
Thread: Unpacked app deletes itself

  1. #16
    Any suggestions what the problem could be? The image base is the usual 400000h, VA = 401000h.

    Example

    IDA Free disassembly:
    .data:004F204E E8+ call @Sysutils@DateTimeToStr$qqrx16System@TDateTime

    OllyDbg after apply exported .map file:

    004F204E E8 99ABF1FF CALL myapp.0040CBEC

    Maybe something to do with code being in the .data section rather than .code/.text section? How do I correct this if that is the case?
    Last edited by 5aLIVE; October 1st, 2007 at 02:36. Reason: typo of base addr

  2. #17
    Quote Originally Posted by 5aLIVE View Post
    The image base is the usual 40000h
    That's rather low. The usual is ten times that.

  3. #18
    Quote Originally Posted by LLXX View Post
    That's rather low. The usual is ten times that.
    That was a typo, it should of course read 400000h.

  4. #19
    I wouldn't know, since I've seen 40000 and even 10000 before (some weird packers do it).

  5. #20
    Quote Originally Posted by 5aLIVE View Post
    From the IDA map file:
    Start Length Name Class
    0001:00000000 0000F1000H .main BSS
    0002:00000000 0000D7000H .data DATA

    Below is the same using Olly memory view.
    Memory map
    Address Size Owner Section Contains Type Access Initial Mapped as
    00400000 00001000 myapp PE header Imag R RWE
    00401000 000F1000 myapp .main Imag R RWE
    004F2000 000D7000 myapp .data code Imag R RWE
    005C9000 00004000 myapp .rdata data,resourc Imag R RWE
    005CD000 00004000 myapp .mackt imports Imag R RWE
    Hold on a minute! Is it because the data section of the unpacked app contains code? When loading the app Olly also warns that the code section is either compressed/encrypted/or contains a large amount of embedded data. It warns that the results of code analysis could be unreliable or wrong. I select No as I don't want to continue analysis.

    I also get a suspicious breakpoint warning about placing breakpoints on data, which further confirms that code is in the data section.

    Can someone please tell me what I need to do to fix this? I've skimmed through the PE format documentation but still seek enlightenment.
    Last edited by 5aLIVE; October 1st, 2007 at 09:21.

  6. #21
    There is no real "data section" to speak of from the PE loader's point of view, they are all just sections of data loaded into memory.

    Ignore the warnings, OllyDbg can seem to have a mind of its own sometimes.

  7. #22
    Super Moderator
    Join Date
    Dec 2004
    Posts
    1,508
    Blog Entries
    15
    If you have executable code in the .data section, simply edit the section characteristics in the PE header to make it executable:
    Alt+M
    select 00400000 00001000 myapp PE header Imag R RWE
    right click -> dump -> right click -> special -> pe header -> scroll down to section headers -> find section flags -> right click -> modify integer -> change (6000000 #### to c000000###) (read about the flag descriptions: what means readable, what means writable, etc.)

    Now in debugging options (Ctrl+O) you can ask OllyDbg to extend the code section to the extractor in the SFX options, which will stop the "you are setting a BP in data section" msg box.

    OllyDbg has a very good mind of its own and it almost always warns you rightly about what you are performing wrong, and has solutions for the warnings embedded inside it (you have to apply your mind and use them justly). These are not like XL T-shirt sizes, one-size-fits-all solutions.

  8. #23
    Hi Blabberer, thanks for taking the trouble to reply, I was beginning to think I would have to abandon this exercise. I'll be sure to read up on the section flags and try as you suggest. You should publish a book or FAQ on all things related to OllyDbg. You know your stuff (like I need to tell you that).

    In your opinion, do you think that applying labels and comments with MapConv to the unpacked file with a now executable data section will be resolved by doing this? Of course I intend to produce another MAP file to capture the changes to the data section beforehand. Although I am unsure how this will influence the disassembly. There's only one way to find out.

    Perhaps there is something else I need to consider? The original Delphi 6/7 file was packed with a custom/scrambled version of UPX which I unpacked manually. The imports had to be resolved with ImpREC to get it to run, delete itself/shutdown. Not sure if this is relevant in the grand scheme of things but I thought I'd mention it just in case.

    Thanks,
    5aLIVE

  9. #24
    Blabberer, the section flags of the .data section are originally set to E0000040h, which corresponds to mem read/write/execute already being set.
    I also set SFX options to extend code to include extractor. Do I select the "Stop at entry of extractor" button? What about "use real entry from previous run" and "pass exceptions to SFX extractor"? Are either of these checked? Either way, I still get the BP on data message box.

    Update:
    I've had another look at this and used good old notepad as my reference. Here's what I found:

    Original notepad.exe:
    0100010C 00100000 DD 00001000 ; BaseOfCode = 1000
    01000110 00900000 DD 00009000 ; BaseOfData = 9000

    UPX'd notepad.exe:
    0100010C 00000100 DD 00010000 ; BaseOfCode = 10000
    01000110 00600100 DD 00016000 ; BaseOfData = 16000

    Manually Unpacked notepad.exe:
    0100010C 00000100 DD 00010000 ; BaseOfCode = 10000 <--not recovered
    01000110 00600100 DD 00016000 ; BaseOfData = 16000 <--not recovered

    upx-d unpacked notepad.exe:
    0100010C 00100000 DD 00001000 ; BaseOfCode = 1000 <--recovered
    01000110 00900000 DD 00009000 ; BaseOfData = 9000 <-- recovered

    So the unpacked file retains the base addresses of the code and data sections of the packed file. If I restore the code and data section base addresses to those of the virgin exe I should be able to produce a disassembly that can be correctly mapped with labels and comments, as well as removing the warning that I am placing breakpoints on the data section too. Right?

    My question, then, is how do I recover the base addresses of a packed file to their "virgin" values? What do I look for?
    Remember that the file I am working with cannot be unpacked with upx -d. I tried renaming the section names to UPX0 and UPX1 and tried upx -d again; however, I still see the "file is modified/hacked/protected" error message.

    I also tried the generic UPX unpacker PE Explorer plugin without success.

    5aLIVE
    Last edited by 5aLIVE; October 3rd, 2007 at 05:57.

  10. #25
    An automated response: see if you can find your answers in this; if not, ask.

    Code:
    D:\upxalive>dir /b
    upx301w.rar
    odbg110.rar
    g_ollydump300110.rar
    
    D:\upxalive>unrar x *.*
    
    UNRAR 3.51 freeware      Copyright (c) 1993-2005 Alexander Roshal
    
    
    Extracting from upx301w.rar
    
    Creating    upx301w                                                   OK
    Creating    upx301w\upx301w                                           OK
    Extracting  upx301w\upx301w\BUGS                                      OK
    Extracting  upx301w\upx301w\COPYING                                   OK
    Extracting  upx301w\upx301w\LICENSE                                   OK
    Extracting  upx301w\upx301w\NEWS                                      OK
    Extracting  upx301w\upx301w\README                                    OK
    Extracting  upx301w\upx301w\README.1ST                                OK
    Extracting  upx301w\upx301w\THANKS                                    OK
    Extracting  upx301w\upx301w\TODO                                      OK
    Extracting  upx301w\upx301w\upx.1                                     OK
    Extracting  upx301w\upx301w\upx.doc                                   OK
    Extracting  upx301w\upx301w\upx.exe                                   OK
    Extracting  upx301w\upx301w\upx.html                                  OK
    
    Extracting from odbg110.rar
    
    Creating    odbg110                                                   OK
    Extracting  odbg110\readme.txt                                        OK
    Extracting  odbg110\Cmdline.dll                                       OK
    Extracting  odbg110\DBGHELP.DLL                                       OK
    Extracting  odbg110\OLLYDBG.EXE                                       OK
    Extracting  odbg110\OLLYDBG.HLP                                       OK
    Extracting  odbg110\PSAPI.DLL                                         OK
    Extracting  odbg110\BOOKMARK.DLL                                      OK
    Extracting  odbg110\register.txt                                      OK
    Extracting  odbg110\license.txt                                       OK
    
    Extracting from g_ollydump300110.rar
    
    Creating    g_ollydump300110                                          OK
    Extracting  g_ollydump300110\ollydump300110_src.zip                   OK
    Extracting  g_ollydump300110\OllyDump.dll                             OK
    All OK
    
    D:\upxalive>
    
    
    D:\upxalive>dir /b
    upx301w.rar
    odbg110.rar
    g_ollydump300110.rar
    upx301w
    odbg110
    g_ollydump300110
    
    D:\upxalive>
    
    
    D:\upxalive>copy c:\WINDOWS\NOTEPAD.EXE .
            1 file(s) copied.
    
    D:\upxalive>
    
    D:\upxalive\upx301w\upx301w>upx -o upxnotepad.exe D:\upxalive\NOTEPAD.EXE
                           Ultimate Packer for eXecutables
      Copyright (C) 1996,1997,1998,1999,2000,2001,2002,2003,2004,2005,2006,2007
    UPX 3.01w       Markus Oberhumer, Laszlo Molnar & John Reiser   Jul 31st 2007
    
            File size         Ratio      Format      Name
       --------------------   ------   -----------   -----------
         69120 ->     48128   69.63%    win32/pe     upxnotepad.exe
    
    Packed 1 file.
    
    D:\upxalive\upx301w\upx301w>
    
    D:\upxalive\upx301w\upx301w>copy upxnotepad.exe D:\upxalive
            1 file(s) copied.
    
    D:\upxalive\upx301w\upx301w>cd ..
    
    D:\upxalive\upx301w>cd ..
    
    D:\upxalive>
    
    
    
    D:\upxalive>cd g_ollydump300110
    
    
    D:\upxalive\g_ollydump300110>copy OllyDump.dll ..\odbg110\
            1 file(s) copied.
    
    D:\upxalive\g_ollydump300110>
    
    D:\upxalive\g_ollydump300110>cd ..
    
    D:\upxalive>
    
    D:\upxalive>NOTEPAD.EXE
    
    D:\upxalive>upxnotepad.exe
    
    D:\upxalive>
    
    D:\upxalive>odbg110\OLLYDBG.EXE upxnotepad.exe
    
    D:\upxalive>upxnotepadmup.exe
    
    D:\upxalive>
    Log data
    Address    Message
               OllyDbg v1.10
               Command line: upxnotepad.exe
    
               File 'D:\upxalive\upxnotepad.exe'
               Command line plugin v1.10
                 Written by Oleh Yuschuk
               Bookmarks sample plugin v1.06 (plugin demo)
                 Copyright (C) 2001, 2002 Oleh Yuschuk
               OllyDump v3.00.110  by Gigapede
               New process with ID 00000C48 created
    01015360   Main thread with ID 00000C58 created
    01000000   Module D:\upxalive\upxnotepad.exe
                 CRC changed, discarding .udd data
    73000000   Module C:\WINDOWS\system32\WINSPOOL.DRV
    763B0000   Module C:\WINDOWS\system32\comdlg32.dll
    773D0000   Module C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\COMCTL32.dll
    77C10000   Module C:\WINDOWS\system32\msvcrt.dll
    77D40000   Module C:\WINDOWS\system32\USER32.dll
    77DD0000   Module C:\WINDOWS\system32\ADVAPI32.dll
    77E70000   Module C:\WINDOWS\system32\RPCRT4.dll
    77F10000   Module C:\WINDOWS\system32\GDI32.dll
    77F60000   Module C:\WINDOWS\system32\SHLWAPI.dll
    7C800000   Module C:\WINDOWS\system32\kernel32.dll
    7C900000   Module C:\WINDOWS\system32\ntdll.dll
    7C9C0000   Module C:\WINDOWS\system32\SHELL32.dll
    01015360   Program entry point
    010154EB   Hardware breakpoint 1 at upxnotep.010154EB
               OllyDump -- Start "JMP [Thunk]"(0x25FF) and "CALL [Thunk]"(0x15FF) search
    01001984   call[Thunk] found on 01001984  Thunk:010010D8
    <--------------------------------snip---------------------------->
    010075FC   jmp [Thunk] found on 010075FC  Thunk:0100133C
               OllyDump --  Check Leaked Thunks in Thunk Blocks
               OllyDump -- Resolve Forwarder
               ntdll.RtlGetLastWin32Error must be forwarded API from kernel32.dll
    7C802654   Export Address Table RVA:00002654
    7C80903D   Forwarded API ntdll.RtlGetLastWin32Error found on the ForwarderRVA:0000903D  pos:360
    7C80667D   *pDW:0000667D  Forwarder:GetLastError  Forwarded:ntdll.RtlGetLastWin32Error
               ntdll.RtlRestoreLastWin32Error must be forwarded API from kernel32.dll
    7C802654   Export Address Table RVA:00002654
    7C80918A   Forwarded API ntdll.RtlRestoreLastWin32Error found on the ForwarderRVA:0000918A  pos:702
    7C807E20   *pDW:00007E20  Forwarder:RestoreLastError  Forwarded:ntdll.RtlRestoreLastWin32Error
               OllyDump -- Import Table
    01001000   DLL:ADVAPI32.dll  FirstThunkRVA:1000
                 DLL Name      Address   Ordinal   API Name
    01001000     ADVAPI32.dll  77DD6FC8   01EF     RegQueryValueExW
    
    01001018     ADVAPI32.dll  77DDD7CC   01FC     RegSetValueExW
    01001028   DLL:GDI32.dll  FirstThunkRVA:1028
                 DLL Name      Address   Ordinal   API Name
    01001028     GDI32.dll     77F25923   0099     EndPage
    
    01001084     GDI32.dll     77F159A0   020F     SelectObject
    0100108C   DLL:kernel32.dll  FirstThunkRVA:108C
                 DLL Name      Address   Ordinal   API Name
    0100108C     kernel32.dll  7C809737   013F     GetCurrentThreadId
    
    0100116C     kernel32.dll  7C862B8A   0358     UnhandledExceptionFilter
    01001174   DLL:SHELL32.dll  FirstThunkRVA:1174
                 DLL Name      Address   Ordinal   API Name
    01001174     SHELL32.dll   7CA73FA2   008B     DragFinish
    
    01001180     SHELL32.dll   7CA5F8EB   0163     ShellAboutW
    01001188   DLL:USER32.dll  FirstThunkRVA:1188
                 DLL Name      Address   Ordinal   API Name
    01001188     USER32.dll    77D4B556   0100     GetClientRect
    
    010012AC     USER32.dll    77D6E3D3   027F     SetWinEventHook
    010012B4   DLL:WINSPOOL.DRV  FirstThunkRVA:12B4
                 DLL Name      Address   Ordinal   API Name
    010012B4     WINSPOOL.DRV  73006090   0100     GetPrinterDriverW
    
    010012BC     WINSPOOL.DRV  73005749   0106     OpenPrinterW
    010012C4   DLL:comdlg32.dll  FirstThunkRVA:12C4
                 DLL Name      Address   Ordinal   API Name
    010012C4     comdlg32.dll  763D48D6   0074     PageSetupDlgW
    
    010012E4     comdlg32.dll  763C7CF3   0071     GetSaveFileNameW
    010012EC   DLL:msvcrt.dll  FirstThunkRVA:12EC
                 DLL Name      Address   Ordinal   API Name
    010012EC     msvcrt.dll    77C32DAE   0050     _XcptFilter
    
    01001340     msvcrt.dll    77C4806B   0331     wcsncpy
               OllyDump -- Calculating New File Size...
               New Import Section Size:1000  New File Size:1F000
               OllyDump -- Making New Import Table...
               OllyDump -- Dump and Rebuild Finish!!
    
    
    D:\upxalive>upx301w\upx301w\upx.exe -d -o upxnotepadupx.exe upxnotepad.exe
                           Ultimate Packer for eXecutables
      Copyright (C) 1996,1997,1998,1999,2000,2001,2002,2003,2004,2005,2006,2007
    UPX 3.01w       Markus Oberhumer, Laszlo Molnar & John Reiser   Jul 31st 2007
    
            File size         Ratio      Format      Name
       --------------------   ------   -----------   -----------
         69120 <-     48128   69.63%    win32/pe     upxnotepadupx.exe
    
    Unpacked 1 file.
    
    D:\upxalive>
    
    
    D:\upxalive>dir /b
    upx301w.rar
    odbg110.rar
    g_ollydump300110.rar
    upx301w
    odbg110
    g_ollydump300110
    NOTEPAD.EXE
    upxnotepad.exe
    upxnotepadmup.exe
    upxnotepadupx.exe
    upxnotepadmupnofix.exe
    upxnotepadmupnofix2000.exe
    5alive3.PNG
    
    D:\upxalive>
    
    D:\Borland\upxalive>rar a 5alive.rar *.exe 5alive3.PNG
    
    RAR 3.51   Copyright (c) 1993-2005 Alexander Roshal   7 Oct 2005
    Shareware version         Type RAR -? for help
    
    Evaluation copy. Please register.
    
    Creating archive 5alive.rar
    
    Adding    NOTEPAD.EXE                                                 OK
    Adding    upxnotepad.exe                                              OK
    Adding    upxnotepadmup.exe                                           OK
    Adding    upxnotepadupx.exe                                           OK
    Adding    upxnotepadmupnofix.exe                                      OK
    Adding    upxnotepadmupnofix2000.exe                                  OK
    Adding    5alive3.PNG                                                 OK
    Done
    
    D:\Borland\upxalive>
    rename zip as rar and unrar

  11. #26
    Quote Originally Posted by blabberer View Post
    an automated response see if you can find your answers in this if not ask
    Hi Blabberer, from your automated response I can follow the majority of the steps you took with the virgin notepad.exe.

    I am not clear about how you produced upxnotepadmupnofix.exe and upxnotepadmupnofix2000.exe.

    I understand that you manually unpacked them both with OllyDump, with upxnotepadmupnofix.exe having the base addresses which correctly match the virgin notepad.exe; on the other hand, upxnotepadmupnofix2000.exe has a code base address of 2000h, why I don't know.

    I am aware that you can enter the code and data base addresses into OllyDump before you dump memory to file. I'm not sure if this is what you were hoping to illustrate, or perhaps I've missed the point?

    What I still remain unclear about is how you can determine the correct base addresses for a file which you don't have a virgin copy of as a reference, nor am I able to produce one using upx -d on account of the file being "scrambled" in some way.

    Thanks for taking the time to help thus far.

    5aLIVE

  12. #27
    The PE loader ignores BaseOfCode and BaseOfData, and you should too.

    Try setting them both to FFFFFFFF and see that it still runs.

    Those two fields are only used during the linking process in COFF files, if I remember correctly.

    Now let's get back to your original topic...

  13. #28
    The PE loader ignores BaseOfCode and BaseOfData, and you should too.
    You should not. Maybe the PE loader ignores it, or maybe it doesn't care about where it is,
    but OllyDbg depends on a few correct values there for its internal usage (or, for that matter, anything which doesn't use a brain but a bit of heuristics to work requires approximately correct values there).

    @5alive
    You can change your base of code in OllyDump itself, as well as base of data, before dumping.

    As demonstrated, the exe will run without it being right, or with any random values like my 2000.

    But load the thingy in OllyDbg:
    you will see an entry point out of the code section (and obviously no analysis as well).
    You change the section flag to E00000E0 and the msg box would still be there??
    wtf
    If you notice, you will see size of code is 0x5000, which is less than the entry point, viz. 739D.
    Change it to 0x10000 and the entry point nag will go away,

    and the analysis will start working. But if you notice, the analysis will start its working from
    0x10002000; this is where the base of code comes into action, whether the PE loader cares about it or not.

    You change it to 0x1000 arbitrarily and save it;
    now you will have a full analysis from 1001000.

    The import table strings will get their proper names with 0x1000 as base of code, while with 0x2000 the import table strings will look like gibberish.

    As to how to find where or what you need there, it's a bit of deduction.

    When you are on the OEP in this notepad, scroll up and you will see the memory section starts from 0x1001000.
    If you look at the memory map you will see the PE header ends at 0x1000, so that is where it should match.
    It is an educated guess (as always, this is not a firm rule etched in stone that could last an era).
    As to base of data, again it depends; you have to deduce by looking at it (this field will come into action where OllyDbg will map the dump in its dump window; notepad has the /link merge erw .text compiler switch, so its data section is within the code section).

    hope that helps
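
    The checks argued over in the last few posts (section Characteristics, AddressOfEntryPoint, BaseOfCode and SizeOfCode) can be done offline on the dumped file instead of by hand in OllyDbg's PE header dump. The script below is an added example, not code from this thread or from OllyDbg/OllyDump. It builds two constructed, header-only PE32 images (no real code inside) using the numbers quoted above: an entry point at RVA 0x739D with BaseOfCode 0x2000 and SizeOfCode 0x5000, a section flagged E0000040 as in post #24, and then the same header patched to E00000E0 / 0x1000 / 0x10000 as blabberer describes. `build_pe32`, `parse_pe`, `entry_point_findings` and `patch_header` are hypothetical helper names; the flag values are the winnt.h IMAGE_SCN_* constants.

```python
"""Inspect and patch the PE32 header fields a debugger consults before it will
analyse the entry point: section Characteristics, AddressOfEntryPoint,
BaseOfCode and SizeOfCode.  Added example on constructed headers."""
import struct

# IMAGE_SECTION_HEADER.Characteristics bits, as defined in winnt.h
IMAGE_SCN_CNT_CODE             = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE          = 0x20000000
IMAGE_SCN_MEM_READ             = 0x40000000
IMAGE_SCN_MEM_WRITE            = 0x80000000

# PE32 optional-header field offsets, relative to the start of the optional header
OPT_SIZE_OF_CODE, OPT_ENTRY, OPT_BASE_OF_CODE, OPT_BASE_OF_DATA, OPT_IMAGE_BASE = 4, 16, 20, 24, 28
SECTION_HEADER_FMT = "<8sIIIIIIHHI"   # 40-byte IMAGE_SECTION_HEADER
SECTION_CHARACTERISTICS_OFF = 36       # Characteristics field inside a section header


def build_pe32(image_base, entry_rva, base_of_code, size_of_code, base_of_data, sections):
    """Return a header-only PE32 image (constructed test data, holds no real code).
    `sections` is a list of (name, virtual_address, virtual_size, characteristics)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))                       # e_lfanew
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = struct.pack("<HBBIIIIII", 0x10B, 0, 0, size_of_code, 0, 0, entry_rva, base_of_code, base_of_data)
    size_of_image = max(va + vs for _, va, vs, _ in sections)
    opt += struct.pack("<IIIHHHHHHIIIIHHIIIIII", image_base, 0x1000, 0x200, 4, 0, 0, 0, 4, 0, 0,
                       size_of_image, 0x400, 0, 2, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += bytes(128)                                                  # 16 empty data directories
    hdrs = b"".join(struct.pack(SECTION_HEADER_FMT, name.ljust(8, b"\0"), vs, va, vs, 0x400, 0, 0, 0, 0, ch)
                    for name, va, vs, ch in sections)
    return bytes(dos) + coff + opt + hdrs


def parse_pe(data):
    """Pull out the optional-header fields and section table the thread argues about."""
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsections, = struct.unpack_from("<H", data, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", data, e_lfanew + 20)
    opt = e_lfanew + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 handled here")
    pe = {"opt": opt, "section_table": opt + opt_size, "sections": []}
    for key, off in (("size_of_code", OPT_SIZE_OF_CODE), ("entry", OPT_ENTRY), ("base_of_code", OPT_BASE_OF_CODE),
                     ("base_of_data", OPT_BASE_OF_DATA), ("image_base", OPT_IMAGE_BASE)):
        pe[key] = struct.unpack_from("<I", data, opt + off)[0]
    for i in range(nsections):
        name, vsize, va, *_, chars = struct.unpack_from(SECTION_HEADER_FMT, data, pe["section_table"] + 40 * i)
        pe["sections"].append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize, "characteristics": chars})
    return pe


def describe_flags(chars):
    """Human-readable names for the Characteristics bits that matter here."""
    names = (("CODE", IMAGE_SCN_CNT_CODE), ("INITIALIZED_DATA", IMAGE_SCN_CNT_INITIALIZED_DATA),
             ("EXECUTE", IMAGE_SCN_MEM_EXECUTE), ("READ", IMAGE_SCN_MEM_READ), ("WRITE", IMAGE_SCN_MEM_WRITE))
    return [n for n, bit in names if chars & bit]


def entry_point_findings(pe):
    """The sanity checks a debugger applies before analysing from the entry point."""
    ep, findings = pe["entry"], []
    sec = next((s for s in pe["sections"] if s["va"] <= ep < s["va"] + s["vsize"]), None)
    if sec is None:
        findings.append("entry point 0x%X lies outside every section" % ep)
    else:
        missing = [n for n, bit in (("CODE", IMAGE_SCN_CNT_CODE), ("EXECUTE", IMAGE_SCN_MEM_EXECUTE))
                   if not sec["characteristics"] & bit]
        if missing:
            findings.append("section %s holds the entry point but lacks %s" % (sec["name"], "/".join(missing)))
    code_end = pe["base_of_code"] + pe["size_of_code"]
    if not pe["base_of_code"] <= ep < code_end:
        findings.append("entry point 0x%X outside BaseOfCode..BaseOfCode+SizeOfCode (0x%X..0x%X)"
                        % (ep, pe["base_of_code"], code_end))
    return findings


def patch_header(data, section_index=None, characteristics=None, base_of_code=None, size_of_code=None):
    """Return a copy with the header fields rewritten (the edit the thread does by hand in OllyDbg)."""
    buf, pe = bytearray(data), parse_pe(data)
    if characteristics is not None:
        struct.pack_into("<I", buf, pe["section_table"] + 40 * section_index + SECTION_CHARACTERISTICS_OFF, characteristics)
    if base_of_code is not None:
        struct.pack_into("<I", buf, pe["opt"] + OPT_BASE_OF_CODE, base_of_code)
    if size_of_code is not None:
        struct.pack_into("<I", buf, pe["opt"] + OPT_SIZE_OF_CODE, size_of_code)
    return bytes(buf)


# Constructed scenario using the thread's numbers: entry 0x739D, BaseOfCode 0x2000, SizeOfCode 0x5000
# (code "ends" at 0x7000, before the entry point) and a section flagged E0000040 (RWX, no CNT_CODE).
BROKEN = build_pe32(0x01000000, 0x739D, 0x2000, 0x5000, 0x9000,
                    [(b".text", 0x1000, 0x10000, 0xE0000040), (b".rsrc", 0x11000, 0x1000, 0x40000040)])
FIXED = patch_header(BROKEN, section_index=0, characteristics=0xE00000E0, base_of_code=0x1000, size_of_code=0x10000)

if __name__ == "__main__":
    for label, img in (("broken", BROKEN), ("fixed", FIXED)):
        pe = parse_pe(img)
        print("%s: entry %08X BaseOfCode %08X SizeOfCode %08X" % (label, pe["entry"], pe["base_of_code"], pe["size_of_code"]))
        for s in pe["sections"]:
            print("  %-6s VA %08X size %08X flags %08X %s" % (s["name"], s["va"], s["vsize"],
                  s["characteristics"], "/".join(describe_flags(s["characteristics"]))))
        print("  findings:", entry_point_findings(pe) or "none")
```

    Run it as-is to see the broken image report two findings (missing CNT_CODE on the section, entry point past BaseOfCode+SizeOfCode) and the patched image report none; point `parse_pe` at the bytes of a real dump to get the same report for it.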

  14. #29
    Right-click what you think the code section is and select Analyze, or hit Ctrl+A.

  15. #30
    Right-click what you think the code section is and select Analyze, or hit Ctrl+A.
    Well, you still are not getting the point. I mean to say Ctrl+A WILL not have any effect; OllyDbg will refuse to analyze anything if the EIP it is standing on is not inherently in a code section.

    It needs to know beforehand (it performs a check) whether it is analysing a code section or not, and if it is not, it won't analyze.
    If you open up the AnalyzeThis plugin by JoeStewert you will notice he is doing a forced analysis of non-code sections, with certain limitations.

    OllyDbg will not analyze heap, Rtl_user_parameters, Page 0x200000 (contains startup code by ntdll LoaderInIt), KUSER_SHARED_PAGE (contains Sysenter), and neither any virtual alloced pages, even if they are executing and contain code.

    Your one-liner looks like a one-size-fits-all solution, which isn't the case.
