
Exestealth 2.73 problem


thegeek
December 12th, 2003, 08:56
Hi, first of all I would just like to say that I am forever grateful to the creators and admins of this forum.

Now, to my problem. Lately I've been playing around with some unpacking, and I must confess that I am still very much inexperienced at this great art.
I would however like to learn, and thus I have been playing around with some really simple packers, like UPX. Just recently I came across an app packed with Exestealth 2.73; I was initially at a complete loss as to how to approach it.
After some research (Google) I managed to discover that the packer is more or less a complete rip of Yoda's Crypter.
With this information I proceeded to attempt unpacking, aided with a great howto by CoDe_InSiDe.
It is however for v. 1.1 of yoda's crypter, and I suspect that exestealth is based on 1.2.
In the howto the following code is mentioned:

Code:
xor al, al - al = 00
lea edi, [ebp+00401C84] - Point edi to the beginning of the Decryption Routine.
mov ecx, 0000063E - Move 0000063E in ecx
stosb - And remove...
loop 0040D69E - 1598 (63E) Bytes (He could also use "repz stosb".)
lea edi, [ebp+004022DE] - Point edi to the end of the Decryption Routine.
mov ecx, 000002E8 - Move 000002E8 in ecx
stosb - And remove...
loop 0040D6AC - 744 (2E8) Bytes (He could also use "repz stosb".)
popad - Pop all Registers back.
mov eax, FFFFFFFF - Move FFFFFFFF (It'll be the OEP) in eax.
push eax - Push eax onto the Stack.
jmp 0040D6B9 - Jump to 0040D6B9 (Skip the Junk Byte.)
Junk Byte (87)
ret - And go to the OEP.

I have successfully located this code and hopefully bypassed all the checks that are located earlier in the code.
However, in my target the code in question is different:
Code:
0048C7C7 32C0 XOR AL,AL
0048C7C9 8DBD B6274000 LEA EDI,DWORD PTR SS:[EBP+4027B6]
0048C7CF B9 35070000 MOV ECX,735
0048C7D4 AA STOS BYTE PTR ES:[EDI]
0048C7D5 ^E2 FD LOOPD SHORT winupdat.0048C7D4
0048C7D7 8DBD 482F4000 LEA EDI,DWORD PTR SS:[EBP+402F48]
0048C7DD B9 90050000 MOV ECX,590
0048C7E2 AA STOS BYTE PTR ES:[EDI]
0048C7E3 ^E2 FD LOOPD SHORT winupdat.0048C7E2
0048C7E5 61 POPAD
0048C7E6 50 PUSH EAX
0048C7E7 33C0 XOR EAX,EAX
0048C7E9 64:FF30 PUSH DWORD PTR FS:[EAX]
0048C7EC 64:8920 MOV DWORD PTR FS:[EAX],ESP
0048C7EF EB 01 JMP SHORT winupdat.0048C7F2
0048C7F1 8700 XCHG DWORD PTR DS:[EAX],EAX


As you can see there is no ret, and the code is a bit different.
I have tried inserting a ret, but the memory address is clearly just filled with junk.
What have I done wrong? Is this just some attempt to divert me?
I can monitor the memory area where I know the file will be unpacked, and then break there, but the code that writes it is seemingly unconnected to this part of the app.

Please, help a noob

The howto I have been following is MUP_Yoda's_Crypter_v1.1.zip.
A simple search on Google will immediately locate a place to download it.

naides
December 12th, 2003, 10:42
Code:
0048C7C7 32C0 XOR AL,AL
0048C7C9 8DBD B6274000 LEA EDI,DWORD PTR SS:[EBP+4027B6]
0048C7CF B9 35070000 MOV ECX,735
0048C7D4 AA STOS BYTE PTR ES:[EDI]
0048C7D5 ^E2 FD LOOPD SHORT winupdat.0048C7D4
0048C7D7 8DBD 482F4000 LEA EDI,DWORD PTR SS:[EBP+402F48]
0048C7DD B9 90050000 MOV ECX,590
0048C7E2 AA STOS BYTE PTR ES:[EDI]
0048C7E3 ^E2 FD LOOPD SHORT winupdat.0048C7E2
0048C7E5 61 POPAD
0048C7E6 50 PUSH EAX
0048C7E7 33C0 XOR EAX,EAX ; EAX is now 00
0048C7E9 64:FF30 PUSH DWORD PTR FS:[EAX] ; Sets a typical SEH frame
0048C7EC 64:8920 MOV DWORD PTR FS:[EAX],ESP ;
0048C7EF EB 01 JMP SHORT winupdat.0048C7F2 ; Jump to the middle of the next instruction.
0048C7F1 8700 XCHG DWORD PTR DS:[EAX],EAX ; Now the code reading frame is different.




I think the unconditional JMP at 48C7EF is the beginning of obfuscated code: the next instruction starts with the 00 byte after 87, while in Yoda's code it was C3 (ret).
I also suspect, but cannot tell for sure from the info you provide, that the protector sets up a SEH, further down this code raises an exception, and the SEH handler continues execution of the code at the OEP.
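Added example (editor's, not part of the thread, of CoDe_InSiDe's howto or of either packer): a decoder for just the handful of opcodes the two listings use, run over byte strings constructed from the opcode columns above. It shows the trick naides describes: a linear sweep decodes `87 00` as XCHG, while the JMP SHORT lands on the `00`, one byte inside that instruction, so the listing window is showing the wrong reading frame from there on. For the Yoda's Crypter 1.1 tail, where the howto gives the byte after the junk `87` as `C3`, following the jump recovers the RET that the sweep hides as `xchg ebx, eax`. It also totals the two `stosb`/`loop` wipes. The bytes after `0048C7F2` are not on the page, so the walk over the ExeStealth stub stops there rather than guessing.

```python
"""Tiny x86-32 decoder for the opcodes in the two stub listings above.
Added example for this thread; not code from the howto or from either packer.
It handles only the instruction forms the listings contain."""
import struct

REGS32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
REGS8 = ["al", "cl", "dl", "bl", "ah", "ch", "dh", "bh"]

# Constructed from the opcode column of the OllyDbg listing at 0048C7C7..0048C7F1.
STUB_BASE = 0x0048C7C7
STUB = bytes.fromhex(
    "32C0" "8DBDB6274000" "B935070000" "AA" "E2FD"   # xor al,al / lea edi,[ebp+4027B6] / mov ecx,735 / stosb / loop
    "8DBD482F4000" "B990050000" "AA" "E2FD"          # second wipe
    "61" "50" "33C0" "64FF30" "648920"               # popad / push eax / xor eax,eax / SEH frame
    "EB01" "8700"                                    # jmp +1 / junk 87, then the 00 that really starts the next insn
)
# Constructed from the howto's Yoda's Crypter 1.1 tail; base chosen so the jmp sits
# at 0040D6B6 and its target at 0040D6B9, as the howto quotes.
YODA_BASE = 0x0040D6B0
YODA_TAIL = bytes.fromhex("B8FFFFFFFF" "50" "EB01" "87" "C3")


def _modrm(code, i, regs=REGS32, seg=""):
    """ModRM at code[i] for the forms used here: reg,reg / [reg] / [reg+disp32]."""
    b = code[i]
    mod, reg, rm = b >> 6, (b >> 3) & 7, b & 7
    if mod == 3:
        return regs[reg], regs[rm], 1
    if mod == 0 and rm not in (4, 5):
        return regs[reg], f"{seg}[{REGS32[rm]}]", 1
    if mod == 2 and rm != 4:
        disp = struct.unpack_from("<i", code, i + 1)[0]
        return regs[reg], f"{seg}[{REGS32[rm]}{disp:+X}]", 5
    raise ValueError(f"ModRM {b:02X} at +{i:X} not handled")


def decode(code, i):
    """One instruction at code[i] -> (text, length, target_offset or None)."""
    start, seg = i, ""
    if code[i] == 0x64:                                 # FS segment-override prefix
        seg, i = "fs:", i + 1
    op = code[i]
    if op in (0x32, 0x33):                              # xor r8/r32, r/m
        reg, rm, n = _modrm(code, i + 1, REGS8 if op == 0x32 else REGS32, seg)
        return f"xor {reg}, {rm}", i + 1 + n - start, None
    if op in (0x87, 0x89, 0x8D, 0xFF):                  # xchg / mov / lea / push r/m32
        reg, rm, n = _modrm(code, i + 1, REGS32, seg)
        if op == 0xFF and reg != "esi":                 # reg field 6 selects push
            raise ValueError("only FF /6 (push r/m32) is handled")
        text = {0x87: f"xchg {rm}, {reg}", 0x89: f"mov {rm}, {reg}",
                0x8D: f"lea {reg}, {rm}", 0xFF: f"push dword {rm}"}[op]
        return text, i + 1 + n - start, None
    if 0xB8 <= op <= 0xBF:                              # mov r32, imm32
        imm = struct.unpack_from("<I", code, i + 1)[0]
        return f"mov {REGS32[op - 0xB8]}, {imm:X}", i + 5 - start, None
    if 0x50 <= op <= 0x57:
        return f"push {REGS32[op - 0x50]}", i + 1 - start, None
    if op in (0x61, 0xAA, 0xC3):
        return {0x61: "popad", 0xAA: "stosb", 0xC3: "ret"}[op], i + 1 - start, None
    if op in (0xE2, 0xEB):                              # loop rel8 / jmp short rel8
        rel = struct.unpack_from("<b", code, i + 1)[0]
        return ("loop" if op == 0xE2 else "jmp short"), i + 2 - start, i + 2 + rel
    raise ValueError(f"opcode {op:02X} at +{i:X} is not in this decoder")


def _sweep(code):
    insns, i = [], 0
    while i < len(code):
        text, n, tgt = decode(code, i)
        insns.append((i, n, text, tgt))
        i += n
    return insns


def _fmt(text, tgt, base):
    return text if tgt is None else f"{text} {base + tgt:08X}"


def linear_sweep(code, base):
    """Read straight through, the way a disassembler window does."""
    return [(base + off, _fmt(text, tgt, base)) for off, _, text, tgt in _sweep(code)]


def hidden_jump_targets(code, base):
    """Short jmps whose target is not a sweep instruction start: the window shows
    the wrong bytes after such a jump."""
    starts = {off for off, _, _, _ in _sweep(code)}
    return [(base + off, base + tgt) for off, _, text, tgt in _sweep(code)
            if text == "jmp short" and tgt not in starts]


def follow_flow(code, base):
    """Walk the path the CPU takes: take short jmps, fall out of loops, stop at
    ret or where the bytes leave the listing/opcode set."""
    out, i = [], 0
    while 0 <= i < len(code):
        try:
            text, n, tgt = decode(code, i)
        except (ValueError, IndexError):
            out.append((base + i, f"?? {code[i]:02X}: real instruction starts here, more bytes needed"))
            break
        out.append((base + i, _fmt(text, tgt, base)))
        if text == "ret":
            break
        i = tgt if text == "jmp short" else i + n
    return out


def cleared_regions(code):
    """(ebp-relative start, byte count) for each lea edi / mov ecx / stosb / loop
    wipe; stosb runs ecx times in total (once, then ecx-1 more via loop)."""
    regions, edi, ecx = [], None, None
    for _, _, text, _ in _sweep(code):
        if text.startswith("lea edi, [ebp+"):
            edi = int(text.split("+")[1].rstrip("]"), 16)
        elif text.startswith("mov ecx, "):
            ecx = int(text.split(", ")[1], 16)
        elif text == "stosb" and edi is not None and ecx is not None:
            regions.append((edi, ecx))
            edi = ecx = None
    return regions


if __name__ == "__main__":
    for base, code in ((STUB_BASE, STUB), (YODA_BASE, YODA_TAIL)):
        print("sweep :", *linear_sweep(code, base), sep="\n  ")
        print("hidden:", hidden_jump_targets(code, base))
        print("path  :", *follow_flow(code, base), sep="\n  ")
    print("wiped :", [(hex(a), hex(n)) for a, n in cleared_regions(STUB)])
```

Because EBP holds the stub's delta offset, the wipe addresses come out relative to EBP (4027B6 for 735h bytes, 402F48 for 590h bytes); add the value of EBP at that point in the debugger to get the real addresses. To see what the target really runs after 0048C7F2, dump the bytes from there and decode starting at that address, not from 0048C7F1.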

thegeek
December 12th, 2003, 11:28
Ah, thank you, that might be of some help.

lownoise
December 12th, 2003, 15:40
It's indeed what naides said. It's setting up a SEH frame, and when the code raises the exception it will continue at the OEP.
This packer is a nice example to learn the basics of unpacking a file; the code is good to follow. If you succeed in unpacking the file, maybe a nice project is to code an unpacker for it. I know there's a nice unpacker available for it (with MASM source code) that you can learn from.
Good luck

yaa
December 13th, 2003, 19:49
I've found an unpacker for ExeStealth 2.73 (by Smoke), but no source code is provided.

yaa

lownoise
December 14th, 2003, 08:20
Google is your best friend.
Search and you'll find the unpacker with MASM source code.

yaa
December 14th, 2003, 08:59
Google is always my friend ... it was my friend also yesterday, when I searched and did not find anything (apart from Smoke's source-less unpacker). Today I have found an unpacker for ExeStealth with source code, but it is for the 2.82 version.

yaa