Rebuilding Section Headers and Tables
Code Pilot
06-13-2004, 12:39 AM
:shock:
To all the great minds out there I have a question for you!
I am currently working on a project that has an unknown encrypter. I don't believe it's packed. I used ProcDump and have been able to get most of the code, but here is the problem. I am trying to add a .gif file to the project, but as soon as I add it the program no longer runs.
After some researching I have found that the problem is because the resources are not placed at the end of the file.
Here are the section headers:
.text
.rdata Import Table
.data
.rsrc Resource Table
.MPS Relocation Table
I am not quite sure what this .MPS is, but that is where the OEP is located. After unencrypting or unpacking, the OEP is moved to the .text section.
If I add a resource, the .MPS address moves. How do I go about moving that .MPS section above the .rsrc section and rebuilding the tables? I have worked weeks and read many tuts with no luck.
I hope I explained it OK.
Thanks for the help.
Code Pilot
06-13-2004, 04:54 PM
I have a little update.
Somehow I need to move the .mps section above the .rsrc. I have tried just about everything to move the sections around. At the end of everything I get that the file is not a valid Win32 Application.
I am not sure what this .mps section is. I have not seen it before. Any ideas would be helpful.
:?
CoDe_InSiDe
06-14-2004, 05:03 AM
Hi Code Pilot,
After some researching I have found that the problem is because the resources are not placed at the end of the file.
This is no problem, the Resource Section can be anywhere in the file :)
If I add a resource, the .MPS address moves. How do I go about moving that .MPS section above the .rsrc section and rebuilding the tables? I have worked weeks and read many tuts with no luck.
You mean move the .MPS Section below/infront of the .rsrc Section? :)
Copy/cut the whole .MPS Section and place it before the Resource Section, then update the PE Header's Section Table :)
I am not sure what this .mps section is. I have not seen it before. Any ideas would be helpful.
I'm also interested what this "MPS" Protector is, I've never seen it before :)
I'm going to search a bit... (BTW, is there maybe some information about it from where you got this program?)
And another thing, you can't simply add a GIF file to the Resource Section.
Well you can, but you need to rebuild the whole Resource Section (and the PE Header).
You could use a program like Resource Hacker I believe, if you want, or do it manually ;)
Regards,
CoDe_InSiDe
RE: Rebuilding Section Headers and Tables
Hi and welcome to the RET message board. It is not my intention to try and put you down, but you seem to be in way over your head.
One step at a time:
I am currently working on a project that has an unknown encrypter. I don't believe it's packed.
You can easily tell if the data is compressed or not; The idea when compressing data is to make it smaller (i.e. make it fit in a smaller area) and by comparing a section's physical size to its virtual size you can see if it grows in memory. Most sections grow to some extent because they usually have a different alignment on disk versus in memory. Think accordion. If this makes no sense to you whatsoever, you need to go read up on the PE file format.
I am trying to add a .gif file to the project but as soon as I add it the program no longer runs.
Okay, first of all, you normally wouldn't try to add a .GIF file because there will be issues with parsing it and blitting it to the screen (or wherever). You'd have to use COM or rely on an external GIF library to parse the image data so all in all = BAD IDEA.
After some researching I have found that the problem is because the resources are not placed at the end of the file.
There's nothing that says you can't place arbitrary data at the end of a file. The only difference is in how you access the data from inside the application. When placing it at the end you cannot load it resource-style, but you can still access it (and it does work!).
...that is where the OEP is located. After unencrypting or unpacking the OEP is moved to the .text section.
OEP is a made-up abbreviation that stands for Original Entry Point. You can't have two original entry points. The one in the .text section is the original one.
Also, moving sections around is bad mojo. You should try to determine what that .MPS section is - maybe it's not needed any longer since the original data is restored already before the file is run (in your dumped version, that is). In your first post you imply that there's a relocation table stored inside the section and, as it happens, stand-alone executables on Win32 do not relocate (ever!) so you can strip it out. And I'm not sure how you "add a resource", but you can't just tack it on at the end and not rebuild the resource index.
I see our friend Code beat me to it hehe
Regards, sna
CoDe_InSiDe
06-14-2004, 07:07 AM
Hi sna,
Okay, first of all, you normally wouldn't try to add a .GIF file because there will be issues with parsing it and blitting it to the screen (or wherever). You'd have to use COM or rely on an external GIF library to parse the image data so all in all = BAD IDEA.
Ah yes, I totally forgot that, hehe :D
Better use BMP if you don't want to get too much trouble... ;)
Code Pilot:
First unpack this program (Rebuilding Import Table needed?) and clean the file :) (Getting rid of the .MPS Section ;) ).
Then you can either add a "BMP" (GIF is indeed not very handy...) to the Resource Section, or put some of your own code in a new Section (use the .MPS Section ;) ) to load the BMP (be aware of any APIs you will need).
Ok, I think that should do it... :)
sna:
BTW, are you still checking ACProtect? :)
There's a new version which uses the "Exception Protection" (let's call it like this ;) from tE!'s tElock) at the beginning of the Loader.
I haven't really checked this new version yet, but I hope it's different than the previous versions ;)
Regards,
CoDe_InSiDe
Hi again,
I lost interest in ACProtect so I haven't looked at any recent versions. I'm also not familiar with "Exception Protection"; is it doing all the data inflation/decryption inside an exception handler? If so, what's keeping me from putting a breakpoint at the start of the handler and then stepping through it?
Anything you might find out about the new versions, please post it in the ACProtect thread. BTW, you're one happy fella, did anyone ever tell you that?
Kind regards, sna
Code Pilot
06-14-2004, 11:40 AM
Thanks guys,
Your comments helped.
The file doesn't look compressed, but it was encrypted. Still not sure with what. This ".MPS" section has got me stumped.
Anyway. I just moved the .rsrc below the .MPS and corrected the header section to the new location of the .rsrc.
Corrected the checksum and done.
Works great.
But I will still continue to find out what this .MPS is. If I find something I will let you guys know. And vice versa I hope... :wink:
Thanks again guys.
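As an added illustration of what sna and Code Pilot describe above (this is not code from the thread), the Python below parses a PE section table, applies sna's disk-size versus memory-size test, and rewrites a file so that one section's raw data sits in front of another's on disk while the section table order and every VirtualAddress stay as they are, which is the fix Code Pilot applied to .rsrc and .MPS. The sample image and its section sizes are constructed inline and contain no real code; a real file would also need its checksum recomputed, as Code Pilot notes.

```python
import struct
SECTION_FMT = "<8sIIIIIIHHI"            # IMAGE_SECTION_HEADER, 40 bytes
SECTION_SIZE = struct.calcsize(SECTION_FMT)

def section_table(pe):
    """Return (file offset of the first section header, number of sections)."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    _, n_sections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, e_lfanew + 4)
    return e_lfanew + 24 + opt_size, n_sections

def parse_sections(pe):
    off, n = section_table(pe)
    secs = []
    for i in range(n):
        f = struct.unpack_from(SECTION_FMT, pe, off + i * SECTION_SIZE)
        secs.append({"index": i, "name": f[0].rstrip(b"\0").decode(), "vsize": f[1],
                     "va": f[2], "rawsize": f[3], "rawptr": f[4]})
    return secs

def grows_in_memory(sec, factor=4):
    # sna's test: far larger in memory than on disk means it is filled at run time
    return sec["rawsize"] > 0 and sec["vsize"] > factor * sec["rawsize"]

def reorder_raw_data(pe, file_order, file_align=0x200):
    """Lay the sections' raw data out on disk in file_order. The section table
    order and every VirtualAddress stay untouched; only PointerToRawData moves."""
    off, n = section_table(pe)
    by_name = {s["name"]: s for s in parse_sections(pe)}
    out = bytearray(pe[:off + n * SECTION_SIZE])
    out += b"\0" * (-len(out) % file_align)            # pad headers to alignment
    for name in file_order:
        s = by_name[name]
        hdr = off + s["index"] * SECTION_SIZE
        struct.pack_into("<I", out, hdr + 20, len(out))  # PointerToRawData field
        out += pe[s["rawptr"]:s["rawptr"] + s["rawsize"]]
        out += b"\0" * (-len(out) % file_align)
    return bytes(out)

def build_sample():
    """Constructed 3-section image like the poster's: .text, .rsrc, then .MPS."""
    hdr = bytearray(b"MZ" + b"\0" * 58 + struct.pack("<I", 64))   # e_lfanew = 64
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 224, 0x102)
    hdr += struct.pack("<H", 0x10B) + b"\0" * 222        # empty PE32 optional header
    layout = [(b".text", 0x3000, 0x1000, b"T"), (b".rsrc", 0x200, 0x4000, b"R"),
              (b".MPS", 0x200, 0x5000, b"M")]
    body = b""
    for i, (name, vsize, va, fill) in enumerate(layout):   # raw data 0x200 each
        hdr += struct.pack(SECTION_FMT, name, vsize, va, 0x200, 0x200 * (i + 1), 0, 0, 0, 0, 0)
        body += fill * 0x200
    return bytes(hdr) + b"\0" * (0x200 - len(hdr)) + body
```

Calling `reorder_raw_data(build_sample(), [".text", ".MPS", ".rsrc"])` moves the .MPS bytes in front of .rsrc on disk; `parse_sections` on the result still lists the sections in their original (virtual address) order, with only the two PointerToRawData values exchanged.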
CoDe_InSiDe
06-14-2004, 01:15 PM
Hi sna/Code Pilot,
sna:
I lost interest in ACProtect
I can understand what you mean... ;)
I'm also not familiar with "Exception Protection"; is it doing all the data inflation/decryption inside an exception handler? If so, what's keeping me from putting a breakpoint at the start of the handler and then stepping through it?
Hehe, no not really...
It sets up an SEH and performs an exception. In the SEH it puts 4 Offsets in the DRx registers and then leaves the SEH and continues execution. If any of those Offsets are going to be executed it "jumps" back to the SEH and does some decryption related stuff... :)
I hope I explained it well enough...
In tElock it's made a little bit tougher if I remember correctly.
In ACProtect you can easily skip this decryption routine (in fact it's easier to skip this new decryption routine than the decryption routines in the earlier versions, hehe :D )
Anything you might find out about the new versions, please post it in the ACProtect thread.
Ok.
BTW, you're one happy fella, did anyone ever tell you that?
Haha, no, you are actually the first one :D
Yeah I know, I'm using too many smilies I'm afraid ;)
Well, if I write down a sentence and then I don't put a smilie behind it, the sentence doesn't look like it's complete in some way... I don't know why? :)
But a smilie isn't always needed...
Code Pilot:
But I will still continue to find out what this .MPS is. If I find something I will let you guys know. And vice versa I hope...
I hope so too :)
I've already searched a little bit but i couldn't find anything...
It could also be that it has been protected with just some Encrypter in which you've got the option of changing the Section names...
Could you be so kind as to paste here, let's say, the first 20/30 bytes? Or maybe some suspicious text?
Maybe I recognize it (or someone else?).
Regards,
CoDe_InSiDe
Code Pilot
06-14-2004, 03:19 PM
I hope this is what you were looking for. If it's not... let me know. I am new to this site and trying to get familiar with everyone on this site. Again, thanks for your help.
First 30 bytes (hex):
E8 00 00 00 00 5B 81 EB 05 00 00 00 60 E9 00 00
00 00 E8 0F 00 00 00 8B 44 24 0C 8B A0 C4 00 00
00 E9 0C 00 00 00 31 D2 64 FF 32 64 89 22 89 12
EB E0 58 64 A3 00 00 00 00 58 61 55 89 D9 81 C1
I am currently working on the .dll file that they also encrypted. Seems quite strange. I really wish I knew what this was. After playing around with some of the PE detector apps you guys have posted, once it came up as Neolite 2.0. But none of the references matched. Hope this will help.
CoDe_InSiDe
06-15-2004, 02:16 AM
Hi Code Pilot,
Hmm, I don't recognize these first 30 bytes, so the Encrypter is unknown to me...
Too bad I can't see this protected program myself ;)
Regards,
CoDe_InSiDe