Log in

View Full Version : Problem with obfuscated code


PacketKim
September 9th, 2009, 18:17
Hi, I'm debugging an application that contains this obfuscated procedure (see image) and the first instruction is already causing a Memory Access violation

This app is packed with UPX and I'm running it on OllyDbg on it's packed format.

My questions are:

1-Is a Memory Access Violation a normal sympton of a obfuscated code during debugging?
2-How can it be able to run without problems out of a debugger?

evlncrn8
September 10th, 2009, 03:10
well theres a few possibilities

1. its unpacked badly somehow, perhaps using a tls trick
2. its designed to crash (and be caught by an seh)
3. both of the above

ronnie291983
September 10th, 2009, 04:29
or maybe

u have missed a antidebug check and were thrown to this location for halting the program. Some of exe's now use this kind of techniques rather than ExitProcess for graceful exit Which makes RE more difficult

disavowed
September 10th, 2009, 08:15
That's definitely not UPX's unpacking stub

As for the crash there, one of two things probably happened:
1. The program set up an SEH handler or VEH handler, purposely threw the exception above, and now will use the handler to handle the exception. You can get around this by configuring OllyDbg to ignore all exceptions.
2. There was code earlier in the program that detected your debugger and then redirected you to the code above, in which case you'd have to circumvent that check/redirection.

PacketKim
September 10th, 2009, 09:44
The code shown above is not part of UPX body, but part of the application itself. I'm running the exe using the packed format (I made an OllyScript that unpacks it and breaks on OEP correctly). There is no problem on unpacking it.
That procedure receives 2 arguments and of them being the number I'm passing myself 0XDDCCBBAA (look at the stack).
When I configure Ollydbg to ignore all exceptions and execute the first instruction (aka: SAR instruction) the code below is executed and the only thing it does is to close the thread I'm working in, by calling ExitThread.
Code:

7C90E480 MOV EBX,DWORD PTR SS:[ESP]
7C90E483 PUSH ECX
7C90E484 PUSH EBX
7C90E485 CALL 7C92A970 ; ntdll -> calls ExitThread()
7C90E48A OR AL,AL
7C90E48C JE SHORT 7C90E49A ; ntdll.7C90E49A
7C90E48E POP EBX
7C90E48F POP ECX
7C90E490 PUSH 0
7C90E492 PUSH ECX
7C90E493 CALL 7C90D05E ; ntdll.ZwContinue
7C90E498 JMP SHORT 7C90E4A5 ; ntdll.7C90E4A5
7C90E49A POP EBX
7C90E49B POP ECX
7C90E49C PUSH 0
7C90E49E PUSH ECX
7C90E49F PUSH EBX
7C90E4A0 CALL 7C90D9AE ; ntdll.ZwRaiseException
7C90E4A5 ADD ESP,-14
7C90E4A8 MOV DWORD PTR SS:[ESP],EAX
7C90E4AB MOV DWORD PTR SS:[ESP+4],1
7C90E4B3 MOV DWORD PTR SS:[ESP+8],EBX
7C90E4B7 MOV DWORD PTR SS:[ESP+10],0
7C90E4BF PUSH ESP
7C90E4C0 CALL 7C90E528 ; ntdll.RtlRaiseException
7C90E4C5 RETN 8


I'm pretty sure that procedure is a keygen routine because after it is executed it passes the returned value to the function that shows the finnal generated key. I never dealt with obfuscated code before, so I'm not sure about if this sympton is normal in some codes like this. For example, isn't possible that the number which represents the memory location [C547A19E] is part of the keygen calculation routine?

squidge
September 10th, 2009, 15:23
That smells of invalid code. Are you sure C547A19E is even a valid address? ALT+M to find out, but it appears Ollydbg has already decided on the answer with the "???" response. The other addresses look suspect too. Are you sure it unpacked ok?

PacketKim
September 10th, 2009, 17:35
Quote:
[Originally Posted by squidge;82917]That smells of invalid code. Are you sure C547A19E is even a valid address? ALT+M to find out, but it appears Ollydbg has already decided on the answer with the "???" response. The other addresses look suspect too. Are you sure it unpacked ok?


I'm sure this number (C547A19E) is an invalid address (I never said it was valid!) and, yes, UPX is unpacked ok. The function I'm showing in the image is the only obfuscated function I met when debugging this application since its OEP. This function must be protected with something else because it's the crucial part of this application. The question is, why I can not run it inside the debugger?

FrankRizzo
September 10th, 2009, 20:36
The obvious next question for me is: "Does this unpacked version run fine OUTSIDE the debugger?" If yes, then I'd bet it's screwing with you. It detected the debugger, and threw you into some shit trying to see if you realize it.

Ohh.. Another thought. Clear your breakpoints, and run it inside the debugger. If it runs OK there it's probably NOT a debugger check. If it crashes, well, there's your answer.

I'm assuming that debugging in IDA is out of the question? If not, try that.

Kayaker
September 10th, 2009, 21:35
As above. Everything that was said above, plus, I don't think it's 'obfuscated' code per se, in that instructions resolve to valid code as they are executed - even though they don't look valid statically, but rather a code routine that is still encrypted.

As mentioned you probably got tripped up by an SEH or other debugger/tracing detection and, if the case holds, the routine never got decrypted, and woe to you if it crashes bad cracker.

You might check around that GetTickCount call sitting on the stack as a start