Log in

View Full Version : vbox & dead lock jmps...

haec_est
July 20th, 2002, 19:33
hi there,

i have a problem (erhm... many problems) with a vboxed proggy, Adobe GoLive 6, found
OEP and dumped, easy...

OEP : 0x0088b07a

iat start : 0x0090a000
iat len : 00002A28

but iat has something strange, there are a lot of "dead lock" jmps,
let me to do an example:

inside iat...

:dd 90a150 l 30
001B:0090A150 003633F0 00000000 0089A604 0089A4FC .36.............
001B:0090A160 0089A502 0089A514 0089A50E 0089A226 ............&...
001B:0090A170 0089A22C 0089A232 0089A238 0089A23E ,...2...8...>...

at 001B:0090A158 start all strange things

001B:0090A158 0089A604 ...

at address 89A604 we get :

:u 89a604 l 12
0008:0089a604 ff2558a19000 jmp [0090a158]
0008:0089a60a ff25aca29000 jmp [0090a2ac]
...

but [0090a158] = 0089A604 so it is same of 'jmp eip'...

The vbox version is 4.6.2 but i never see this shit in other vboxed programs; may be
a trick to defeat automatic iat rebuilding ??? so when u trace over the call the tracer lock,
no way other than terminate process ... useless since one can just skip all that shit !!!

...what i did was just to skip all that imports, but the dumped exe won't run, peraphs
has something to do whit the export table rebuilding... because GoLive import itself
as module ! and many other dll import it too...

i don't know !!!

any ideas ?


thanks,
NederMan
July 21st, 2002, 22:11
Wow! I've been sitting here all weekend looking at GoLive 6 trying to make heads or tails. Did a search and it looks like you've had the same issues.

(Anyone know why TRW2000 v1.22 causes a GPF in Windows ME when entering 'bpx kernel32!getprocaddress'?)

I also found OEP to be 88B07A, length 2A24. My dump failed, too. Tho, I'm doubfull about it using vBox 4.6.2. I'm not knowledgable enough about the files, but my vboxa.dll is 4.5.0.0 while the others in c:\progra~1\common\ claim to be 4.6.1.32. ('Course this could be what is commonly called 4.6.2... dunno.)

Funny thing is, I've tried bpx'ing on GetProcAddress, then 'p ret'ing 'til I see a CALL EDI (like +tsehp's vbox 4.5 essay described) and I can find this only on every other run.

Weird.

I'd like to hear if you or anyone else have learned anything new since your post. I'm stumped.

-NederMan
ramon
July 22nd, 2002, 01:40
Hello haec_est

I already done this one, with easy

the trick used by me was something very wierd

DLL injection, then the DLL made the funny part of replace
IAT redirection

I was unable to create a good IAT table with RV, but maybe it's possible... but with the DLL trick was very easy, because you can call the vbox function (API emulation - I thing it's the name) that redirect the program to the really API function. Just Stack manipulation

I notice that some IAT entries was dummies, but you can bypass
it in your DLL code

Just try it, for more info you can read tutorials for vbox
You should use ApiHooks from Elicz's for DLL injection

Good luck
Ramon
NederMan
July 23rd, 2002, 06:25
...though it was me that brought it up.

An answer to to myself about TRW2000 v1.22 causing a GPF on WinME doing a bpx on GetProcAddress. (I'm only publicly answering this 'cause I've seen others ask the same question.)

A: I don't know. However, v1.23 did the trick. No bsod's.

FYI.

-NederMan
ramon
July 23rd, 2002, 22:04
Can't help about TRW2000, I only used it one time, but got no problems.

About G*LIVE my first approach was based on +tsehp's vbox 4.5 essay, and most of the tricks works, incluiding the bpx GetProcAddress, for this target (G*LIVE 6 Trial) i need about 18 F12 to get the CALL EDI

Dumping throw no problems, for me at least!

The problem on this target is the IAT redirection. You can try RV or ImpREC but for both tools you got to many unresolved APIs

So you may consider to fallow my DLL trick:

ALGORITHM:

STEP 1:
Start VisualC++ and Build a simple console application with ApiHooks libs to be capable to create a remotethread and force some process to load specified DLL. This is called DLL Injection.

