
EXECryptor (Latest version) dump fixing


rockdh
July 2nd, 2006, 10:06
How can I fix the dump of the latest EXECryptor?
I think I reached the OEP, as the dump I have here can be edited easily (like title and stuff).
But it does not run, since I need to fix it.
I tried ImpRec and the EXECryptor plugin, but the imports are still invalid.

What do I do?
If you need the dumped program, please let me know.

JMI
July 2nd, 2006, 12:44
Did you trace the dump to see where it is crashing? Did you check to see if they messed with the header? What did YOU do to try to solve your problem, as required by our Rules?

Post some code, with all identifying information about the target removed, as also required by our Rules, and someone might be able to confirm if you found the OEP. If you want to talk about the target with others who respond here, DO IT IN PM.

Regards,

rockdh
July 8th, 2006, 11:56
Here is some code:

Code:

7C935FBA 75 07 JNZ SHORT 7C935FC3
7C935FBC 66:837D D8 00 CMP WORD PTR SS:[EBP-28],0
7C935FC1 75 3E JNZ SHORT 7C936001
7C935FC3 8D45 DC LEA EAX,DWORD PTR SS:[EBP-24]
7C935FC6 8985 ACFEFFFF MOV DWORD PTR SS:[EBP-154],EAX
7C935FCC F645 E3 80 TEST BYTE PTR SS:[EBP-1D],80

USELESS CODE DELETED TO SAVE SPACE IN THE DATABASE

7C93636C 4E DEC ESI
7C93636D 54 PUSH ESP
7C93636E 286E 74 SUB BYTE PTR DS:[ESI+74],CH
7C936371 64:6C INS BYTE PTR ES:[EDI],DX ; I/O command
7C936373 6C INS BYTE PTR ES:[EDI],DX ; I/O command
7C936374 293A SUB DWORD PTR DS:[EDX],EDI


What do I do next?

deroko
July 8th, 2006, 12:36
disassembly of ntdll.dll isn't useful

SiGiNT
July 8th, 2006, 12:44
Damn, deroko,

You beat my post by about 10 seconds - a word of advice to our mutual friend trying to unpack Execryptor - if you don't know the difference between your target and a system DLL, I'd aim my sights a little lower and work up to Execryptor.

SiGiNT

LLXX
July 8th, 2006, 19:04
Quote:
[Originally Posted by sigint33]if you don't know the difference between your target and a system DLL, I'd aim my sights a little lower and work up to Execryptor.
LOL. As in going back to basic windows system architecture

JMI
July 8th, 2006, 20:07
There! I shortened up the eyesore a bit by putting it inside CODE brackets instead of QUOTE brackets.

Regards,

rockdh
July 8th, 2006, 20:33
7C93616A 85C0 TEST EAX,EAX
7C93616C 0F84 9F460000 JE 7C93A811
7C936172 66:834F 38 FF OR WORD PTR DS:[EDI+38],0FFFF
7C936177 66:834F 3A FF OR WORD PTR DS:[EDI+3A],0FFFF
7C93617C 8B75 F4 MOV ESI,DWORD PTR SS:[EBP-C]

MORE USELESS CODE DELETED TO SAVE SPACE IN THE DATABASE

7C936209 74 6C JE SHORT 7C936277
7C93620B 70 53 JO SHORT 7C936260
7C93620D 65:72 69 JB SHORT 7C936279 ; Superfluous prefix
7C936210 61 POPAD
7C936211 6C INS BYTE PTR ES:[EDI],DX ; I/O command



Sorry, I didn't even notice that I was in NTDLL.
The original file is 14.5 MB and my dump is 40.5 MB.

JMI
July 9th, 2006, 00:20
rockdh:

STOP POSTING LARGE BLOCKS OF CODE YOU HAVE "NO CLUE" WHAT THEY ARE!!!!!

Also when you post code you should use Code and /CODE, with the words surrounded by [ ], instead of QUOTE /QUOTE surrounded by brackets.

Regards,

Kayaker
July 9th, 2006, 01:05
Er, what are you using for a disassembler, Win32Dasm? Do yourself a favor and at least learn to use the IDA freeware version so you don't make erroneous guesses at instruction comments.

This disassembly is wrong:
Code:

7C9361E5 68 0862937C PUSH 7C936208 ; ASCII "RtlpSerializeHeap"
...
7C936204 C2 0400 RETN 4
7C936207 90 NOP

This is ASCII, not instructions:

7C936208 52 PUSH EDX
7C936209 74 6C JE SHORT 7C936277
7C93620B 70 53 JO SHORT 7C936260
7C93620D 65:72 69 JB SHORT 7C936279 ; Superfluous prefix
7C936210 61 POPAD
7C936211 6C INS BYTE PTR ES:[EDI],DX ; I/O command


This is *supposed* to disassemble to:
Code:

:7C9361E5 68 08 62 93 7C push offset aRtlpserializeh ; "RtlpSerializeHeap"
...
:7C936204 C2 04 00 retn 4
:7C936204 sub_7C9361D2 endp

:7C936207 90 align 4
:7C936208 52 74 6C 70 53 65+aRtlpserializeh db 'RtlpSerializeHeap',0

JMI
July 9th, 2006, 02:19
Hi Kayaker. Actually, my glasses weren't dirty. The Board froze on me for a moment and I could not get the Edit Button to work, so I hit Back on my browser to try to fix a spelling error. When I saved it again, it only showed me one copy of the Post, rather than the double Post.

Thanks for "cleaning up" for me.

Regards,

deroko
July 9th, 2006, 04:36
Quote:
[Originally Posted by rockdh]Sorry, I didn't even notice that I was in NTDLL.


You are still in ntdll. On XP, when you see base 7c9xxxxx or 7c8xxxxx, you know already that you are in ntdll or kernel32.

SiGiNT
July 9th, 2006, 10:19
Actually, if you see 8-digit addresses you are not in your target; you're in a system file of some sort (or an associated dll, ocx or other file). Just glance up to the top of your CPU window in Olly, it'll tell you what you are in. If it says "main" you're in memory (unpacked running code); you usually should be in the address range of 4XXXXX - 8XXXXX.

SiGiNT

rockdh
July 10th, 2006, 07:35
I think this code should do (it is from the entry point):

Code:
_8nuz96wg:02BFB7C1
_8nuz96wg:02BFB7C1
_8nuz96wg:02BFB7C1 public start
_8nuz96wg:02BFB7C1 start proc near
_8nuz96wg:02BFB7C1 push ebp
_8nuz96wg:02BFB7C2 pop ebx
_8nuz96wg:02BFB7C3 rol eax, 18h
_8nuz96wg:02BFB7C6 and [ecx+2Fh], cl
_8nuz96wg:02BFB7C9 add [ebx], edx
_8nuz96wg:02BFB7CB adc bh, ds:0A10CB81h
_8nuz96wg:02BFB7D1 inc ecx
_8nuz96wg:02BFB7D2 mov ebx, 3D2AF381h
_8nuz96wg:02BFB7D7 sbb ds:4468C31Bh[ebx*4], bl
_8nuz96wg:02BFB7DE sbb eax, [ecx+ecx*8+0F11CC15h]
_8nuz96wg:02BFB7E5 test [edi-53h], esp
_8nuz96wg:02BFB7E8 and ecx, 816F2D1Dh
_8nuz96wg:02BFB7EE into
_8nuz96wg:02BFB7EF mov ebp, 81FA1AE0h
_8nuz96wg:02BFB7F4 jmp far ptr 0B120h:8CDAB722h
_8nuz96wg:02BFB7F4 start endp
_8nuz96wg:02BFB7F4
_8nuz96wg:02BFB7F4 ; ---------------------------------------------------------------------------


Please let me know whether it is unpacked.

naides
July 10th, 2006, 08:03
Cannot tell for sure if it is unpacked,
but look at the code itself: the instructions are aimless and illogical.

Chances are it is still packed and you just disassembled a random string of bytes, or heavily obfuscated code,

OR, less likely,

it is unpacked, but the original code was itself heavily obfuscated.

deroko
July 10th, 2006, 08:16
Nope, it isn't unpacked, nor is that the OEP.
First you have to dump the program from memory and try to figure out what compiler it is. After that you may break at certain parts of code close to the OEP and dump the code.

rockdh
July 10th, 2006, 08:38
Can you help me with this?
I have put a lot of effort into trying to unpack this program.
Please help me, sir.

deroko
July 10th, 2006, 09:13
Use IDA and signatures to locate code generated by compilers. Then you may find the OEP by looking at the code. ExeCryptor also unpacks the executable in the TLS callback, so when you get out of it you may dump the application and start searching for the OEP using signatures in IDA. Of course, you may find some spot close to the OEP, because some bytes from the OEP are stolen and morphed.

rockdh
July 10th, 2006, 09:16
What do you mean by "use IDA and signatures"?
I can enter the TLS callbacks using NtGlobalFlag, right?
What do you mean by "get out of it"?

please check your PM.

regards,

david howie

deroko
July 10th, 2006, 10:11
Quote:
[Originally Posted by rockdh]What do you mean by "use IDA and signatures"?


In IDA -> Shift+F5, then you select either the signatures for Borland or MSVC depending on your target. If it is VB, then finding the OEP is nothing more than using a bpx at msvbvm6/50!ThunRTMain.

Quote:

I can enter the TLS callbacks using NtGlobalFlag, right?
What do you mean by "get out of it"?


Dunno about NtGlobalFlag; I use my loader to do that for me. Please check the ARTeam ezine (http://ezine.accessroot.com); I wrote a small txt on how to get in/out of the TLS callback.

rockdh
July 14th, 2006, 00:05
I have entered the TLS callbacks and the last command I see before the 0000's is a JMP.
I followed that jump and I think that I'm close to the OEP.
Please check the attached pictures.
The first one is the final jump I saw and the second is after I follow the jump.

MORE USELESS CODE REMOVED

rockdh
July 14th, 2006, 00:06
Picture 2

AND EVEN MORE USELESS CODE REMOVED

deroko
July 14th, 2006, 06:10
Man, get out of the TLS callback, or simply dump the app while it is running, load the dump in IDA and apply signatures, and find something that must be called close to the OEP. Analyze the logic of the compiler and you will find a place close to the OEP where a hook can be applied and where the target may be dumped.

The pictures that you have posted are not useful at all; the 1st one is the entry of the TLS callback, the second one is still the TLS callback...

rockdh
July 14th, 2006, 21:51
I've been trying, and the dump finally loaded in IDA (40.5 MB) because I wanted it to disassemble fully.
Then I used the signatures and found this:

Code:
CODE:00403B34 ; ---------------------------------------------------------------------------
CODE:00403B34 push ebp
CODE:00403B35 mov ebp, esp
CODE:00403B37 add esp, 0FFFFFFF4h
CODE:00403B3A movzx eax, ds:word_4C6024
CODE:00403B41 mov [ebp-8], eax
CODE:00403B44 lea eax, [ebp-4]
CODE:00403B47 push eax
CODE:00403B48 push 1
CODE:00403B4A push 0
CODE:00403B4C push offset aSoftwareBorlan ; "SOFTWARE\\Borland\\Delphi\\RTL"
CODE:00403B51 push 80000002h
CODE:00403B56 call sub_401384
CODE:00403B5B test eax, eax
CODE:00403B5D jnz short loc_403BAC
CODE:00403B5F xor eax, eax
CODE:00403B61 push ebp
CODE:00403B62 push offset loc_403BA5
CODE:00403B67 push dword ptr fs:[eax]
CODE:00403B6A mov fs:[eax], esp
CODE:00403B6D mov dword ptr [ebp-0Ch], 4
CODE:00403B74 lea eax, [ebp-0Ch]
CODE:00403B77 push eax
CODE:00403B78 lea eax, [ebp-8]
CODE:00403B7B push eax
CODE:00403B7C push 0
CODE:00403B7E push 0
CODE:00403B80 push offset aFpumaskvalue ; "FPUMaskValue"
CODE:00403B85 mov eax, [ebp-4]
CODE:00403B88 push eax
CODE:00403B89 call sub_40138C
CODE:00403B8E xor eax, eax
CODE:00403B90 pop edx
CODE:00403B91 pop ecx
CODE:00403B92 pop ecx
CODE:00403B93 mov fs:[eax], edx
CODE:00403B96 push offset loc_403BAC
CODE:00403B9B
CODE:00403B9B loc_403B9B: ; CODE XREF: CODE:00403BAAj
CODE:00403B9B mov eax, [ebp-4]
CODE:00403B9E push eax
CODE:00403B9F call sub_40137C
CODE:00403BA4 retn
CODE:00403BA5 ; ---------------------------------------------------------------------------
CODE:00403BA5
CODE:00403BA5 loc_403BA5: ; DATA XREF: CODE:00403B62o
CODE:00403BA5 jmp loc_404418
CODE:00403BAA ; ---------------------------------------------------------------------------
CODE:00403BAA jmp short loc_403B9B
CODE:00403BAC ; ---------------------------------------------------------------------------
CODE:00403BAC
CODE:00403BAC loc_403BAC: ; CODE XREF: CODE:00403B5Dj
CODE:00403BAC ; DATA XREF: CODE:00403B96o
CODE:00403BAC mov ax, ds:word_4C6024
CODE:00403BB2 and ax, 0FFC0h
CODE:00403BB6 mov dx, [ebp-8]
CODE:00403BBA and dx, 3Fh
CODE:00403BBE or ax, dx
CODE:00403BC1 mov ds:word_4C6024, ax
CODE:00403BC7 mov esp, ebp
CODE:00403BC9 pop ebp
CODE:00403BCA retn
CODE:00403BCA ; ---------------------------------------------------------------------------
CODE:00403BCB align 4
CODE:00403BCC aSoftwareBorlan db 'SOFTWARE\Borland\Delphi\RTL',0 ; DATA XREF: CODE:00403B4Co
CODE:00403BE8 aFpumaskvalue db 'FPUMaskValue',0 ; DATA XREF: CODE:00403B80o
CODE:00403BF5 align 4
CODE:00403BF8
CODE:00403BF8 ; =============== S U B R O U T I N E =======================================
CODE:00403BF8
CODE:00403BF8
CODE:00403BF8 sub_403BF8 proc near ; CODE XREF: sub_40469C-518p
CODE:00403BF8 ; sub_41F8F4-1B64Ap ...
CODE:00403BF8 fninit
CODE:00403BFA wait
CODE:00403BFB fldcw ds:word_4C6024
CODE:00403C01 retn
CODE:00403C01 sub_403BF8 endp
CODE:00403C01
CODE:00403C01 ; ---------------------------------------------------------------------------
CODE:00403C02 align 4
CODE:00403C04
CODE:00403C04 ; =============== S U B R O U T I N E =======================================
CODE:00403C04
CODE:00403C04
CODE:00403C04 sub_403C04 proc near ; CODE XREF: sub_410DC0+E2p
CODE:00403C04 ; sub_410DC0+103p ...
CODE:00403C04 mov al, 4
CODE:00403C06 jmp sub_4028E8
CODE:00403C06 sub_403C04 endp
CODE:00403C06
CODE:00403C0B ; ---------------------------------------------------------------------------
CODE:00403C0B retn
CODE:00403C0C
CODE:00403C0C ; =============== S U B R O U T I N E =======================================
CODE:00403C0C
CODE:00403C0C
CODE:00403C0C sub_403C0C proc near ; CODE XREF: sub_416C48+Cp
CODE:00403C0C ; sub_41AE08+5Dp ...
CODE:00403C0C mov eax, [eax]
CODE:00403C0E mov edx, eax
CODE:00403C10 mov eax, edx
CODE:00403C12 retn
CODE:00403C12 sub_403C0C endp
CODE:00403C12
CODE:00403C12 ; ---------------------------------------------------------------------------
CODE:00403C13 align 4
CODE:00403C14
CODE:00403C14 ; =============== S U B R O U T I N E =======================================


So I thought that the OEP is somewhere between 00403B34 and 00403BA5, so I opened the target again in Olly and used NtGlobalFlag to break at the TLS callbacks.

Then i ran a search for the following strings:

Code:
01E1899F 33C0 XOR EAX,EAX
01E189A1 5A POP EDX
01E189A2 59 POP ECX
01E189A3 59 POP ECX
01E189A4 64:8910 MOV DWORD PTR FS:[EAX],EDX


I found them, and also two PUSH EBP's when I scrolled up.
Could this be somewhere close to the OEP?

I've made a lot of progress, thanks to deroko.

LLXX
July 15th, 2006, 05:21
It looks like you're somewhere inside of Borland's Delphi Run-time Library. 403b34 looks like it might be it.

rockdh
July 15th, 2006, 05:31
Quote:
[Originally Posted by LLXX]It looks like you're somewhere inside of Borland's Delphi Run-time Library. 403b34 looks like it might be it.


I dumped it there at the code you told me (in OllyDbg it's 01E1892B) with Rebuild Import in OllyDump.

What next?

deroko
July 15th, 2006, 05:55
Now find the InitExe signature and dump there. But you have to break on InitExe to get the value of eax (Delphi code) + you have to see where InitExe will take you, since it is called from morphed code, so you assemble something like this later in the dump:

Code:

mov eax, magic_value
push ret_address
jmp __InitExe

rockdh
July 15th, 2006, 06:00
So the first dump I just made now is useless?
How do I break on InitExe?

deroko
July 15th, 2006, 06:29
That's why you need the dump to find it; then load the app and set a bpx on it after the TLS callback gets executed! That's when ExeCryptor's code is decrypted and you may set a BPX on that procedure without a problem.

rockdh
July 18th, 2006, 08:06
I assembled the following in some empty space:

Code:
004C6000 B8 AEE2C802 MOV EAX,02C8E2AE
004C6005 68 9F1AC902 PUSH 02C91A9F
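The three-instruction trampoline deroko describes (mov eax, magic / push ret / jmp __InitExe), carried through as an added example that is not code from this thread: it encodes the stub at the address and with the two values rockdh posted above, computes the E9 rel32 displacement from the end of the jmp, and decodes the bytes back so the patch can be checked against the debugger listing. The __InitExe address 0x004036F0 is a constructed placeholder; the thread never shows it.

```python
import struct

# Values taken from rockdh's post above: the stub is assembled at 004C6000 and
# sets eax to 02C8E2AE and pushes 02C91A9F as the return address. __InitExe is
# not shown in the thread, so 0x004036F0 is a constructed placeholder for it.
STUB_VA = 0x004C6000
MAGIC_EAX = 0x02C8E2AE
RET_ADDRESS = 0x02C91A9F
INITEXE_VA = 0x004036F0  # constructed placeholder, not from the thread


def build_initexe_stub(stub_va, magic_eax, ret_address, initexe_va):
    """Encode 'mov eax, imm32 / push imm32 / jmp rel32' for placement at stub_va."""
    mov = b"\xB8" + struct.pack("<I", magic_eax)        # B8 imm32: mov eax, imm32
    push = b"\x68" + struct.pack("<I", ret_address)     # 68 imm32: push imm32
    jmp_va = stub_va + len(mov) + len(push)             # where the E9 byte lands
    rel32 = initexe_va - (jmp_va + 5)                   # displacement from the next instruction
    jmp = b"\xE9" + struct.pack("<i", rel32)            # E9 rel32: jmp __InitExe
    return mov + push + jmp


def decode_initexe_stub(stub_va, blob):
    """Parse the 15-byte stub back; returns (eax, ret_address, jmp_target)."""
    if len(blob) != 15 or blob[0] != 0xB8 or blob[5] != 0x68 or blob[10] != 0xE9:
        raise ValueError("not a mov/push/jmp stub")
    eax = struct.unpack_from("<I", blob, 1)[0]
    ret = struct.unpack_from("<I", blob, 6)[0]
    rel32 = struct.unpack_from("<i", blob, 11)[0]
    target = (stub_va + 15 + rel32) & 0xFFFFFFFF        # wrap like a 32-bit EIP
    return eax, ret, target


def listing(stub_va, blob):
    """Olly-style 'address bytes' lines so the patch can be compared to the debugger."""
    return ["%08X %s" % (stub_va + off, blob[off:off + 5].hex(" ").upper())
            for off in (0, 5, 10)]


if __name__ == "__main__":
    stub = build_initexe_stub(STUB_VA, MAGIC_EAX, RET_ADDRESS, INITEXE_VA)
    print("\n".join(listing(STUB_VA, stub)))
    print("decoded:", [hex(v) for v in decode_initexe_stub(STUB_VA, stub)])
```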

rockdh
July 28th, 2006, 12:10
I am still trying to unpack this app.
Then I read a bit of ASM tutorials and stuff.
I got to know that I was doing it all wrong.
I found the correct OEP and stuff now.
I even assembled the InitExe jump properly (the last one wasn't proper).
The problem now is fixing imports.
I press IAT autosearch in ImpRec and it finds one import and the rest are invalid.
The valid one found is MessageBoxA.
I tried the ExeCryptor ImpRec plugin but they are still invalid.
Deroko, please help me.

deroko
August 6th, 2006, 17:00
Don't use IAT autosearch. Locate the IAT manually, then type the RVA/size in ImpRec and locate the invalid pointers, run the plugin on them and voila. If the target fails on some pointer, simply save tree.txt, skip that pointer and run the plugin on the others; later you may locate the invalid pointers manually. The logic is simple -> ExeCryptor will call GetModuleHandle or LoadLibrary to get the dll base or to load the needed .dll, and will use a custom implementation of GetProcAddress to find the API.
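A Python sketch of the pointer triage deroko describes, added here and not the thread's or ImpRec's code: it walks a constructed 32-bit IAT to its zero terminator, checks each slot against a constructed module/export map, and separates real exports from slots that point into the protector's region (the "invalid pointers" the plugin or a manual fix must resolve) and from slots inside a module that do not start an export. Module bases, export RVAs and the protector range are all constructed placeholders, not values from the thread.

```python
import struct

# All addresses here are constructed for the example: real module bases and
# export RVAs come from the debugger's module list on the analysis machine.
MODULES = {
    "kernel32.dll": (0x7C800000, 0x000F6000, {0x0001D77B: "GetModuleHandleA",
                                              0x0001D7D4: "LoadLibraryA"}),
    "user32.dll":   (0x7E410000, 0x00091000, {0x000407EA: "MessageBoxA"}),
}
PROTECTOR_RANGE = (0x02C80000, 0x02D00000)  # where the protector's stub was mapped (constructed)


def parse_iat(blob):
    """Read little-endian 32-bit thunks until the zero terminator or end of data."""
    ptrs = []
    for off in range(0, len(blob) - 3, 4):
        (p,) = struct.unpack_from("<I", blob, off)
        if p == 0:
            break
        ptrs.append(p)
    return ptrs


def classify_pointer(ptr):
    """Say what one IAT slot points at: a real export, a redirect, or nothing mapped."""
    for name, (base, size, exports) in MODULES.items():
        if base <= ptr < base + size:
            rva = ptr - base
            if rva in exports:
                return ("valid", "%s!%s" % (name, exports[rva]))
            return ("inside-module", "%s+%X is not an export start" % (name, rva))
    if PROTECTOR_RANGE[0] <= ptr < PROTECTOR_RANGE[1]:
        return ("redirected", "points into protector code, resolve with plugin or by hand")
    return ("invalid", "unmapped")


def audit_iat(blob):
    """One (slot, pointer, status, detail) tuple per thunk, in IAT order."""
    return [(i, p) + classify_pointer(p) for i, p in enumerate(parse_iat(blob))]


# Constructed IAT: one real MessageBoxA, two protector redirects, one pointer
# that lands inside kernel32 but not at an export start, then the terminator.
SAMPLE_IAT = struct.pack("<5I", 0x7E4507EA, 0x02C8E2AE, 0x02C93310, 0x7C81D7D5, 0)

if __name__ == "__main__":
    for slot, ptr, status, detail in audit_iat(SAMPLE_IAT):
        print("slot %d %08X %-13s %s" % (slot, ptr, status, detail))
```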