Help unpacking old malware - Malware attached

This forum focuses on analyzing malware and any aspects of dealing with packer protections.
JimmerRobber
Junior Member
Posts: 2
Joined: Tue Feb 05, 2013 10:49 am

Help unpacking old malware - Malware attached

Post by JimmerRobber »

I've been trying for a while to unpack an older piece of malware. I've been reversing keygens and crackmes for a while and I've never really had to manually unpack anything. I've tried a few automatic unpackers but didn't have any luck, so I thought I would try to learn how to manually unpack something. I've tried using OllyDump -> Find OEP by section (trace into) and (trace over), dumping the process and then using Import REConstructor. After I tried this and looked at it in PEView, the text section still doesn't have anything in it. Also, when I tried to open the dumped executable in IDA, it has trouble running from the new EP. I've also tried using the "find POPAD" method to reveal the OEP address. I've also opened it in IDA and stepped into what I thought was the unpacking function, but when it seemed to unpack some code, the imports that IDA saw still didn't show up anywhere in the code. I've been working on this for a while so any help is appreciated. I'm not necessarily looking to have someone unpack the malware for me (but I would download it and look at it :>); I'd like some guidance to help me get over the hump. I've been trying different approaches that I've found during my research but can't seem to get anywhere.

The password for the zip file is "infected" and I changed the extension to .xex

Thanks in advance and any help is greatly appreciated.
Attachments
malware.zip
(161.82 KiB) Downloaded 122 times
Kayaker
Posts: 4169
Joined: Thu Oct 26, 2000 11:00 am

Post by Kayaker »

Hi

This is not "packed" in the classical sense. It has obfuscation in the form of garbage instructions designed to confuse, encrypted sections, and perhaps other tricks further along. Forget the automagic solutions at this point, your best bet would be to just single step everything and try to understand what it's doing (use of LoadLibrary/GetProcAddress, VirtualAlloc, import addresses stored on the stack, obfuscation/encryption tricks, etc.)

As a suggestion, you might want to try for this one the x86 Emulator plugin for IDA

http://www.idabook.com/x86emu/

What that will allow you to do is step through the initial decryption routine for example, in emulation mode, and will update the IDA disassembly with the decrypted changes. Makes it handy for later analysis.

For example, you should be able to recognize a decryption routine that begins about here:

:00401011 mov eax, offset StartDecrypt ; 041FE54

and the decryption loop proper from 401077 -> 40169B

If you step through that a time or two you should be able to find and name the variables used for the loop counter, the size to be decrypted, the encrypted dword(s), and the decrypted result which will replace it.

You should also be able to spot the garbage code that accomplishes nothing (i.e. registers used but soon overwritten for naught, variables that are never used, etc.), and soon be able to ignore that. For a fun challenge you might even want to try to pull out the real decryption algorithm from all that and create an IDC script to automate the decryption. That way you make your own 'automagic' solution.


Anyway, you probably already saw that after this first decryption there is a call into the decrypted code, which is the start of the next layer where the imports are resolved:

4016D9 call [ebp+var_14] ; 42026C

With x86emu, once you get bored of stepping through the decryption loop, you can use Run To Cursor to 4016D9 and the IDB will now have the decrypted code stored.


I think the point I'm trying to make is that there is no "easy" solution to this, you won't get a perfect disassembly (nor "unpacked" PE) with all imports defined without a variety of tricks, and even then...

One of the first imports to be resolved is VirtualAlloc, I didn't go that far but I wouldn't be surprised if it decrypted and ran code from memory. That you will have to dump as a bin file and work with it as best you can.

You can also note down interesting imports as they are resolved with a break on GetProcAddress and set further breaks on them for when they are used, i.e. VirtualAlloc/Protect, lstrcmp, etc. and that will give some idea of what the malware does with them. In fact, x86emu will log the imports for you as they are resolved.

Hope this gives you some new ideas at least.