STEP 2:
Build a DLL that during DLL_PROCESS_ATTACH in DllMain
scan all .idata section (not sure what is the section, you could find easy)
of target process, in this case G*OLIVE app, then:

Push on stack RVA DWORD that points to vbox API emulator, ex:

IAT sample: viewing in SICE by typing DD (data window as DWORDs)

VBOXAPIS is the address of vbox API emulator

...:00BAAA80: VBOXAPIS 77E36547 VBOXAPIS VBOXAPIS 77B36141
...:00BAAA90: 77E36542 VBOXAPIS VBOXAPIS VBOXAPIS .... etc

Note that you cannot call VBOXAPIS function for APIs that are not redirected
as you see above there are some APIs that vbox don't redirect because performance and by default are resolved

Assuming 00BAAA80 as start of IAT

for ( DWORD Ptr = 00BAAA80; Ptr < 00BAAA80 + sizeof(.iData Section); Ptr+= sizeof(DWORD) )
{
if ( *Ptr == VBOXAPIS )
{
__asm
{
push Ptr
call VBOXAPIS
mov ebx, Ptr
mov [ebx], eax // EAX now contains real API address, replace bad IAT entry
}
}
}

Before the above *FOR* you should write assembler code to force VBOXAPIS function to return and not JMP EAX
it's very easy, just use some part of code not used and make a jump there, then type LEAVE and RET, use WriteProcessMemory for that. If you have troubles whith that I can post the code, but I need to search for
that on my computer(s)

The last part of DLL code is :

MessageBox(0, "IAT FIX completed. Now use Import REConstructor v1.3 to create new IAT table and paste it over target.", 0, 0);



Good luck
Ramon
NederMan
July 24th, 2002, 18:18
Ramon, thanks for the pointers. I'll try 'em out! I've been basing my attempts on what 4.3-4.5 tut's were available. Glad to hear I wasn't far off!

Regarding my earlier critique of whether this is protected by vbox 4.6.2 or 4.6.1.32, I was wrong: Clicking the vbox logo on the Try/Buy screen shows the version to be 4.6.2.

Which leads me to wonder: Has anyone fully investigated/documented 4.6.2's workings? Clearly it works a bit differently than 4.5.

-NederMan
haec_est
July 29th, 2002, 17:20
thanks ramon for interesting into this stuff,

i've tried to rebuild the iat like in tseph tutorial, (patching from sice) and than
locking the app with a "jmp eip" and rebuilt iat with revirgin (not too different
from what u suggest)...

start iat mangled entrys :
Code:


0010:0090A410 77E9AB59  77E8668C  77EA1270  77E930B0      Y..w.f.wp..w.0.w

0010:0090A420 024D0000  77E9098B  77E871E2  77E863F6      ..M....w.q.w.c.w

0010:0090A430 77E8745B  77E8FD48  77E8A84A  77E964A5      [t.wH..wJ..w.d.w 

...



at 0x024d0000 



0008:024d0000  e8c7e5b304          call      0700e5cc

0008:024d0005  1a21                sbb       ah,[ecx]



so look at 0x0700e5cc (VBOXAPIS) :



0008:0700e5cc  55                  push      ebp

0008:0700e5cd  8bec                mov       ebp,esp

0008:0700e5cf  83ec10              sub       esp,10

0008:0700e5d2  53                  push      ebx

0008:0700e5d3  8945fc              mov       [ebp-04],eax

0008:0700e5d6  895df8              mov       [ebp-08],ebx

0008:0700e5d9  894df4              mov       [ebp-0c],ecx

0008:0700e5dc  8955f0              mov       [ebp-10],edx

0008:0700e5df  8d45f0              lea       eax,[ebp-10]

0008:0700e5e2  50                  push      eax

0008:0700e5e3  8d45f4              lea       eax,[ebp-0c]

0008:0700e5e6  50                  push      eax

0008:0700e5e7  8d45f8              lea       eax,[ebp-08]

0008:0700e5ea  50                  push      eax

0008:0700e5eb  8d45fc              lea       eax,[ebp-04]

0008:0700e5ee  50                  push      eax

0008:0700e5ef  e812000000          call      0700e606

0008:0700e5f4  83c410              add       esp,10

0008:0700e5f7  8b45fc              mov       eax,[ebp-04]

0008:0700e5fa  8b5df8              mov       ebx,[ebp-08]

0008:0700e5fd  8b4df4              mov       ecx,[ebp-0c]

0008:0700e600  8b55f0              mov       edx,[ebp-10]

0008:0700e603  5b                  pop       ebx

0008:0700e604  c9                  leave

0008:0700e605  c3                  ret

at 0x700e5f4 eax contain correct api address, and with a simple "what eax"
we get the api resolved :

The value 77E9BF24 is (a) KERNEL32!GetTempPathA


so i patched that call to resolve all entrys (thanks tseph...)
Code:


001b:0700e57a  8b4504              mov       eax,[ebp+04]

001b:0700e57d  90                  nop

001b:0700e57e  8903                mov       [ebx],eax

001b:0700e580  83c304              add       ebx,04

001b:0700e583  8b03                mov       eax,[ebx]

001b:0700e585  90                  nop

001b:0700e586  663d0000            cmp       ax,0000

001b:0700e58a  7524                jnz       0700e5b0

001b:0700e58c  81fb28ca9000        cmp       ebx,0090ca28

001b:0700e592  742c                jz        0700e5c0

001b:0700e594  3d00000000          cmp       eax,00000000

001b:0700e599  7415                jz        0700e5b0

001b:0700e59b  90                  nop

001b:0700e59c  0505000000          add       eax,00000005

001b:0700e5a1  894504              mov       [ebp+04],eax

001b:0700e5a4  eb2c                jmp       0700e5d2

001b:0700e5a6  90                  nop

...

