Some advices for using the tools with efficiency
Advanced
slightly edited by fravia+
fra_00xx 980510 JaZZ 0010 AD PC

2) Showing a technique and not just a banal "Hey guys, look how I diddit")
3) Teaching AT THE SAME TIME advanced and intermediate/new readers some USEFUL tricks, and "must know":

```
Raw Data Offset  008D8600
Raw Data Size    000F7200
```

Ever found this "raw" stuff dumping PEs? Here you'll see (among other precious things) how important this is...
|
```
Magic                       010B
Linker Version              3.00
Size of Code                0001A600
Size of Initialized Data    00AE5600
Size of Uninitialized Data  00000000
Address of Entry Point      00AEC690
Base of Code                00AEC000
Base of Data                00001000
Image Base                  00400000
Section Alignment           00001000
File Alignment              00000200
Operating System Version    4.00
.....
.....
.....
```

then follows the description of the "objects" of ventura.exe:

```
.....
Section Table
-------------
01 0000001  Virtual Address    00001000  Virtual Size   008D7F7E
            Raw Data Offset    00000600  Raw Data Size  008D8000
            Relocation Offset  00000000
            Initialized Data   Readable  Writeable
02 0000002  Virtual Address    008D9000  Virtual Size   000F7098
            Raw Data Offset    008D8600  Raw Data Size  000F7200
            Relocation Offset  00000000
            Initialized Data   Readable
.....
.....
```

a few more follow, and then:

```
.....
0B 0000011  Virtual Address    00AEC000  Virtual Size   0001A415
            Raw Data Offset    00AAC800  Raw Data Size  0001A600
            Relocation Offset  00000000
            Code  Executable  Readable
```
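As an added illustration (not part of JaZZ's essay), the following Python takes the three sections quoted above and turns an RVA or a virtual address into the file offset a dumper or hex editor needs; every number in it is copied from the header dump, and the sections not shown in the text are simply left out.

```python
# Added example (not from the essay): section-table arithmetic for the
# ventura.exe header quoted above. Only the three quoted sections are reproduced.
from collections import namedtuple
Section = namedtuple("Section", "index virtual_address virtual_size raw_offset raw_size")

IMAGE_BASE = 0x400000        # Image Base
SECTION_ALIGNMENT = 0x1000   # Section Alignment
FILE_ALIGNMENT = 0x200       # File Alignment
ENTRY_POINT_RVA = 0xAEC690   # Address of Entry Point

SECTIONS = [
    Section(0x01, 0x001000, 0x8D7F7E, 0x000600, 0x8D8000),
    Section(0x02, 0x8D9000, 0x0F7098, 0x8D8600, 0x0F7200),
    Section(0x0B, 0xAEC000, 0x01A415, 0xAAC800, 0x01A600),
]

def align_up(value, alignment):
    return (value + alignment - 1) & ~(alignment - 1)

def section_for_rva(sections, rva):
    """The loader reserves each section rounded up to SectionAlignment."""
    for s in sections:
        span = align_up(max(s.virtual_size, s.raw_size), SECTION_ALIGNMENT)
        if s.virtual_address <= rva < s.virtual_address + span:
            return s
    return None

def rva_to_file_offset(sections, rva):
    """File position of an RVA: Raw Data Offset plus the distance into the section."""
    s = section_for_rva(sections, rva)
    if s is None:
        raise ValueError("RVA %#x is not backed by any section" % rva)
    delta = rva - s.virtual_address
    if delta >= s.raw_size:   # loader zero-fills this part; the file holds nothing
        raise ValueError("RVA %#x is in the zero-filled tail of section %02X" % (rva, s.index))
    return s.raw_offset + delta

def va_to_file_offset(sections, va, image_base=IMAGE_BASE):
    """Same, starting from a virtual address as the debugger shows it."""
    return rva_to_file_offset(sections, va - image_base)

def raw_size_is_consistent(s):
    """Raw Data Size should equal Virtual Size rounded up to FileAlignment."""
    return s.raw_size == align_up(s.virtual_size, FILE_ALIGNMENT)

if __name__ == "__main__":
    # Entry point EEC690 lives at file offset AACE90; the buffer at 401000 at 600.
    print("%#x" % va_to_file_offset(SECTIONS, IMAGE_BASE + ENTRY_POINT_RVA))
    print("%#x" % va_to_file_offset(SECTIONS, 0x401000))
```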
```
* Referenced by: at least 60 jmps!
:00EEC6F0 A1CC39EE00      mov eax, dword ptr [00EE39CC]
:00EEC6F5 8B08            mov ecx, dword ptr [eax]
:00EEC6F7 8BC1            mov eax, ecx
:00EEC6F9 890DB876EE00    mov dword ptr [00EE76B8], ecx
:00EEC6FF 25FFFF0000      and eax, 0000FFFF
:00EEC704 0135CC39EE00    add dword ptr [00EE39CC], esi
:00EEC70A A3BC76EE00      mov dword ptr [00EE76BC], eax
:00EEC70F 8BC1            mov eax, ecx
:00EEC711 250000FFFF      and eax, FFFF0000
:00EEC716 3D00004203      cmp eax, 03420000
:00EEC71B 7713            ja 00EEC730
:00EEC71D 0F845A020000    je 00EEC97D
:00EEC723 3D0000E400      cmp eax, 00E40000
:00EEC728 0F840F020000    je 00EEC93D
:00EEC72E EBC0            jmp 00EEC6F0
:00EEC730 3D00000407      cmp eax, 07040000
:00EEC735 7713            ja 00EEC74A
:00EEC737 0F84C2020000    je 00EEC9FF
:00EEC73D 3D00001106      cmp eax, 06110000
:00EEC742 0F8457020000    je 00EEC99F
:00EEC748 EBA6            jmp 00EEC6F0
:00EEC74A 3D00007D09      cmp eax, 097D0000
:00EEC74F 7713            ja 00EEC764
:00EEC751 0F84CC020000    je 00EECA23
:00EEC757 3D00006F09      cmp eax, 096F0000
:00EEC75C 0F8495080000    je 00EECFF7
:00EEC762 EB8C            jmp 00EEC6F0
:00EEC764 3D00000411      cmp eax, 11040000
:00EEC769 7716            ja 00EEC781
:00EEC76B 0F8408030000    je 00EECA79
:00EEC771 3D00009210      cmp eax, 10920000
:00EEC776 0F84E2020000    je 00EECA5E
:00EEC77C E96FFFFFFF      jmp 00EEC6F0
```

.... and over and over....
This is the exit:

```
:00EED00F 33C9            xor ecx, ecx
:00EED011 8A88F0D0EE00    mov cl, byte ptr [eax+00EED0F0]
:00EED017 FF248DDCD0EE00  jmp dword ptr [4*ecx+00EED0DC]
```

which goes here:

```
:00EED0B5 8B4510          mov eax, dword ptr [ebp+10]
:00EED0B8 8B4D0C          mov ecx, dword ptr [ebp+0C]
:00EED0BB 50              push eax
:00EED0BC 8B5508          mov edx, dword ptr [ebp+08]
:00EED0BF 51              push ecx
:00EED0C0 52              push edx
:00EED0C1 FF157430EE00    call dword ptr [00EE3074]   ---> this is C552D0, the entry point of the app
:00EED0C7 8B4DF0          mov ecx, dword ptr [ebp-10]
:00EED0CA 5F              pop edi
:00EED0CB 64890D00000000  mov dword ptr fs:[00000000], ecx
:00EED0D2 5E              pop esi
:00EED0D3 5B              pop ebx
:00EED0D4 8BE5            mov esp, ebp
:00EED0D6 5D              pop ebp
:00EED0D7 C20C00          ret 000C
```
```
my_adr: push eax
        mov eax, [the_adress_you_want]
        pop eax
        jmp where_you_came_from
```

Using bpx my_adr and then g=my_adr, the page will be fully loaded. One more tip: if you just want to terminate afterwards, assemble an INT 3 in place of the jump. It'll generally kill the task properly, without damaging the already unstable windoze.
```
:00EED100 53              push ebx
:00EED101 33C0            xor eax, eax
:00EED103 56              push esi
:00EED104 57              push edi
:00EED105 8B742414        mov esi, dword ptr [esp+14]
:00EED109 C1EE02          shr esi, 02
:00EED10C 8BCE            mov ecx, esi
:00EED10E 4E              dec esi
:00EED10F 85C9            test ecx, ecx
:00EED111 7431            je 00EED144
:00EED113 8B542410        mov edx, dword ptr [esp+10]
:00EED117 8B7C2418        mov edi, dword ptr [esp+18]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00EED142(C)
:00EED11B 8BCF            mov ecx, edi
:00EED11D 8BDF            mov ebx, edi
:00EED11F C1E104          shl ecx, 04
:00EED122 83C204          add edx, 00000004
:00EED125 C1E305          shl ebx, 05
:00EED128 03CF            add ecx, edi
:00EED12A C1E909          shr ecx, 09
:00EED12D 33CB            xor ecx, ebx
:00EED12F 03F9            add edi, ecx
:00EED131 8B4AFC          mov ecx, dword ptr [edx-04]   --> initial bytes
:00EED134 33CF            xor ecx, edi                  --> a banal XOR :=)
:00EED136 03C1            add eax, ecx
:00EED138 894AFC          mov dword ptr [edx-04], ecx   --> replace with decrypted bytes
:00EED13B 33F8            xor edi, eax
:00EED13D 8BCE            mov ecx, esi
:00EED13F 4E              dec esi
:00EED140 85C9            test ecx, ecx
:00EED142 75D7            jne 00EED11B

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00EED111(C)
:00EED144 5F              pop edi
:00EED145 5E              pop esi
:00EED146 5B              pop ebx
:00EED147 C20C00          ret 000C
```
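To make the loop readable, here is the same routine rewritten in Python as an added example (not from the essay): it keeps the stub's argument order and the 32-bit wraparound of the registers, and it carries an inverse purely so that constructed data can be round-tripped offline; the sample string is constructed, not section data.

```python
# Added example (not from the essay): the routine at EED100 rewritten in
# Python so the key schedule can be read at a glance. Argument order follows
# the call in the text: push key, push size, push address.
import struct

MASK = 0xFFFFFFFF                       # 32-bit register arithmetic

def next_key(key):
    """EED11B..EED12F: key += ((key*17) >> 9) ^ (key << 5), mod 2^32."""
    t = ((key * 17) & MASK) >> 9        # shl ecx,4 ; add ecx,edi ; shr ecx,9
    t ^= (key << 5) & MASK              # shl ebx,5 ; xor ecx,ebx
    return (key + t) & MASK             # add edi,ecx

def decrypt(buf, key):
    """Mirror of EED100: returns (decrypted bytes, checksum left in eax).
    Only len(buf) >> 2 dwords are touched (shr esi,2); trailing bytes stay."""
    out = bytearray(buf)
    checksum = 0                                         # xor eax,eax
    for off in range(0, len(buf) & ~3, 4):
        key = next_key(key)
        cipher = struct.unpack_from("<I", buf, off)[0]   # mov ecx,[edx-4]
        plain = cipher ^ key                             # xor ecx,edi
        checksum = (checksum + plain) & MASK             # add eax,ecx
        struct.pack_into("<I", out, off, plain)          # mov [edx-4],ecx
        key ^= checksum                                  # xor edi,eax
    return bytes(out), checksum

def encrypt(buf, key):
    """Inverse of decrypt (not part of the stub); only used to build test data."""
    out = bytearray(buf)
    checksum = 0
    for off in range(0, len(buf) & ~3, 4):
        key = next_key(key)
        plain = struct.unpack_from("<I", buf, off)[0]
        struct.pack_into("<I", out, off, plain ^ key)
        checksum = (checksum + plain) & MASK
        key ^= checksum
    return bytes(out)

KEY = 0x8A7EAA7A      # push 8A7EAA7A in the stub (size 8D7F7E, address 401000)

if __name__ == "__main__":
    sample = b"constructed plaintext for a round trip"  # not real section data
    dec, cs = decrypt(encrypt(sample, KEY), KEY)
    print(dec == sample, "checksum %#010x" % cs)
```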
```
EEC690: push 8A7EAA7A   ;the above params
        push 8D7F7E
        push 401000
        call EED100     ;decrypt
        jmp C552D0      ;jmp to main program
```

I'll spare you the suspense: it won't work either, as none of the Win32 API pointers in the decrypted code is properly initialised. The initial decrypted code begins with:
```
:C552D0 PUSH FF
        PUSH D42660
        PUSH C554A4
        PUSH eax
        MOV fs:[0],esp
        SUB esp,60
        PUSH ebx
        PUSH esi
        PUSH edi
        MOV [EBP-18],esp
        CALL [00E442BC]   ;initially bogus, it'll finally be a CALL [kernel32!GetVersion]
        etc....           ;but for the moment it leads to a crash!
```
```
:00EEC3C0 53              push ebx
:00EEC3C1 56              push esi
:00EEC3C2 57              push edi
:00EEC3C3 8B1D7030EE00    mov ebx, dword ptr [00EE3070]   --> Imagebase of the executable = 400000
:00EEC3C9 55              push ebp
:00EEC3CA 031D8400EE00    add ebx, dword ptr [00EE0084]   --> RVA of the object = A43000
:00EEC3D0 837B1000        cmp dword ptr [ebx+10], 00000000
:00EEC3D4 7460            je 00EEC436

* Reference To: KERNEL32.GetProcAddress, Ord:0103h
|
:00EEC3D6 8B3DE8B1EE00    mov edi, dword ptr [00EEB1E8]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00EEC434(C)
|
:00EEC3DC 8B430C          mov eax, dword ptr [ebx+0C]
:00EEC3DF 03057030EE00    add eax, dword ptr [00EE3070]   --> compute the address of the dll name
:00EEC3E5 50              push eax
|
:00EEC3E6 FF15ECB1EE00    Call KERNEL32.LoadLibraryA
:00EEC3EC 8BE8            mov ebp, eax
:00EEC3EE 85ED            test ebp, ebp
:00EEC3F0 744B            je 00EEC43D
:00EEC3F2 8B7310          mov esi, dword ptr [ebx+10]
:00EEC3F5 03357030EE00    add esi, dword ptr [00EE3070]
:00EEC3FB 833E00          cmp dword ptr [esi], 00000000
:00EEC3FE 742D            je 00EEC42D
:00EEC400 8B06            mov eax, dword ptr [esi]
:00EEC402 A900000080      test eax, 80000000
:00EEC407 7407            je 00EEC410
:00EEC409 25FFFF0000      and eax, 0000FFFF
:00EEC40E EB0B            jmp 00EEC41B
:00EEC410 8B0E            mov ecx, dword ptr [esi]
:00EEC412 A17030EE00      mov eax, dword ptr [00EE3070]
:00EEC417 8D440102        lea eax, dword ptr [ecx+eax+02]
:00EEC41B 50              push eax
:00EEC41C 55              push ebp
:00EEC41D FFD7            call edi                        ---> this is GetProcAddress
:00EEC41F 8906            mov dword ptr [esi], eax        --> Here! Install the handler.
:00EEC421 85C0            test eax, eax
:00EEC423 7429            je 00EEC44E
:00EEC425 83C604          add esi, 00000004
:00EEC428 833E00          cmp dword ptr [esi], 00000000
:00EEC42B 75D3            jne 00EEC400
:00EEC42D 83C314          add ebx, 00000014
:00EEC430 837B1000        cmp dword ptr [ebx+10], 00000000
:00EEC434 75A6            jne 00EEC3DC
:00EEC436 33C0            xor eax, eax
:00EEC438 5D              pop ebp
:00EEC439 5F              pop edi
:00EEC43A 5E              pop esi
:00EEC43B 5B              pop ebx
:00EEC43C C3              ret
```
```
****************************************
EEC690: push 8A7EAA7A   ;the decryption part
        push 8D7F7E
        push 401000
        call EED100
        mov eax,400000  ;the API handlers part
        mov [EE3070],eax
        mov eax,A43000
        mov [EE0084],eax
        call EEC3C0
        jmp C552D0      ;jmp to main program
****************************************
```