32.dll 0090 DefWindowProcW
1 001038F8 user32.dll 008F DefWindowProcA
1 001038FC user32.dll 008D DefMDIChildProcW
1 00103900 user32.dll 008C DefMDIChildProcA
1 00103904 user32.dll 008B DefFrameProcW
1 00103908 user32.dll 008A DefFrameProcA
1 0010390C user32.dll 0062 CreateWindowExW
1 00103910 user32.dll 0061 CreateWindowExA
1 00103914 user32.dll 005F CreatePopupMenu
1 00103918 user32.dll 005E CreateMenu
1 0010391C user32.dll 005D CreateMDIWindowW
1 00103920 user32.dll 0058 CreateIcon
1 00103924 user32.dll 0043 CloseClipboard
1 00103928 user32.dll 0041 ClientToScreen
1 0010392C user32.dll 003D ChildWindowFromPoint
1 00103930 user32.dll 003A CheckMenuItem
1 00103934 user32.dll 0037 CharUpperBuffW
1 00103938 user32.dll 0038 CharUpperW
1 0010393C user32.dll 001D CallWindowProcW
1 00103940 user32.dll 001C CallWindowProcA
1 00103944 user32.dll 001B CallNextHookEx
1 00103948 user32.dll 0010 BringWindowToTop
1 0010394C user32.dll 000E BeginPaint
1 00103950 user32.dll 002B CharNextA
1 00103954 user32.dll 0028 CharLowerBuffA
1 00103958 user32.dll 0027 CharLowerA
1 0010395C user32.dll 0036 CharUpperBuffA
1 00103960 user32.dll 0035 CharUpperA
1 00103964 user32.dll 0003 AdjustWindowRectEx
1 00103968 user32.dll 0001 ActivateKeyboardLayout

FThunk: 00103970 NbFunc: 00000001
1 00103970 kernel32.dll 0340 Sleep

FThunk: 00103978 NbFunc: 00000016
1 00103978 oleaut32.dll 0094 SafeArrayPtrOfIndex
1 0010397C oleaut32.dll 001A SafeArrayPutElement
1 00103980 oleaut32.dll 0019 SafeArrayGetElement
1 00103984 oleaut32.dll 0013 SafeArrayGetUBound
1 00103988 oleaut32.dll 0014 SafeArrayGetLBound
1 0010398C oleaut32.dll 0028 SafeArrayRedim
1 00103990 oleaut32.dll 000F SafeArrayCreate
1 00103994 oleaut32.dll 0074 VarBstrFromBool
1 00103998 oleaut32.dll 0072 VarBstrFromDate
1 0010399C oleaut32.dll 0071 VarBstrFromCy
1 001039A0 oleaut32.dll 007D VarBoolFromStr
1 001039A4 oleaut32.dll 0068 VarCyFromStr
1 001039A8 oleaut32.dll 005E VarDateFromStr
1 001039AC oleaut32.dll 0054 VarR8FromStr
1 001039B0 oleaut32.dll 0040 VarI4FromStr
1 001039B4 oleaut32.dll 00AE VarNot
1 001039B8 oleaut32.dll 00AD VarNeg
1 001039BC oleaut32.dll 0093 VariantChangeTypeEx
1 001039C0 oleaut32.dll 000B VariantCopyInd
1 001039C4 oleaut32.dll 000A VariantCopy
1 001039C8 oleaut32.dll 0009 VariantClear
1 001039CC oleaut32.dll 0008 VariantInit

FThunk: 001039D4 NbFunc: 0000000C
1 001039D4 ole32.dll 0093 CreateStreamOnHGlobal
1 001039D8 ole32.dll 00D7 IsAccelerator
1 001039DC ole32.dll 00F7 OleDraw
1 001039E0 ole32.dll 0113 OleSetMenuDescriptor
1 001039E4 ole32.dll 0066 CoTaskMemFree
1 001039E8 ole32.dll 0117 ProgIDFromCLSID
1 001039EC ole32.dll 0143 StringFromCLSID
1 001039F0 ole32.dll 0012 CoCreateInstance
1 001039F4 ole32.dll 0024 CoGetClassObject
1 001039F8 ole32.dll 006A CoUninitialize
1 001039FC ole32.dll 003C CoInitialize
1 00103A00 ole32.dll 00D8 IsEqualGUID

FThunk: 00103A08 NbFunc: 00000003
1 00103A08 oleaut32.dll 00C8 GetErrorInfo
1 00103A0C oleaut32.dll 0023 GetActiveObject
1 00103A10 oleaut32.dll 0006 SysFreeString

FThunk: 00103A18 NbFunc: 00000019
1 00103A18 comctl32.dll 0052 ImageList_SetIconSize
1 00103A1C comctl32.dll 003D ImageList_GetIconSize
1 00103A20 comctl32.dll 0055 ImageList_Write
1 00103A24 comctl32.dll 0045 ImageList_Read
1 00103A28 comctl32.dll 003A ImageList_GetDragImage
1 00103A2C comctl32.dll 0033 ImageList_DragShowNolock
1 00103A30 comctl32.dll 004F ImageList_SetDragCursorImage
1 00103A34 comctl32.dll 0032 ImageList_DragMove
1 00103A38 comctl32.dll 0031 ImageList_DragLeave
1 00103A3C comctl32.dll 0030 ImageList_DragEnter
1 00103A40 comctl32.dll 0038 ImageList_EndDrag
1 00103A44 comctl32.dll 002C ImageList_BeginDrag
1 00103A48 comctl32.dll 003C ImageList_GetIcon
1 00103A4C comctl32.dll 004B ImageList_Remove
1 00103A50 comctl32.dll 0035 ImageList_DrawEx
1 00103A54 comctl32.dll 004C ImageList_Replace
1 00103A58 comctl32.dll 0034 ImageList_Draw
1 00103A5C comctl32.dll 0039 ImageList_GetBkColor
1 00103A60 comctl32.dll 004E ImageList_SetBkColor
1 00103A64 comctl32.dll 004D ImageList_ReplaceIcon
1 00103A68 comctl32.dll 0029 ImageList_Add
1 00103A6C comctl32.dll 003E ImageList_GetImageCount
1 00103A70 comctl32.dll 002F ImageList_Destroy
1 00103A74 comctl32.dll 002E ImageList_Create
1 00103A78 comctl32.dll 0011 InitCommonControls

FThunk: 00103A80 NbFunc: 00000002
1 00103A80 shell32.dll 0167 ShellExecuteA
1 00103A84 shell32.dll 0120 SHFileOperation

FThunk: 00103A8C NbFunc: 00000004
1 00103A8C shell32.dll 0138 SHGetPathFromIDList
1 00103A90 shell32.dll 0136 SHGetMalloc
1 00103A94 shell32.dll 0127 SHGetDesktopFolder
1 00103A98 shell32.dll 0110 SHBrowseForFolder

FThunk: 00103AA0 NbFunc: 00000002
1 00103AA0 comdlg32.dll 006A FindTextA
1 00103AA4 comdlg32.dll 006E GetOpenFileNameA

FThunk: 00103AAC NbFunc: 00000001
1 00103AAC winmm.dll 00A6 timeGetTime

FThunk: 00103AB4 NbFunc: 00000004
1 00103AB4 imagehlp.dll 0069 UnMapAndLoad
1 00103AB8 imagehlp.dll 0020 MapAndLoad
1 00103ABC imagehlp.dll 001B ImageRvaToVa
1 00103AC0 imagehlp.dll 0011 ImageDirectoryEntryToData

FThunk: 00103AC8 NbFunc: 0000000C
1 00103AC8 advapi32.dll 0240 StartServiceA
1 00103ACC advapi32.dll 0241 StartServiceCtrlDispatcherA
1 00103AD0 advapi32.dll 023B SetServiceStatus
1 00103AD4 advapi32.dll 0203 RegisterServiceCtrlHandlerA
1 00103AD8 advapi32.dll 01C2 QueryServiceStatus
1 00103ADC advapi32.dll 01BD QueryServiceConfigA
1 00103AE0 advapi32.dll 01AE OpenServiceA
1 00103AE4 advapi32.dll 01AC OpenSCManagerA
1 00103AE8 advapi32.dll 00B1 DeleteService
1 00103AEC advapi32.dll 0066 CreateServiceA
1 00103AF0 advapi32.dll 0044 ControlService
1 00103AF4 advapi32.dll 0040 CloseServiceHandle

FThunk: 00103AFC NbFunc: 00000002
1 00103AFC kernel32.dll 01DD GetVersionExA
1 00103B00 kernel32.dll 01B7 GetSystemDefaultUILanguage

FThunk: 00103B08 NbFunc: 00000001
1 00103B08 advapi32.dll 0064 CreateProcessWithLogonW


xenakis
September 24th, 2007, 13:30
Googling "system shutdown api" (without the quotes) tells me you should look into ExitWindowsEx. Good luck.

5aLIVE
September 24th, 2007, 13:34
Hi xenakis, I tried the very same thing. You'll notice that this isn't one of the imports listed though.
Whoops, yes it is. I overlooked that, thanks.

LLXX
September 24th, 2007, 14:13
1. Adler32 is just a 32-bit checksum, nothing more complex than CRC32.

2. Base64 is not considered cryptographic.

3. You might want to investigate more on the Blowfish/MD5/SHA though, and since it seems like you just posted the results of an automated scan, there is the possibility that the protection does not involve them (try the same analyser on the well-known md5sum.exe, even though it has absolutely no protection at all) but is only a part of the program's working.

4. Redirect the validation server's address to localhost via the HOSTS file or your router (preferred; I've seen some protections that circumvent the HOSTS file). If it is standard HTTP, then setting up a local server to handle the requests should not be too difficult. Again, monitor the traffic generated. Although I don't see any network-related imports in that list, there are several service-related calls which suggest that another process is responsible for the validation.

5. An unpacked file that deletes itself will only do so if you run it, and you don't need to run it to analyse it. Hint: it's probably checking the file on the disk. bp kernel32.CreateFileA/W and work from there. Again, maybe an external service is doing this.

6. Beware of debugger detection.

5aLIVE
September 24th, 2007, 14:52
Hi, thanks for the helpful tips.

Quote:
[Originally Posted by LLXX;68800]
1. Adler32 is just a 32-bit checksum, nothing more complex than CRC32.

>I'll need to read up on that, I hadn't heard of it before.

Quote:
[Originally Posted by LLXX;68800]
2. Base64 is not considered cryptographic.

>I can't argue with that.

Quote:
[Originally Posted by LLXX;68800]
3. You might want to investigate more on the Blowfish/MD5/SHA though, and since it seems like you just posted the results of an automated scan, there is the possibility that the protection does not involve them (try the same analyser on the well-known md5sum.exe, even though it has absolutely no protection at all) but is only a part of the program's working.


>You are quite correct to suggest I ran a cryptographic scan on the file: PEiD (Krypto Analyzer). I realize why you suggest these algorithms might not be in use, although I am reasonably confident that most if not all of them probably are, given that a keygen I found for an earlier version lists them. Perhaps with time I'll be able to tackle crypto crackmes some day.

Quote:
[Originally Posted by LLXX;68800]
4. Redirect the validation server's address to localhost via HOSTS file or your router (preferred, I've seen some protections that circumvent the HOSTS file), if it is standard HTTP then setting up a local server to handle the requests should not be too difficult. Again, monitor the traffic generated. Although I don't see any network-related imports in that list, there are several service-related calls which suggest that another process is responsible for the validation.


>Hmm. The program opens a browser to display online help. It was when accessing this that I had the key blacklisted. I see advapi32.dll service-related imports that must be used here. I'll see what I can find. I know it uses Windows sockets so far; I was hoping to patch the server check if possible.

Quote:
[Originally Posted by LLXX;68800]
5. An unpacked file that deletes itself, will only do so if you run it, and you don't need to run it to analyse it. Hint: It's probably checking the file on the disk. bp kernel32.CreateFileA/W and work from there. Again, maybe an external service is doing this.


>An interesting idea. A quick look at the Win32 API manual shows CreateFileA/W has a flag called "FILE_FLAG_DELETE_ON_CLOSE", which indicates the operating system is to delete the file immediately after all of its handles have been closed. So that is definitely worth some investigating.


Quote:
[Originally Posted by LLXX;68800]
6. Beware of debugger detection.

>Will do. I've been using hardware breakpoints up to now.

xenakis
September 24th, 2007, 20:01
Quote:
[Originally Posted by 5aLIVE;68796]
Okay I unpacked it and ran it again, the unpacked program deletes the itself and then shuts down!

Just a guess, but if the program is doing what I think it is doing this happens the other way around: program shuts down Windows, then upon rebooting the file is deleted. The unpacked program detects it is unpacked, invokes MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT, then shuts down (and reboots) with ExitWindowsEx. Could be wrong, but worth checking out.
But as mentioned above, the easiest way to avoid all this is to BP on CreateFileA/W to catch the program checking the file on disk. And forget about the FILE_FLAG_DELETE_ON_CLOSE flag, as far as I know you can't delete the invoking program this way. Happy hunting.
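
Added by the editor as a worked example, not code from anyone in the thread: the MoveFileEx(src, NULL, MOVEFILE_DELAY_UNTIL_REBOOT) route xenakis describes does not touch the file immediately; it queues the operation in the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, and the Session Manager performs it at the next boot. The value holds (source, destination) pairs in NT path form (\??\C:\...), an empty destination meaning "delete", and a leading "!" on a destination meaning MOVEFILE_REPLACE_EXISTING. Dumping that value before rebooting is the quick way to confirm or rule out this theory. The decoder below works on a captured value offline; read_live() uses winreg only when it runs on Windows. The sample entries and the file name target_unpacked.exe are constructed.

```python
"""Decode the Session Manager's PendingFileRenameOperations value, where
MoveFileEx(src, dst, MOVEFILE_DELAY_UNTIL_REBOOT) queues its work.  It is a
REG_MULTI_SZ of (source, destination) pairs; an empty destination means
"delete source at next boot".  Decoding the raw bytes by hand lets the check
run on any OS against a captured value; read_live() uses winreg on Windows."""

KEY_PATH = r"SYSTEM\CurrentControlSet\Control\Session Manager"
VALUE_NAME = "PendingFileRenameOperations"


def decode_multi_sz(raw):
    """REG_MULTI_SZ as stored: UTF-16LE strings, each NUL-terminated, the list
    closed by an extra NUL.  Returns the list of strings, keeping the empty
    strings that sit between entries (they are the delete markers)."""
    parts = raw.decode("utf-16-le").split("\x00")
    while parts and parts[-1] == "":
        parts.pop()
    return parts


def strip_nt_prefix(path):
    """Turn the NT-style '\\??\\C:\\x' into 'C:\\x'.  A leading '!' on a
    destination marks MOVEFILE_REPLACE_EXISTING; it is returned as a flag."""
    replace = path.startswith("!")
    if replace:
        path = path[1:]
    if path.startswith("\\??\\"):
        path = path[4:]
    return path, replace


def parse_pending_renames(entries):
    """entries: the REG_MULTI_SZ as a list of strings (what winreg returns).
    Returns a list of (action, source, destination) with action in
    {'delete', 'rename', 'replace'}."""
    entries = list(entries)
    if len(entries) % 2:
        # A trailing delete loses its empty marker when the final NULs are
        # stripped, so restore it: pairs are always complete.
        entries.append("")
    ops = []
    for src, dst in zip(entries[0::2], entries[1::2]):
        src, _ = strip_nt_prefix(src)
        if dst == "":
            ops.append(("delete", src, None))
        else:
            dst, replace = strip_nt_prefix(dst)
            ops.append(("replace" if replace else "rename", src, dst))
    return ops


def deletions_for(entries, name_fragment):
    """Pending deletions whose source path contains name_fragment
    (case-insensitive), e.g. the base name of the unpacked exe."""
    frag = name_fragment.lower()
    return [src for action, src, _ in parse_pending_renames(entries)
            if action == "delete" and frag in src.lower()]


def read_live():
    """Read the real value on Windows; None elsewhere or if the value is absent."""
    try:
        import winreg
    except ImportError:
        return None
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, KEY_PATH) as key:
            value, _type = winreg.QueryValueEx(key, VALUE_NAME)
            return value
    except OSError:
        return None


# Constructed sample: the value after a delayed self-delete of a hypothetical
# unpacked binary, plus an unrelated pending replace from an installer.
SAMPLE_ENTRIES = [
    r"\??\C:\RE\target_unpacked.exe", "",
    r"\??\C:\Windows\Temp\upd.tmp", r"!\??\C:\Program Files\Tool\tool.dll",
]
SAMPLE_RAW = ("\x00".join(SAMPLE_ENTRIES) + "\x00\x00").encode("utf-16-le")

if __name__ == "__main__":
    entries = read_live() or decode_multi_sz(SAMPLE_RAW)
    for op in parse_pending_renames(entries):
        print(op)
```

If the unpacked exe shows up as a pending delete, the theory is confirmed and clearing the entry before rebooting keeps the file; if the value is absent and the file still vanishes, the deletion is happening some other way (a helper process or service, as suggested earlier in the thread).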

OHPen
September 25th, 2007, 10:00
@xenakis: I think it's pretty difficult to hint at a possible way the application is doing the shutdown with the following removal from disk, due to the variety of possibilities.

@5aLIVE: A part of a disassembly would be nice. Try to isolate the shutdown-controlling call and erase it if possible. Then mistakes won't be a pain in the ass any longer.

Cheers and OHPen aka PAPiLLiON

xenakis
September 25th, 2007, 11:41
That's why I started my post with "Just a guess"
The OP should indeed post a little more information. As far as I have read he/she doesn't seem to even know how the program is shutting down the machine.

5aLIVE
September 26th, 2007, 07:39
I found where to patch the unpacked app to stop it from shutting Windows down. Works okay when changing the code/flag in memory but the exe detects changes if I write the change to the file. So there must be a CRC check somewhere. I've also found the general area where it detects if a blacklisted key has been used, I'm learning as I go so I don't see much point in posting code up just yet. I've still to find out what is being checked to test for this.

I've learned quite a bit just by single stepping through the code although I have much to learn. I know for example that the key is checked using the LDAP protocol as far as I can tell.

The only recent crack I've seen of this tool is a loader patched to the compressed exe to bypass the CRC(s). I would prefer to run it unpacked and hard patched if possible. So much to learn. Any tips on finding the CRC check? Is createfile normally used for this (still to search on this)?

Thanks,
5Alive

evlncrn8
September 26th, 2007, 08:31
hmm i thought of another way it could delete itself...
virtualallocex to another process -> inject code, createremotethread (to start thread @ injected code), exit its process, the remote thread can then happily delete the exe and you wouldnt see it in olly etc, because another process would do it.. filemon would surely see it though......

5aLIVE
September 26th, 2007, 16:18
In the meantime, I've had a play with the packed exe, just breaking at OEP and trying to find the message that reports a leaked key. I found that without too much hardship and then found the code which triggers the SEH to display the error. I found that okay, changed the zero flag to force a jump and the app loads up.
The app is still crippled, stopping me from clicking on particular checkboxes, so I need to work backwards some more to find the cause. I'm not sure if I can do this but I'll give it a go. Any hints or pointers would be great.

I'll continue playing around with this as time permits as I'm learning new things as I go.

LLXX
September 27th, 2007, 03:05
Why haven't you actually disassembled the unpacked file and inspected it?

5aLIVE
September 27th, 2007, 11:40
Quote:
[Originally Posted by LLXX;68865]Why haven't you actually disassembled the unpacked file and inspected it?


I've been using the IDA disassembly of the unpacked file as my reference when working with the packed version. The reason I started to focus on the packed version is twofold.

1. It produces the black listed error message which I've attempted to find the check. There is a SEH chain which I've attempted to follow but can't seem to find what I am looking for so far. My primary goal is to remove all traces of this program being used with a leaked key to remove this nag.

2. The app in packed form is a little "friendlier" to analyse in OllyDbg for the moment given that it runs without CRC errors.

Would anyone like to have a look at this and perhaps give me a helping hand please? Just respond here and I'll PM whoever accepts.

Thankyou.

LLXX
September 27th, 2007, 22:01
Quote:
[Originally Posted by 5aLIVE;68874]I've been using the IDA disassembly of the unpacked file as my reference when working with the packed version. The reason I started to focus on the packed version is twofold.
I meant actually inspecting the unpacked file, NOT messing around precariously in a debugger. The former tends to uncover more details, especially since you don't go into a "step-into step-over now where am I and what's going on" thought process. I advise all practitioners of RCE to carefully look through the static disassembly and form hypotheses about the operation of the code, then get out the debugger and confirm/deny those hypotheses.

5aLIVE
September 28th, 2007, 13:16
That's good advice which I intend to follow. EDIT#1: Removed a question I asked over 2 years ago about .MAP files

EDIT #2:
Dammit. I've still got this problem despite reading Blabberer and the godfather+ replies here ("http://www.woodmann.com/forum/showthread.php?t=8865&highlight=mapconv"): What else could cause a map file not to be applied correctly to a debugged program?

From the IDA map file:
Start Length Name Class
0001:00000000 0000F1000H .main BSS
0002:00000000 0000D7000H .data DATA
0003:00000000 000004000H .rdata DATA
0004:00000000 000004000H .mackt DATA

The above is the same using Olly memory view.
Memory map
Address Size Owner Section Contains Type Access Initial Mapped as
00400000 00001000 myapp PE header Imag R RWE
00401000 000F1000 myapp .main Imag R RWE
004F2000 000D7000 myapp .data code Imag R RWE
005C9000 00004000 myapp .rdata data,resourc Imag R RWE
005CD000 00004000 myapp .mackt imports Imag R RWE

Is the address of the PE header also the image base?

I tried loading the TQN Delphi 6 and 7 signature file directly into Olly using the Godup plugin.
5 procedures are recognised, with 33 being unrecognised. When I first ran IDA Free it didn't recognise a compiler (Delphi 6&7 .sigs were missing) so I copied these and manually applied the Delphi 6 sig file to the disassembly. The disassembled output recognised a lot of known Delphi functions.

PEiD recognised the app as Delphi 6-7, but the Godup plugin Resource analyser doesn't detect a signature.

Thanks.

5aLIVE
September 30th, 2007, 17:06
Any suggestions what the problem could be? The image base is the usual 400000h, VA = 401000h.

Example

IDA Free disassembly :
.data:004F204E E8+ call @Sysutils@DateTimeToStr$qqrx16System@TDateTime

OllyDbg after apply exported .map file:

004F204E E8 99ABF1FF CALL myapp.0040CBEC

Maybe something to do with code being in the .data section rather than .code/.text section? How do I correct this if that is the case?

LLXX
September 30th, 2007, 18:04
Quote:
[Originally Posted by 5aLIVE;69002]The image base is the usual 40000h
That's rather low. The usual is texth times that.

5aLIVE
October 1st, 2007, 02:35
Quote:
[Originally Posted by LLXX;69003]That's rather low. The usual is texth times that.


That was a typo, it should of course read 400000h.

LLXX
October 1st, 2007, 02:58
I wouldn't know, since I've seen 40000 and even 10000 before (some weird packers do it)

5aLIVE
October 1st, 2007, 09:19
Quote:
[Originally Posted by 5aLIVE;68913]
From the IDA map file:
Start Length Name Class
0001:00000000 0000F1000H .main BSS
0002:00000000 0000D7000H .data DATA

Below is the same using Olly memory view.
Memory map
Address Size Owner Section Contains Type Access Initial Mapped as
00400000 00001000 myapp PE header Imag R RWE
00401000 000F1000 myapp .main Imag R RWE
004F2000 000D7000 myapp .data code Imag R RWE
005C9000 00004000 myapp .rdata data,resourc Imag R RWE
005CD000 00004000 myapp .mackt imports Imag R RWE


Hold on a minute! Is it because the data section of the unpacked app contains code? When loading the app Olly also warns that the code section is either compressed/encrypted/or contains a large amount of embedded data. It warns that results of code analysis could be unreliable or wrong. I select no as I don't want to continue analysis.

I also get a suspicious breakpoint warning about placing breakpoints on data which further confirms that code is in the data section.

Can someone please tell me what I need to do to fix this? I've skimmed through the PE format documentation but still seek enlightenment.

LLXX
October 1st, 2007, 22:41
There is no real "data section" to speak of from the PE loader's point of view, they are all just sections of data loaded into memory.

Ignore the warnings, OllyDbg can seem to have a mind of its own sometimes.

blabberer
October 2nd, 2007, 12:31
if you have executable code in .data section simply edit section characteristics in pe header to make it executable
alt+m
select 00400000 00001000 myapp PE header Imag R RWE
right click -> dump -> right click -> special -> pe header -> scroll down to section headers -> find section flags -> right click -> modify integer --> change (6000000 #### to c000000###) (read about flag description what means readable, what means writable etc)

now in options debugging options (ctrl+o) you can ask ollydbg to extend code section to extractor in sfx options which will stop the "you are setting bp in data section" msg box

ollydbg has a very good mind of its own and it almost always warns you rightly what you are performing wrong and has solutions for the warnings embedded inside it (you have to apply your mind and use them justly) (these are not like XL T-shirt sizes, one size fits all solutions)

5aLIVE
October 2nd, 2007, 13:10
Hi Blabberer, thanks for taking the trouble to reply, I was beginning to think I would have to abandon this exercise. I'll be sure to read up on the section flags and try as you suggest. You should publish a book or FAQ on all things related to OllyDbg You know your stuff (like I need to tell you that).

In your opinion, do you think that applying labels and comments with MapConv to the unpacked file with a now executable data section will be resolved by doing this? Of course I intend to produce another MAP file to capture the changes to the data section beforehand. Although I am unsure how this will influence the disassembly. There's only one way to find out.

Perhaps there is something else I need to consider? The original Delphi 6/7 file was packed with a custom/scrambled version of UPX which I unpacked manually. The imports had to be resolved with Imprec to get it to run, delete itself/shutdown. Not sure if this is relevant in the grand scheme of things but I thought I'd mention it just in case.

Thanks,
5aLIVE

5aLIVE
October 2nd, 2007, 15:05
Blabberer, the section flags of the .data section are originally set to E0000040h which corresponds to mem read/write/execute already being set.
I also set SFX options to extend code to include extractor. Do I select the Stop at entry of extractor button. What about use real entry from previous run and pass exceptions to SFX extractor? Are either of these checked? Either way, I still get the BP on data message box.

Update:
I've had another look at this and used good old notepad as my reference. Here's what I found:

Original notepad.exe:
0100010C 00100000 DD 00001000 ; BaseOfCode = 1000
01000110 00900000 DD 00009000 ; BaseOfData = 9000

UPX'd notepad.exe:
0100010C 00000100 DD 00010000 ; BaseOfCode = 10000
01000110 00600100 DD 00016000 ; BaseOfData = 16000

Manually Unpacked notepad.exe:
0100010C 00000100 DD 00010000 ; BaseOfCode = 10000 <--not recovered
01000110 00600100 DD 00016000 ; BaseOfData = 16000 <--not recovered

upx-d unpacked notepad.exe:
0100010C 00100000 DD 00001000 ; BaseOfCode = 1000 <--recovered
01000110 00900000 DD 00009000 ; BaseOfData = 9000 <-- recovered

So the unpacked file retains the base addresses of the code and data sections of the packed file. If I restore the code and data section base addresses to those of the virgin exe I should be able produce a disassembly that can be correctly mapped with labels and comments as well as removing the warning that I am placing breakpoints on the data section too. Right?

My question, then, is how do I recover the base addresses of a packed file to their "virgin" values? What do I look for?
Remember that the file I am working with cannot be unpacked with upx -d. I tried renaming the section names to UPX0 and UPX1 and tried upx -d again, however, I still see the "file is modified/hacked/protected" error message.

I also tried the generic UPX unpacker PE Explorer plugin without success.

5aLIVE

blabberer
October 3rd, 2007, 13:10
an automated response see if you can find your answers in this if not ask

Code:


D:\upxalive>dir /b
upx301w.rar
odbg110.rar
g_ollydump300110.rar

D:\upxalive>unrar x *.*

UNRAR 3.51 freeware Copyright (c) 1993-2005 Alexander Roshal


Extracting from upx301w.rar

Creating upx301w OK
Creating upx301w\upx301w OK
Extracting upx301w\upx301w\BUGS OK
Extracting upx301w\upx301w\COPYING OK
Extracting upx301w\upx301w\LICENSE OK
Extracting upx301w\upx301w\NEWS OK
Extracting upx301w\upx301w\README OK
Extracting upx301w\upx301w\README.1ST OK
Extracting upx301w\upx301w\THANKS OK
Extracting upx301w\upx301w\TODO OK
Extracting upx301w\upx301w\upx.1 OK
Extracting upx301w\upx301w\upx.doc OK
Extracting upx301w\upx301w\upx.exe OK
Extracting upx301w\upx301w\upx.html OK

Extracting from odbg110.rar

Creating odbg110 OK
Extracting odbg110\readme.txt OK
Extracting odbg110\Cmdline.dll OK
Extracting odbg110\DBGHELP.DLL OK
Extracting odbg110\OLLYDBG.EXE OK
Extracting odbg110\OLLYDBG.HLP OK
Extracting odbg110\PSAPI.DLL OK
Extracting odbg110\BOOKMARK.DLL OK
Extracting odbg110\register.txt OK
Extracting odbg110\license.txt OK

Extracting from g_ollydump300110.rar

Creating g_ollydump300110 OK
Extracting g_ollydump300110\ollydump300110_src.zip OK
Extracting g_ollydump300110\OllyDump.dll OK
All OK

D:\upxalive>


D:\upxalive>dir /b
upx301w.rar
odbg110.rar
g_ollydump300110.rar
upx301w
odbg110
g_ollydump300110

D:\upxalive>


D:\upxalive>copy c:\WINDOWS\NOTEPAD.EXE .
1 file(s) copied.

D:\upxalive>

D:\upxalive\upx301w\upx301w>upx -o upxnotepad.exe D:\upxalive\NOTEPAD.EXE
Ultimate Packer for eXecutables
Copyright (C) 1996,1997,1998,1999,2000,2001,2002,2003,2004,2005,2006,2007
UPX 3.01w Markus Oberhumer, Laszlo Molnar & John Reiser Jul 31st 2007

File size Ratio Format Name
-------------------- ------ ----------- -----------
69120 -> 48128 69.63% win32/pe upxnotepad.exe

Packed 1 file.

D:\upxalive\upx301w\upx301w>

D:\upxalive\upx301w\upx301w>copy upxnotepad.exe D:\upxalive
1 file(s) copied.

D:\upxalive\upx301w\upx301w>cd ..

D:\upxalive\upx301w>cd ..

D:\upxalive>



D:\upxalive>cd g_ollydump300110


D:\upxalive\g_ollydump300110>copy OllyDump.dll ..\odbg110\
1 file(s) copied.

D:\upxalive\g_ollydump300110>

D:\upxalive\g_ollydump300110>cd ..

D:\upxalive>

D:\upxalive>NOTEPAD.EXE

D:\upxalive>upxnotepad.exe

D:\upxalive>

D:\upxalive>odbg110\OLLYDBG.EXE upxnotepad.exe

D:\upxalive>upxnotepadmup.exe

D:\upxalive>
Log data
Address Message
OllyDbg v1.10
Command line: upxnotepad.exe

File 'D:\upxalive\upxnotepad.exe'
Command line plugin v1.10
Written by Oleh Yuschuk
Bookmarks sample plugin v1.06 (plugin demo)
Copyright (C) 2001, 2002 Oleh Yuschuk
OllyDump v3.00.110 by Gigapede
New process with ID 00000C48 created
01015360 Main thread with ID 00000C58 created
01000000 Module D:\upxalive\upxnotepad.exe
CRC changed, discarding .udd data
73000000 Module C:\WINDOWS\system32\WINSPOOL.DRV
763B0000 Module C:\WINDOWS\system32\comdlg32.dll
773D0000 Module C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\COMCTL32.dll
77C10000 Module C:\WINDOWS\system32\msvcrt.dll
77D40000 Module C:\WINDOWS\system32\USER32.dll
77DD0000 Module C:\WINDOWS\system32\ADVAPI32.dll
77E70000 Module C:\WINDOWS\system32\RPCRT4.dll
77F10000 Module C:\WINDOWS\system32\GDI32.dll
77F60000 Module C:\WINDOWS\system32\SHLWAPI.dll
7C800000 Module C:\WINDOWS\system32\kernel32.dll
7C900000 Module C:\WINDOWS\system32\ntdll.dll
7C9C0000 Module C:\WINDOWS\system32\SHELL32.dll
01015360 Program entry point
010154EB Hardware breakpoint 1 at upxnotep.010154EB
OllyDump -- Start "JMP [Thunk]"(0x25FF) and "CALL [Thunk]"(0x15FF) search
01001984 call[Thunk] found on 01001984 Thunk:010010D8
<--------------------------------snip---------------------------->
010075FC jmp [Thunk] found on 010075FC Thunk:0100133C
OllyDump -- Check Leaked Thunks in Thunk Blocks
OllyDump -- Resolve Forwarder
ntdll.RtlGetLastWin32Error must be forwarded API from kernel32.dll
7C802654 Export Address Table RVA:00002654
7C80903D Forwarded API ntdll.RtlGetLastWin32Error found on the ForwarderRVA:0000903D pos:360
7C80667D *pDW:0000667D Forwarder:GetLastError Forwarded:ntdll.RtlGetLastWin32Error
ntdll.RtlRestoreLastWin32Error must be forwarded API from kernel32.dll
7C802654 Export Address Table RVA:00002654
7C80918A Forwarded API ntdll.RtlRestoreLastWin32Error found on the ForwarderRVA:0000918A pos:702
7C807E20 *pDW:00007E20 Forwarder:RestoreLastError Forwarded:ntdll.RtlRestoreLastWin32Error
OllyDump -- Import Table
01001000 DLL:ADVAPI32.dll FirstThunkRVA:1000
DLL Name Address Ordinal API Name
01001000 ADVAPI32.dll 77DD6FC8 01EF RegQueryValueExW

01001018 ADVAPI32.dll 77DDD7CC 01FC RegSetValueExW
01001028 DLL:GDI32.dll FirstThunkRVA:1028
DLL Name Address Ordinal API Name
01001028 GDI32.dll 77F25923 0099 EndPage

01001084 GDI32.dll 77F159A0 020F SelectObject
0100108C DLL:kernel32.dll FirstThunkRVA:108C
DLL Name Address Ordinal API Name
0100108C kernel32.dll 7C809737 013F GetCurrentThreadId

0100116C kernel32.dll 7C862B8A 0358 UnhandledExceptionFilter
01001174 DLL:SHELL32.dll FirstThunkRVA:1174
DLL Name Address Ordinal API Name
01001174 SHELL32.dll 7CA73FA2 008B DragFinish

01001180 SHELL32.dll 7CA5F8EB 0163 ShellAboutW
01001188 DLL:USER32.dll FirstThunkRVA:1188
DLL Name Address Ordinal API Name
01001188 USER32.dll 77D4B556 0100 GetClientRect

010012AC USER32.dll 77D6E3D3 027F SetWinEventHook
010012B4 DLL:WINSPOOL.DRV FirstThunkRVA:12B4
DLL Name Address Ordinal API Name
010012B4 WINSPOOL.DRV 73006090 0100 GetPrinterDriverW

010012BC WINSPOOL.DRV 73005749 0106 OpenPrinterW
010012C4 DLL:comdlg32.dll FirstThunkRVA:12C4
DLL Name Address Ordinal API Name
010012C4 comdlg32.dll 763D48D6 0074 PageSetupDlgW

010012E4 comdlg32.dll 763C7CF3 0071 GetSaveFileNameW
010012EC DLL:msvcrt.dll FirstThunkRVA:12EC
DLL Name Address Ordinal API Name
010012EC msvcrt.dll 77C32DAE 0050 _XcptFilter

01001340 msvcrt.dll 77C4806B 0331 wcsncpy
OllyDump -- Calculating New File Size...
New Import Section Size:1000 New File Size:1F000
OllyDump -- Making New Import Table...
OllyDump -- Dump and Rebuild Finish!!


D:\upxalive>upx301w\upx301w\upx.exe -d -o upxnotepadupx.exe upxnotepad.exe
Ultimate Packer for eXecutables
Copyright (C) 1996,1997,1998,1999,2000,2001,2002,2003,2004,2005,2006,2007
UPX 3.01w Markus Oberhumer, Laszlo Molnar & John Reiser Jul 31st 2007

File size Ratio Format Name
-------------------- ------ ----------- -----------
69120 <- 48128 69.63% win32/pe upxnotepadupx.exe

Unpacked 1 file.

D:\upxalive>


D:\upxalive>dir /b
upx301w.rar
odbg110.rar
g_ollydump300110.rar
upx301w
odbg110
g_ollydump300110
NOTEPAD.EXE
upxnotepad.exe
upxnotepadmup.exe
upxnotepadupx.exe
upxnotepadmupnofix.exe
upxnotepadmupnofix2000.exe
5alive3.PNG

D:\upxalive>

D:\Borland\upxalive>rar a 5alive.rar *.exe 5alive3.PNG

RAR 3.51 Copyright (c) 1993-2005 Alexander Roshal 7 Oct 2005
Shareware version Type RAR -? for help

Evaluation copy. Please register.

Creating archive 5alive.rar

Adding NOTEPAD.EXE OK
Adding upxnotepad.exe OK
Adding upxnotepadmup.exe OK
Adding upxnotepadupx.exe OK
Adding upxnotepadmupnofix.exe OK
Adding upxnotepadmupnofix2000.exe OK
Adding 5alive3.PNG OK
Done

D:\Borland\upxalive>


rename zip as rar and unrar

5aLIVE
October 3rd, 2007, 15:00
Quote:
[Originally Posted by blabberer;69083]an automated response see if you can find your answers in this if not ask


Hi Blabberer, From your automated response I can follow the majority of the steps you took with the virgin notepad.exe.

I am not clear about how you produced upxnotepadmupnofix.exe and upxnotepadmupnofix2000.exe.

I understand that you manually unpacked them both with OllyDump. With upxnotepadmupnofix.exe having the base addresses which correctly match the virgin notepad.exe, on the other hand, upxnotepadmupnofix2000.exe has a code base address of 2000h, why I don't know?

I am aware that you can enter the code and data base addresses into OllyDump before you dump memory to file. I'm not sure if this is what you were hoping to illustrate or perhaps I've missed the point?

What I still remain unclear about is how you can determine the correct base addresses for a file which you don't have a virgin copy of as a reference, nor am I able to produce one using upx -d on account of the file being "scrambled" in some way.

Thanks for taking the time to help thus far.

5aLIVE

LLXX
October 3rd, 2007, 23:03
The PE loader ignores BaseOfCode and BaseOfData, and you should too.

Try setting them both to FFFFFFFF and see that it still runs.

Those two fields are only used during the linking process in COFF files, if I remember correctly.

Now let's get back to your original topic...

blabberer
October 4th, 2007, 09:40
Quote:

The PE loader ignores BaseOfCode and BaseOfData, and you should too.


you should not; maybe the pe loader ignores it or maybe it doesnt care about where it is
but ollydbg depends on a few correct values there for its internal usage (or for that matter anything which doesnt use a brain but a bit of heuristics to work requires approximately correct values there)

@ 5alive
you can change your base of code in ollydump itself as well as base of data before dumping

as demonstrated the exe will run without it being right or with any random values like my 2000

but load the thingy in ollydbg
you will see an entry point out of code section (and obviously no analysis as well)
you change the section flag to e00000e0 the msg box would still be there ??
wtf
if you notice you will see size of code is 0x5000 which is lesser than the entry point viz 739d
change it to 0x10000 and the entry point nag will get out

and the analysis will start working but if you notice the analysis will start its working from
> 0x10002000 this is where the base of code comes into action whether peloader cares about it or not

you change it to 0x1000 arbitrarily and save it
now you will have a full analysis from 1001000

the import table strings will get their proper names with 0x1000 as base of code while with 0x2000 the import table strings will be looking like gibberish

as to how to find where or what you need there its a bit of deduction

when you are on oep in this notepad scrollup and you will see the memory section starts from 0x1001000
if you look at memory map you will see the peheader ends at 0x1000 so that is where it should match
is an educated guess (as always this is not a firm rule etched in stone that could last an era)
as to base of data again it depends you have to deduce looking at it (this field will come into action where ollydbg will map the dump in its dump window (note pad has /link merge erw .text compiler switch so its data section is within code section)

hope that helps
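
As an added illustration of the points in this post and in 5aLIVE's notepad comparison above (not code from any poster in this thread), here is a small Python script that reads the PE32 header fields under discussion (AddressOfEntryPoint, BaseOfCode, SizeOfCode, BaseOfData and the section table), applies the same "entry point inside the declared code range" test that OllyDbg performs before analysing, and suggests a BaseOfCode/SizeOfCode pair that spans every executable section of a dump, which is what you want when the code lives in a R/W/X ".data" section. All function names are the example's own; the header it parses is constructed inline to match the section layout quoted in this thread and is not a real binary.

```python
"""PE32 header sanity check for an unpacked dump (added example, stdlib only)."""
import struct
from collections import namedtuple
from typing import Optional, Tuple

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000

# Section table entry and the optional-header fields the thread argues about (RVAs).
Section = namedtuple("Section", "name virtual_size virtual_address characteristics")
PEHeader = namedtuple("PEHeader", "image_base entry_point base_of_code size_of_code "
                                  "base_of_data sections")


def section_contains(s: Section, rva: int) -> bool:
    return s.virtual_address <= rva < s.virtual_address + s.virtual_size


def parse_pe32(data: bytes) -> PEHeader:
    """Read DOS stub -> COFF header -> optional header -> section headers."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsect = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24  # optional header follows the 20-byte COFF header
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) headers are handled here")
    size_of_code = struct.unpack_from("<I", data, opt + 4)[0]
    entry, base_code, base_data, image_base = struct.unpack_from("<IIII", data, opt + 16)
    sections = []
    for i in range(nsect):  # IMAGE_SECTION_HEADER entries are 40 bytes each
        off = opt + opt_size + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va = struct.unpack_from("<II", data, off + 8)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append(Section(name, vsize, va, chars))
    return PEHeader(image_base, entry, base_code, size_of_code, base_data, sections)


def entry_in_declared_code(pe: PEHeader) -> bool:
    """The test behind OllyDbg's 'entry point is outside the code section' box:
    BaseOfCode <= AddressOfEntryPoint < BaseOfCode + SizeOfCode."""
    return pe.base_of_code <= pe.entry_point < pe.base_of_code + pe.size_of_code


def entry_section(pe: PEHeader) -> Optional[Section]:
    """The section header that really covers the entry point, if any."""
    return next((s for s in pe.sections if section_contains(s, pe.entry_point)), None)


def suggest_code_range(pe: PEHeader) -> Tuple[int, int]:
    """(BaseOfCode, SizeOfCode) spanning every MEM_EXECUTE section, so code a packer
    left in a R/W/X '.data' section falls inside the declared code range as well."""
    execs = [s for s in pe.sections if s.characteristics & IMAGE_SCN_MEM_EXECUTE]
    if not execs:
        raise ValueError("no executable section: fix the section flags first")
    lo = min(s.virtual_address for s in execs)
    hi = max(s.virtual_address + s.virtual_size for s in execs)
    return lo, hi - lo


def patch_code_range(data: bytes, base_of_code: int, size_of_code: int) -> bytes:
    """Copy of the image with BaseOfCode/SizeOfCode rewritten in the optional header."""
    buf = bytearray(data)
    opt = struct.unpack_from("<I", buf, 0x3C)[0] + 24
    struct.pack_into("<I", buf, opt + 4, size_of_code)
    struct.pack_into("<I", buf, opt + 20, base_of_code)
    return bytes(buf)


def build_sample_header() -> bytes:
    """Constructed PE32 header (no section bodies) shaped like the dump in this thread."""
    secs = [  # (name, VirtualSize, VirtualAddress, Characteristics)
        (b".main", 0xF1000, 0x1000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | 0x40000000),
        (b".data", 0xD7000, 0xF2000, 0xE0000040),  # R/W/X 'data' holding code, as reported
        (b".rdata", 0x4000, 0x1C9000, 0x40000040),
        (b".mackt", 0x4000, 0x1CD000, 0xC0000040),
    ]
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)   # PE32 magic
    struct.pack_into("<I", opt, 4, 0x5000)  # SizeOfCode: packer leftover, far too small
    # AddressOfEntryPoint (inside .data), BaseOfCode (packer leftover), BaseOfData, ImageBase
    struct.pack_into("<IIII", opt, 16, 0xF2040, 0x2000, 0x1C9000, 0x400000)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, vs, 0, 0, 0, 0, 0, c)
                     for n, vs, va, c in secs)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table
```

On the constructed header the entry point sits in the executable ".data" section but outside the declared code range, and the suggested fix is BaseOfCode 1000h with SizeOfCode 1C8000h, after which the same check passes.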

LLXX
October 5th, 2007, 01:11
Right-click what you think the code section is and select Analyze, or hit Ctrl+A.

blabberer
October 5th, 2007, 12:29
Quote:

Right-click what you think the code section is and select Analyze, or hit Ctrl+A.


well you still are not getting the point i mean to say ctrl+a WILL not have any effect ollydbg will refuse to analyze anything if the eip it is standing on is not code section inherently

it needs to know beforehand (it performs a check) whether it is analysing a code section or not and if it is not it wont analyze
if you open up the AnalyzeThis plugin by JoeStewert you will notice he is doing a force analysis of non code section with certain limitations

ollydbg will not analyze heap, Rtl_user_parameters Page0x200000 (contains startup code by ntdll LoaderInIt), KUSER_SHARED_PAGE (contains Sysenter) and neither any virtual alloced pages even if they are executing and contain code

your one liner looks like one size fits for all solution which isnt the case

LLXX
October 5th, 2007, 23:49
In that case I'd consider it a bug, but nothing a little patching can't fix
Code:
0045DB3F 8B4E0C mov ecx,[esi][000C]
0045DB42 3B4E28 cmp ecx,[esi][0028] ; is above?
0045DB45 770B ja 0045DB52 ; *** jump to message etc ***
0045DB47 8B460C mov eax,[esi][000C]
0045DB4A 034610 add eax,[esi][0010]
0045DB4D 3B4628 cmp eax,[esi][0028] ; is above?
0045DB50 7734 ja 0045DB86 ; *** jump around it
0045DB52 8D5648 lea edx,[esi][0048]
0045DB55 52 push edx
0045DB56 6A08 push 08
0045DB58 68C3C04B00 push 004BC0C3 ;"Module '%s' has entry point" blah blah blah
0045DB5D 8D8D78FDFFFF lea ecx,[ebp][-00000288]
0045DB63 51 push ecx
0045DB64 E8C3900400 call 004A6C2C ; display the message
OllyDbg 1.0.10.0, this fragment of code will only kill the messagebox and nothing else, you'll also need to patch the AppendMenu routine (search for "&Analyse") and the analyser routine itself (menucommand 142 (8E) in the message processing loop).

5aLIVE
October 6th, 2007, 06:52
Quote:
[Originally Posted by blabberer;69116]
but load the thingy in ollydbg
you will see an entry point out of code section (and obviously no analysis as well)
you change the section flag to e00000e0 the msg box would still be there ??
wtf

I'd need to double check that.

Quote:
[Originally Posted by blabberer;69116]
the import table strings will get their proper names with 0x1000 as base of code while with 0x2000 the import table strings will be looking like gibberish

I changed the base of code to 1000h as you suggest and sure enough I get the ep out of code warning message, clicking on ok and the analysis also begins. I also looked at another Delphi app and noticed that 1000h seems to be a typical code base address. I can now use the MapConv plugin to correctly place labels on the code listing.

Comments however don't appear to be added, presumably this has something to do with the data base address needing to be adjusted too.

Quote:
[Originally Posted by blabberer;69116]
as to base of data again it depends you have to deduce looking at it (this field will come into action where ollydbg will map the dump in its dump window (note pad has /link merge erw .text compiler switch so its data section is within code section)

I didn't realise the dump window starts at the base of data address until you mentioned it. Again I'll look at other virgin Delphi binaries to look for a "pattern". I'll post back to report if this fixes the comments.

UPDATE 2: I changed the base of data address to F2000h, Olly continues to dump data at the old address of 1C9000h for some reason. (I deleted the .udd file beforehand).

UPDATE 2: Something's not right, most likely to be down to the virtual sizes of the data and code sections being the wrong values in the PE header. A little more investigation is needed to fix this. I'll review the PE format spec too when I can get a spare moment.

Quote:
[Originally Posted by blabberer;69116]
hope that helps

It certainly does thankyou. I'm surprised that this question hasn't been raised before.

SiGiNT
October 9th, 2007, 15:26
Quote:
[Originally Posted by 5aLIVE;69031]When loading the app Olly also warns that the code section is either compressed/encrypted/or contains a large amount of embedded data. It warns that results of code analysis could be unreliable or wrong. I select no as I don't want to continue analysis.

I also get a suspicious breakpoint warning about placing breakpoints on data which further confirms that code is in the data section.


I've been semi-following this thread for a while now and admittedly have not fully read all of the suggestions and advice, but I keep coming back to this - this is what I normally would expect to see if I "unpacked an app" and it was not fully unpacked - or if it was double packed - this used to plague me with old versions of arma.

Here's a really SWAG that will allow you to put another checkmark next to my name in the nutcase file - is it possible that you are working with a packer that spawns a process on disk - similar to ExeShield, and you've managed to incorporate elements of both the father and child in your dump, when run it sees the dump as the spawned process and deletes it on exit? - could explain a lot of anomalies.

Ok now you can flame me for not fully reading the thread

SiGiNT

SiGiNT
October 15th, 2007, 15:27
GEESH! I'm going to get a rep as a thread killer!!!

S

5aLIVE
October 15th, 2007, 16:44
@sigint33, sorry I haven't been on here in a while. No the app has only been packed once as I am able to view an intelligible disassembly in IDA. I appreciate your thoughts and input but I don't think it's as complex as that. Having said that, I couldn't find the trigger that deletes the file, admittedly I got a little side tracked trying to work out why I couldn't apply a .MAP file. I'll try to post more of my findings when I get a chance.

Regards,
5aLIVE

SiGiNT
October 15th, 2007, 18:35
Just for kicks and giggles, run the packed app - either alone or in olly, open another instance of olly and look for something odd like a file being executed from your docs and settings directory, if I'm wrong there then I think your problem may be that the app is only partially unpacked - older versions of arma would execute partially unpacked - you would go thru the unpacking process dump and rebuild - the file size would double and it ran fine, but when analyzed it was still partially packed. The rebooting, I'm assuming your machine abruptly shuts off - could be from a severe kernel violation, ala "stripper".

SiGiNT