Unpacking question


BoredTC
April 29th, 2006, 18:23
Hi all,

Let's get straight to the point:
I've read a whole bunch of tutorials about the unpacking subject.
And I ran into a problem.
I wanted to unpack this program, and PEiD told me it was UPXed.
So the first thing I did was try to unpack it with UPX, but no luck, that was too easy. :doh:
So it must be a modified UPXed app?
Next I opened the app in OllyDbg and used a pre-made script to find the app's
OEP, but I just don't trust the script, so if anyone could explain the step-by-step basics or link me to a step-by-step tutorial, or tell me what I'm doing wrong,
that would be well appreciated!

P.S. Sorry for the poor English, but you'll understand, ..... right?


Thanks in Advance


BoredTC

LLXX
April 29th, 2006, 20:17
Are you sure it's UPX? The entry point begins with a PUSHAD. Scroll down and you'll see a POPAD and a JMP to OEP followed by padding nulls if it really is UPX.

Breakpoint on the JMP, run, hit the JMP once and you'll be at OEP. Dump and restore imports, and it's done.

BoredTC
April 29th, 2006, 20:57
Hi there,

Thanks for the quick reply, btw.
I did it exactly like you explained, tried to restore the imports with
"Import REConstructor" and it told me:
Code:
Analysing process...
Module loaded: c:\windows\system32\ntdll.dll
Module loaded: c:\windows\system32\kernel32.dll
Module loaded: c:\windows\system32\user32.dll
Module loaded: c:\windows\system32\gdi32.dll
Module loaded: c:\windows\system32\advapi32.dll
Module loaded: c:\windows\system32\rpcrt4.dll
Module loaded: c:\windows\system32\oleaut32.dll
Module loaded: c:\windows\system32\msvcrt.dll
Module loaded: c:\windows\system32\ole32.dll
Module loaded: c:\windows\system32\version.dll
Module loaded: c:\windows\system32\olepro32.dll
Module loaded: c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll
Module loaded: c:\windows\system32\shlwapi.dll
Module loaded: c:\windows\system32\imm32.dll
Module loaded: c:\windows\system32\winspool.drv
Module loaded: c:\windows\system32\shell32.dll
Module loaded: c:\windows\system32\comdlg32.dll
Module loaded: c:\windows\system32\wsock32.dll
Module loaded: c:\windows\system32\ws2_32.dll
Module loaded: c:\windows\system32\ws2help.dll
Module loaded: c:\windows\system32\winmm.dll
Module loaded: c:\windows\system32\crypt32.dll
Module loaded: c:\windows\system32\msasn1.dll
Module loaded: c:\windows\system32\uxtheme.dll
Module loaded: c:\windows\system32\msctf.dll
Module loaded: c:\windows\system32\ctagent.dll
Module loaded: c:\windows\system32\msimg32.dll
Module loaded: c:\windows\system32\setupapi.dll
Module loaded: c:\program files\powerarchiver\unrar3.dll
Module loaded: c:\program files\powerarchiver\cabinet.dll
Module loaded: c:\program files\powerarchiver\paiso.dll
Module loaded: c:\program files\powerarchiver\dunzips32.dll
Module loaded: c:\program files\powerarchiver\dzips32.dll
Module loaded: c:\windows\system32\mscms.dll
Module loaded: c:\windows\system32\apphelp.dll
Module loaded: c:\windows\system32\clbcatq.dll
Module loaded: c:\windows\system32\comres.dll
Module loaded: c:\windows\system32\cscui.dll
Module loaded: c:\windows\system32\cscdll.dll
Module loaded: c:\windows\system32\wbocx.ocx
Module loaded: c:\windows\system32\mfc42.dll
* No export for module: c:\windows\system32\mfc42loc.dll
Getting associated modules done.
Image Base:00400000 Size:0082C000
Original IAT RVA found at: 007F20EC in Section RVA: 007F2000 Size:00039000
IAT read successfully.
---------------------------------------------------------------------------------------------------------------------------
Current imports:
0 (decimal:0) valid module(s)
0 (decimal:0) imported function(s).

Any ideas?

Thanks in advance!!!

BoredTC

PS: The packed entry point doesn't start with PUSHAD.

naides
April 29th, 2006, 22:52
PEiD is quite useful but far from perfect. It may NOT be UPX despite what PEiD says.

BoredTC
April 29th, 2006, 22:57
And how will I know for sure?
How can I see the real encryption format?

Thanks in advance

BoredTC

OHPen
April 29th, 2006, 23:44
Hi,

you won't recognize the packer/protector until you've done lots of targets.
For example, if you've done two or three PECompact apps you will recognize them in a millisecond when you see one. The same with all other packers/protectors.
You have to get more experience.

As mentioned above, you can identify normal UPX by the POPAD and the jump to OEP. If this is present in your application you are probably dealing with UPX. If not, it can be anything....

Did you reach the OEP right now???

If yes, how do you know that this is the OEP?

What values did you use to reconstruct the imports with ImpREC?


In the end you should be able to answer all these questions on your own;
then this target is a big success for you. Unpacked or not.

Regards,

OHPen aka PAPiLLiON

PS: Try to be a little bit more detailed in future.

BoredTC
April 30th, 2006, 07:50
Quote:
As mentioned above, you can identify normal UPX by the POPAD and the jump to OEP. If this is present in your application you are probably dealing with UPX. If not, it can be anything....


Correct me if I'm wrong, but if the PUSHAD is present, not at the entry point of the packed app, but only present, I'm dealing with UPX.
And if the packed entry point doesn't start with PUSHAD, I'm dealing with a modified version of UPX? (because PUSHAD is present in my target, only it isn't the packed entry point)

Hearing from you,

BoredTC

PS: Thanks for the quick reply

OHPen
April 30th, 2006, 12:12
Lo again,

look at this code snippet:

Code:
004486DA . 09C0 OR EAX,EAX
004486DC . 74 07 JE SHORT ipscan.004486E5
004486DE . 8903 MOV DWORD PTR DS:[EBX],EAX
004486E0 . 83C3 04 ADD EBX,4
004486E3 .^EB D8 JMP SHORT ipscan.004486BD
004486E5 > FF96 30940400 CALL DWORD PTR DS:[ESI+49430]
004486EB > 61 POPAD
004486EC .-E9 C863FCFF JMP ipscan.0040EAB9
004486F1 00 DB 00
004486F2 00 DB 00
004486F3 00 DB 00

This, for example, is a standard UPX-packed application. Look at that POPAD followed by the jump to OEP.
Almost every UPX (standard, not scrambled ones) looks like this before it jumps to the OEP of the packed application.
So once you trace over that jump you are at the first instruction of the original application's code.

Looks like this for me:

Code:
0040EAB9 55 PUSH EBP
0040EABA 8BEC MOV EBP,ESP
0040EABC 6A FF PUSH -1
0040EABE 68 48BC4200 PUSH ipscan.0042BC48
0040EAC3 68 88DC4000 PUSH ipscan.0040DC88

If you do more targets you will soon identify this as a real OEP, but it depends on the coding language of the app.

After dumping you have to reconstruct the imports; in your case the best way to do this is with ImpREC. To get the offset of the OEP, subtract: VA[EP] - ImageBase == EAB9.

This value has to be entered in ImpREC.

Why the hell do I use this value?
Simple: because ImpREC starts searching the application mapped in memory at that point. So starting at the OEP's offset is almost always a good idea when you start unpacking.

Hope you understand better now.

Cheers,

PAPiLLiON
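
A small script for the two checks described in this thread (PUSHAD at the packed entry point; POPAD, JMP to OEP and null padding at the end of the UPX stub) and for the ImpREC value VA[EP] - ImageBase. This is an added example, not code from the thread; the byte buffer is transcribed from the listing above, the eight trailing nulls are an assumption, and the image base 0x00400000 is taken from the ImpREC log earlier in the thread.

```python
import struct

IMAGE_BASE = 0x00400000  # from the ImpREC log in the thread

# Constructed buffer: opcode bytes transcribed from the listing above,
# starting at VA 0x004486DA, followed by (assumed) UPX null padding.
UPX_TAIL_VA = 0x004486DA
UPX_TAIL = bytes.fromhex(
    "09C0"          # OR EAX,EAX
    "7407"          # JE SHORT 004486E5
    "8903"          # MOV DWORD PTR [EBX],EAX
    "83C304"        # ADD EBX,4
    "EBD8"          # JMP SHORT 004486BD
    "FF9630940400"  # CALL DWORD PTR [ESI+49430]
    "61"            # POPAD
    "E9C863FCFF"    # JMP 0040EAB9 (the jump to OEP)
) + b"\x00" * 8


def entry_starts_with_pushad(entry_bytes):
    """First test from the thread: a stock UPX stub begins with PUSHAD (0x60)."""
    return len(entry_bytes) > 0 and entry_bytes[0] == 0x60


def find_upx_oep_jump(code, code_va, min_padding=3):
    """Scan a code buffer for POPAD (61) + JMP rel32 (E9) followed by at
    least min_padding null bytes. Returns (jmp_va, oep_va) or None."""
    for i in range(len(code) - 6):
        if code[i] != 0x61 or code[i + 1] != 0xE9:
            continue
        if code[i + 6:i + 6 + min_padding] != b"\x00" * min_padding:
            continue
        rel = struct.unpack_from("<i", code, i + 2)[0]  # signed rel32
        jmp_va = code_va + i + 1
        return jmp_va, jmp_va + 5 + rel  # target = next instruction + rel
    return None


def imprec_oep_value(oep_va, image_base=IMAGE_BASE):
    """The OEP field ImpREC wants is an RVA: VA[EP] - ImageBase."""
    return oep_va - image_base


if __name__ == "__main__":
    hit = find_upx_oep_jump(UPX_TAIL, UPX_TAIL_VA)
    if hit is None:
        print("no POPAD/JMP/padding pattern: probably not stock UPX")
    else:
        jmp_va, oep_va = hit
        print("JMP at %08X -> OEP %08X, ImpREC OEP = %X"
              % (jmp_va, oep_va, imprec_oep_value(oep_va)))
```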

Admiral
April 30th, 2006, 19:55
I hope that's not a commercial target you've just inadvertently disemboweled in public, OHPen.

Admiral

LLXX
April 30th, 2006, 22:03
A most strange target indeed...

Appears to be Delphi-compiled and intact, but OEP is in a section with lots of obfuscated code followed by data that looks LZ-compressed.

Certainly not any UPX I've seen before...

BoredTC
May 1st, 2006, 07:52
Well, I think I'll just skip this one as it is so unclear.
I've never encountered an app like this one before.
But I'll thank you for all the info, I've learned a lot!!!

BoredTC

OHPen
May 1st, 2006, 10:48
@Admiral: Lol, thanks for the hint.

@LLXX: No, you are wrong, it's a normal target (Microsoft Visual C++ 6.0) in this case. Nothing strange for me while unpacking it in half a minute. Only two invalid references in ImpREC while rebuilding, not more...

@BoredTC: Cool that you learned something, I hope you will intensify your work in this topic.

Aloha,

PAPiLLiON

SiGiNT
May 1st, 2006, 11:55
Before you give up, try a little experiment: take a small executable that's not packed (I'd suggest notepad, but I think something else would be more real-world), then pack it with UPX and open it in Olly. Compare what you find with your target and note the differences. BTW, in the recent crackme posted by Zairon in the projects area, Bilbo describes a trick to fool packer detectors that can be fixed easily. Also you might want to try a few other packer detectors; RDG seems to be one of the better ones, but it's not always correct either.

SiGiNT

Js
May 1st, 2006, 17:38
If it's PowerArchiver, it's ExeCryptor.