Topic created on: March 23, 2008 19:14 CDT by morphique
Hi,
I am looking at this binary which unpack itself using this bit of code:
00A25BCE > 8A07 MOV AL,BYTE PTR DS:[EDI] - 401561
00A25BD0 . 47 INC EDI
00A25BD1 . 2C E8 SUB AL,0E8
00A25BD3 > 3C 01 CMP AL,1
00A25BD5 .^77 F7 JA SHORT sm.00A25BCE
00A25BD7 . 803F 86 CMP BYTE PTR DS:[EDI],86
00A25BDA .^75 F2 JNZ SHORT sm.00A25BCE
00A25BDC . 8B07 MOV EAX,DWORD PTR DS:[EDI]
00A25BDE . 8A5F 04 MOV BL,BYTE PTR DS:[EDI+4]
00A25BE1 . 66:C1E8 08 SHR AX,8
00A25BE5 . C1C0 10 ROL EAX,10
00A25BE8 . 86C4 XCHG AH,AL
00A25BEA . 29F8 SUB EAX,EDI
00A25BEC . 80EB E8 SUB BL,0E8
00A25BEF . 01F0 ADD EAX,ESI
00A25BF1 . 8907 MOV DWORD PTR DS:[EDI],EAX
00A25BF3 . 83C7 05 ADD EDI,5
00A25BF6 . 89D8 MOV EAX,EBX
00A25BF8 .^E2 D9 LOOPD SHORT sm.00A25BD3
Is there a quick way of figuring out its new imports and code section in memory?
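An added example, not from the thread and not UPX's own source: a Python re-implementation of the loop quoted above, which walks the decompressed bytes looking for E8/E9 opcodes followed by the 0x86 check byte and turns the stored big-endian operand back into a little-endian rel32. The memory model is an assumption: `buf` is the decompressed section, `base` is the address held in ESI (EDI starts there), `count` is the value in ECX on entry, and the bounds checks are additions the stub itself does not have.

```python
import struct

MARKER = 0x86  # the check byte tested by CMP BYTE PTR DS:[EDI],86


def unfilter_e8e9(buf: bytes, base: int, count: int) -> bytes:
    """Rewrite `count` tokenised CALL/JMP operands back into rel32 form.

    Follows the disassembly step for step: AL holds the opcode byte minus
    0xE8, EDI walks the buffer, ECX counts the operands still to fix.
    """
    out = bytearray(buf)
    end = base + len(out)
    edi = base
    ecx = count
    while ecx > 0:
        # MOV AL,[EDI] / INC EDI / SUB AL,0E8 / CMP AL,1 / JA: scan until an
        # E8 (CALL rel32) or E9 (JMP rel32) opcode is found ...
        while True:
            if edi >= end:  # added guard, not present in the stub
                raise ValueError("ran off the buffer while scanning")
            al = (out[edi - base] - 0xE8) & 0xFF
            edi += 1
            # ... whose operand starts with the marker (CMP [EDI],86 / JNZ)
            if al <= 1 and edi < end and out[edi - base] == MARKER:
                break
        pos = edi - base
        if pos + 4 >= len(out):  # added guard, not present in the stub
            raise ValueError("truncated operand at offset %d" % pos)
        # MOV EAX,[EDI] / SHR AX,8 / ROL EAX,10 / XCHG AH,AL: the three bytes
        # after the marker form a big-endian 24-bit value.
        b1, b2, b3 = out[pos + 1], out[pos + 2], out[pos + 3]
        eax = (b1 << 16) | (b2 << 8) | b3
        # SUB EAX,EDI / ADD EAX,ESI: make it relative to the operand's offset
        eax = (eax - edi + base) & 0xFFFFFFFF
        # MOV [EDI],EAX: overwrite marker + 3 bytes with the rel32
        out[pos:pos + 4] = struct.pack("<I", eax)
        # ADD EDI,5 / MOV EAX,EBX / LOOPD: the byte after the operand was
        # preloaded into BL and is the next candidate opcode, so resume there.
        edi += 4
        ecx -= 1
    return bytes(out)


def rel32_target(code: bytes, base: int, off: int) -> int:
    """Address a CALL/JMP rel32 at `off` lands on, once unfiltered."""
    rel = struct.unpack("<i", code[off + 1:off + 5])[0]
    return base + off + 5 + rel


# Constructed sample: NOP, filtered CALL, NOP, filtered JMP, backward CALL.
SAMPLE = bytes([0x90, 0xE8, 0x86, 0x00, 0x00, 0x14, 0x90,
                0xE9, 0x86, 0x00, 0x00, 0x30,
                0xE8, 0x86, 0x00, 0x00, 0x00, 0x90, 0x90])
```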
Hi,
The code snippet you provide is for post-decompression filtering (replacing tokenised calls with their correct relative offsets) and is not responsible for import reconstruction.
The import reconstruction code usually follows the filter; however, attempting to emulate it won't rebuild your imports unless your emulator is clever enough.
-nevar
"however attempting to emulate it wont rebuild your imports unless your emulator is clever enough"
Nevar what are you talking about hehe..??
> Is there a quick way of figuring out its new imports and code section in memory?
The code you cite is from UPX. After it falls out of this loop it rebuilds the import table. ida-x86emu easily handles UPX. Launch the emulator with the cursor on _start and it will label the import table for you if you designate the instruction that reads:
mov [ebx], eax
as an "import address save point" (Emulate>Windows>Set import addr save point).
The instruction above should appear about 24 lines after the end of the loop you posted.
Chris
yeah, it's UPX indeed, classic :-)
A disassembler isn't the best tool to find out what it is; better to use a debugger, which shows real addresses and resolves names, making it very easy to understand what it is. See:
00438776 89D8 MOV EAX,EBX
00438778 ^E2 D9 LOOPD SHORT upx.00438753
0043877A 8DBE 00600300 LEA EDI,DWORD PTR DS:[ESI+36000]
00438780 8B07 MOV EAX,DWORD PTR DS:[EDI]
00438782 09C0 OR EAX,EAX
00438784 74 3C JE SHORT upx.004387C2
00438786 8B5F 04 MOV EBX,DWORD PTR DS:[EDI+4]
00438789 8D8430 44830300 LEA EAX,DWORD PTR DS:[EAX+ESI+38344]
00438790 01F3 ADD EBX,ESI
00438792 50 PUSH EAX
00438793 83C7 08 ADD EDI,8
00438796 FF96 80830300 CALL DWORD PTR DS:[ESI+38380] ; KERNEL32.LoadLibraryA
004387A2 ^74 DC JE SHORT upx.00438780
004387A4 89F9 MOV ECX,EDI
004387A6 57 PUSH EDI
004387A7 48 DEC EAX
004387A8 F2:AE REPNE SCAS BYTE PTR ES:[EDI]
004387AA 55 PUSH EBP
004387AB FF96 84830300 CALL DWORD PTR DS:[ESI+38384] ; KERNEL32.GetProcAddress
004387B1 09C0 OR EAX,EAX
004387B3 74 07 JE SHORT upx.004387BC
004387B5 8903 MOV DWORD PTR DS:[EBX],EAX ; KERNEL32.GetStdHandle
The sequence LoadLibraryA/GetProcAddress is the clue you need, and KERNEL32.GetStdHandle shows names; if it isn't an import table, what else might it be?
If you analyze malware code, use virtual machines like VMware. IDA emulators are my last resort.
Yeah, anything that fully emulates can easily be retooled to reverse engineer practically anything just by asking it to dump the instruction if it's anywhere the EIP hasn't already been.