001b:0700e5af  90                  nop

001b:0700e5b0  894504              mov       [ebp+04],eax

001b:0700e5b3  eb15                jmp       0700e5ca

001b:0700e5b5  90                  nop

...

001b:0700e5bf  90                  nop

001b:0700e5c0  ebfe                jmp       0700e5c0                (JUMP )

001b:0700e5c2  90                  nop

...

001b:0700e5c9  90                  nop

001b:0700e5ca  ebae                jmp       0700e57a

001b:0700e5cc  90                  nop

...

001b:0700e5d1  90                  nop

001b:0700e5d2  53                  push      ebx

001b:0700e5d3  8945fc              mov       [ebp-04],eax

...

001b:0700e603  5b                  pop       ebx

001b:0700e604  ebc4                jmp       0700e5ca



the bad notice was it still crash, and the tricky api can't be GetMessageA
nor PeekMessageA because G***ve don't import user32.dll at all...


still thinking about...


NederMan : to get oep u can also bpx GetVersion and trace back...
ramon
July 29th, 2002, 17:57
Hi haec_est

I see that you are on the good way

Try doing this, run original G***VE and try "WHAT eax" where you rebuided EXE call crach, this can always help, then manually resolve API!

Good luck
Ramon
hobferret
August 5th, 2002, 13:39
HiYa I am a newbie but have been looking at golive5 which has some similar tricks! The IAT in ver5 from 40c000 to 40c1fc do exactly the same a reverse jump- but - it's looking for golive!_ordXXX at these addresses. Every time it crashed!!

It had me confused for a time but then I realised it it was really looking for golive? I would have to rename my dump to the original name, having renamed the exe the proggie ran perfectly!

Hope this may be of use to some of you guys
haec_est
August 5th, 2002, 18:27
...renaming the file as the original filename was the first
attempt after rebuilding, but it don't work (thanks
anyway hobferret )

it seems a MFC class related problem, like as a method
of the classes exported from 'module manager.module'
is not resolved.

the problem born into the "call SCL_1266", this should
return a valid class (?) pointer but in the unpacked proggy
it return 0x00

Code:


.text:10003DA0 crash           proc near               ; DATA XREF: .rdata:1000B25Co

.text:10003DA0

.text:10003DA0                 push    esi

.text:10003DA1                 mov     esi, ecx

.text:10003DA3                 call    SCL_1250

.text:10003DA8                 push    eax

.text:10003DA9                 call    SCL_1266

.text:10003DAE                 mov     ecx, [esi+30h]

.text:10003DB1                 add     esp, 4

.text:10003DB4                 mov     eax, [ecx]

.text:10003DB6                 call    dword ptr [eax+314h] ; -> 10005CA0   (CRASH eax=0x000000)

.text:10003DBC                 mov     edx, [esi]

.text:10003DBE                 mov     ecx, esi

.text:10003DC0                 call    dword ptr [edx+2B0h] ; -> 10003920

.text:10003DC6                 mov     eax, [esi]

.text:10003DC8                 mov     ecx, esi

.text:10003DCA                 call    dword ptr [eax+2D0h] ; -> 10004CB0

.text:10003DD0                 mov     edx, [esi]

.text:10003DD2                 mov     ecx, esi

.text:10003DD4                 call    dword ptr [edx+2ACh] ; -> 10003E00

.text:10003DDA                 mov     eax, [esi+34h]

.text:10003DDD                 push    'MMDH'

.text:10003DE2                 push    eax

.text:10003DE3                 push    esi

.text:10003DE4                 call    SCL_1173

.text:10003DE9                 add     esp, 0Ch

.text:10003DEC                 call    SCL_1267

.text:10003DF1                 pop     esi

.text:10003DF2                 retn

.text:10003DF2

.text:10003DF2 crash           endp



so i tryed to run the vb*xed proggy and looked for
eax values at addr 10003DB6, 10003DC0... (the ones
noted aside the dead listing) than tryed to force the
eax value, (obviously taking care of rebasing) but
it still crash inside that call


i'll try to understand where the problem is generated ...