
Help unpacking old malware - Malware attached


JimmerRobber
February 14th, 2013, 19:14
I've been trying for a while to unpack an older piece of malware. I've been reversing keygens and crackmes for a while and I've never really had to manually unpack anything. I've tried a few automatic unpackers but didn't have any luck, so I thought I would try to learn how to manually unpack something. I've tried using OllyDump -> Find OEP by section (trace into) and (trace over), dumping the process and then using Import REConstructor. After I tried this and looked at it in PEView, the text section still doesn't have anything in it. Also, when I tried to open the dumped executable in IDA it has trouble running from the new EP. I've also tried using the "find POPAD" method to reveal the OEP address. I've also opened it in IDA and stepped into what I thought was the unpacking function, but when it seemed to unpack some code the imports that IDA saw still didn't show up anywhere in the code.

I've been working on this for a while so any help is appreciated. I'm not necessarily looking for someone to unpack the malware for me (but I would download it and look at it). I'd like some guidance to help me get over the hump. I've been trying different approaches that I've found during my research but can't seem to get anywhere.

The password for the zip file is "infected" and I changed the extension to .xex

Thanks in advance and any help is greatly appreciated.

Kayaker
February 15th, 2013, 02:20
Hi

This is not "packed" in the classical sense. It has obfuscation in the form of garbage instructions designed to confuse, encrypted sections, and perhaps other tricks further along. Forget the automagic solutions at this point, your best bet would be to just single step everything and try to understand what it's doing (use of LoadLibrary/GetProcAddress, VirtualAlloc, import addresses stored on the stack, obfuscation/encryption tricks, etc.)

As a suggestion, you might want to try the x86 Emulator plugin for IDA for this one:

http://www.idabook.com/x86emu/

What that will allow you to do is step through the initial decryption routine for example, in emulation mode, and will update the IDA disassembly with the decrypted changes. Makes it handy for later analysis.

For example, you should be able to recognize a decryption routine that begins about here:

:00401011 mov eax, offset StartDecrypt ; 041FE54

and the decryption loop proper from 401077 -> 40169B

If you step through that a time or two you should be able to find and name the variables used for the loop counter, the size to be decrypted, the encrypted dword(s), and the decrypted result which will replace it.

You should also be able to spot the garbage code that accomplishes nothing (i.e. registers used but soon overwritten for naught, variables that are never used, etc.), and soon be able to ignore that. For a fun challenge you might even want to try to pull out the real decryption algorithm from all that and create an IDC script to automate the decryption. That way you make your own 'automagic' solution.


Anyway, you probably already saw that after this first decryption there is a call into the decrypted code, which is the start of the next layer where the imports are resolved:

4016D9 call [ebp+var_14] ; 42026C

With x86emu, once you get bored of stepping through the decryption loop, you can use Run To Cursor to 4016D9 and the IDB will now have the decrypted code stored.


I think the point I'm trying to make is that there is no "easy" solution to this, you won't get a perfect disassembly (nor "unpacked" PE) with all imports defined without a variety of tricks, and even then...

One of the first imports to be resolved is VirtualAlloc, I didn't go that far but I wouldn't be surprised if it decrypted and ran code from memory. That you will have to dump as a bin file and work with it as best you can.

You can also note down interesting imports as they are resolved with a break on GetProcAddress and set further breaks on them for when they are used, i.e. VirtualAlloc/Protect, lstrcmp, etc. and that will give some idea of what the malware does with them. In fact, x86emu will log the imports for you as they are resolved.

Hope this gives you some new ideas at least.

Kayaker

esther
February 15th, 2013, 07:12
As for using Import REConstructor, you need to be on the OEP. Import REConstructor will only be able to get the imports at the correct OEP.
If you really want to learn unpacking,lena151's tutorials are really a good start.

blabberer
February 17th, 2013, 11:11
Well, the first layer, as posted already, isn't a packer per se, more of obfuscation crap, blah blah.
The second layer seems to be UPX, though upx -d errs with some checksum error.
OllyDbg and OllyDump do a neat job:
be on the UPX OEP after POPAD,
dumped raw.
IDA seems to load it after a few hiccups; reloc is probably still corrupt.
A dialer, it seems.

Code:

004019C8 Hardware breakpoint 1 at Malware.004019C8
Analysing Malware
3 heuristical procedures
24 calls to known functions
2 loops
004019C2 CALL to memcpy from Malware.0040136C
dest = 10000000
src = Malware.00403044
n = 1120 (4384.)
004019C2 Breakpoint at Malware.004019C2
004019C2 CALL to memcpy from Malware.00401466
dest = 10036000
src = Malware.00403444
n = 14400 (82944.)
004019C2 Breakpoint at Malware.004019C2
004019C2 CALL to memcpy from Malware.00401466
dest = 1004B000
src = Malware.00417844
n = 1000 (4096.)
004019C2 Breakpoint at Malware.004019C2
76B20000 Module C:\WINDOWS\system32\ATL.DLL
76D60000 Module C:\WINDOWS\system32\iphlpapi.dll
71AB0000 Module C:\WINDOWS\system32\WS2_32.dll
71AA0000 Module C:\WINDOWS\system32\WS2HELP.dll
774E0000 Module C:\WINDOWS\system32\ole32.dll
77120000 Module C:\WINDOWS\system32\OLEAUT32.dll
7C9C0000 Module C:\WINDOWS\system32\SHELL32.dll
77F60000 Module C:\WINDOWS\system32\SHLWAPI.dll
773D0000 Module C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
76EB0000 Module C:\WINDOWS\system32\TAPI32.dll
76E80000 Module C:\WINDOWS\system32\rtutils.dll
76B40000 Module C:\WINDOWS\system32\WINMM.dll
7E1E0000 Module C:\WINDOWS\system32\urlmon.dll
77C00000 Module C:\WINDOWS\system32\VERSION.dll
771B0000 Module C:\WINDOWS\system32\WININET.dll
77A80000 Module C:\WINDOWS\system32\CRYPT32.dll
004019A2 Hardware breakpoint 2 at Malware.004019A2
10025D27 Hardware breakpoint 3 at 10025D27
OllyDump -- Start "JMP [Thunk]"(0x25FF) and "CALL [Thunk]"(0x15FF) search

OllyDump -- Import Table
10027000 DLL:ADVAPI32.dll FirstThunkRVA:27000
DLL Name Address Ordinal API Name
10027000 ADVAPI32.dll 77DDECD5 01D4 RegDeleteValueA
10027004 ADVAPI32.dll 77DD6C17 01CB RegCloseKey
10027008 ADVAPI32.dll 77DDE9E4 01CF RegCreateKeyExA
1002700C ADVAPI32.dll 77DD797B 01AB OpenProcessToken
10027010 ADVAPI32.dll 77DD7842 01E5 RegOpenKeyExA
10027014 ADVAPI32.dll 77DD7AAB 01EF RegQueryValueExA
10027018 ADVAPI32.dll 77DDEAD7 01FC RegSetValueExA
1002701C ADVAPI32.dll 77DE4280 01D2 RegDeleteKeyA
10027020 ADVAPI32.dll 77DE5196 01D9 RegEnumKeyExA
10027024 ADVAPI32.dll 77DE4312 01EA RegQueryInfoKeyA
10027028 ADVAPI32.dll 77DDEFFC 001E AdjustTokenPrivileges
1002702C ADVAPI32.dll 77DFC208 014E LookupPrivilegeValueA
10027034 DLL:ATL.DLL FirstThunkRVA:27034
DLL Name Address Ordinal API Name
10027034 ATL.DLL 76B2376F 002F AtlAxGetControl
10027038 ATL.DLL 76B299D0 002A AtlAxWinInit
10027040 DLL:COMCTL32.dll FirstThunkRVA:27040
DLL Name Address Ordinal API Name
10027040 COMCTL32.dll 5D0965CF 0011 InitCommonControls
10027048 DLL:GDI32.dll FirstThunkRVA:27048
DLL Name Address Ordinal API Name
10027048 GDI32.dll 77F3BC60 003A CreateFontA
1002704C GDI32.dll 77F1D3EA 00DE ExtTextOutA
10027050 GDI32.dll 77F15E29 0217 SetBkColor
10027054 GDI32.dll 77F15D77 023E SetTextColor
10027058 GDI32.dll 77F16BFA 0090 DeleteObject
1002705C GDI32.dll 77F161A5 0051 CreateSolidBrush
10027064 DLL:kernel32.dll FirstThunkRVA:27064
DLL Name Address Ordinal API Name
10027064 kernel32.dll 7C810C1E 030A SetFilePointer
10027068 kernel32.dll 7C80A045 024A LoadResource
1002706C kernel32.dll 7C80BCF9 0342 SizeofResource
10027070 kernel32.dll 7C80CD27 0258 LockResource
10027074 kernel32.dll 7C80BF19 00E0 FindResourceA
10027078 kernel32.dll 7C813869 00D1 FindFirstFileA
1002707C kernel32.dll 7C834EC9 00DA FindNextFileA
10027080 kernel32.dll 7C865B1F 0070 CreateToolhelp32Snapshot
10027084 kernel32.dll 7C864DF5 0288 Process32First
10027088 kernel32.dll 7C864F68 028A Process32Next
1002708C kernel32.dll 7C8099B0 013D GetCurrentProcessId
10027090 kernel32.dll 7C8104BC 0068 CreateRemoteThread
10027094 kernel32.dll 7C8021D0 02AA ReadProcessMemory
10027098 kernel32.dll 7C802213 0399 WriteProcessMemory
1002709C kernel32.dll 7C802530 037F WaitForSingleObject
100270A0 kernel32.dll 7C82141D 0154 GetExitCodeThread
100270A4 kernel32.dll 7C809B74 0372 VirtualFree
100270A8 kernel32.dll 7C809AE1 036F VirtualAlloc
100270AC kernel32.dll 7C835EA7 0261 MoveFileA
100270B0 kernel32.dll 7C835DE2 01CC GetTempPathA
100270B4 kernel32.dll 7C861807 01CA GetTempFileNameA
100270B8 kernel32.dll 7C812B6E 01DF GetVersionExA
100270BC kernel32.dll 7C80BB31 03AE lstrcmpi
100270C0 kernel32.dll 7C8309D1 0278 OpenProcess
100270C4 kernel32.dll 7C830BAB 01F0 GlobalDeleteAtom
100270C8 kernel32.dll 7C8360DB 01F1 GlobalFindAtomA
100270CC kernel32.dll 7C8360C1 01EC GlobalAddAtomA
100270D0 kernel32.dll 7C85AC7C 027F OutputDebugStringA
100270D4 kernel32.dll 7C80FDBD 01EE GlobalAlloc
100270D8 kernel32.dll 7C80FCBF 01F5 GlobalFree
100270DC kernel32.dll 7C8325D4 0254 LocalSize
100270E0 kernel32.dll 7C809A1D 024B LocalAlloc
100270E4 kernel32.dll 7C830917 0252 LocalReAlloc
100270E8 kernel32.dll 7C81CAFA 00B7 ExitProcess
100270EC kernel32.dll 7C901000 0097 EnterCriticalSection
100270F0 kernel32.dll 7C9010E0 0244 LeaveCriticalSection
100270F4 kernel32.dll 7C91135A 0080 DeleteCriticalSection
100270F8 kernel32.dll 7C809F81 0219 InitializeCriticalSection
100270FC kernel32.dll 7C8099BF 024F LocalFree
10027100 kernel32.dll 7C80A164 0383 WideCharToMultiByte
10027104 kernel32.dll 7C809E91 0228 IsBadReadPtr
10027108 kernel32.dll 7C8286D6 0040 CopyFileA
1002710C kernel32.dll 7C831EC5 0082 DeleteFileA
10027110 kernel32.dll 7C80E9CF 005D CreateMutexA
10027114 kernel32.dll 7C8024B7 02B4 ReleaseMutex
10027118 kernel32.dll 7C821794 0048 CreateDirectoryA
1002711C kernel32.dll 7C814F7A 01BA GetSystemDirectoryA
10027120 kernel32.dll 7C82134B 01E9 GetWindowsDirectoryA
10027124 kernel32.dll 7C90FE01 0169 GetLastError
10027128 kernel32.dll 7C80B55F 0175 GetModuleFileNameA
1002712C kernel32.dll 7C8106C7 006D CreateThread
10027130 kernel32.dll 7C80236B 0063 CreateProcessA
10027134 kernel32.dll 7C801A28 0050 CreateFileA
10027138 kernel32.dll 7C810B07 015C GetFileSize
1002713C kernel32.dll 7C801812 02A7 ReadFile
10027140 kernel32.dll 7C80BE91 03B1 lstrcpy
10027144 kernel32.dll 7C834D59 03A8 lstrcat
10027148 kernel32.dll 7C8101A1 03B4 lstrcpyn
1002714C kernel32.dll 7C80BE46 03B7 lstrlen
10027150 kernel32.dll 7C802446 0343 Sleep
10027154 kernel32.dll 7C809C88 0268 MultiByteToWideChar
10027158 kernel32.dll 7C8097F6 0221 InterlockedIncrement
1002715C kernel32.dll 7C80980A 021D InterlockedDecrement
10027160 kernel32.dll 7C90FE10 02C2 RestoreLastError
10027164 kernel32.dll 7C801AD4 0375 VirtualProtect
10027168 kernel32.dll 7C80DE85 013C GetCurrentProcess
1002716C kernel32.dll 7C80AC6E 00F1 FreeLibrary
10027170 kernel32.dll 7C80AE30 0199 GetProcAddress
10027174 kernel32.dll 7C801D7B 0245 LoadLibraryA
10027178 kernel32.dll 7C80B731 0177 GetModuleHandleA
1002717C kernel32.dll 7C830D64 03AB lstrcmp
10027180 kernel32.dll 7C80932E 01D5 GetTickCount
10027184 kernel32.dll 7C809BD7 0032 CloseHandle
10027188 kernel32.dll 7C81CB23 034C TerminateThread
1002718C kernel32.dll 7C810E17 0390 WriteFile
10027190 kernel32.dll 7C801E1A 034B TerminateProcess
10027198 DLL:MSVCRT.dll FirstThunkRVA:27198
DLL Name Address Ordinal API Name
10027198 MSVCRT.dll 77C623D8 00B7 _adjust_fdiv
1002719C MSVCRT.dll 77C2C407 02D9 malloc
100271A0 MSVCRT.dll 77C39D67 013C _initterm
100271A4 MSVCRT.dll 77C34DF8 01B5 _onexit
100271A8 MSVCRT.dll 77C34E51 006C __dllonexit
100271AC MSVCRT.dll 77C2C0C3 0288 calloc
100271B0 MSVCRT.dll 77C4FA30 0119 _ftol
100271B4 MSVCRT.dll 77C4D1C0 02E5 pow
100271B8 MSVCRT.dll 77C47660 02FF strchr
100271BC MSVCRT.dll 77C47BE0 030B strrchr
100271C0 MSVCRT.dll 77C41B72 02FD sscanf
100271C4 MSVCRT.dll 77C4139C 02AA fseek
100271C8 MSVCRT.dll 77C41574 02AC ftell
100271CC MSVCRT.dll 77C40BB1 029A fgets
100271D0 MSVCRT.dll 77C46320 01FB _strlwr
100271D4 MSVCRT.dll 77C3F010 029F fopen
100271D8 MSVCRT.dll 77C411FB 02A5 fread
100271DC MSVCRT.dll 77C40AB1 0294 fclose
100271E0 MSVCRT.dll 77C4173B 02AE fwrite
100271E4 MSVCRT.dll 77C36D02 02B2 getenv
100271E8 MSVCRT.dll 77C1CF90 0284 atof
100271EC MSVCRT.dll 77C315E8 017D _mbclen
100271F0 MSVCRT.dll 77C31E1D 0193 _mbsnbcmp
100271F4 MSVCRT.dll 77C30C6B 0150 _ismbcdigit
100271F8 MSVCRT.dll 77C3FE49 0324 vsprintf
100271FC MSVCRT.dll 77C32903 01A5 _mbsrchr
10027200 MSVCRT.dll 77C32BB0 01AA _mbsstr
10027204 MSVCRT.dll 77C21868 0010 ??1type_info@@UAE@XZ
10027208 MSVCRT.dll 77C31C3E 018F _mbsinc
1002720C MSVCRT.dll 77C317FF 0186 _mbschr
10027210 MSVCRT.dll 77C472B0 02E0 memmove
10027214 MSVCRT.dll 77C2C21B 02A6 free
10027218 MSVCRT.dll 77C2C437 02EF realloc
1002721C MSVCRT.dll 77C1BE7B 0286 atol
10027220 MSVCRT.dll 77C47A50 0308 strncmp
10027224 MSVCRT.dll 77C31881 0187 _mbscmp
10027228 MSVCRT.dll 77C47A90 0309 strncpy
1002722C MSVCRT.dll 77C4AECF 0318 time
10027230 MSVCRT.dll 77C371BC 02FC srand
10027234 MSVCRT.dll 77C371D3 02EE rand
10027238 MSVCRT.dll 77C3F931 02FA sprintf
1002723C MSVCRT.dll 77C31CBA 0191 _mbslwr
10027240 MSVCRT.dll 77C1BF18 0285 atoi
10027244 MSVCRT.dll 77C36BD0 027D abs
10027248 MSVCRT.dll 77C478A0 0306 strlen
1002724C MSVCRT.dll 77C3FA76 01E3 _snprintf
10027250 MSVCRT.dll 77C35F0D 01C2 _purecall
10027254 MSVCRT.dll 77C46EB0 02DE memcmp
10027258 MSVCRT.dll 77C47730 0300 strcmp
1002725C MSVCRT.dll 77C35C94 00EE _except_handler3
10027260 MSVCRT.dll 77C46030 0189 _mbscpy
10027264 MSVCRT.dll 77C46040 0185 _mbscat
10027268 MSVCRT.dll 77C46F70 02DF memcpy
1002726C MSVCRT.dll 77C47C60 030D strstr
10027270 MSVCRT.dll 77C29CC5 0011 ??2@YAPAXI@Z
10027274 MSVCRT.dll 77C47FCC 032E wcslen
10027278 MSVCRT.dll 77C29CDD 0012 ??3@YAXPAX@Z
1002727C MSVCRT.dll 77C226F6 0049 _CxxThrowException
10027280 MSVCRT.dll 77C3EC4B 0102 _fileno
10027284 MSVCRT.dll 77C2D8E2 0100 _filelength
10027288 MSVCRT.dll 77C1C222 0174 _ltoa
1002728C MSVCRT.dll 77C46665 0205 _strupr
10027290 MSVCRT.dll 77C4624E 01F5 _strcmpi
10027294 MSVCRT.dll 77C1C1F3 0161 _itoa
10027298 MSVCRT.dll 77C475F0 02E1 memset
100272A0 DLL:OLEAUT32.dll FirstThunkRVA:272A0
DLL Name Address Ordinal API Name
100272A0 OLEAUT32.dll 77124880 0006 SysFreeString
100272A4 OLEAUT32.dll 771248F0 0009 VariantClear
100272A8 OLEAUT32.dll 77124BA2 0002 SysAllocString
100272AC OLEAUT32.dll 77124C35 0096 SysAllocStringByteLen
100272B0 OLEAUT32.dll 77124C1B 0007 SysStringLen
100272B4 OLEAUT32.dll 77124950 0008 VariantInit
100272B8 OLEAUT32.dll 77124CFD 000A VariantCopy
100272BC OLEAUT32.dll 77126BBB 000C VariantChangeType
100272C0 OLEAUT32.dll 77124B39 0004 SysAllocStringLen
100272C8 DLL:SHELL32.dll FirstThunkRVA:272C8
DLL Name Address Ordinal API Name
100272C8 SHELL32.dll 7CA24909 0113 SHChangeNotify
100272CC SHELL32.dll 7CA221D6 016D Shell_NotifyIcon
100272D0 SHELL32.dll 7CA41150 0167 ShellExecuteA
100272D8 DLL:SHLWAPI.dll FirstThunkRVA:272D8
DLL Name Address Ordinal API Name
100272D8 SHLWAPI.dll 77FA4980 033B StrTrimA
100272E0 DLL:TAPI32.dll FirstThunkRVA:272E0
DLL Name Address Ordinal API Name
100272E0 TAPI32.dll 76EBFF3D 008C lineInitialize
100272E4 TAPI32.dll 76EBA378 0095 lineNegotiateAPIVersion
100272E8 TAPI32.dll 76EBA600 0098 lineOpenA
100272EC TAPI32.dll 76EB9765 0078 lineGetNewCalls
100272F0 TAPI32.dll 76EB874C 005F lineGetCallInfoA
100272F4 TAPI32.dll 76EC013F 00D1 lineShutdown
100272FC DLL:USER32.dll FirstThunkRVA:272FC
DLL Name Address Ordinal API Name
100272FC USER32.dll 7E4242ED 0258 SetForegroundWindow
10027300 USER32.dll 7E42AF56 0293 ShowWindow
10027304 USER32.dll 7E42D1D2 010F GetDesktopWindow
10027308 USER32.dll 7E42E4A9 0061 CreateWindowExA
1002730C USER32.dll 7E418A80 017C GetWindowThreadProcessId
10027310 USER32.dll 7E42AAFD 0200 PostMessageA
10027314 USER32.dll 7E431211 028B SetWindowsHookExA
10027318 USER32.dll 7E46670B 0276 SetSystemCursor
1002731C USER32.dll 7E42DC14 004A CopyImage
10027320 USER32.dll 7E41DE72 0049 CopyIcon
10027324 USER32.dll 7E42D33E 01B8 LoadCursorA
10027328 USER32.dll 7E42F25B 0164 GetTopWindow
1002732C USER32.dll 7E455F7F 0045 CloseWindow
10027330 USER32.dll 7E419689 01EB MsgWaitForMultipleObjects
10027334 USER32.dll 7E43C972 0254 SetDlgItemTextA
10027338 USER32.dll 7E46B05E 0114 GetDlgItemTextA
1002733C USER32.dll 7E429313 01AC IsWindow
10027340 USER32.dll 7E42C7F9 0267 SetParent
10027344 USER32.dll 7E418F9C 015E GetSystemMetrics
10027348 USER32.dll 7E42436E 0112 GetDlgItem
1002734C USER32.dll 7E4290B4 0175 GetWindowRect
10027350 USER32.dll 7E42E8F6 01BC LoadIconA
10027354 USER32.dll 7E42F3C2 023C SendMessageA
10027358 USER32.dll 7E43B144 009F DialogBoxParamA
1002735C USER32.dll 7E424A4E 00C7 EndDialog
10027360 USER32.dll 7E41945D 016F GetWindowLongA
10027364 USER32.dll 7E42C29D 0281 SetWindowLongA
10027368 USER32.dll 7E42B29E 01EA MoveWindow
1002736C USER32.dll 7E42A340 01FE PeekMessageA
10027370 USER32.dll 7E418BF6 02AB TranslateMessage
10027374 USER32.dll 7E429849 00C5 EnableWindow
10027378 USER32.dll 7E42F56B 0287 SetWindowTextA
1002737C USER32.dll 7E43E940 00B6 DrawFrameControl
10027380 USER32.dll 7E43216B 0178 GetWindowTextA
10027384 USER32.dll 7E43C702 00BD DrawTextA
10027388 USER32.dll 7E42908E 0100 GetClientRect
1002738C USER32.dll 7E429C2F 00E3 FillRect
10027390 USER32.dll 7E428717 0027 CharLowerA
10027394 USER32.dll 7E4196B8 00A2 DispatchMessageA
10027398 USER32.dll 7E41AE3F 0036 CharUpperBuffA
1002739C USER32.dll 7E42B222 015D GetSystemMenu
100273A0 USER32.dll 7E42D2C4 00C3 EnableMenuItem
100273A4 USER32.dll 7E44F69C 00B9 DrawMenuBar
100273A8 USER32.dll 7E418C2E 027B SetTimer
100273AC USER32.dll 7E418C42 01B3 KillTimer
100273B0 USER32.dll 7E429823 0118 GetForegroundWindow
100273B4 USER32.dll 7E4507EA 01DD MessageBoxA
100273B8 USER32.dll 7E428845 0028 CharLowerBuffA
100273BC USER32.dll 7E4299F3 0284 SetWindowPos
100273C0 USER32.dll 7E42772B 013B GetMessageA
100273C4 USER32.dll 7E42B3C6 001B CallNextHookEx
100273C8 USER32.dll 7E42F45F 00FD GetClassNameA
100273CC USER32.dll 7E42A5AE 00DF EnumWindows
100273D0 USER32.dll 7E42D5F3 02AF UnhookWindowsHookEx
100273D4 USER32.dll 7E4282E1 00E4 FindWindowA
100273DC DLL:WININET.dll FirstThunkRVA:273DC
DLL Name Address Ordinal API Name
100273DC WININET.dll 771D5C4E 00F6 InternetGetConnectedState
100273E0 WININET.dll 771D1AF9 00B5 GetUrlCacheEntryInfoA
100273E4 WININET.dll 771C33BE 00DA InternetCanonicalizeUrlA
100273EC DLL:iphlpapi.dll FirstThunkRVA:273EC
DLL Name Address Ordinal API Name
100273EC iphlpapi.dll 76D663EF 0029 GetIfEntry
100273F0 iphlpapi.dll 76D66051 001C GetAdaptersInfo
100273F8 DLL:ole32.dll FirstThunkRVA:273F8
DLL Name Address Ordinal API Name
100273F8 ole32.dll 77556EC6 0047 CoMarshalInterThreadInterfaceInStream
100273FC ole32.dll 774FEE46 006A CoUninitialize
10027400 ole32.dll 7750057E 0012 CoCreateInstance
10027404 ole32.dll 77517E90 0051 CoRegisterClassObject
10027408 ole32.dll 7752A2F3 005D CoRevokeClassObject
1002740C ole32.dll 77502A53 003C CoInitialize
10027410 ole32.dll 77556DD6 002F CoGetInterfaceAndReleaseStream
10027418 DLL:urlmon.dll FirstThunkRVA:27418
DLL Name Address Ordinal API Name
10027418 urlmon.dll 7E1ED381 0081 CreateURLMoniker
1002741C urlmon.dll 7E23BED5 00B0 URLOpenBlockingStreamA
OllyDump -- Calculating New File Size...
New Import Section Size:1400 New File Size:44E00
OllyDump -- Making New Import Table...
OllyDump -- Dump and Rebuild Finish!!

End of session
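The memcpy triples in the log above are the signature of a manual PE loader: one copy of the headers to the image base, then one copy per section to ImageBase + VirtualAddress, with n taken from the section table. As an added example (not code from the thread, and not the malware's own loader), here is a Python script that parses a PE32 and replays that mapping as a list of (dest, src, n) triples, the same values a logging breakpoint on memcpy prints, and then builds the in-memory image. The PE it maps is constructed inline; its section names, sizes and 0x10000000 image base are made up, and only the header layout comes from the PE format itself. One difference to note: the stage in this thread copies e_lfanew + SizeOfHeaders bytes for the first copy, while the example copies SizeOfHeaders, which is what the headers actually occupy.

```python
"""Replay an in-memory PE load as a plan of (dest, src, n) memcpy triples.

Added example, not code from the thread. Headers go to ImageBase, then each
section's raw bytes go to ImageBase + VirtualAddress. The sample PE below is
constructed inline for the demonstration.
"""
import struct

SECTION_HDR = struct.Struct("<8sIIIIIIHHI")   # IMAGE_SECTION_HEADER, 40 bytes


def build_sample_pe(image_base=0x10000000):
    """Construct a minimal, well-formed PE32 with .text and .data (constructed sample)."""
    file_align, sect_align = 0x200, 0x1000
    e_lfanew = 0x40
    size_of_headers, size_of_image = 0x200, 0x3000
    # name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, payload
    sections = [
        (b".text", 0x10, 0x1000, 0x200, 0x200, b"\xC3" * 0x10),   # ret-only code
        (b".data", 0x08, 0x2000, 0x200, 0x400, b"DIALER\0\0"),
    ]
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # IMAGE_FILE_HEADER: i386, 2 sections, SizeOfOptionalHeader 0xE0, EXE|32BIT
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)               # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)             # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, image_base)         # ImageBase
    struct.pack_into("<I", opt, 32, sect_align)         # SectionAlignment
    struct.pack_into("<I", opt, 36, file_align)         # FileAlignment
    struct.pack_into("<I", opt, 56, size_of_image)      # SizeOfImage
    struct.pack_into("<I", opt, 60, size_of_headers)    # SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)                 # NumberOfRvaAndSizes
    hdrs = bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt)
    for name, vsize, va, rawsize, rawptr, _ in sections:
        hdrs += SECTION_HDR.pack(name.ljust(8, b"\0"), vsize, va, rawsize, rawptr,
                                 0, 0, 0, 0, 0x60000020)
    data = bytearray(size_of_headers + len(sections) * file_align)   # 0x600 bytes
    data[:len(hdrs)] = hdrs
    for _, _, _, _, rawptr, payload in sections:
        data[rawptr:rawptr + len(payload)] = payload
    return bytes(data)


def map_image(data):
    """Parse a PE32 and map it like the stage does.

    Returns (image_base, entry_rva, copies, image) where copies is the list of
    (dest, src, n) a memcpy logging breakpoint would show.
    """
    if data[:2] != b"MZ":
        raise ValueError("missing MZ")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    size_opt = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("not a PE32 optional header")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    base = struct.unpack_from("<I", data, opt + 28)[0]
    size_of_image = struct.unpack_from("<I", data, opt + 56)[0]
    size_of_headers = struct.unpack_from("<I", data, opt + 60)[0]

    copies = [(base, 0, size_of_headers)]                 # headers first
    sect_off = opt + size_opt
    for i in range(num_sections):
        _, _, va, rawsize, rawptr = SECTION_HDR.unpack_from(data, sect_off + i * 40)[:5]
        if rawsize:                                        # .bss-style sections copy nothing
            copies.append((base + va, rawptr, rawsize))

    image = bytearray(size_of_image)
    for dest, src, n in copies:
        rva = dest - base
        if rva + n > size_of_image or src + n > len(data):
            raise ValueError("copy outside image or file: dest=%#x src=%#x n=%#x" % (dest, src, n))
        image[rva:rva + n] = data[src:src + n]
    return base, entry_rva, copies, bytes(image)


if __name__ == "__main__":
    base, entry, copies, image = map_image(build_sample_pe())
    for dest, src, n in copies:
        print("memcpy dest=%08X src=%08X n=%X" % (dest, src, n))
    print("entry point at %08X" % (base + entry))
```

Feed map_image() a dumped stage instead of build_sample_pe() and compare its plan with what Olly logs. The image it returns is in section-aligned memory layout, so to load it as a file the sections' PointerToRawData fields have to be set to their VirtualAddress values (the kind of fix-up a dumper's rebuild option does); a truncated dump shows up as a ValueError on the copy that runs off the end of the data.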


Kayaker
February 17th, 2013, 16:15

Good old Olly logging. The dll you attached is actually created by a completely distinct EXE file (attached, "infected") which overwrites the original PE memory space during that first decrypted layer.

At .data:42279D of the original decrypted code, it calls the EP of the memory PE file you see logged at 4019C8. Your traps to memcpy are directly from that memory PE file, after it further decrypts an embedded dll into memory, i.e. the one at 40136C:

Code:

:00401350                 call    ds:VirtualAlloc
:00401356                 mov     [ebp+Dst], eax
:00401359                 mov     eax, [ebp+Src]
:0040135C                 mov     eax, [eax+IMAGE_DOS_HEADER.e_lfanew]
:0040135F                 mov     ecx, [ebp+PEHeader]
:00401362                 add     eax, [ecx+IMAGE_NT_HEADERS.OptionalHeader.SizeOfHeaders]
:00401365                 push    eax             ; Size
:00401366                 push    [ebp+Src]       ; Src
:00401369                 push    [ebp+Dst]       ; Dst
:0040136C                 call    memcpy

Also attached is an IDC file which will decrypt that first layer, resolve it as code and create a function out of it. You should see a new proc in the Functions window at 42026C.  Tracing this section will create the attached PE file.  I don't really see the UPX or any unpacker analogy here.

For general interest here is the IDC file, simply because it shows the silly decryption algorithm that first layer uses. Does anyone see any rationale with that algo, or is it just a bunch of random SHR/SHL/NOT sequences dreamed up during a drug-induced stupor by some skiddie?



Code:

#include <idc.idc>

// Decryption IDC for first encrypted section in malware
// http://www.woodmann.com/forum/showthread.php?15108-Help-unpacking-old-malware-Malware-attached

/* As per The IDA Pro Book:
IDA uses signed comparisons, which means that the right-shift operator (>>)
always performs an arithmetic shift (SAR instead of SHR)

If you require logical right shifts, you must implement them
yourself by masking off the top bit of the result, as shown here:

result = (x >> 1) & 0x7fffffff; // set most significant bit to zero
*/

// Therefore, we can make our own SHR replacement
static SHR(x, n)
{
   auto i;

   for (i=0; i<n; i++)
   {
      x = x >> 1;
      x = x & 0x7FFFFFFF;
   }
   return x;
}

static decryptdword(dword)
{
    auto decdword;
    auto x1, x2, x3, x4, x5, x6, x7, x8, x9, x10, x11, x12, x13, x14, x15;
    auto x16, x17, x18, x19, x20, x21, x22, x23, x24, x25, x26, x27, x28;

    // individual algorithm elements extracted from decryption loop,
    // with instruction addresses and result example from first time through loop

    x1 = SHR(dword, 0x1B) | (dword << 0x05);    // 401106 - 401112  // 0xEC21860B
    x2 = SHR(x1, 0x15) | (x1 << 0x0B);          // 401117 - 40111F  // 0x0C305F61
    x3 = (~ x2) + 1;                            // 40115E, 401178   // 0xF3CFA09F
    x4 = (x3 << 0x1B) | SHR(x3, 5);             // 40118E - 401196  // 0xFF9E7D04
    x5 = ~(x4 + 2);                             // 4011C2, 4011DA   // 0x006182F9
    x6 = SHR(x5, 0x13) | (x5 << 0x0D);          // 4011F1 - 4011F9  // 0x305F200C
    x7 = SHR(x6, 0x19) | (x6 << 0x07);          // 401210 - 401218  // 0x2F900618
    x8 = ~(x7) + 1;                             // 40122F, 401246   // 0xD06FF9E8
    x9 = SHR(x8, 0x1B) | (x8 << 0x05);          // 40128C - 401294  // 0x0DFF3D1A
    x10 = (x9 << 0x14) | SHR(x9, 0x0C);         // 4012AD - 4012B3  // 0xD1A0DFF3
    x11 = (x10 << 0x1D) | SHR(x10, 0x03);       // 4012CC - 4012D2  // 0x7A341BFE
    x12 = (x11 << 0x16) | SHR(x11, 0x0A);       // 401319 - 40131F  // 0xFF9E8D06
    x13 = SHR(x12, 0x1C) | (x12 << 0x04);       // 401338 - 40133E  // 0xF9E8D06F
    x14 = ~((x13 + 1) + 3);                     // 401383, 4013ED, 401402   // 0x06172F8C
    x15 = (x14 << 0x1C) | SHR(x14, 0x04);       // 401416 - 40141E  // 0xC06172F8
    x16 = ~(x15);                               // 40142F, 401434   // 0x3F9E8D07
    x17 = (x16 << 0x18) | SHR(x16, 0x08);       // 401448 - 401450  // 0x073F9E8D
    x18 = (x17 << 0x1B) | SHR(x17, 0x05);       // 401464 - 40146C  // 0x6839FCF4
    x19 = ~((x18 + 1) + 1);                     // 401480, 4014BD, 4014D5   // 0x97C60309
    x20 = SHR(x19, 0x17) | (x19 << 0x09);       // 4014EE - 4014F6  // 0x8C06132F
    x21 = SHR(x20, 0x14) | (x20 << 0x0C);       // 401510 - 401518  // 0x6132F8C0
    x22 = SHR(x21, 0x1D) | (x21 << 0x03);       // 401534 - 40153A  // 0x0997C603
    x23 = ~(x22 + 1);                           // 401554, 40156F   // 0xF66839FB
    x24 = (x23 << 0x1F) | SHR(x23, 0x01);       // 40158B - 401590  // 0xFB341CFD
    x25 = ~(x24);                               // 4015A4, 4015AC   // 0x04CBE302
    x26 = SHR(x25, 0x16) | (x25 << 0x0A);       // 4015C6 - 4015D0  // 0x2F8C0813
    x27 = ~(x26) + 1;                           // 4015E8, 401602   // 0xD073F7ED
    x28 = SHR(x27, 0x1E) | (x27 << 0x02);       // 401650 - 401658  // 0x41CFDFB7

    decdword = x28;

    return decdword;
}

static main()
{
    auto startdecrypt, size, enddecrypt, ea, x, entrycall;

    startdecrypt = 0x41FE54;
    size = 0x0A5A * 4;                          // dword size replacement
    enddecrypt = (startdecrypt + size);         // = 0x4227BC

    ea = startdecrypt;

    Message("\nDecrypting... \n");

    while (ea < enddecrypt)
    {
        Message("%x \n", ea);
        x = Dword(ea);                          // fetch the dword
        x = decryptdword(x);                    // decrypt it
        PatchDword(ea, x);                      // put it back
        ea = ea + 4;
    }

    // Analyze decrypted code and make function

    Message("\nResolving code... \n");

    entrycall = 0x42026c;   // where code calls to after decryption

    MakeUnknown (entrycall, (enddecrypt-entrycall), DOUNK_EXPAND);

    ea = entrycall;

    while(ea < enddecrypt)
    {
        MakeCode(ea);
        Message("ea %x \n", ea);
        ea = ItemEnd(ea);
    }

    MakeFunction(entrycall, enddecrypt);

    Message("...Done \n");
}
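Every SHR(x, 32-n) | (x << n) pair in the IDC above is a plain 32-bit rotate, so the 28 steps are nothing but rotates, NOT, two's-complement NEG and ~(x + k), all mod 2^32, and every one of them is invertible. The script below is an added example, a Python port of that routine and not code from the thread; it is written against the step list in the IDC, and the one input value it tests with (0x5F610C30) is derived by rotating the listed first-step result 0xEC21860B back right by 5, not read from the sample itself. Because each step has an exact inverse it also re-encrypts, which is handy if you want to patch the decrypted layer and put it back in the original form.

```python
"""Python port of the first-layer decryption in Kayaker's IDC script.

Added example, not code from the thread. Each SHR(x, 32-n) | (x << n) pair
in the IDC is a 32-bit rotate, so the 28 steps reduce to rotates, NOT,
two's-complement NEG and ~(x + k), all mod 2^32. Every step is invertible,
so the inverse (re-encryption) comes for free.
"""
import struct

MASK = 0xFFFFFFFF

# (op, k): one entry per x1..x28 in the IDC listing, in order.
STEPS = [
    ("rotl", 5), ("rotl", 11), ("neg", 0), ("rotr", 5), ("add_not", 2),
    ("rotl", 13), ("rotl", 7), ("neg", 0), ("rotl", 5), ("rotr", 12),
    ("rotr", 3), ("rotr", 10), ("rotl", 4), ("add_not", 4), ("rotr", 4),
    ("not", 0), ("rotr", 8), ("rotr", 5), ("add_not", 2), ("rotl", 9),
    ("rotl", 12), ("rotl", 3), ("add_not", 1), ("rotr", 1), ("not", 0),
    ("rotl", 10), ("neg", 0), ("rotl", 2),
]


def rotl(x, n):
    """32-bit rotate left; this is what SHR(x, 32-n) | (x << n) computes."""
    n %= 32
    return ((x << n) | (x >> (32 - n))) & MASK


def apply_step(x, op, k):
    if op == "rotl":
        return rotl(x, k)
    if op == "rotr":
        return rotl(x, 32 - k)
    if op == "neg":                      # (~x) + 1
        return (-x) & MASK
    if op == "not":
        return (~x) & MASK
    if op == "add_not":                  # ~(x + k); the IDC writes these as ~((x+1)+3) etc.
        return (~(x + k)) & MASK
    raise ValueError(op)


def undo_step(x, op, k):
    """Inverse of apply_step: rotates flip direction, NEG and NOT are involutions."""
    if op == "rotl":
        return rotl(x, 32 - k)
    if op == "rotr":
        return rotl(x, k)
    if op == "add_not":                  # y = ~(x + k)  ->  x = ~y - k
        return (((~x) & MASK) - k) & MASK
    return apply_step(x, op, k)


def trace(dword):
    """The 28 intermediate values x1..x28 for one encrypted dword."""
    out = []
    for op, k in STEPS:
        dword = apply_step(dword, op, k)
        out.append(dword)
    return out


def decrypt_dword(dword):
    return trace(dword)[-1]


def encrypt_dword(dword):
    for op, k in reversed(STEPS):
        dword = undo_step(dword, op, k)
    return dword


def decrypt_buffer(blob):
    """Little-endian dword stream, the way the IDC main loop walks from StartDecrypt."""
    if len(blob) % 4:
        raise ValueError("buffer is not dword-aligned")
    n = len(blob) // 4
    words = struct.unpack("<%dI" % n, blob)
    return struct.pack("<%dI" % n, *(decrypt_dword(w) for w in words))


def encrypt_buffer(blob):
    if len(blob) % 4:
        raise ValueError("buffer is not dword-aligned")
    n = len(blob) // 4
    words = struct.unpack("<%dI" % n, blob)
    return struct.pack("<%dI" % n, *(encrypt_dword(w) for w in words))


if __name__ == "__main__":
    # 0x5F610C30 is the listed first-step result 0xEC21860B rotated back right by 5.
    for i, v in enumerate(trace(0x5F610C30), 1):
        print("x%-2d = %08X" % (i, v))
```

trace() prints the same x1..x28 column that the IDC comments record, so it doubles as a check that the step table was transcribed correctly; decrypt_buffer() applied to the 0xA5A dwords at 0x41FE54 does what the IDC main loop does, outside IDA.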


reverser
February 17th, 2013, 16:54
Quote:
Originally Posted by Kayaker: Tracing this section will create the attached PE file. I don't really see the UPX or any unpacker analogy here.

This is because it's not the final stage yet. It again decrypts a payload DLL and calls an export ("sds"). Here's the final DLL, I unpacked it with upx -d without issues and IDA loads it just fine.


JimmerRobber
February 19th, 2013, 17:58
Thanks all for the help! I've been working (slowly) through this. I have a couple of questions that I hope you all could please help me out with. After doing some research about packing (LoadLibrary, GetProcAddress, etc.) and reading Kayaker's post I tried to set the breakpoint in IDA on GetProcAddress but it's not listed in the import section. I now understand how that function is called by dereferencing through the PE data structures to find its address within the kernel32.dll file (mov eax,fs:[30h], mov eax,[eax+0ch], etc.). I was able to set a breakpoint in OllyDbg -> Search for -> Names in all modules -> LoadLibrary(), GetProcAddress(), etc. Is there a way to accomplish this in IDA since LoadLibrary() and GetProcAddress() are not listed in the imports section? Once I figured out in IDA how GetProcAddress was called I set a breakpoint on that address so I could see what function GetProcAddress was returning an address for. I've been googling and can't seem to find out how to do that in IDA. I'm also looking through the unofficial IDA Pro book that I have.

I'm able to step into function_0042026C and have IDA create a function of it and the rest of the code that goes along with it. My question is, is this the section that is packed with UPX? Also, how would one know that? I'm just wondering because every time I've run into UPX stuff the .UPX "tag" is present in the disassembly. I've tried to dump this section in IDA using the x86emu dump option to see if I could uncompress it using the UPX utility. I've stepped into that function in OllyDbg and dumped the process as well. But I haven't had success with either approach.

Looking at the OllyDbg logs that blabberer posted, I understand why a breakpoint would be set when memcpy is called, but what is the significance of the first breakpoint at 004019C8? As of yet I haven't made my way through to the end of the code starting at 0042026C. I imagine that there is more unpacking to do because at the point I'm at there is still nothing at that address. Also, blabberer posted "to be on upx oep after popad"; I'm not sure how to get to that point. From the research I've done (on manually unpacking), the address that will be popped off the stack will be the OEP. So I've set a few breakpoints on popad but can't get an address that gets me to what seems like the OEP.

Thanks again for all the help. I'm doing research to learn as I try to work my way through this. Any help is greatly appreciated.

blabberer
February 19th, 2013, 20:53
Code:

the binaries ep is at 401700

glancing at the disassembly and evaluating the expression with
command line plugin you can simply deduce that ecx would be 401000

00401732 |. FFD1 CALL ECX ; ? 3f3727 + 0d8d9 = 401000

all other instructions are waste

now you use ctrl+g goto 401000
just seeing so much register flipping you can deduce that this might be a boring obfuscation

plainly look for exit from this crap

first ja goes to 40109b
and ollydbg will show a small arrow on 401077

if you select it
you can immediately see
ECX=00401000 (Malware.00401000)
Jump from 0040169B

so only place to jump here is at 40169b

if you follow you will see if it is true you have to enter a call and then exit process

and another small arrow on 4016ae coming from 4010c7

scroll down and select each conditional jump and unconditional jump none of them goes beyond 4016ae

so 4016ae is the exit

that means we would enter the call

004016D9 |. FF55 EC CALL DWORD PTR SS:[EBP-14]

yes set a hwbp and f9
004016D9 |. FF55 EC CALL DWORD PTR SS:[EBP-14] ; Malware.0042026C

we see again the same bs pattern of register flips

and if you scroll around you notice 420681 as an exit from several places
0042067A /EB 05 JMP SHORT Malware.00420681
00420636 /EB 49 JMP SHORT Malware.00420681
00420584 /0F83 F7000000 JNB Malware.00420681

so we would probably enter the indirect call below 420681 here
00420740 FF55 DC CALL DWORD PTR SS:[EBP-24]

setting a bp and f9 we see it is load lib

00420740 FF55 DC CALL DWORD PTR SS:[EBP-24] ; kernel32.LoadLibraryA

scrolling down we see [ebp-ec] resolved to GetProcAddress

004207DE FF95 14FFFFFF CALL DWORD PTR SS:[EBP-EC] ; kernel32.GetProcAddress

and scrolling down we see the first unresolved is at [ebp-f0]

00420E41 FF95 10FFFFFF CALL DWORD PTR SS:[EBP-F0]

right click follow in dump memory address
0012FDD0 FFFFFFFF

or alt+f1 and evaluate
Log data, item 0
Message=[ebp - 0f0] = ffffffff

looking around the disassembly we see
00420D21 FF95 14FFFFFF CALL DWORD PTR SS:[EBP-EC] ; kernel32.GetProcAddress
00420D27 8985 10FFFFFF MOV DWORD PTR SS:[EBP-F0],EAX


so some api is called here

set a conditional logging bp on kernel32!GetProcAddress with no pause and log args

shift+f4

you see all these apis are resolved

Log data
Address Message
[ebp - 0f0] = ffffffff
7C80AE30 CALL to GetProcAddress from Malware.004207DE
hModule = 7C800000 (kernel32)
ProcNameOrOrdinal = "ExitProcess"
7C80AE30 CALL to GetProcAddress from Malware.00420899
hModule = 7C800000 (kernel32)
ProcNameOrOrdinal = "VirtualAlloc"
7C80AE30 CALL to GetProcAddress from Malware.00420903
hModule = 7C800000 (kernel32)
ProcNameOrOrdinal = "VirtualProtect"
7C80AE30 CALL to GetProcAddress from Malware.0042094E
hModule = 7C800000 (kernel32)
ProcNameOrOrdinal = "VirtualFree"
7C80AE30 CALL to GetProcAddress from Malware.004209CA
hModule = 7C800000 (kernel32)
ProcNameOrOrdinal = "lstrcmp"
7C80AE30 CALL to GetProcAddress from Malware.00420A5D
hModule = 7C800000 (kernel32)
ProcNameOrOrdinal = "GetVersionExA"
7C80AE30 CALL to GetProcAddress from Malware.00420ABD
hModule = 7C800000 (kernel32)
ProcNameOrOrdinal = "lstrlen"
7C80AE30 CALL to GetProcAddress from Malware.00420B23
hModule = 7C800000 (kernel32)
ProcNameOrOrdinal = "lstrcatA"
7C80AE30 CALL to GetProcAddress from Malware.00420C2A
hModule = 7E410000 (USER32)
ProcNameOrOrdinal = "MessageBoxA"
00420D21 Breakpoint at Malware.00420D21
7C80AE30 CALL to GetProcAddress from Malware.00420D21
hModule = 77C10000 (MSVCRT)
ProcNameOrOrdinal = "memcpy"


so memcpy is going to be called several times

00420D27 8985 10FFFFFF MOV DWORD PTR SS:[EBP-F0],EAX ; MSVCRT.memcpy

if you want you can set a shift+f4 log bp on msvcrt!memcpy to log the args

skip all further memcpy and set a bp on the first conditional at 4210eb

if you had set a log you will see memcpy done

Log data
Address Message
77C46F70 CALL to memcpy from Malware.00420E41
dest = 0012FCA8
src = Malware.0041FE58
n = A9 (169.)
77C46F70 CALL to memcpy from Malware.00420E7E
dest = 0012FBA4
src = Malware.0041FF01
n = F3 (243.)
77C46F70 CALL to memcpy from Malware.00420EBB
dest = 0012FA9C
src = Malware.0041FFF4
n = EB (235.)
77C46F70 CALL to memcpy from Malware.00420EF9
dest = 0012F994
src = Malware.004200DF
n = B9 (185.)
77C46F70 CALL to memcpy from Malware.00420F21
dest = 0012FCA4
src = Malware.00420254
n = 4
77C46F70 CALL to memcpy from Malware.00420F49
dest = 0012FDA8
src = Malware.00420258
n = 4
77C46F70 CALL to memcpy from Malware.00420F71
dest = 0012F98C
src = Malware.0042025C
n = 8
77C46F70 CALL to memcpy from Malware.00420F99
dest = 0012FA94
src = Malware.00420264

now the next calls are protected by exitprocess, so we can safely skip them; if we exitprocess we messed up long, long before, not now,
and need to restart

the next unknown is at

004212B9 FF95 B0FAFFFF CALL DWORD PTR SS:[EBP-550]

Log data
Address Message
77C46F70 CALL to memcpy from Malware.00421175
dest = 0012F928
src = 0012F918
n = 8
77C46F70 CALL to memcpy from Malware.004211DA
dest = 0012F968
src = 0012F920
n = 8
7C80AE30 CALL to GetProcAddress from Malware.0042122B
hModule = 77C10000 (MSVCRT)
ProcNameOrOrdinal = "log"
7C80AE30 CALL to GetProcAddress from Malware.00421281
hModule = 77C10000 (MSVCRT)
ProcNameOrOrdinal = "ceil"
004212B9 Breakpoint at Malware.004212B9

so some decryption using log is done; let it do its work, we will trap when it exits

004212B9 FF95 B0FAFFFF CALL DWORD PTR SS:[EBP-550] ; MSVCRT.log


n = 8
004210EB Breakpoint at Malware.004210EB

so it is now checking the signature of a pe file
00421993 81F9 4D5A0000 CMP ECX,5A4D MZ
00421999 /74 15 JE SHORT Malware.004219B0
0042199B |68 04000100 PUSH 10004
004219A0 |FF95 78FFFFFF CALL DWORD PTR SS:[EBP-88] Exit
004219A6 |B8 04000100 MOV EAX,10004
004219AB |E9 030E0000 JMP Malware.004227B3
004219B0 \8B95 20FAFFFF MOV EDX,DWORD PTR SS:[EBP-5E0]
004219B6 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
004219B9 0342 3C ADD EAX,DWORD PTR DS:[EDX+3C]
004219BC 8985 18FAFFFF MOV DWORD PTR SS:[EBP-5E8],EAX
004219C2 8B8D 18FAFFFF MOV ECX,DWORD PTR SS:[EBP-5E8]
004219C8 8139 50450000 CMP DWORD PTR DS:[ECX],4550 < PE
004219CE 74 15 JE SHORT Malware.004219E5
004219D0 68 05000100 PUSH 10005
004219D5 FF95 78FFFFFF CALL DWORD PTR SS:[EBP-88]

by now you should be clear that the next unknown must most probably be at

0042279D FF95 CCF7FFFF CALL DWORD PTR SS:[EBP-834]

Log data
Address Message
77C46F70 CALL to memcpy from Malware.004217AF
dest = Malware.004228F0
src = 003A0000
n = 1B000 (110592.)
004217B5 Breakpoint at Malware.004217B5
77C46F70 CALL to memcpy from Malware.00421A9B
dest = Malware.00400000
src = Malware.004228F0
n = 10F0 (4336.)
00421AA1 Breakpoint at Malware.00421AA1
77C46F70 CALL to memcpy from Malware.00421B99
dest = Malware.00401000
src = Malware.004238F0
n = 1000 (4096.)
77C46F70 CALL to memcpy from Malware.00421B99
dest = Malware.00402000
src = Malware.004248F0
n = 1000 (4096.)
77C46F70 CALL to memcpy from Malware.00421B99
dest = Malware.00403000
src = Malware.004258F0
n = 16000 (90112.)
77C46F70 CALL to memcpy from Malware.00421B99
dest = Malware.00419000
src = Malware.0043B8F0
n = 1000 (4096.)
77C46F70 CALL to memcpy from Malware.00421B99
dest = Malware.0041A000
src = Malware.0043C8F0
n = 1000 (4096.)
00421BA7 Breakpoint at Malware.00421BA7
7C80AE30 CALL to GetProcAddress from Malware.00422727
hModule = 77C10000 (MSVCRT)
ProcNameOrOrdinal = "__set_app_type"
0042272D Breakpoint at Malware.0042272D
7C80AE30 CALL to GetProcAddress from Malware.00422727
hModule = 77C10000 (MSVCRT)
ProcNameOrOrdinal = "_except_handler3"
7C80AE30 CALL to GetProcAddress from Malware.00422727
hModule = 77C10000 (MSVCRT)
ProcNameOrOrdinal = "__p__fmode"
7C80AE30 CALL to GetProcAddress from Malware.00422727
hModule = 77C10000 (MSVCRT)
ProcNameOrOrdinal = "_controlfp"
7C80AE30 CALL to GetProcAddress from Malware.00422727
hModule = 77C10000 (MSVCRT)
ProcNameOrOrdinal = "__p__commode"
7C80AE30 CALL to GetProcAddress from Malware.00422727
hModule = 77C10000 (MSVCRT)
ProcNameOrOrdinal = "_adjust_fdiv"
7C80AE30 CALL to GetProcAddress from Malware.00422727
hModule = 77C10000 (MSVCRT)
ProcNameOrOrdinal = "__setusermatherr"
7C80AE30 CALL to GetProcAddress from Malware.00422727
hModule = 77C10000 (MSVCRT)
ProcNameOrOrdinal = "_initterm"
7C80AE30 CALL to GetProcAddress from Malware.00422727
hModule = 77C10000 (MSVCRT)
ProcNameOrOrdinal = "__getmainargs"
7C80AE30 CALL to GetProcAddress from Malware.00422727
hModule = 77C10000 (MSVCRT)
ProcNameOrOrdinal = "_acmdln"
7C80AE30 CALL to GetProcAddress from Malware.00422727
hModule = 77C10000 (MSVCRT)
ProcNameOrOrdinal = "exit"
7C80AE30 CALL to GetProcAddress from Malware.00422727
hModule = 77C10000 (MSVCRT)
ProcNameOrOrdinal = "_XcptFilter"
7C80AE30 CALL to GetProcAddress from Malware.00422727
hModule = 77C10000 (MSVCRT)
ProcNameOrOrdinal = "_exit"
7C80AE30 CALL to GetProcAddress from Malware.00422727
hModule = 77C10000 (MSVCRT)
ProcNameOrOrdinal = "memcpy"
7C80AE30 CALL to GetProcAddress from Malware.00422727
hModule = 77C10000 (MSVCRT)
ProcNameOrOrdinal = "memset"
7C80AE30 CALL to GetProcAddress from Malware.00422727
hModule = 77C10000 (MSVCRT)
ProcNameOrOrdinal = "realloc"
7C80AE30 CALL to GetProcAddress from Malware.00422727
hModule = 77C10000 (MSVCRT)
ProcNameOrOrdinal = "_stricmp"
00422751 Breakpoint at Malware.00422751
7C80AE30 CALL to GetProcAddress from Malware.00422727
hModule = 7C800000 (kernel32)
ProcNameOrOrdinal = "GetModuleHandleA"
7C80AE30 CALL to GetProcAddress from Malware.00422727
hModule = 7C800000 (kernel32)
ProcNameOrOrdinal = "lstrlenA"
7C80AE30 CALL to GetProcAddress from Malware.00422727
hModule = 7C800000 (kernel32)
ProcNameOrOrdinal = "VirtualAlloc"
7C80AE30 CALL to GetProcAddress from Malware.00422727
hModule = 7C800000 (kernel32)
ProcNameOrOrdinal = "GetProcessHeap"
7C80AE30 CALL to GetProcAddress from Malware.00422727
hModule = 7C800000 (kernel32)
ProcNameOrOrdinal = "HeapAlloc"
7C80AE30 CALL to GetProcAddress from Malware.00422727
hModule = 7C800000 (kernel32)
ProcNameOrOrdinal = "IsBadReadPtr"
7C80AE30 CALL to GetProcAddress from Malware.00422727
hModule = 7C800000 (kernel32)
ProcNameOrOrdinal = "LoadLibraryA"
7C80AE30 CALL to GetProcAddress from Malware.00422727
hModule = 7C800000 (kernel32)
ProcNameOrOrdinal = "GetProcAddress"
7C80AE30 CALL to GetProcAddress from Malware.00422727
hModule = 7C800000 (kernel32)
ProcNameOrOrdinal = "VirtualFree"
7C80AE30 CALL to GetProcAddress from Malware.00422727
hModule = 7C800000 (kernel32)
ProcNameOrOrdinal = "VirtualProtect"
7C80AE30 CALL to GetProcAddress from Malware.00422727
hModule = 7C800000 (kernel32)
ProcNameOrOrdinal = "GetLastError"
7C80AE30 CALL to GetProcAddress from Malware.00422727
hModule = 7C800000 (kernel32)
ProcNameOrOrdinal = "GetStartupInfoA"
00422761 Breakpoint at Malware.00422761


that is why bp at 4019c8

0042279D FF95 CCF7FFFF CALL DWORD PTR SS:[EBP-834] ; Malware.004019C8

which is a WinMainCRTStartup of the newly written pe

so winmain is at

00401AF7 |. E8 A2F5FFFF CALL Malware.0040109E

and you can easily see a few other memcpy from 4019c2

and scrolling down you can identify that
4019a2 is where you will diverge with an unknown entity

Stack SS:[0012F550]=1004A090
004019A2 |. FF55 D8 CALL DWORD PTR SS:[EBP-28]

Log data, item 0
Message=[ebp - 028] = 1004a090
0012F550 1004A090 *

this is upx

1004A090 807C24 08 01 CMP BYTE PTR SS:[ESP+8],1
1004A095 0F85 E2010000 JNZ 1004A27D
1004A09B 60 PUSHAD

let's see the header
ctrl+g 10000000

Log data, item 0
Message=STRING [[1000003c] + 10000000 + 0f8] = UPX0

so scroll down to popad jmp oep

Log data, item 0
Address=10025D27
Message=Hardware breakpoint 3 at 10025D27

dump done

but as reverser posted you still have a third layer
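The logging breakpoints on GetProcAddress and memcpy used throughout the post leave a lot of "Log data" lines to read by hand. As an added example (not from the thread or the poster), here is a small parser for that OllyDbg log format that groups each call with its arguments, lists which APIs were resolved per module, and picks out the memcpy calls whose destination lies inside the module image, i.e. the copies that overwrite the PE in place. The sample log lines are constructed in the shape shown above, and the image bounds 0x400000..0x43E000 are an assumption taken from the addresses in the log.

```python
import re
# Constructed sample: OllyDbg "Log data" lines as produced by the logging
# breakpoints on GetProcAddress and memcpy described in the walkthrough above.
SAMPLE_LOG = """\
7C80AE30 CALL to GetProcAddress from Malware.004207DE
hModule = 7C800000 (kernel32)
ProcNameOrOrdinal = "ExitProcess"
00420D21 Breakpoint at Malware.00420D21
7C80AE30 CALL to GetProcAddress from Malware.00420D21
hModule = 77C10000 (MSVCRT)
ProcNameOrOrdinal = "memcpy"
77C46F70 CALL to memcpy from Malware.00420E41
dest = 0012FCA8
src = Malware.0041FE58
n = A9 (169.)
77C46F70 CALL to memcpy from Malware.00421A9B
dest = Malware.00400000
src = Malware.004228F0
n = 10F0 (4336.)
"""
CALL_RE = re.compile(r"^[0-9A-F]{8} CALL to (\w+) from \S+\.([0-9A-F]{8})$")
KV_RE = re.compile(r"^(\w+) = (.+)$")

def parse_olly_log(text):
    """Attach the 'key = value' lines to the preceding 'CALL to X from' line."""
    calls, cur = [], None
    for line in text.splitlines():
        if m := CALL_RE.match(line):
            cur = {"api": m.group(1), "site": int(m.group(2), 16)}
            calls.append(cur)
        elif cur is not None and (m := KV_RE.match(line)):
            cur[m.group(1)] = m.group(2)
        else:
            cur = None  # e.g. 'Breakpoint at ...' lines close the record
    return calls
def hexval(s):
    """'Malware.00400000' -> 0x400000, '10F0 (4336.)' -> 0x10F0, '4' -> 4."""
    return int(s.split()[0].split(".")[-1], 16)
def resolved_imports(calls):
    """Module name -> APIs resolved through GetProcAddress, in call order."""
    out = {}
    for c in (c for c in calls if c["api"] == "GetProcAddress"):
        mod = re.search(r"\((\w+)\)", c["hModule"]).group(1)
        out.setdefault(mod, []).append(c["ProcNameOrOrdinal"].strip('"'))
    return out

def image_writes(calls, base=0x400000, end=0x43E000):
    """memcpy calls landing inside the module image (bounds assumed from the
    log's addresses), i.e. the copies that overwrite the PE in place."""
    return [(c["site"], hexval(c["dest"]), hexval(c["n"])) for c in calls
            if c["api"] == "memcpy" and base <= hexval(c["dest"]) < end]
```

Paste the full log window into SAMPLE_LOG (or read it from a file) and the per-module import list is what a rebuilt import table for the dumped PE needs to contain.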