Log in

View Full Version : Cannot proceed - Packed EXE?

live_dont_exist
November 10th, 2011, 00:54
Hi All,
I was trying to reverse an executable giving to me by someone for my own learning purposes. I am currently stuck. Here is the problem and what I have done:

--- Olly detects an entry point
--- It JMP's to a location after some 4 instructions, at that location there is another JMP
--- After this it just goes into an endless loop of 4 instructions inside which control remains; I don't think that loop ever exits

How does one debug this?

My first instinct was to think it was packed and I tried using PEiD to detect a packer. PEID failed though saying it could not read process memory. After Googling I found a few people had recommended RDG Packer detector. I tried that and it gave me 2 results for its 2 modes - WL - Cryptor 1.0 and Obsidium 1.2.

I also used the HideDebugger plugin and checked all its options to hide the debugger from the process, but that doesn't make sense as there do not seem to be any calls to these functions. Unless there is something before Entry Point.

On googling Obsidium, I found this was a license protector software so there may be a chance it was used here. But now, how do I proceed? Is writing an unpacking routine for Obsidium the only way forward? In this case I am stuck as I have no clue [not skilled enough] on how to even start thinking.

Is this EXE packed for sure? How does 1 think in this situation?

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
DANGER ---- MALWARE

I have attached a few screenshots to show you what exactly I have done so far. It also contains the exact malware sample if you need it.

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Thanks
Arvind
OHPen
November 10th, 2011, 11:02
Hey,

try to unpack it. I doubt that you will find an unpacking tool for it. If it is Obsidium take a look at the unpacking tutorial on tuts4you. iirc you will find something on obsidium there

Good luck

Regards,
OHPen.
live_dont_exist
November 11th, 2011, 10:09
Thanks OHPen. The problem though is I am not sure whether its Obsidium or not. I actually looked at a couple of tutorials (not in detail though) and it didn't look like the pattern that Obsidium follows was similar to what was there in this file.

The bigger problem is - If its not a known packer then what do you do? I can try and step through code but those efforts just end in me going into this recursive loop which looks like a while(1) .. How do you even proceed? That's what is happening in this case.

You can try it out if you have time; you go into the recursive loop after just 2 jumps.

Does this mean that something is happening before the Entry Point? But where... I could not find a TLS callback either [Opened in IDA - look at list of entry points].

Any thoughts?

Thanks
Arvind
OHPen
November 11th, 2011, 11:20
Currently I'm not equipped to deal with malware, as I'm not running stuff in vmware plus i don't have time to do so, because of my own project, sorry. BUT maybe i can give you a few points to start with.

If you are new to unpacking in general that i agree with you it is quite good to know your enemy. Find tutorials dealing with similar version is usually a good point to start with. It should be easy for you to identify whether you are dealing with obsidium or not. most of the newbiez have problems identifing a special version of a protector because it slightly differes from those version the guys are talking about in their tutorials. So here are some route to follow:

- have a look at the sections ( for example execryptor always have cryptic strings as names ). They are different for every version, but you will recognize them when you see it.
- count the number of sections ( not working for all protectors, but sometimes this is a characteristic to differenciate between different protectors )
- open hex editor, take a look at the MZ header, PE header. Some modify those headers other not.
- look at the ep and compare the footprint of the wrapper. you can do various things to identify a packer/protector. count the number of calls before the encryption of the first layer, trace inside the calls have a look at their structure. often the main footprint of the ep is different but "helper"-functions which are called identical.
- have a look at the order of antidebug measures. this can be a signature of a protector

i could continue that list till tomorrow, so you see it is more or less a matter of creativity. grab the original obsidium, trace it and see it is similiar

You don't find any similarities, that it is probably something different, maybe even some custom stuff, when you are dealing with malware.


If that is the case than grab a upx tutorial and try to replicate that on your target. Find the OEP, dump and try to use imprec to reconstruct the imports. Sometimes it is that easy, sometimes not but it is worth to give it a try, heh.

Have fun!

OHPen.
-Alex-
November 11th, 2011, 11:37
Are you sure, this file is the only file, and an original? trace till the endless loop, and replace the JMP with JNZ, and you can continue to investigate.
live_dont_exist
November 11th, 2011, 12:42
Thanks for that advice OHPen. I'll keep that in mind when looking at reversing in general.

I'll do that and post back Alex, Thanks. Well, I'm not certain its the only file; I got it from someone via Email. Do you see anything in it, which makes you think that may be the case?

