
Thread: Help unpacking old malware - Malware attached


  1. #1


    I've been trying for a while to unpack an older piece of malware. I've been reversing keygens and crackmes for a while and I've never really had to manually unpack anything. I've tried a few automatic unpackers but didn't have any luck, so I thought I would try to learn how to manually unpack something. I've tried using OllyDump -> Find OEP by section (trace into) and (trace over), dumping the process and then using Import REConstructor. After I tried this and looked at it in PEView, the text section still doesn't have anything in it. Also, when I tried to open the dumped executable in IDA, it has trouble running from the new EP. I've also tried using the "find POPAD" method to reveal the OEP address. I've also opened it in IDA and stepped into what I thought was the unpacking function, but when it seemed to unpack some code, the imports that IDA saw still didn't show up anywhere in the code. I've been working on this for a while so any help is appreciated. I'm not necessarily looking to have someone unpack the malware for me (but I would download it and look at it :>); I'd like some guidance to help me get over the hump. I've been trying different approaches that I've found during my research but can't seem to get anywhere.

    The password for the zip file is "infected" and I changed the extension to .xex

    Thanks in advance and any help is greatly appreciated.

  2. #2
    Kayaker

    This is not "packed" in the classical sense. It has obfuscation in the form of garbage instructions designed to confuse, encrypted sections, and perhaps other tricks further along. Forget the automagic solutions at this point, your best bet would be to just single step everything and try to understand what it's doing (use of LoadLibrary/GetProcAddress, VirtualAlloc, import addresses stored on the stack, obfuscation/encryption tricks, etc.)

    As a suggestion, for this one you might want to try the x86 Emulator plugin for IDA.

    What that will allow you to do is step through the initial decryption routine for example, in emulation mode, and will update the IDA disassembly with the decrypted changes. Makes it handy for later analysis.

    For example, you should be able to recognize a decryption routine that begins about here:

    :00401011 mov eax, offset StartDecrypt ; 041FE54

    and the decryption loop proper from 401077 -> 40169B

    If you step through that a time or two you should be able to find and name the variables used for the loop counter, the size to be decrypted, the encrypted dword(s), and the decrypted result which will replace it.

    You should also be able to spot the garbage code that accomplishes nothing (i.e. registers used but soon overwritten for naught, variables that are never used, etc.), and soon be able to ignore that. For a fun challenge you might even want to try to pull out the real decryption algorithm from all that and create an IDC script to automate the decryption. That way you make your own 'automagic' solution.

    Anyway, you probably already saw that after this first decryption there is a call into the decrypted code, which is the start of the next layer where the imports are resolved:

    4016D9 call [ebp+var_14] ; 42026C

    With x86emu, once you get bored of stepping through the decryption loop, you can use Run To Cursor to 4016D9 and the IDB will now have the decrypted code stored.

    I think the point I'm trying to make is that there is no "easy" solution to this, you won't get a perfect disassembly (nor "unpacked" PE) with all imports defined without a variety of tricks, and even then...

    One of the first imports to be resolved is VirtualAlloc, I didn't go that far but I wouldn't be surprised if it decrypted and ran code from memory. That you will have to dump as a bin file and work with it as best you can.

    You can also note down interesting imports as they are resolved with a break on GetProcAddress and set further breaks on them for when they are used, i.e. VirtualAlloc/Protect, lstrcmp, etc. and that will give some idea of what the malware does with them. In fact, x86emu will log the imports for you as they are resolved.

    Hope this gives you some new ideas at least.


  3. #3
    As for using Import REConstructor, you need to be on the OEP. Import REConstructor will only be able to get the imports at the correct OEP.
    If you really want to learn unpacking, lena151's tutorials are really a good start.

    Reverse the code, Reverse Your Minds First

  4. #4
    Well, the first layer, as posted already, isn't a packer per se, more of obfuscation crap, blah blah.
    The second layer seems to be UPX, though upx -d errs with some checksum error.
    OllyDbg and OllyDump do a neat job:
    be on the UPX OEP after popad,
    dump raw.
    IDA seems to load it after a few hiccups; the reloc is probably still corrupt.
    A dialer, it seems.

    004019C8  Hardware breakpoint 1 at Malware.004019C8
              Analysing Malware
                3 heuristical procedures
                24 calls to known functions
                2 loops
    004019C2  CALL to memcpy from Malware.0040136C
                dest = 10000000
                src = Malware.00403044
                n = 1120 (4384.)
    004019C2  Breakpoint at Malware.004019C2
    004019C2  CALL to memcpy from Malware.00401466
                dest = 10036000
                src = Malware.00403444
                n = 14400 (82944.)
    004019C2  Breakpoint at Malware.004019C2
    004019C2  CALL to memcpy from Malware.00401466
                dest = 1004B000
                src = Malware.00417844
                n = 1000 (4096.)
    004019C2  Breakpoint at Malware.004019C2
    76B20000  Module C:\WINDOWS\system32\ATL.DLL
    76D60000  Module C:\WINDOWS\system32\iphlpapi.dll
    71AB0000  Module C:\WINDOWS\system32\WS2_32.dll
    71AA0000  Module C:\WINDOWS\system32\WS2HELP.dll
    774E0000  Module C:\WINDOWS\system32\ole32.dll
    77120000  Module C:\WINDOWS\system32\OLEAUT32.dll
    7C9C0000  Module C:\WINDOWS\system32\SHELL32.dll
    77F60000  Module C:\WINDOWS\system32\SHLWAPI.dll
    773D0000  Module C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
    76EB0000  Module C:\WINDOWS\system32\TAPI32.dll
    76E80000  Module C:\WINDOWS\system32\rtutils.dll
    76B40000  Module C:\WINDOWS\system32\WINMM.dll
    7E1E0000  Module C:\WINDOWS\system32\urlmon.dll
    77C00000  Module C:\WINDOWS\system32\VERSION.dll
    771B0000  Module C:\WINDOWS\system32\WININET.dll
    77A80000  Module C:\WINDOWS\system32\CRYPT32.dll
    004019A2  Hardware breakpoint 2 at Malware.004019A2
    10025D27  Hardware breakpoint 3 at 10025D27
              OllyDump -- Start "JMP [Thunk]"(0x25FF) and "CALL [Thunk]"(0x15FF) search
              OllyDump -- Import Table
    10027000  DLL:ADVAPI32.dll  FirstThunkRVA:27000
                DLL Name      Address   Ordinal   API Name
    10027000    ADVAPI32.dll  77DDECD5   01D4     RegDeleteValueA
    10027004    ADVAPI32.dll  77DD6C17   01CB     RegCloseKey
    10027008    ADVAPI32.dll  77DDE9E4   01CF     RegCreateKeyExA
    1002700C    ADVAPI32.dll  77DD797B   01AB     OpenProcessToken
    10027010    ADVAPI32.dll  77DD7842   01E5     RegOpenKeyExA
    10027014    ADVAPI32.dll  77DD7AAB   01EF     RegQueryValueExA
    10027018    ADVAPI32.dll  77DDEAD7   01FC     RegSetValueExA
    1002701C    ADVAPI32.dll  77DE4280   01D2     RegDeleteKeyA
    10027020    ADVAPI32.dll  77DE5196   01D9     RegEnumKeyExA
    10027024    ADVAPI32.dll  77DE4312   01EA     RegQueryInfoKeyA
    10027028    ADVAPI32.dll  77DDEFFC   001E     AdjustTokenPrivileges
    1002702C    ADVAPI32.dll  77DFC208   014E     LookupPrivilegeValueA
    10027034  DLL:ATL.DLL  FirstThunkRVA:27034
                DLL Name      Address   Ordinal   API Name
    10027034    ATL.DLL       76B2376F   002F     AtlAxGetControl
    10027038    ATL.DLL       76B299D0   002A     AtlAxWinInit
    10027040  DLL:COMCTL32.dll  FirstThunkRVA:27040
                DLL Name      Address   Ordinal   API Name
    10027040    COMCTL32.dll  5D0965CF   0011     InitCommonControls
    10027048  DLL:GDI32.dll  FirstThunkRVA:27048
                DLL Name      Address   Ordinal   API Name
    10027048    GDI32.dll     77F3BC60   003A     CreateFontA
    1002704C    GDI32.dll     77F1D3EA   00DE     ExtTextOutA
    10027050    GDI32.dll     77F15E29   0217     SetBkColor
    10027054    GDI32.dll     77F15D77   023E     SetTextColor
    10027058    GDI32.dll     77F16BFA   0090     DeleteObject
    1002705C    GDI32.dll     77F161A5   0051     CreateSolidBrush
    10027064  DLL:kernel32.dll  FirstThunkRVA:27064
                DLL Name      Address   Ordinal   API Name
    10027064    kernel32.dll  7C810C1E   030A     SetFilePointer
    10027068    kernel32.dll  7C80A045   024A     LoadResource
    1002706C    kernel32.dll  7C80BCF9   0342     SizeofResource
    10027070    kernel32.dll  7C80CD27   0258     LockResource
    10027074    kernel32.dll  7C80BF19   00E0     FindResourceA
    10027078    kernel32.dll  7C813869   00D1     FindFirstFileA
    1002707C    kernel32.dll  7C834EC9   00DA     FindNextFileA
    10027080    kernel32.dll  7C865B1F   0070     CreateToolhelp32Snapshot
    10027084    kernel32.dll  7C864DF5   0288     Process32First
    10027088    kernel32.dll  7C864F68   028A     Process32Next
    1002708C    kernel32.dll  7C8099B0   013D     GetCurrentProcessId
    10027090    kernel32.dll  7C8104BC   0068     CreateRemoteThread
    10027094    kernel32.dll  7C8021D0   02AA     ReadProcessMemory
    10027098    kernel32.dll  7C802213   0399     WriteProcessMemory
    1002709C    kernel32.dll  7C802530   037F     WaitForSingleObject
    100270A0    kernel32.dll  7C82141D   0154     GetExitCodeThread
    100270A4    kernel32.dll  7C809B74   0372     VirtualFree
    100270A8    kernel32.dll  7C809AE1   036F     VirtualAlloc
    100270AC    kernel32.dll  7C835EA7   0261     MoveFileA
    100270B0    kernel32.dll  7C835DE2   01CC     GetTempPathA
    100270B4    kernel32.dll  7C861807   01CA     GetTempFileNameA
    100270B8    kernel32.dll  7C812B6E   01DF     GetVersionExA
    100270BC    kernel32.dll  7C80BB31   03AE     lstrcmpi
    100270C0    kernel32.dll  7C8309D1   0278     OpenProcess
    100270C4    kernel32.dll  7C830BAB   01F0     GlobalDeleteAtom
    100270C8    kernel32.dll  7C8360DB   01F1     GlobalFindAtomA
    100270CC    kernel32.dll  7C8360C1   01EC     GlobalAddAtomA
    100270D0    kernel32.dll  7C85AC7C   027F     OutputDebugStringA
    100270D4    kernel32.dll  7C80FDBD   01EE     GlobalAlloc
    100270D8    kernel32.dll  7C80FCBF   01F5     GlobalFree
    100270DC    kernel32.dll  7C8325D4   0254     LocalSize
    100270E0    kernel32.dll  7C809A1D   024B     LocalAlloc
    100270E4    kernel32.dll  7C830917   0252     LocalReAlloc
    100270E8    kernel32.dll  7C81CAFA   00B7     ExitProcess
    100270EC    kernel32.dll  7C901000   0097     EnterCriticalSection
    100270F0    kernel32.dll  7C9010E0   0244     LeaveCriticalSection
    100270F4    kernel32.dll  7C91135A   0080     DeleteCriticalSection
    100270F8    kernel32.dll  7C809F81   0219     InitializeCriticalSection
    100270FC    kernel32.dll  7C8099BF   024F     LocalFree
    10027100    kernel32.dll  7C80A164   0383     WideCharToMultiByte
    10027104    kernel32.dll  7C809E91   0228     IsBadReadPtr
    10027108    kernel32.dll  7C8286D6   0040     CopyFileA
    1002710C    kernel32.dll  7C831EC5   0082     DeleteFileA
    10027110    kernel32.dll  7C80E9CF   005D     CreateMutexA
    10027114    kernel32.dll  7C8024B7   02B4     ReleaseMutex
    10027118    kernel32.dll  7C821794   0048     CreateDirectoryA
    1002711C    kernel32.dll  7C814F7A   01BA     GetSystemDirectoryA
    10027120    kernel32.dll  7C82134B   01E9     GetWindowsDirectoryA
    10027124    kernel32.dll  7C90FE01   0169     GetLastError
    10027128    kernel32.dll  7C80B55F   0175     GetModuleFileNameA
    1002712C    kernel32.dll  7C8106C7   006D     CreateThread
    10027130    kernel32.dll  7C80236B   0063     CreateProcessA
    10027134    kernel32.dll  7C801A28   0050     CreateFileA
    10027138    kernel32.dll  7C810B07   015C     GetFileSize
    1002713C    kernel32.dll  7C801812   02A7     ReadFile
    10027140    kernel32.dll  7C80BE91   03B1     lstrcpy
    10027144    kernel32.dll  7C834D59   03A8     lstrcat
    10027148    kernel32.dll  7C8101A1   03B4     lstrcpyn
    1002714C    kernel32.dll  7C80BE46   03B7     lstrlen
    10027150    kernel32.dll  7C802446   0343     Sleep
    10027154    kernel32.dll  7C809C88   0268     MultiByteToWideChar
    10027158    kernel32.dll  7C8097F6   0221     InterlockedIncrement
    1002715C    kernel32.dll  7C80980A   021D     InterlockedDecrement
    10027160    kernel32.dll  7C90FE10   02C2     RestoreLastError
    10027164    kernel32.dll  7C801AD4   0375     VirtualProtect
    10027168    kernel32.dll  7C80DE85   013C     GetCurrentProcess
    1002716C    kernel32.dll  7C80AC6E   00F1     FreeLibrary
    10027170    kernel32.dll  7C80AE30   0199     GetProcAddress
    10027174    kernel32.dll  7C801D7B   0245     LoadLibraryA
    10027178    kernel32.dll  7C80B731   0177     GetModuleHandleA
    1002717C    kernel32.dll  7C830D64   03AB     lstrcmp
    10027180    kernel32.dll  7C80932E   01D5     GetTickCount
    10027184    kernel32.dll  7C809BD7   0032     CloseHandle
    10027188    kernel32.dll  7C81CB23   034C     TerminateThread
    1002718C    kernel32.dll  7C810E17   0390     WriteFile
    10027190    kernel32.dll  7C801E1A   034B     TerminateProcess
    10027198  DLL:MSVCRT.dll  FirstThunkRVA:27198
                DLL Name      Address   Ordinal   API Name
    10027198    MSVCRT.dll    77C623D8   00B7     _adjust_fdiv
    1002719C    MSVCRT.dll    77C2C407   02D9     malloc
    100271A0    MSVCRT.dll    77C39D67   013C     _initterm
    100271A4    MSVCRT.dll    77C34DF8   01B5     _onexit
    100271A8    MSVCRT.dll    77C34E51   006C     __dllonexit
    100271AC    MSVCRT.dll    77C2C0C3   0288     calloc
    100271B0    MSVCRT.dll    77C4FA30   0119     _ftol
    100271B4    MSVCRT.dll    77C4D1C0   02E5     pow
    100271B8    MSVCRT.dll    77C47660   02FF     strchr
    100271BC    MSVCRT.dll    77C47BE0   030B     strrchr
    100271C0    MSVCRT.dll    77C41B72   02FD     sscanf
    100271C4    MSVCRT.dll    77C4139C   02AA     fseek
    100271C8    MSVCRT.dll    77C41574   02AC     ftell
    100271CC    MSVCRT.dll    77C40BB1   029A     fgets
    100271D0    MSVCRT.dll    77C46320   01FB     _strlwr
    100271D4    MSVCRT.dll    77C3F010   029F     fopen
    100271D8    MSVCRT.dll    77C411FB   02A5     fread
    100271DC    MSVCRT.dll    77C40AB1   0294     fclose
    100271E0    MSVCRT.dll    77C4173B   02AE     fwrite
    100271E4    MSVCRT.dll    77C36D02   02B2     getenv
    100271E8    MSVCRT.dll    77C1CF90   0284     atof
    100271EC    MSVCRT.dll    77C315E8   017D     _mbclen
    100271F0    MSVCRT.dll    77C31E1D   0193     _mbsnbcmp
    100271F4    MSVCRT.dll    77C30C6B   0150     _ismbcdigit
    100271F8    MSVCRT.dll    77C3FE49   0324     vsprintf
    100271FC    MSVCRT.dll    77C32903   01A5     _mbsrchr
    10027200    MSVCRT.dll    77C32BB0   01AA     _mbsstr
    10027204    MSVCRT.dll    77C21868   0010     ??1type_info@@UAE@XZ
    10027208    MSVCRT.dll    77C31C3E   018F     _mbsinc
    1002720C    MSVCRT.dll    77C317FF   0186     _mbschr
    10027210    MSVCRT.dll    77C472B0   02E0     memmove
    10027214    MSVCRT.dll    77C2C21B   02A6     free
    10027218    MSVCRT.dll    77C2C437   02EF     realloc
    1002721C    MSVCRT.dll    77C1BE7B   0286     atol
    10027220    MSVCRT.dll    77C47A50   0308     strncmp
    10027224    MSVCRT.dll    77C31881   0187     _mbscmp
    10027228    MSVCRT.dll    77C47A90   0309     strncpy
    1002722C    MSVCRT.dll    77C4AECF   0318     time
    10027230    MSVCRT.dll    77C371BC   02FC     srand
    10027234    MSVCRT.dll    77C371D3   02EE     rand
    10027238    MSVCRT.dll    77C3F931   02FA     sprintf
    1002723C    MSVCRT.dll    77C31CBA   0191     _mbslwr
    10027240    MSVCRT.dll    77C1BF18   0285     atoi
    10027244    MSVCRT.dll    77C36BD0   027D     abs
    10027248    MSVCRT.dll    77C478A0   0306     strlen
    1002724C    MSVCRT.dll    77C3FA76   01E3     _snprintf
    10027250    MSVCRT.dll    77C35F0D   01C2     _purecall
    10027254    MSVCRT.dll    77C46EB0   02DE     memcmp
    10027258    MSVCRT.dll    77C47730   0300     strcmp
    1002725C    MSVCRT.dll    77C35C94   00EE     _except_handler3
    10027260    MSVCRT.dll    77C46030   0189     _mbscpy
    10027264    MSVCRT.dll    77C46040   0185     _mbscat
    10027268    MSVCRT.dll    77C46F70   02DF     memcpy
    1002726C    MSVCRT.dll    77C47C60   030D     strstr
    10027270    MSVCRT.dll    77C29CC5   0011     ??2@YAPAXI@Z
    10027274    MSVCRT.dll    77C47FCC   032E     wcslen
    10027278    MSVCRT.dll    77C29CDD   0012     ??3@YAXPAX@Z
    1002727C    MSVCRT.dll    77C226F6   0049     _CxxThrowException
    10027280    MSVCRT.dll    77C3EC4B   0102     _fileno
    10027284    MSVCRT.dll    77C2D8E2   0100     _filelength
    10027288    MSVCRT.dll    77C1C222   0174     _ltoa
    1002728C    MSVCRT.dll    77C46665   0205     _strupr
    10027290    MSVCRT.dll    77C4624E   01F5     _strcmpi
    10027294    MSVCRT.dll    77C1C1F3   0161     _itoa
    10027298    MSVCRT.dll    77C475F0   02E1     memset
    100272A0  DLL:OLEAUT32.dll  FirstThunkRVA:272A0
                DLL Name      Address   Ordinal   API Name
    100272A0    OLEAUT32.dll  77124880   0006     SysFreeString
    100272A4    OLEAUT32.dll  771248F0   0009     VariantClear
    100272A8    OLEAUT32.dll  77124BA2   0002     SysAllocString
    100272AC    OLEAUT32.dll  77124C35   0096     SysAllocStringByteLen
    100272B0    OLEAUT32.dll  77124C1B   0007     SysStringLen
    100272B4    OLEAUT32.dll  77124950   0008     VariantInit
    100272B8    OLEAUT32.dll  77124CFD   000A     VariantCopy
    100272BC    OLEAUT32.dll  77126BBB   000C     VariantChangeType
    100272C0    OLEAUT32.dll  77124B39   0004     SysAllocStringLen
    100272C8  DLL:SHELL32.dll  FirstThunkRVA:272C8
                DLL Name      Address   Ordinal   API Name
    100272C8    SHELL32.dll   7CA24909   0113     SHChangeNotify
    100272CC    SHELL32.dll   7CA221D6   016D     Shell_NotifyIcon
    100272D0    SHELL32.dll   7CA41150   0167     ShellExecuteA
    100272D8  DLL:SHLWAPI.dll  FirstThunkRVA:272D8
                DLL Name      Address   Ordinal   API Name
    100272D8    SHLWAPI.dll   77FA4980   033B     StrTrimA
    100272E0  DLL:TAPI32.dll  FirstThunkRVA:272E0
                DLL Name      Address   Ordinal   API Name
    100272E0    TAPI32.dll    76EBFF3D   008C     lineInitialize
    100272E4    TAPI32.dll    76EBA378   0095     lineNegotiateAPIVersion
    100272E8    TAPI32.dll    76EBA600   0098     lineOpenA
    100272EC    TAPI32.dll    76EB9765   0078     lineGetNewCalls
    100272F0    TAPI32.dll    76EB874C   005F     lineGetCallInfoA
    100272F4    TAPI32.dll    76EC013F   00D1     lineShutdown
    100272FC  DLL:USER32.dll  FirstThunkRVA:272FC
                DLL Name      Address   Ordinal   API Name
    100272FC    USER32.dll    7E4242ED   0258     SetForegroundWindow
    10027300    USER32.dll    7E42AF56   0293     ShowWindow
    10027304    USER32.dll    7E42D1D2   010F     GetDesktopWindow
    10027308    USER32.dll    7E42E4A9   0061     CreateWindowExA
    1002730C    USER32.dll    7E418A80   017C     GetWindowThreadProcessId
    10027310    USER32.dll    7E42AAFD   0200     PostMessageA
    10027314    USER32.dll    7E431211   028B     SetWindowsHookExA
    10027318    USER32.dll    7E46670B   0276     SetSystemCursor
    1002731C    USER32.dll    7E42DC14   004A     CopyImage
    10027320    USER32.dll    7E41DE72   0049     CopyIcon
    10027324    USER32.dll    7E42D33E   01B8     LoadCursorA
    10027328    USER32.dll    7E42F25B   0164     GetTopWindow
    1002732C    USER32.dll    7E455F7F   0045     CloseWindow
    10027330    USER32.dll    7E419689   01EB     MsgWaitForMultipleObjects
    10027334    USER32.dll    7E43C972   0254     SetDlgItemTextA
    10027338    USER32.dll    7E46B05E   0114     GetDlgItemTextA
    1002733C    USER32.dll    7E429313   01AC     IsWindow
    10027340    USER32.dll    7E42C7F9   0267     SetParent
    10027344    USER32.dll    7E418F9C   015E     GetSystemMetrics
    10027348    USER32.dll    7E42436E   0112     GetDlgItem
    1002734C    USER32.dll    7E4290B4   0175     GetWindowRect
    10027350    USER32.dll    7E42E8F6   01BC     LoadIconA
    10027354    USER32.dll    7E42F3C2   023C     SendMessageA
    10027358    USER32.dll    7E43B144   009F     DialogBoxParamA
    1002735C    USER32.dll    7E424A4E   00C7     EndDialog
    10027360    USER32.dll    7E41945D   016F     GetWindowLongA
    10027364    USER32.dll    7E42C29D   0281     SetWindowLongA
    10027368    USER32.dll    7E42B29E   01EA     MoveWindow
    1002736C    USER32.dll    7E42A340   01FE     PeekMessageA
    10027370    USER32.dll    7E418BF6   02AB     TranslateMessage
    10027374    USER32.dll    7E429849   00C5     EnableWindow
    10027378    USER32.dll    7E42F56B   0287     SetWindowTextA
    1002737C    USER32.dll    7E43E940   00B6     DrawFrameControl
    10027380    USER32.dll    7E43216B   0178     GetWindowTextA
    10027384    USER32.dll    7E43C702   00BD     DrawTextA
    10027388    USER32.dll    7E42908E   0100     GetClientRect
    1002738C    USER32.dll    7E429C2F   00E3     FillRect
    10027390    USER32.dll    7E428717   0027     CharLowerA
    10027394    USER32.dll    7E4196B8   00A2     DispatchMessageA
    10027398    USER32.dll    7E41AE3F   0036     CharUpperBuffA
    1002739C    USER32.dll    7E42B222   015D     GetSystemMenu
    100273A0    USER32.dll    7E42D2C4   00C3     EnableMenuItem
    100273A4    USER32.dll    7E44F69C   00B9     DrawMenuBar
    100273A8    USER32.dll    7E418C2E   027B     SetTimer
    100273AC    USER32.dll    7E418C42   01B3     KillTimer
    100273B0    USER32.dll    7E429823   0118     GetForegroundWindow
    100273B4    USER32.dll    7E4507EA   01DD     MessageBoxA
    100273B8    USER32.dll    7E428845   0028     CharLowerBuffA
    100273BC    USER32.dll    7E4299F3   0284     SetWindowPos
    100273C0    USER32.dll    7E42772B   013B     GetMessageA
    100273C4    USER32.dll    7E42B3C6   001B     CallNextHookEx
    100273C8    USER32.dll    7E42F45F   00FD     GetClassNameA
    100273CC    USER32.dll    7E42A5AE   00DF     EnumWindows
    100273D0    USER32.dll    7E42D5F3   02AF     UnhookWindowsHookEx
    100273D4    USER32.dll    7E4282E1   00E4     FindWindowA
    100273DC  DLL:WININET.dll  FirstThunkRVA:273DC
                DLL Name      Address   Ordinal   API Name
    100273DC    WININET.dll   771D5C4E   00F6     InternetGetConnectedState
    100273E0    WININET.dll   771D1AF9   00B5     GetUrlCacheEntryInfoA
    100273E4    WININET.dll   771C33BE   00DA     InternetCanonicalizeUrlA
    100273EC  DLL:iphlpapi.dll  FirstThunkRVA:273EC
                DLL Name      Address   Ordinal   API Name
    100273EC    iphlpapi.dll  76D663EF   0029     GetIfEntry
    100273F0    iphlpapi.dll  76D66051   001C     GetAdaptersInfo
    100273F8  DLL:ole32.dll  FirstThunkRVA:273F8
                DLL Name      Address   Ordinal   API Name
    100273F8    ole32.dll     77556EC6   0047     CoMarshalInterThreadInterfaceInStream
    100273FC    ole32.dll     774FEE46   006A     CoUninitialize
    10027400    ole32.dll     7750057E   0012     CoCreateInstance
    10027404    ole32.dll     77517E90   0051     CoRegisterClassObject
    10027408    ole32.dll     7752A2F3   005D     CoRevokeClassObject
    1002740C    ole32.dll     77502A53   003C     CoInitialize
    10027410    ole32.dll     77556DD6   002F     CoGetInterfaceAndReleaseStream
    10027418  DLL:urlmon.dll  FirstThunkRVA:27418
                DLL Name      Address   Ordinal   API Name
    10027418    urlmon.dll    7E1ED381   0081     CreateURLMoniker
    1002741C    urlmon.dll    7E23BED5   00B0     URLOpenBlockingStreamA
              OllyDump -- Calculating New File Size...
              New Import Section Size:1400  New File Size:44E00
              OllyDump -- Making New Import Table...
              OllyDump -- Dump and Rebuild Finish!!
    End of session

  5. #5
    Kayaker
    Good old Olly logging. The DLL you attached is actually created by a completely distinct EXE file (attached, "infected") which overwrites the original PE memory space during that first decrypted layer.

    At .data:42279D of the original decrypted code, it calls the EP of the memory PE file you see logged at 4019C8. Your traps to memcpy are directly from that memory PE file, after it further decrypts an embedded dll into memory, i.e. the one at 40136C:

    :00401350                 call    ds:VirtualAlloc
    :00401356                 mov     [ebp+Dst], eax
    :00401359                 mov     eax, [ebp+Src]
    :0040135C                 mov     eax, [eax+IMAGE_DOS_HEADER.e_lfanew]
    :0040135F                 mov     ecx, [ebp+PEHeader]
    :00401362                 add     eax, [ecx+IMAGE_NT_HEADERS.OptionalHeader.SizeOfHeaders]
    :00401365                 push    eax             ; Size
    :00401366                 push    [ebp+Src]       ; Src
    :00401369                 push    [ebp+Dst]       ; Dst
    :0040136C                 call    memcpy
    Also attached is an IDC file which will decrypt that first layer, resolve it as code and create a function out of it. You should see a new proc in the Functions window at 42026C. Tracing this section will create the attached PE file. I don't really see the UPX or any unpacker analogy here.

    For general interest here is the IDC file, simply because it shows the silly decryption algorithm that first layer uses. Does anyone see any rationale in that algo, or is it just a bunch of random SHR/SHL/NOT sequences dreamed up during a drug-induced stupor by some skiddie?

    Code:
    #include <idc.idc>

    // Decryption IDC for first encrypted section in malware

    /* As per The IDA Pro Book:
    IDA uses signed comparisons, which means that the right-shift operator (>>)
    always performs an arithmetic shift (SAR instead of SHR)

    If you require logical right shifts, you must implement them
    yourself by masking off the top bit of the result, as shown here:

    result = (x >> 1) & 0x7fffffff; // set most significant bit to zero
    */

    // Therefore, we can make our own SHR replacement
    static SHR(x, n)
    {
        auto i;
        for (i = 0; i < n; i++)
            x = (x >> 1) & 0x7fffffff;      // shift, then clear the sign bit the SAR smeared in
        return x;
    }

    static decryptdword(dword)
    {
        auto decdword;
        auto x1, x2, x3, x4, x5, x6, x7, x8, x9, x10, x11, x12, x13, x14, x15;
        auto x16, x17, x18, x19, x20, x21, x22, x23, x24, x25, x26, x27, x28;
        // individual algorithm elements extracted from decryption loop,
        // with instruction addresses and result example from first time through loop
        x1 = SHR(dword, 0x1B) | (dword << 0x05);    // 401106 - 401112  // 0xEC21860B
        x2 = SHR(x1, 0x15) | (x1 << 0x0B);          // 401117 - 40111F  // 0x0C305F61
        x3 = (~ x2) + 1;                            // 40115E, 401178   // 0xF3CFA09F
        x4 = (x3 << 0x1B) | SHR(x3, 5);             // 40118E - 401196  // 0xFF9E7D04
        x5 = ~(x4 + 2);                             // 4011C2, 4011DA   // 0x006182F9
        x6 = SHR(x5, 0x13) | (x5 << 0x0D);          // 4011F1 - 4011F9  // 0x305F200C
        x7 = SHR(x6, 0x19) | (x6 << 0x07);          // 401210 - 401218  // 0x2F900618
        x8 = ~(x7) + 1;                             // 40122F, 401246   // 0xD06FF9E8
        x9 = SHR(x8, 0x1B) | (x8 << 0x05);          // 40128C - 401294  // 0x0DFF3D1A
        x10 = (x9 << 0x14) | SHR(x9, 0x0C);         // 4012AD - 4012B3  // 0xD1A0DFF3
        x11 = (x10 << 0x1D) | SHR(x10, 0x03);       // 4012CC - 4012D2  // 0x7A341BFE
        x12 = (x11 << 0x16) | SHR(x11, 0x0A);       // 401319 - 40131F  // 0xFF9E8D06
        x13 = SHR(x12, 0x1C) | (x12 << 0x04);       // 401338 - 40133E  // 0xF9E8D06F
        x14 = ~((x13 + 1) + 3);                     // 401383, 4013ED, 401402   // 0x06172F8C
        x15 = (x14 << 0x1C) | SHR(x14, 0x04);       // 401416 - 40141E  // 0xC06172F8
        x16 = ~(x15);                               // 40142F, 401434   // 0x3F9E8D07
        x17 = (x16 << 0x18) | SHR(x16, 0x08);       // 401448 - 401450  // 0x073F9E8D
        x18 = (x17 << 0x1B) | SHR(x17, 0x05);       // 401464 - 40146C  // 0x6839FCF4
        x19 = ~((x18 + 1) + 1);                     // 401480, 4014BD, 4014D5   // 0x97C60309
        x20 = SHR(x19, 0x17) | (x19 << 0x09);       // 4014EE - 4014F6  // 0x8C06132F
        x21 = SHR(x20, 0x14) | (x20 << 0x0C);       // 401510 - 401518  // 0x6132F8C0
        x22 = SHR(x21, 0x1D) | (x21 << 0x03);       // 401534 - 40153A  // 0x0997C603
        x23 = ~(x22 + 1);                           // 401554, 40156F   // 0xF66839FB
        x24 = (x23 << 0x1F) | SHR(x23, 0x01);       // 40158B - 401590  // 0xFB341CFD
        x25 = ~(x24);                               // 4015A4, 4015AC   // 0x04CBE302
        x26 = SHR(x25, 0x16) | (x25 << 0x0A);       // 4015C6 - 4015D0  // 0x2F8C0813
        x27 = ~(x26) + 1;                           // 4015E8, 401602   // 0xD073F7ED
        x28 = SHR(x27, 0x1E) | (x27 << 0x02);       // 401650 - 401658  // 0x41CFDFB7

        decdword = x28;
        return decdword;
    }

    static main()
    {
        auto startdecrypt, size, enddecrypt, ea, x, entrycall;
        startdecrypt = 0x41FE54;
        size = 0x0A5A * 4;                          // dword size replacement
        enddecrypt = (startdecrypt + size);         // = 0x4227BC
        ea = startdecrypt;
        Message("\nDecrypting... \n");

        while (ea < enddecrypt)
        {
            Message("%x \n", ea);
            x = Dword(ea);                          // fetch the dword
            x = decryptdword(x);                    // decrypt it
            PatchDword(ea, x);                      // put it back
            ea = ea + 4;
        }

        // Analyze decrypted code and make function

        Message("\nResolving code... \n");

        entrycall = 0x42026c;   // where code calls to after decryption

        MakeUnknown(entrycall, (enddecrypt - entrycall), DOUNK_EXPAND);

        ea = entrycall;
        while (ea < enddecrypt)
        {
            Message("ea %x \n", ea);
            MakeCode(ea);               // reconstructed (lost in the forum extraction): without it ItemEnd() would not advance over instructions
            ea = ItemEnd(ea);
        }
        MakeFunction(entrycall, BADADDR);   // reconstructed: creates the proc that shows up at 42026C in the Functions window

        Message("...Done \n");
    }

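    The decryption chain from Kayaker's IDC script, ported to Python as an added example (not code from the thread): every SHR/SHL pair is a 32-bit rotate and the remaining steps are negations and bit inversions, so the whole chain is trivially invertible and can be run outside IDA over a dumped region. The intermediate values are the ones the script's comments record for the first dword; the encrypted input dword is not quoted anywhere in the thread and is recovered here by running the inverse chain.

```python
import struct

MASK = 0xFFFFFFFF

def rotl(x, n):
    """32-bit rotate left: the script's SHR(x, 32 - n) | (x << n) pair."""
    n %= 32
    return ((x << n) | (x >> (32 - n))) & MASK

def neg(x):
    return (-x) & MASK           # (~x) + 1

def inv(x):
    return (~x) & MASK           # ~x

def inv_add(x, n):
    return (~(x + n)) & MASK     # ~(x + n); e.g. ~((x13 + 1) + 3) is inv_add(x13, 4)

# (operation, operand) for x1 .. x28, in the order the IDC script applies them.
STEPS = [
    ("rotl", 0x05), ("rotl", 0x0B), ("neg", 0),     ("rotl", 0x1B), ("inv_add", 2),
    ("rotl", 0x0D), ("rotl", 0x07), ("neg", 0),     ("rotl", 0x05), ("rotl", 0x14),
    ("rotl", 0x1D), ("rotl", 0x16), ("rotl", 0x04), ("inv_add", 4), ("rotl", 0x1C),
    ("inv", 0),     ("rotl", 0x18), ("rotl", 0x1B), ("inv_add", 2), ("rotl", 0x09),
    ("rotl", 0x0C), ("rotl", 0x03), ("inv_add", 1), ("rotl", 0x1F), ("inv", 0),
    ("rotl", 0x0A), ("neg", 0),     ("rotl", 0x02),
]

def apply_step(x, step):
    op, n = step
    if op == "rotl":
        return rotl(x, n)
    if op == "neg":
        return neg(x)
    if op == "inv":
        return inv(x)
    return inv_add(x, n)

def undo_step(y, step):
    """Inverse of apply_step: a rotation undoes by rotating the rest of the way,
    neg and inv are their own inverses, and y = ~(x + n) gives x = ~y - n."""
    op, n = step
    if op == "rotl":
        return rotl(y, 32 - n)
    if op == "neg":
        return neg(y)
    if op == "inv":
        return inv(y)
    return (inv(y) - n) & MASK

def decrypt_trace(dword):
    """[x1, ..., x28] for one encrypted dword, mirroring the script's locals."""
    trace, x = [], dword & MASK
    for step in STEPS:
        x = apply_step(x, step)
        trace.append(x)
    return trace

def decrypt_dword(dword):
    return decrypt_trace(dword)[-1]

def encrypt_dword(dword):
    """Run the chain backwards: re-encrypts a plaintext dword (or, given x28,
    recovers the encrypted input the script started from)."""
    x = dword & MASK
    for step in reversed(STEPS):
        x = undo_step(x, step)
    return x

def decrypt_region(blob):
    """Decrypt a little-endian dword buffer, e.g. a dump of 41FE54..4227BC."""
    if len(blob) % 4:
        raise ValueError("encrypted region must be a whole number of dwords")
    count = len(blob) // 4
    words = struct.unpack("<%dI" % count, blob)
    return struct.pack("<%dI" % count, *(decrypt_dword(w) for w in words))

# Intermediate results the IDC comments record for the first dword of the region.
POSTED_TRACE = [
    0xEC21860B, 0x0C305F61, 0xF3CFA09F, 0xFF9E7D04, 0x006182F9, 0x305F200C,
    0x2F900618, 0xD06FF9E8, 0x0DFF3D1A, 0xD1A0DFF3, 0x7A341BFE, 0xFF9E8D06,
    0xF9E8D06F, 0x06172F8C, 0xC06172F8, 0x3F9E8D07, 0x073F9E8D, 0x6839FCF4,
    0x97C60309, 0x8C06132F, 0x6132F8C0, 0x0997C603, 0xF66839FB, 0xFB341CFD,
    0x04CBE302, 0x2F8C0813, 0xD073F7ED, 0x41CFDFB7,
]

# The thread never shows the encrypted input itself; it is derived here by
# inverting the chain from x28, not quoted from the post.
FIRST_ENCRYPTED = encrypt_dword(POSTED_TRACE[-1])

def matches_posted_trace():
    """True when this port reproduces every intermediate value from the script."""
    return decrypt_trace(FIRST_ENCRYPTED) == POSTED_TRACE

if __name__ == "__main__":
    print("encrypted input: %08X" % FIRST_ENCRYPTED)
    print("trace matches:  ", matches_posted_trace())
```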

  6. #6
    Quote Originally Posted by Kayaker:
    Tracing this section will create the attached PE file. I don't really see the UPX or any unpacker analogy here.
    This is because it's not the final stage yet. It again decrypts a payload DLL and calls an export ("sds"). Here's the final DLL; I unpacked it with upx -d without issues and IDA loads it just fine.

  7. #7
    Thanks all for the help! I've been working (slowly) through this. I have a couple of questions that I hope you all could please help me out with. After doing some research about packing (LoadLibrary, GetProcAddress, etc.) and reading Kayaker's post, I tried to set the breakpoint in IDA on GetProcAddress but it's not listed in the import section. I now understand how that function is called by dereferencing through the PE data structures to find its address within the kernel32.dll file (mov eax, fs:[30h], mov eax, [eax+0ch], etc.). I was able to set a breakpoint in OllyDbg -> search for -> names in all modules -> LoadLibrary(), GetProcAddress(), etc. Is there a way to accomplish this in IDA since LoadLibrary() and GetProcAddress() are not listed in the imports section? Once I figured out in IDA how GetProcAddress was called, I set a breakpoint on that address so I could see what function GetProcAddress was returning an address for. I've been googling and can't seem to find out how to do that in IDA. I'm also looking through the unofficial IDA Pro book that I have.

    I'm able to step into function_0042026C and have IDA create a function of it and the rest of the code that goes along with it. My question is, is this the section that is packed with UPX? Also, how would one know that? I'm just wondering because every time I've run into UPX stuff the .UPX "tag" is present in the disassembly. I've tried to dump this section in IDA using the x86emu dump option to see if I could uncompress it using the UPX utility. I've stepped into that function in OllyDbg and dumped the process as well. But I haven't had success with either approach.

    Looking at the OllyDbg logs that Blabberer posted, I understand why a breakpoint would be set when memcpy is called, but what is the significance of the first breakpoint at 004019C8? As of yet I haven't made my way through to the end of the code starting at 0042026c. I imagine that there is more unpacking to do because at the point I'm at there is still nothing at that address. Also, Blabberer posted "to be on upx oep after popad"; I'm not sure how to get to that point. From the research I've done (on manually unpacking), the address that will be popped off the stack will be the OEP. So I've set a few breakpoints on popad but can't get an address that gets me to what seems like the OEP.

    Thanks again for all the help. I'm doing research to learn as I try to work my way through this. Any help is greatly appreciated.
