Exestealth 2.73 problem [Archive] - RCE Messageboard's Regroupment

View Full Version : Exestealth 2.73 problem

thegeek

December 12th, 2003, 08:56

Hi, first of all I would just like to say that I am forever grateful to the creators and admins of this forum.

Now, to my problem. Lately I've been playing around with some unpacking, and I must confess that I am still very much inexperienced at this great art.
I would however like to learn, and thus I have been playing around with some really simple packers, like upx. Just recently I came across an app packed with Exestealth 2.73, i was initially at a complete loss of how to approach it.
After some research(google

) I managed to discover that the packer is more or less a complete rip of yodas crypter.
With this information I proceeded to attempt unpacking, aided with a great howto by CoDe_InSiDe.
It is however for v. 1.1 of yoda's crypter, and I suspect that exestealth is based on 1.2.
In the howto the following code is mentioned:

Code:

xor al, al				- al = 00  

lea edi, [ebp+00401C84]			- Point edi to the beginning of the Decryption Routine.  

mov ecx, 0000063E			- Move 0000063E in ecx

stosb					- And remove... 

loop 0040D69E				- 1598 (63E) Bytes (He could also use "repz stosb" .  

lea edi, [ebp+004022DE]			- Point edi to the end of the Decryption Routine.  

mov ecx, 000002E8			- Move 000002E8 in ecx  

stosb					- And remove...  

loop 0040D6AC				- 744 (2E8) Bytes (He could also use "repz stosb" .  

popad					- Pop all Registers back. 

mov eax, FFFFFFFF			- Move FFFFFFFF (It'll be the OEP) in eax.  

push eax				- Push eax onto the Stack. 

jmp 0040D6B9				- Jump to 0040D6B9 (Skip the Junk Byte .

Junk Byte (87) 

ret					- And go to the OEP.

I have successfully located this code, and hopefully bypassed all the checks that are located earlier in the code.
However
In my target, the code in question is different:

Code:

0048C7C7   32C0             XOR AL,AL  

0048C7C9   8DBD B6274000    LEA EDI,DWORD PTR SS:[EBP+4027B6]  

0048C7CF   B9 35070000      MOV ECX,735  

0048C7D4   AA               STOS BYTE PTR ES:[EDI]  

0048C7D5  ^E2 FD            LOOPD SHORT winupdat.0048C7D4  

0048C7D7   8DBD 482F4000    LEA EDI,DWORD PTR SS:[EBP+402F48]  

0048C7DD   B9 90050000      MOV ECX,590  

0048C7E2   AA               STOS BYTE PTR ES:[EDI]  

0048C7E3  ^E2 FD            LOOPD SHORT winupdat.0048C7E2  

0048C7E5   61               POPAD  

0048C7E6   50               PUSH EAX  

0048C7E7   33C0             XOR EAX,EAX  

0048C7E9   64:FF30          PUSH DWORD PTR FS:[EAX]  

0048C7EC   64:8920          MOV DWORD PTR FS:[EAX],ESP  

0048C7EF   EB 01            JMP SHORT winupdat.0048C7F2  

0048C7F1   8700             XCHG DWORD PTR DS:[EAX],EAX

As you can see there is no ret, and the code is a bit different.
I have tried inserting a ret, but the mem adress is clearly just filled with junk.
What have I done wrong, is this just some attempt to divert me?
I can monitor the memory area where I know the file will be unpacked, and then break there, but the code that writes it is seemingly unconnected to this part of the app.

Please, help a noob

The howto I have been following is : MUP_Yoda's_Crypter_v1.1.zip
A simple search on google will immediatly locate a location to download it

naides

December 12th, 2003, 10:42

Code:

0048C7C7   32C0             XOR AL,AL  

0048C7C9   8DBD B6274000    LEA EDI,DWORD PTR SS:[EBP+4027B6]  

0048C7CF   B9 35070000      MOV ECX,735  

0048C7D4   AA               STOS BYTE PTR ES:[EDI]  

0048C7D5  ^E2 FD            LOOPD SHORT winupdat.0048C7D4  

0048C7D7   8DBD 482F4000    LEA EDI,DWORD PTR SS:[EBP+402F48]  

0048C7DD   B9 90050000      MOV ECX,590  

0048C7E2   AA               STOS BYTE PTR ES:[EDI]  

0048C7E3  ^E2 FD            LOOPD SHORT winupdat.0048C7E2  

0048C7E5   61               POPAD  

0048C7E6   50               PUSH EAX  

0048C7E7   33C0             XOR EAX,EAX  ; EAX is now  00

0048C7E9   64:FF30          PUSH DWORD PTR FS:[EAX]  ; Sets a typical SEH frame

0048C7EC   64:8920          MOV DWORD PTR FS:[EAX],ESP ;

0048C7EF   EB 01            JMP SHORT winupdat.0048C7F2;  Jump to the middle  of next isntruction.

0048C7F1   8700             XCHG DWORD PTR DS:[EAX],EAX ; now the code reading frame is different.

I think the unconditional JMPS at 48C7EF is the beginging of obfuscated code: The next instruction starts with the 00 byte after 87, while in Yoda's code, it was C3 (ret).
I also suspect, but cannot tell for sure from the Info you provide, that the protector sets up a SEH, further down this code raises an exception, and the SEHandler continues the Execution of the code at the OEP.

thegeek

December 12th, 2003, 11:28

ah, thank you, that might be of some help

lownoise

December 12th, 2003, 15:40

It's indeed what naides said. It's setting up a SEH frame and when the code raises the exception it will continue at the OEP.
This packer is a nice example to learn the basic of unpacking a file. the code is good to follow. If you success in unpacking the file maybe a nice protect is to code a unpacker for it. I know there's a nice unpacker available for it (with masm sourcecode) where you can learn from.
Good luck

yaa

December 13th, 2003, 19:49

I've found an unpacker for ExeStealth 2.73 (by Smoke) but no source code is provider

yaa

lownoise

December 14th, 2003, 08:20

Google is you best friend

search and you'll find the unpacker with masm sourcecode

yaa

December 14th, 2003, 08:59

Google is always my friend ... it was my friend also yesterday when I search and did not find anything (apart Smoke's source-less unpacker). Today I have found an unpacker for ExeStealth with source code but it is for the 2.82 version.

yaa