Arvind
-Alex-
November 11th, 2011, 13:06
Well, without patching the endless loop, u will get a stack overflow, so i assume, there is atleast one more file, which fixes the JMP to JNZ, and by the way, this file is in Delphi, no protection like Obsidium. ProtectionID would say u the same, is the best Packer/Protector/Compiler detector. So fixing the JMP to JNZ was obvious, as every Delphi file always pushes 0's to the stack, to make place for local variables, ECX is used as counter, thats why it makes dec ecx.
live_dont_exist
November 11th, 2011, 13:10
Oh yes.. that is exactly what happened . I will check out ProtectionID along with PEID and RDG Packer detector now.

I'll fix the JMP and post back.

Arvind

EDIT: Fantastic. I think that worked, as I now am inside a traditional start program loop of 'GetModuleHandle' 'GetCommandLineA' etc etc. Thanks so much for your help
blabberer
November 11th, 2011, 13:28
like alex posted patch the jmp to jnz

why not original or why need companion because the jmp cant be patched automatically for the exe to run

without patch it will crash with stack overflow exception after pushing a lot of 000 to stack

lot of online analysers say the file is hupigon a backdoor

why that patch

coz you can observe similar push 0 dec ecx jnz at several other places


it seems this wants to talk to some china site

it is copying the 07 file to windir as svchost.exe

Code:


00B43406  ............4.4. ................`............99579.

00B43446  .Http://ChinaCpo.3322.Org/ReadMe.txt....$(WinDir)\svchost.exe..5

00B43486  0..Զ....0..0..0..1..1..1..1..Windows Management Help.

00B434C6  .WinHelp32..ṩϵͳϢ..0..1080..guest..huigezi..0..8080

00B43506  ..1..0<...........99579...&.........Windows Management Hel

00B43546  p.&.........$(WinDir)\svchost.exe............50..|5.|5.D.

00B43586  ...............T5.....x5.....5.............5.D.......

00B435C6  ......Զ.............0............0...5.5.d.

00B43606  ...............T5.....x5.....5.............5.....5...

00B43646  ..l6.....|6.....Œ6.d............0............1.......

00B43686  .....1............1......5..................T5.....x5

00B436C6  .....5.............5.....5.....l6.....|6.....Œ6.....œ6

00B43706  .....7.....05.....*7.....7.....7.....7.....7.....8

00B43746  .....$8.....48.....H8.....X8..............................

00B43786  ........1.............WinHelp32...".........ṩϵͳ

00B437C6  Ϣ...........0............1080.............guest....

00B43806  ........huigezi..........0............8080...........

00B43846  ..1............0...\8.\8....$(WinDir)...t8.t8.”...WinD.

00B43886  ............%WinDir%....*8.*8.h...C:\WINDOWS..8.8.P...C:

00B438C6  \WINDO..............\svchost.exe4..............\svchost.exe.

00B43906  ..'.........C:\WINDOWS\svchost.exe...........svchost.exe.J.

00B43946  .....:...C:\Documents and Settings\admi\Desktop\endlessjumps\07

00B43986  .exe...........07.exe..J......:...C:\Documents and Settings\

00B439C6  admi\Desktop\endlessjumps\07.exe..9.9................C:

00B43A06  \WINDOWS\.J......:...C:\Documents and Settings\admi\Desktop\end

00B43A46  lessjumps\07.exe............exe....J......:...C:\Documents a

00B43A86  nd Settings\admi\Desktop\endlessjumps\07.exe..stat.dat....&.....

00B43AC6  .....C:\WINDOWS\bootstat.dat



there are several paths that this file can take

try renaming it as IexPL??? look for that string in disassembly it will behave differently

try renaming it as svchost.exe and put it in c:\windows\ it will behave differnetly

try enabling winhlp service before this starts it will behave differnetly

will winExec the file

it also seems to have screen capture facility (kruwosoft string and google ) and it loads wdmaud and creates a thread


Code:




0012FF64   00B43A78  |ExistingFileName = "C:\Documents and Settings\admi\Desktop\endlessjumps\07.exe"

0012FF68   00B43914  |NewFileName = "C:\WINDOWS\svchost.exe"

0012FF6C   00000000  \FailIfExists = FALSE


seems the site is alive

Code:




C:\>wget Http://ChinaCpo.3322.Org/ReadMe.txt

SYSTEM_WGETRC = c:/progra~1/wget/etc/wgetrc

syswgetrc = c:\program files\gnuwin32/etc/wgetrc

--2011-11-11 23:56:40--  http://chinacpo.3322.org/ReadMe.txt

Resolving chinacpo.3322.org... 60.1.23.36

Connecting to chinacpo.3322.org|60.1.23.36|:80... connected.

HTTP request sent, awaiting response.



whois of 3322.org 



Whois Record For 3322.org

 





Reverse Whois:

"Yaako Ltd." owns about30 other domains





Domain ID81041153-LROR

Domain Name:3322.ORG

Created On:11-Dec-2001 18:35:40 UTC

Last Updated On:11-Oct-2011 09:52:46 UTC

Expiration Date:11-Dec-2011 18:35:40 UTC

Sponsoring Registrar:OnlineNIC Inc. (R64-LROR)

Status:OK

Registrant ID:ONLC-3042777-4

Registrant Name:Bentium Ltd.

