PacketKim
September 10th, 2009, 09:44
The code shown above is not part of UPX body, but part of the application itself. I'm running the exe using the packed format (I made an OllyScript that unpacks it and breaks on OEP correctly). There is no problem on unpacking it.
That procedure receives 2 arguments and of them being the number I'm passing myself 0XDDCCBBAA (look at the stack).
When I configure Ollydbg to ignore all exceptions and execute the first instruction (aka: SAR instruction) the code below is executed and the only thing it does is to close the thread I'm working in, by calling ExitThread.
Code:
7C90E480 MOV EBX,DWORD PTR SS:[ESP]
7C90E483 PUSH ECX
7C90E484 PUSH EBX
7C90E485 CALL 7C92A970 ; ntdll -> calls ExitThread()
7C90E48A OR AL,AL
7C90E48C JE SHORT 7C90E49A ; ntdll.7C90E49A
7C90E48E POP EBX
7C90E48F POP ECX
7C90E490 PUSH 0
7C90E492 PUSH ECX
7C90E493 CALL 7C90D05E ; ntdll.ZwContinue
7C90E498 JMP SHORT 7C90E4A5 ; ntdll.7C90E4A5
7C90E49A POP EBX
7C90E49B POP ECX
7C90E49C PUSH 0
7C90E49E PUSH ECX
7C90E49F PUSH EBX
7C90E4A0 CALL 7C90D9AE ; ntdll.ZwRaiseException
7C90E4A5 ADD ESP,-14
7C90E4A8 MOV DWORD PTR SS:[ESP],EAX
7C90E4AB MOV DWORD PTR SS:[ESP+4],1
7C90E4B3 MOV DWORD PTR SS:[ESP+8],EBX
7C90E4B7 MOV DWORD PTR SS:[ESP+10],0
7C90E4BF PUSH ESP
7C90E4C0 CALL 7C90E528 ; ntdll.RtlRaiseException
7C90E4C5 RETN 8
I'm pretty sure that procedure is a keygen routine because after it is executed it passes the returned value to the function that shows the finnal generated key. I never dealt with obfuscated code before, so I'm not sure about if this sympton is normal in some codes like this. For example, isn't possible that the number which represents the memory location [C547A19E] is part of the keygen calculation routine?