Modified PE-Crypt, or Something Similar (Forums > Target Specific - General)

Topic created on: February 22, 2007 22:11 CST by memo5 .

Hello All

I need some help decrypting some kind of encryption; it seems like PE-Crypt with all section names set to "peC". I have a small application as a sample but I didn't know how to upload it to this forum. It's hard to dump because it melts all the PE sections into one section and marks the memory pages as private, and if dumped the IAT is very hard to recover. I noticed that it also creates a DLL in the temp dir, so can anyone help reversing this app?

  simpleuser   February 23, 2007 02:46.36 CST
why are the melted PE sections making it harder?
what do you mean, very hard? did you try ImportReconstructor (read some ImpREC tutorials if needed)?

creating a (protection, i guess) dll in the temp directory sounds pretty common (bp on WriteFile or LoadLibraryA).

the section name usually gives less information than the style of the code itself (some packers use section names from other common packers to confuse the enemy):
- what's the entry point like ?
- what's the code like (any junk, any special flow, uncommon trick) ?

if you can't upload the file my guess is :
- train more :)
- give more detailed information

  memo5     February 23, 2007 03:49.02 CST
Thank you simpleuser for your reply

When I said that it's too hard to dump this program, I mean that when I try to dump it using any tool the application or the tool crashes, even when using LordPE or ImpREC, because it protects the memory that holds the code/data of the program. But it's OK, I made a pass-through DLL and made the dump myself, and I have recovered the code, data, rsrc and rdata sections and made it good enough to let IDA do its job.
But you know that it will not run because of the loss of the .idata section and the run-time initialization of many global variables in the data section.

So the only way to make it work is to decrypt it first.

The entry point of the program is like this; I think that this is a PE-Crypt signature:

start:
peC:00444290                 pusha
peC:00444291                 call    $+5
peC:00444296                 pop     ebp
peC:00444297                 sub     ebp, offset unk_42EA18
peC:0044429D                 mov     ecx, 0FF10h
peC:004442A2                 mov     ebx, 0
peC:004442A7                 call    sub_444702
peC:004442AC                 push    0FF20B9h
peC:004442B1                 add     al, ch
peC:004442B3                 push    ebx
peC:004442B4                 add     al, 0
peC:004442B6                 add     [eax-47h], ch
peC:004442B9                 xor     bh, bh


sub_444702      proc near               ; CODE XREF: peC:004442A7 p
peC:00444702                 lea     edx, dword_42F3DD[ebp]
peC:00444708                 jmp     short loc_44471A
peC:0044470A ; ___________________________________________________________________________
peC:0044470A                 lea     edx, dword_42F3E1[ebp]
peC:00444710                 jmp     short loc_44471A
peC:00444712 ; ___________________________________________________________________________
peC:00444712                 lea     edx, dword_42F3E5[ebp]
peC:00444718                 jmp     short $+2
peC:0044471A
peC:0044471A loc_44471A:                             ; CODE XREF: sub_444702+6 j
peC:0044471A                                         ; sub_444702+E j ...
peC:0044471A                 xor     eax, eax
peC:0044471C                 call    near ptr loc_444721+1
peC:00444721
peC:00444721 loc_444721:                             ; CODE XREF: sub_444702+1A p
peC:00444721                 push    0FCE2C103h
peC:00444721 sub_444702      endp

  simpleuser   February 23, 2007 04:16.04 CST
sadly this doesn't give any particular hint:
position-independent code
probably checksum-indexed api calls thru 44471a.

nothing special nor useful though.

don't forget to undef the byte in 444721, so that the call target from 44471c will be correctly analyzed by IDA.

  memo5     February 23, 2007 06:05.02 CST
Can I send you a copy of this prog to your e-mail.

  simpleuser   February 23, 2007 07:50.45 CST
No, since this is a public forum.

If the file was freely available to everybody here, I'd look at it.
If you have further questions, don't hesitate though :)

  anonymouse     February 23, 2007 11:10.06 CST
that disassembly means nothing
and if you tell ida to make the byte at

peC:00444721 loc_444721:                             ; CODE XREF: sub_444702+1A p
peC:00444721                 push    0FCE2C103h

it will turn out to be
00401D4F      03C1          ADD     EAX, ECX
00401D51    ^ E2 FC         LOOPD   SHORT 00401D4F                   ;  WIN_EXE.00401D4F

and ecx from your disassembly was ff01
so you will end up with
7F10F008
in eax after it has looped fully
junk i assume :)

you have lots of manual work to do if you are doing it statically or run around with this baby in a debugger
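A Python illustration added here (not part of the thread) of anonymouse's point: the five bytes at loc_444721 that IDA shows as `push 0FCE2C103h` are decoded again from one byte in, where the call at 44471C actually lands, and the resulting `add eax, ecx` / `loop` pair is emulated with the ecx = 0FF10h set at the entry point. The decoder handles only the three opcodes in this snippet.

```python
import struct

# Bytes at loc_444721 as IDA first shows them: 68 03 C1 E2 FC (push 0FCE2C103h).
# The call at 44471C targets loc_444721+1, so execution really starts at the 2nd byte.
LOC_444721 = 0x444721
CODE = bytes.fromhex("6803C1E2FC")  # copied from the listing posted in the thread
REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def decode(code, base, start):
    """Minimal x86-32 decoder for the three opcodes in this snippet.
    Returns a list of (address, mnemonic) pairs starting at code[start]."""
    out = []
    off = start
    while off < len(code):
        op = code[off]
        if op == 0x68:  # push imm32
            imm = struct.unpack_from("<I", code, off + 1)[0]
            out.append((base + off, f"push 0{imm:X}h"))
            off += 5
        elif op == 0x03:  # add r32, r/m32; ModRM C1 = mod 11, reg eax, rm ecx
            modrm = code[off + 1]
            reg, rm = (modrm >> 3) & 7, modrm & 7
            out.append((base + off, f"add {REGS[reg]}, {REGS[rm]}"))
            off += 2
        elif op == 0xE2:  # loop rel8: ecx -= 1, jump if ecx != 0
            rel = struct.unpack_from("<b", code, off + 1)[0]
            target = base + off + 2 + rel
            out.append((base + off, f"loop {target:08X}"))
            off += 2
        else:
            raise ValueError(f"unhandled opcode {op:02X}")
    return out


def emulate_loop(eax, ecx):
    """Run 'add eax, ecx / loop back' to completion with 32-bit wraparound.
    ecx == 0 on entry would iterate 2**32 times on real hardware, so refuse it."""
    if ecx == 0:
        raise ValueError("loop with ecx == 0 never terminates in practice")
    while True:
        eax = (eax + ecx) & 0xFFFFFFFF
        ecx = (ecx - 1) & 0xFFFFFFFF
        if ecx == 0:
            return eax


if __name__ == "__main__":
    for addr, insn in decode(CODE, LOC_444721, 0):   # what IDA showed
        print(f"{addr:08X}  {insn}")
    for addr, insn in decode(CODE, LOC_444721, 1):   # what actually executes
        print(f"{addr:08X}  {insn}")
    # eax is zeroed at 44471A, ecx was loaded with 0FF10h at the entry point
    print(f"eax after the loop: {emulate_loop(0, 0xFF10):08X}")
```

With ecx = 0FF10h the loop leaves 7F10F008h in eax, the value anonymouse reports; the same helper shows how a one-byte offset in the call target turns one instruction into two.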

  memo5     February 23, 2007 18:01.27 CST
Hello Simpleuser
I didn't mean it's a private program or something like that; I'm new in this forum and I don't know if I can upload files to make it public for everyone, that's all.
So thank you for your help.

Second, I know that jumping into the middle of another instruction is a common technique used by many code obfuscators and crypters; this code skeleton is like what you can find in a (PE-Crypt'ed) executable, but I think that it's not the common PE-Crypt, maybe it's some special version, because the Bay-PE Crypt decryptor couldn't identify it as a PE-Crypt.
The reason why I am interested in statically decrypting this program is that it's new to me and no identification tool (like PEiD) can identify it; second, it's not running on a virtual machine; and last, it contains an algo that I need.

  nico     February 25, 2007 11:01.00 CST
How about you upload it to something like rapidshare, and put a link here.. I am sure people would check it out.

  memo5     February 25, 2007 16:15.11 CST
Thank you for your advice nico and here it is

http://rapidshare.com/files/18285149/Boot.zip

I hope that all can check it.

  anonymouse     February 26, 2007 04:55.56 CST
as far as dumping it is concerned there shouldn't be any problems

it looks for an already existing file htpecsomecrap.log
and i didn't check further

here is a dumping log


Log data
Address    Message
           OllyDbg v1.10
           Command line plugin v1.10
             Written by Oleh Yuschuk
           Bookmarks sample plugin v1.06 (plugin demo)
             Copyright (C) 2001, 2002 Oleh Yuschuk
           NtGlobalFlag Plugin v1.10
             Dedicated to oleh yuschuk author of this Debugger
               authored by stingduk
                 and thanks to Detten for cing my asm
           OllyDump v2.21.108  by Gigapede

           File 'C:\Documents and Settings\Speed\Desktop\odbg110\Boot\Boot.exe'
           New process with ID 00000694 created
00444290   Main thread with ID 000000DC created
00400000   Module C:\Documents and Settings\Speed\Desktop\odbg110\Boot\Boot.exe
00401000     Code size in header is 00007000, extending to size of section 'peC'
             CRC changed, discarding .udd data
7C800000   Module C:\WINDOWS\system32\kernel32.dll
7C900000   Module C:\WINDOWS\system32\ntdll.dll
00444290   Program entry point
00448AC0   Hardware breakpoint 3 at Boot.00448AC0
           OllyDump -- Start "JMP [Thunk]"(0x25FF) and "CALL [Thunk]"(0x15FF) search
           OllyDump --  Check Leaked Thunks in Thunk Blocks
           OllyDump -- Separate Mixed Thunks
           OllyDump -- Import Table
00449400   DLL:kernel32.dll  FirstThunkRVA:49400
00449400     DLL Name      Address   Ordinal   API Name
00449400     kernel32.dll  7C810F9F   038C     WriteFile
00449404     kernel32.dll  7C801AD0   0371     VirtualProtect
00449408     kernel32.dll  7C80B357   0174     GetModuleFileNameA
0044940C     kernel32.dll  7C809B77   0032     CloseHandle
00449410     kernel32.dll  7C801A24   0050     CreateFileA
00449414     kernel32.dll  7C8221CF   01C9     GetTempPathA
00449418     kernel32.dll  7C838A53   001D     Beep
0044941C     kernel32.dll  7C80AC28   0198     GetProcAddress
00449420     kernel32.dll  7C801D77   0242     LoadLibraryA
00449424     kernel32.dll  7C80B529   0176     GetModuleHandleA
00449428     kernel32.dll  7C802442   033F     Sleep
0044942C     kernel32.dll  7C860E90   031E     SetProcessAffinityMask
00449430     kernel32.dll  7C825992   0199     GetProcessAffinityMask
00449434     kernel32.dll  7C80E00D   013C     GetCurrentProcess
           OllyDump -- Calculating New File Size...
           OllyDump -- Making New Import Table...
           OllyDump -- Dump and Rebuild Finish!!


here is the check for that log from original


0012FD1C   0012FD44  |FileName = "C:\DOCUME~1\Speed\LOCALS~1\Temp\HtpecExe.log"
0012FD20   80000000  |Access = GENERIC_READ
0012FD24   00000000  |ShareMode = 0
0012FD28   00000000  |pSecurity = NULL
0012FD2C   00000003  |Mode = OPEN_EXISTING
0012FD30   00000000  |Attributes = 0
0012FD34   00000000  \hTemplateFile = NULL

fails

00448F85  |. FF15 34944400  CALL DWORD PTR DS:[449434]               ; [GetCurrentProcess

0012FF48   00448FA0  /CALL to GetProcessAffinityMask from Boot.00448F9E
0012FF4C   FFFFFFFF  |hProcess = FFFFFFFF
0012FF50   0012FF60  |pProcessAffinityMask = 0012FF60
0012FF54   0012FF64  \pSystemAffinityMask = 0012FF64


if there are a few problems making this runnable then they could be solved i think, looking a little bit further down the dumped and non-dumped at the same time concurrently

the unpacking stub sets a few registers it seems and is depending on it (especially esi should be == 0 )

also there is a tls directory though no callbacks seem to be available at first sight; maybe the tls table was embedded because of the compiler, bcb builder (ollydbg has one section too though no callbacks)

  memo5     February 26, 2007 15:01.52 CST
Hello anonymouse
Thank you for your efforts, and I hope you can explain how to do this in OllyDbg. I tried to debug it using Olly but could not reach this point, so could you kindly explain it to me step by step.

  nico     February 26, 2007 16:38.58 CST
Where did you find this file ? :)
I am looking at it, using my own little debugger; there are hundreds of single steps.. running line decryption? I haven't checked coz i couldn't care less, as i just bypass everything.. Then the process died in my debugger, because there is anti-VMware code.

It uses Vmware Backdoor detection code, as well as SIDT base address checks.
Im going to watch a movie, then i will check it out further :)
Seems to have a lot of anti debugging tricks, none of them can detect me though ;-)

  memo5     February 27, 2007 05:08.29 CST
So nico, it's like I said: it contains many painful tricks.

I have found that this file spawns two DLLs that it calls and
talks to a system driver. I don't really understand all the things, but maybe these DLLs check the integrity of the protection schema. I have extracted the DLL files from the exe and zipped them with the driver and uploaded it if anyone is interested, and here is the link

http://rapidshare.com/files/18515171/Boot_Files.zip

  anonymouse     February 27, 2007 05:33.07 CST
if you want a short answer and have a real spare machine with a clean install that is reimageable with Ghost, with no network connection etc etc (minimal risk machine)
load this file in ollydbg
alt+f1
he 00448AC0
f9

but i have to ask you like nico asks where did you find this file ?
is it a part of large package?

it has lots of crc32 algorithms doing self checking
got lots of on-the-fly decryption of the code section

it doesn't look like a packer merged those sections
it looks like a homebrewed and compiled exe
with /merge linker switch
the resources are in Japanese language

it exports lots of functions so it expects some one else to call it


Names in Boot
Address    Section    Type    (  Name                                             Comment
0040BF70   peC        Export     _BootMainForm
00408098   peC        Export     ___CPPdebugHook
00407584   peC        Export     Dsptools::Finalize
0040756C   peC        Export     Dsptools::Initialize
004012D1   peC        Export     __GetExceptDLLinfo
0044423D   peC        Import  (  KeRnEl32.GetModuleHandleA
00444239   peC        Import  (  KeRnEl32.GetProcAddress
00444241   peC        Import  (  KeRnEl32.GetVersionExA
00444235   peC        Import  (  KeRnEl32.LoadLibraryA
00444290   peC        Export     <ModuleEntryPoint>
00404C88   peC        Export     Tamboot::Finalize
00404C78   peC        Export     Tamboot::Initialize
00402A44   peC        Export     Tamboot::Register
00402930   peC        Export     Tambootmain::Finalize
00402920   peC        Export     Tambootmain::Initialize
00404BC0   peC        Export     TTamBoot
00408E6C   peC        Export     TTamBoot::
00404960   peC        Export     TTamBoot::AllBootModeRead
00404AAC   peC        Export     TTamBoot::AllBootModeSet
00403518   peC        Export     TTamBoot::BootDataSet
0040492C   peC        Export     TTamBoot::BootPercentDraw
00404908   peC        Export     TTamBoot::CurrentCountSet
00404888   peC        Export     TTamBoot::DspFileSet
00402FD0   peC        Export     TTamBoot::ExtractS2Data1
00404808   peC        Export     TTamBoot::FpgaFileSet
00402FAC   peC        Export     TTamBoot::header_infonum_get
00403028   peC        Export     TTamBoot::TamBootStart1
00403BA0   peC        Export     TTamBoot::TamCommonBoot
00402F20   peC        Export     TTamBoot::TamDevBootEnd
00402E00   peC        Export     TTamBoot::TamDevOeSet
0040413C   peC        Export     TTamBoot::TamDspBoot
004043B4   peC        Export     TTamBoot::TamDspCommonBoot
00404710   peC        Export     TTamBoot::TamDspReadWait
00404078   peC        Export     TTamBoot::TamFpgaCheck
00403F70   peC        Export     TTamBoot::TamPowerOnCheck
00403628   peC        Export     TTamBoot::TamRedSet
00403554   peC        Export     TTamBoot::TamSramRw
00402AA8   peC        Export     TTamBoot::TamVgBoot
004036C0   peC        Export     TTamBoot::TamVgBootMain
004040A8   peC        Export     TTamBoot::TLB_RegRead
00402940   peC        Export     TTamBoot::TTamBoot
004029C4   peC        Export     TTamBoot::~TTamBoot
004075AC   peC        Export     Winclasslib::Finalize
0040759C   peC        Export     Winclasslib::Initialize


google doesnt yield any information on these classes

looking for dsptools i get a few hits that are related to digital signal processing

looking for bootpro.exe or winclasslib i get a few vague results

also there are a few checks for the ds segment

and do not F8 anywhere, use F7
coz
it does this
call foo

foo()
inc byte ptr ds:[esp]
retn
so if you F8 the debugger will set a tmp bp on the next byte
which will never get executed

  memo5     February 27, 2007 07:34.18 CST
Yes, it's part of a large JPNs package but I can't name it for some reasons. About the export table, it's not an issue because it's common in exes produced by BCC for nothing.
And yes, you will not find any related thing on the internet; I already made an extensive search.
This topic at this forum is the only place where you can find info about this.
If you want we can put some plan together to work on it in parallel.
As start I can reverse the driver and the dlls that this exe use.
So

  frankboldewin     February 27, 2007 09:43.42 CST
hm, it seems that it is FPGA (Field Programmable Gate Array) software from http://www.dsptools.com

  nico     February 27, 2007 10:06.19 CST
I didn't have much time to work on it, as i don't plan to run it in a non VM machine.. and i don't have any spare box right now. (Gave it to my kid ;)

I was impressed by the number of single steps it makes.
495 single steps, then one access violation, then int 3, and it starts the Virtual Machine checks :) (SIDT, VMware backdoor, and Virtual PC invalid opcodes)

The whole package would make it easier to test.. i'd rather make sure the exe can run in my VM, so i can unpack it.

  memo5     February 27, 2007 12:44.46 CST
The whole package contains many programs and this is one of them; it's the smallest and can run alone with cc3260mt.dll and borlndmm.dll, so I chose this file as a good example of the new cryptor.

  nico     February 27, 2007 14:22.45 CST
does the executable show anything on the computer when it works ? Because, im trying to make it run inside my VM, where i was able to change things at runtime, using my own debugger, but i don't see anything displayed.. Therefore, i am not sure if it really works or not.. i didn't see any created file either..

  memo5     February 27, 2007 15:17.44 CST
The program has no user interface but it will run like old TSR dos program.

  memo5     February 27, 2007 15:26.37 CST
I have to tell you that you have to register the service on your system to make it run on a non-virtual machine.
And it's safe, I am running/debugging it on my original machine with no harm.

  nico     February 27, 2007 16:33.12 CST
What service ?

So it basically, just wait in memory? so it must be working in my VM.

I am debugging it on a virtual machine, i got past all the anti vms (you can't just patch some stuff, some tests are just "fake".. you are redirected somewhere else from the seh).

I am currently looking at the little piece of code, that does the dll creation/loading.

Don't take it personally, but i don't know you, so i won't run this file on my host machine, until i know for sure, what it does ;-)

  nico     February 27, 2007 17:17.42 CST
I have extracted 7 dlls (might have the driver in those files).
With my own debugger, i scripted bypassing of every anti reversing tricks, then i added a jmp eip in the code, attached olly, traced a bit, found a memory block full of MZ headers ;-)

Dumped it to disk, loaded the bin file in IDA, and used a little IDC script to dump all dlls, with clean import table and export table :)

I start to wonder if the executable isn't made with some encrypted PEbundler, using "virtual dlls".

Not sure what else is missing.. The exe itself, isn't fully decrypted, but it seems that it doesn't decrypt it..

I have seen a dll with exports such as AESblabla :)
Is that file waiting for a dongle or special license to decrypt the code section ?

Does License.DLL rings a bell?

I feel like you don't tell everything..

  nico     February 27, 2007 17:28.43 CST
Btw, the dummy dll that gets created (1.5kb one), does nothing.
But in memory, that dll is patched.. you get a "call" that links inside the exe..

  memo5     February 28, 2007 06:40.53 CST
Hello nico
First I want to ask you if you downloaded the file Boot_Files.zip. I already uploaded this file and it contains the DLLs that I could extract from the memory dump, and the driver from the driver directory.
You mentioned that you have extracted 7 DLLs, so can you upload them or tell me how I can find them please.
The HtdpDumy.dll is a dummy DLL created in the temp directory; as you said, maybe it's patched.
I found a string reference to lsass.exe, csrss.exe in the memory. I don't know what that means, maybe it injects some DLL into the space of these system procs.
Last thing, I have exported an IDA database IDC file for the driver.
I hope it will help.
About the Licence.dll, using a patched Filemon utility I found that the app tries to find this DLL but it exists nowhere and the program runs with no problems.
Using the Devfilter utility I have monitored the IOCTLs between the driver and the app and found that not only the program sends commands to this driver but system procs too.
That's all and I don't hide anything.

  memo5     February 28, 2007 06:42.10 CST
Sorry The link to the IDC file is:

http://rapidshare.com/files/18693594/HtsysmNT.zip

  nico     February 28, 2007 09:21.35 CST
I didn't grab your zip , i missed it.
One of the dlls i got from my extracting; i didn't have the driver, but i have 6 other dlls.
To find them, i first bypassed the detection tricks, then faked the Anti VM detections (and you have to be careful, you can't just patch conditional jumps when a real exception must occur; it silently logs it, and kicks ur ass later on).

Then, with my own debugger, i did put a breakpoint on some functions and let it run.. attached with olly, debugged it and found memory with MZ header.. i dumped the whole block, and found out there were many more dlls.

I wrote an IDC script to just dump PE objects from any file, reading the pe headers to find size etc..

Btw, i found a reference on a chinese unpacking site, to the string we find in the driver. if anyone can understand chinese:

http://216.239.59.104/search?q=cache:YHPeqsMIcPAJ:bbs.unpack.cn/archiver/%3Ftid-4722.html+HtsysmNTSys&hl=fr&ct=clnk&cd=1&gl=fr

Apparently, the driver is part of the protection system, according to the path in it.. LibPEC32.

You mentioned a service, what about it?

I wish i had a better executable to play with..
Do you happen to have one that display something on the machine when run ? I need to be sure it works as expected before i can really work on it.. it never dropped the driver on my VM.. and i am not going to run it, on my box :)

Edit:
http://rapidshare.com/files/18714640/extracted_dlls.zip.html

They don't have real names, since i just extracted them from a memory dump

Should you need more info, just mail me:
nicolas(dot)brulez(at)reverse-engineer(dot)org
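Nico describes, in this post and the one above, dumping the memory block full of MZ headers and carving every PE out of it by reading the headers for the size. Below is an added Python equivalent of that idea, written for this page and not nico's IDC script: it walks a blob for "MZ", validates e_lfanew and the "PE\0\0" signature, takes the image end from the section table, and skips stray "MZ" pairs. The sample blob is constructed inline from two synthetic images so it runs offline.

```python
import struct


def carve_pe(blob):
    """Return [(offset, size)] for each PE image found in blob (file layout).
    A dump of images mapped by the loader would need SizeOfImage instead."""
    found = []
    pos = blob.find(b"MZ")
    while pos != -1:
        size = _pe_size(blob, pos)
        if size:
            found.append((pos, size))
            pos = blob.find(b"MZ", pos + size)   # do not re-scan inside the image
        else:
            pos = blob.find(b"MZ", pos + 1)      # stray "MZ", keep looking
    return found


def _pe_size(blob, mz):
    """Size of the PE starting at blob[mz:], or 0 if the headers do not check out."""
    if mz + 0x40 > len(blob):
        return 0
    e_lfanew = struct.unpack_from("<I", blob, mz + 0x3C)[0]
    pe = mz + e_lfanew
    # 0x40..0x400 is a sanity bound on e_lfanew, not a format rule
    if not 0x40 <= e_lfanew <= 0x400 or pe + 24 > len(blob) or blob[pe:pe + 4] != b"PE\0\0":
        return 0
    nsect = struct.unpack_from("<H", blob, pe + 6)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", blob, pe + 20)[0]    # SizeOfOptionalHeader
    sect = pe + 24 + opt_size                                # first section header
    end = e_lfanew + 24 + opt_size + 40 * nsect              # headers only, relative to mz
    for i in range(nsect):
        off = sect + 40 * i
        if off + 40 > len(blob):
            return 0
        raw_size, raw_ptr = struct.unpack_from("<II", blob, off + 16)  # SizeOfRawData, PointerToRawData
        end = max(end, raw_ptr + raw_size)
    return end if mz + end <= len(blob) else 0


def build_fake_pe(section_sizes, fill):
    """Constructed test image: DOS header, PE32-sized headers, section table, section data."""
    opt = b"\0" * 0xE0
    hdr_len = 0x40 + 4 + 20 + len(opt) + 40 * len(section_sizes)
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_sizes), 0, 0, 0, len(opt), 0x2102)
    sections, data, ptr = b"", b"", hdr_len
    for i, sz in enumerate(section_sizes):
        name = f".s{i}".encode().ljust(8, b"\0")
        sections += name + struct.pack("<IIII", sz, ptr, sz, ptr) + b"\0" * 16
        data += fill * sz
        ptr += sz
    return dos + b"PE\0\0" + coff + opt + sections + data


# Constructed blob: junk with decoy "MZ" pairs, two images, and a truncated "MZ" tail.
SAMPLE_BLOB = (b"xxMZxx" * 10 + build_fake_pe([0x80, 0x40], b"\xCC")
               + b"\xAA" * 33 + build_fake_pe([0x100], b"\x90") + b"MZ\0\0tail")

if __name__ == "__main__":
    for off, size in carve_pe(SAMPLE_BLOB):
        print(f"PE at 0x{off:X}, {size} bytes")
```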

  memo5     February 28, 2007 13:55.21 CST
Thank you

  memo5     February 28, 2007 14:26.30 CST
By the way, the article at this Chinese site is
"Discovere a super new shell is born (belt to actuate) the partial analyzes"

  nico     February 28, 2007 15:34.04 CST
I wonder what protection system this is.

  memo5     March 5, 2007 12:25.11 CST
Hello All

OpenRCE is the best place to discuss such issues, so everyone is invited to help with this strong protection system.

  nico     March 5, 2007 20:36.03 CST
I will get back to it someday.. i am busy coding my debugger.
Provide me an executable that display something, so i can be sure that it works in my machine, and i will unpack it.