Registrant Organization:Yaako Ltd.

Registrant Street1:1406, Yinyuan Building   119, West Guanhe Road

Registrant Street2:1406, Yinyuan Building   119, West Guanhe Road

Registrant Street3:

Registrant City:Changzhou

Registrant State/Province:JS

Registrant Postal Code:213002

Registrant Country:CN

Registrant Phone:+86.51988056600

Registrant Phone Ext.:

Registrant FAX:+86.2161947030

Registrant FAX Ext.:

Registrant Email:

Admin ID:ONLC-3042777-1



tracert times out



Tracing route to ChinaCpo.3322.Org [60.1.23.36]

over a maximum of 30 hops:



  1   220 ms   224 ms   175 ms  220.224.141.129

  2   219 ms   229 ms   214 ms  115.255.239.69

  3   189 ms   187 ms   180 ms  124.124.251.241

  4   262 ms   232 ms   230 ms  115.255.252.225

  5   285 ms   283 ms   270 ms  62.216.147.249

  6   336 ms   354 ms   344 ms  so-7-0-0.0.ejr03.sin001.flagtel.com [62.216.128.

73]

  7   364 ms   365 ms   326 ms  so-0-2-0.0.pjr02.hkg005.flagtel.com [85.95.26.12

5]

  8   314 ms   322 ms   351 ms  so-0-0-0.0.pjr02.wad001.flagtel.com [85.95.26.90

]

  9   397 ms   310 ms   316 ms  xe-1-2-0.0.eji01.tok007.flagtel.com [85.95.26.11

8]

 10   332 ms   336 ms   379 ms  ge-1-1-4.r20.tokyjp03.jp.bb.gin.ntt.net [61.213.

160.221]

 11   305 ms   330 ms   341 ms  xe-0-1-0.r25.tokyjp01.jp.bb.gin.ntt.net [129.250

.3.128]

 12   516 ms   422 ms   381 ms  ae-7.r23.tokyjp01.jp.bb.gin.ntt.net [129.250.3.1

64]

 13   567 ms   583 ms   568 ms  219.158.33.253

 14   570 ms   589 ms   571 ms  219.158.4.141

 15   531 ms   502 ms   505 ms  219.158.18.230

 16   523 ms   545 ms   534 ms  pppa182.sj.he.cn [202.99.160.182]

 17   754 ms   705 ms   691 ms  61.182.172.18

 18   527 ms   550 ms   514 ms  221.192.15.238

 19     *        *        *     Request timed out.

 20     *        *        *     Request timed out.

 21     *        *        *     Request timed out.

 22     *        *        *     Request timed out.

 23     *        *        *     Request timed out.

 24     *        *        *     Request timed out.

 25     *        *        *     Request timed out.

 26     *        *        *     Request timed out.

 27     *        *        *     Request timed out.

 28     *        *        *     Request timed out.

 29     *        *        *     Request timed out.

 30     *        *        *     Request timed out.



Trace complete.



C:\>


Code:


copies files

hides it



0012FF58   00B43914  |FileName = "C:\WINDOWS\svchost.exe"

0012FF5C   00000007  \FileAttributes = READONLY|HIDDEN|SYSTEM



open scm then opens service



0012FF3C   00153648  |Arg1 = 00153648

0012FF40   00B437A0  |Arg2 = 00B437A0 ASCII "WinHelp32"

0012FF44   000F01FF  \Arg3 = 000F01FF



0012FEF8   00153648  |hManager = 00153648

0012FEFC   00B437A0  |ServiceName = "WinHelp32"

0012FF00   00B43530  |DisplayName = "Windows Management Help"

0012FF04   000F01FF  |DesiredAccess = SERVICE_ALL_ACCESS

0012FF08   00000110  |ServiceType = SERVICE_WIN32_OWN_PROCESS|SERVICE_INTERACTIVE_PROCESS

0012FF0C   00000002  |StartType = SERVICE_AUTO_START

0012FF10   00000000  |ErrorControl = SERVICE_ERROR_IGNORE

0012FF14   00B43914  |BinaryPathName = "C:\WINDOWS\svchost.exe"

0012FF18   00000000  |LoadOrderGroup = NULL

0012FF1C   00000000  |pTagId = NULL

0012FF20   00000000  |pDependencies = NULL

0012FF24   00000000  |ServiceStartName = NULL

0012FF28   00000000  \Password = NULL
live_dont_exist
November 11th, 2011, 23:16
Thanks blabberer. I will go deeper into this and post back if I have further problems.

Arvind