Delphi App PEiD Entropy : 7.21 (Packed)


shadowcrack
June 25th, 2005, 21:22
Hi Everyone

My target was previously protected using
ASProtect 1.2 / 1.2c-> Alexey Solodovnikov.

I managed to unpack it with the help of some great tuts and OllyDbg,
i.e.
- I found the OEP
- fixed the invalids using ImpREC
- fixed the EP using LordPE

the program ran well.

But now I've realised that they have packed it with another packing program,
because I loaded PEiD v0.93 and it says "Nothing found *" in the main screen.
The RCDATA is still scrambled and compressed.

Also in PEiD's 'Extra Information' screen, the
Entropy entry says 7.21 (Packed)
EP Check: Not Packed
Fast Check: "Packed".

I read this url :
http://www.honeynet.org/scans/scan33/sols/7-Kostya_Kortchinsky/

and followed the instructions.
I stepped through the code using OllyDbg and looked at the trace window; I couldn't find anything suspicious and
it didn't throw any exceptions.


What other things can I try?

P.S. The target is most definitely written in Delphi.


thanks

Everyone

Woodmann
June 25th, 2005, 21:43
Howdy,

You say you have unpacked it and it ran well.
I don't understand. You are asking for information
that contradicts your post.
How does it work if it is still packed ??

Does it run or does it not run ????

-OBC-

Admiral
June 25th, 2005, 21:53
I think he's saying that it's double-packed and that he's only been able to remove the outer layer.

Woodmann
June 25th, 2005, 22:25
Errrrrrrrrrrrrrrrrrr....... OK, I guess.

If it is double packed, how did it "run well"?

-OBC-

SiGiNT
June 26th, 2005, 00:17
I have had problems with PEiD .93 - especially identifying ASProtect - try using ver 0.92 and see what it says, or there are a couple of others - none of which is as reliable as PEiD, PE-Scan etc.

SiGiNT

shadowcrack
June 26th, 2005, 01:20
Thanks guys for the quick response.
Yes, I meant double packed.

And the reason I said it "ran well": after I unpacked the first layer it ran without problems. This told me that the first unpacking was a success, otherwise an exception error on execution would have occurred.

Sigint, I tried 0.92 and it's the same thing as what PEiD 0.93 said.


But I did try PE-SCAN, and it told me that the second packed layer is
Signature heuristic
For a Pep - upx 0.8-1.23 20%
For a Sec2 - telock 0.98 33.33%

Although the percentages are quite low, I'm going to look into that as well, thanks for the tip.

Anyone else with other ideas of how I should approach this unknown packed program?

CoDe_InSiDe
June 26th, 2005, 05:13
Just trace from the Entry Point and look at what it's doing
If it executes "Protector/Packer" like code, then well, it's Protected/Packed

Regards,

CoDe_InSiDe

Polaris
June 26th, 2005, 05:38
Quote:
[Originally Posted by CoDe_InSiDe]Just trace from the Entry Point and look at what it's doing
If it executes "Protector/Packer" like code, then well, it's Protected/Packed

Regards,

CoDe_InSiDe


In fact, startup code for Delphi apps is quite standard... If the startup code for the application does not match it, well, the app is packed.

BTW, it is good to see a newcomer who searches and documents himself before asking for help.

marciano
June 27th, 2005, 12:18
Normally Delphi apps have high entropy (most times PEiD says "Maybe packed").
But I think 7.21 is too much for a standard Delphi application.
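As an added example (not code from the thread), this computes the Shannon entropy PEiD reports, in bits per byte on a 0 to 8 scale, for a whole buffer and per block, so a compressed or encrypted RCDATA blob stands out inside an otherwise ordinary image. The 7.0 block threshold and the sample buffer are constructed assumptions, not PEiD's own values.

```python
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 .. 8.0), the scale PEiD shows."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def high_entropy_blocks(data: bytes, block: int = 1024, threshold: float = 7.0) -> list:
    """Return (offset, entropy) for each block at or above the threshold.

    Deflated or encrypted regions (packed code, compressed resources) approach 8.0,
    while plain x86 code, text and DFM-style resources stay well below.
    The 7.0 threshold is an assumption for this example, not PEiD's rule.
    """
    hits = []
    for off in range(0, len(data), block):
        e = shannon_entropy(data[off:off + block])
        if e >= threshold:
            hits.append((off, round(e, 2)))
    return hits


# Constructed sample: 4 KiB of repetitive DFM-like text (low entropy) followed by
# 4 KiB that uses every byte value evenly, the profile of a deflated/encrypted blob.
SAMPLE = (b"object Form1: TForm1\r\n  Caption = 'Login'\r\n" * 100)[:4096] + bytes(range(256)) * 16

if __name__ == "__main__":
    print("whole buffer:", round(shannon_entropy(SAMPLE), 2))
    for off, e in high_entropy_blocks(SAMPLE):
        print(f"high-entropy block at 0x{off:04x}: {e}")
```

Running it over a real file with `open(path, "rb").read()` lists the offsets of the suspect regions; mapping those offsets back to section or resource boundaries tells you whether the whole image or only the resources are compressed.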

Tola
June 27th, 2005, 16:14
Has it crossed your mind that maybe the application is fully unpacked but some of its resources are compressed or encrypted? (Could be anything, from jpg images to mp3 sound files to custom data ;>) Try to find out what happens when these resources are loaded.

shadowcrack
June 27th, 2005, 16:34
Hi marciano and everyone,

Good observation regarding the 7.21. You were spot on, it was too much for a standard Delphi application.
I quickly compiled a simple Delphi 7 app, and PEiD came up with 6.55 (Maybe Packed) for the entropy entry.

I probably deserve the Bone Head award. When I first started, I loaded it up in Resource Hacker and saw that RCDATA was present and had names such as Form1, frmLogin, and that it was packed with ASProtect (using PEiD).

And when I unpacked the ASProtect layer, I was still seeing RCDATA with mangled data (and PE-Scan hinting at me it could be upx or telock etc.).

I started to get wacky ideas, that it may have been "application manifested" by Resource Tuner of some sort to upgrade it to XP themes, or thought that it may be using an advanced clever deterrent against ripping the DFM resources. I was dead wrong.

I did a quick search on Google using the first 30 characters inside one of the RCDATA entries, and it pointed me to a Screensaver SCR file on the internet. I searched Google for the string "com.ms.wfc.core ResourceReader".
I then used a hex editor and searched for "microsoft", and saw that it was using a JDBC connection. It was definitely not Delphi. After years using Delphi, I would never use JDBC unless I was using Java.

Earlier when I was tracing through with Olly, I saw it was deflating the packed resources with "com.ms.wfc.resourcereader" and streaming them to memory, but disregarded the idea that the target was unpacked.

Now cemented in my mind: RCDATA isn't restricted to Borland exes. I now know it can be a Microsoft Visual J++ executable that has an exe structure.

Summary
The application turned out to be Microsoft Visual J++.
RCDATA is not restricted to Borland products.
I've nominated myself for the Bone Head award.
This newbie exercise is complete. Mission accomplished.

thanks all
ShadowCrack