📚 OpenRCE is preserved as a read-only archive. Launched at RECon Montreal in 2005. Registration and posting are disabled.

Howto dump the contents of an encrypted executable (Debuggers forum)

Topic created on: August 12, 2005 11:58 CDT by dwarkeeper.

Hi,

I am working with an encrypted executable. I am trying to dump the unencrypted version of the executable onto disk. It is a proprietary executable, and I would either like to dump the unencrypted executable onto disk or write a small routine to decrypt the executable.

The executable has two additional headers where it looks to be loading the executable from.

I know it is a loaded question, so if you can give any pointers to articles or suggestions on how to do so it would help me tremendously.

I don't know if it helps, but OllyDbg is my preferred tool of choice; I can attempt to work with IDA Pro too.

thanks

  OpsMan     August 12, 2005 12:13.31 CDT
I first always look at the sections of the file image (.exe). Look for non-standard section names. You can then try to match any section names with section names used for known packers/crypters.
If you want to dump the file after the unpacking/decrypting routine you must find the OEP (Original Entry Point) of the executable. Then you can proceed to dump the sections unpacked. Usually this process also involves adjusting values in the PE header to realign section sizes, adjust the entry point, etc. You may just RE the unpacking/decrypting routine; depending on the method used this could be simple or very complex.
More information can be found on the net of course and a simple search for "software+unpacking" or other variations should result in plenty of hits.

  anonymouse     August 12, 2005 12:39.15 CDT
well there are a lot of dumper plugins available for OllyDbg,
the notable among them being OllyDump by gigapede;
then there is a PE dumper by fkma;
also the IsDebugPresent plugin has a small dumper routine
inside it.

apart from all these dumpers, OllyDbg's native
View memory --> Dump in CPU --> Create backup and/or Save data to file (creates a section name$###.mem file)
once you've created a backup the context menu gains options that allow you to load it back replacing existing memory,
delete backups, update backups, etc.

should suffice to dump any portion, either original
or VirtualAlloc()ed, before decrypting or after decrypting,
malloc()ed, GlobalAlloc()ed,
rep stos, rep movs.


  Darawk     August 12, 2005 12:48.54 CDT
Also you'll want to get this program http://peid.has.it  PEiD is capable of detecting most common packers/cryptors automatically.  It will also analyze the entropy of the file to determine if it's been packed/compressed even if it can't identify the specific packer.  It also comes with an incredibly useful plugin called KANAL(Krypto Analyze) which will search the executable for signatures of common cryptographic algorithms.  This often makes analysis of the packing routines much simpler.
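The two things the replies above ask you to look at first, section names and entropy, and the header edits OpsMan describes for a dump taken from memory, can be done without PEiD or a plugin. The following is an added example, not code from this thread or from any of the tools mentioned; it assumes a standard PE32/PE32+ layout and a dump whose sections were written out at their virtual addresses. The sample image it parses is constructed inline and is not a runnable program.

```python
"""Section triage for a packed PE plus the header rewrite a memory dump needs.

Added example: not from the thread or from OllyDbg/PEiD. Assumes a classic
PE32/PE32+ layout and, for fix_dump_header(), a dump laid out at virtual addresses.
"""
import math
import struct

# Section names a normal compiler/linker emits; anything else deserves a look.
STANDARD_SECTIONS = {".text", ".data", ".rdata", ".idata", ".edata", ".rsrc",
                     ".reloc", ".bss", ".tls", ".pdata", ".CRT", "CODE", "DATA", "BSS"}
ENTROPY_THRESHOLD = 7.0   # bits per byte; compressed or encrypted data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def section_table_offset(image: bytes):
    """Return (e_lfanew, number of sections, file offset of the first section header)."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    num_sections = struct.unpack_from("<H", image, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", image, e_lfanew + 20)[0]
    return e_lfanew, num_sections, e_lfanew + 24 + opt_size


def entry_point_rva(image: bytes) -> int:
    """AddressOfEntryPoint sits at offset 16 of the optional header in PE32 and PE32+."""
    e_lfanew = section_table_offset(image)[0]
    return struct.unpack_from("<I", image, e_lfanew + 24 + 16)[0]


def triage_sections(image: bytes):
    """Parse each 40-byte section header and flag the packer signs the replies mention."""
    _, count, table = section_table_offset(image)
    rows = []
    for i in range(count):
        off = table + i * 40
        raw_name, vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", image, off)
        name = raw_name.rstrip(b"\0").decode("ascii", "replace")
        entropy = shannon_entropy(image[rptr:rptr + rsize])
        flags = []
        if name not in STANDARD_SECTIONS:
            flags.append("non-standard name")
        if entropy > ENTROPY_THRESHOLD:
            flags.append("high entropy")
        if rsize == 0 and vsize > 0:
            flags.append("empty on disk, filled at runtime")
        rows.append({"name": name, "va": va, "vsize": vsize, "rptr": rptr,
                     "rsize": rsize, "entropy": round(entropy, 2), "flags": flags})
    return rows


def fix_dump_header(dump: bytes, oep_rva: int) -> bytes:
    """For a dump taken from memory: make each section's file offset/size equal its
    virtual address/size and point the entry point at the recovered OEP."""
    out = bytearray(dump)
    e_lfanew, count, table = section_table_offset(dump)
    struct.pack_into("<I", out, e_lfanew + 24 + 16, oep_rva)       # AddressOfEntryPoint
    for i in range(count):
        off = table + i * 40
        vsize, va = struct.unpack_from("<II", out, off + 8)         # VirtualSize, VirtualAddress
        struct.pack_into("<II", out, off + 16, vsize, va)           # SizeOfRawData, PointerToRawData
    return bytes(out)


def build_sample_pe() -> bytes:
    """Constructed, non-executable PE32 image: an empty .text (the unpack target)
    plus a high-entropy stub section with a made-up packer-style name."""
    img = bytearray(0x600)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                         # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PtrToSymTab, NumSyms,
    # SizeOfOptionalHeader, Characteristics
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    struct.pack_into("<H", img, 0x58, 0x10B)                        # optional header magic (PE32)
    struct.pack_into("<I", img, 0x58 + 16, 0x3000)                  # entry point inside the stub
    table = 0x40 + 24 + 0xE0
    struct.pack_into("<8sIIII", img, table, b".text", 0x1000, 0x1000, 0, 0)
    struct.pack_into("<8sIIII", img, table + 40, b"xyz0", 0x200, 0x3000, 0x200, 0x400)
    img[0x400:0x600] = bytes(range(256)) * 2                        # every byte value equally often
    return bytes(img)


if __name__ == "__main__":
    sample = build_sample_pe()
    for row in triage_sections(sample):
        print(row)
    fixed = fix_dump_header(sample, oep_rva=0x1000)
    print(hex(entry_point_rva(fixed)),
          [(r["name"], hex(r["rptr"]), hex(r["rsize"])) for r in triage_sections(fixed)])
```

On the constructed sample, `.text` is flagged as empty on disk (a packer's unpack target) and `xyz0` as both non-standard and high entropy; `fix_dump_header` then rewrites the header so a loader reads the dumped sections from the offsets they occupied in memory. Imports still need rebuilding afterwards, which is the step the later replies hand to a separate tool.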

  ryanlrussell     August 12, 2005 14:36.48 CDT
By "encrypted", you mean it has had some sort of protector run on it?  I.e. you can run the binary, and it knows how to unpack itself.  It's not like it needs a password to run, or some external program to decrypt it, right?

If it's the former, then there are lots of good techniques for bypassing packers/protectors.  The basic idea is you let the unpack routines run all the way, and then stop it just as the original code is ready to run.  You probably then want to use a tool like Imprec to grab a copy of the in-memory unpacked version, and fix up the imports.

Nico taught me how to do this recently, though it was in a class setting.

You mention it's "proprietary", so I assume that means you can't share a copy for me to look at.  The usual problem is that many of the protectors have antidebugging tricks, and you have to work around those.  Check out the HDSpoof article here for a great example.

  MohammadHosein     August 21, 2005 07:09.52 CDT
and for the articles you wanted: there are two great books you can buy, and lots of useful tricks are in there. The first one is "Reversing: Secrets of Reverse Engineering" and the second is "Hacker debugger revealed" - Kris Kaspersky