Kayaker
esther
Posts: 748
Joined: Fri Mar 16, 2001 12:00 pm

Post by esther »

As for using Import REConstructor, you need to be on the OEP. Import REConstructor will only be able to get the imports at the correct OEP.
If you really want to learn unpacking, lena151's tutorials are really a good start.
esther


Reverse the code, Reverse Your Minds First
blabberer
Senior Member
Posts: 1535
Joined: Wed Dec 08, 2004 11:12 am

Post by blabberer »

well the first layer as posted already isn't a packer per se, more of an obfuscation crap blah blah
the second layer seems to be upx though upx -d errs with some checksum error
ollydbg and ollydump do a neat job
to be on upx oep after popad
dumped raw
ida seems to load it after a few hiccups, reloc is probably corrupt still
a dialer it seems

Code:

004019C8  Hardware breakpoint 1 at Malware.004019C8
          Analysing Malware
            3 heuristical procedures
            24 calls to known functions
            2 loops
004019C2  CALL to memcpy from Malware.0040136C
            dest = 10000000
            src = Malware.00403044
            n = 1120 (4384.)
004019C2  Breakpoint at Malware.004019C2
004019C2  CALL to memcpy from Malware.00401466
            dest = 10036000
            src = Malware.00403444
            n = 14400 (82944.)
004019C2  Breakpoint at Malware.004019C2
004019C2  CALL to memcpy from Malware.00401466
            dest = 1004B000
            src = Malware.00417844
            n = 1000 (4096.)
004019C2  Breakpoint at Malware.004019C2
76B20000  Module C:\WINDOWS\system32\ATL.DLL
76D60000  Module C:\WINDOWS\system32\iphlpapi.dll
71AB0000  Module C:\WINDOWS\system32\WS2_32.dll
71AA0000  Module C:\WINDOWS\system32\WS2HELP.dll
774E0000  Module C:\WINDOWS\system32\ole32.dll
77120000  Module C:\WINDOWS\system32\OLEAUT32.dll
7C9C0000  Module C:\WINDOWS\system32\SHELL32.dll
77F60000  Module C:\WINDOWS\system32\SHLWAPI.dll
773D0000  Module C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
76EB0000  Module C:\WINDOWS\system32\TAPI32.dll
76E80000  Module C:\WINDOWS\system32\rtutils.dll
76B40000  Module C:\WINDOWS\system32\WINMM.dll
7E1E0000  Module C:\WINDOWS\system32\urlmon.dll
77C00000  Module C:\WINDOWS\system32\VERSION.dll
771B0000  Module C:\WINDOWS\system32\WININET.dll
77A80000  Module C:\WINDOWS\system32\CRYPT32.dll
004019A2  Hardware breakpoint 2 at Malware.004019A2
10025D27  Hardware breakpoint 3 at 10025D27
          OllyDump -- Start "JMP [Thunk]"(0x25FF) and "CALL [Thunk]"(0x15FF) search

          OllyDump -- Import Table
10027000  DLL:ADVAPI32.dll  FirstThunkRVA:27000
            DLL Name      Address   Ordinal   API Name
10027000    ADVAPI32.dll  77DDECD5   01D4     RegDeleteValueA
10027004    ADVAPI32.dll  77DD6C17   01CB     RegCloseKey
10027008    ADVAPI32.dll  77DDE9E4   01CF     RegCreateKeyExA
1002700C    ADVAPI32.dll  77DD797B   01AB     OpenProcessToken
10027010    ADVAPI32.dll  77DD7842   01E5     RegOpenKeyExA
10027014    ADVAPI32.dll  77DD7AAB   01EF     RegQueryValueExA
10027018    ADVAPI32.dll  77DDEAD7   01FC     RegSetValueExA
1002701C    ADVAPI32.dll  77DE4280   01D2     RegDeleteKeyA
10027020    ADVAPI32.dll  77DE5196   01D9     RegEnumKeyExA
10027024    ADVAPI32.dll  77DE4312   01EA     RegQueryInfoKeyA
10027028    ADVAPI32.dll  77DDEFFC   001E     AdjustTokenPrivileges
1002702C    ADVAPI32.dll  77DFC208   014E     LookupPrivilegeValueA
10027034  DLL:ATL.DLL  FirstThunkRVA:27034
            DLL Name      Address   Ordinal   API Name
10027034    ATL.DLL       76B2376F   002F     AtlAxGetControl
10027038    ATL.DLL       76B299D0   002A     AtlAxWinInit
10027040  DLL:COMCTL32.dll  FirstThunkRVA:27040
            DLL Name      Address   Ordinal   API Name
10027040    COMCTL32.dll  5D0965CF   0011     InitCommonControls
10027048  DLL:GDI32.dll  FirstThunkRVA:27048
            DLL Name      Address   Ordinal   API Name
10027048    GDI32.dll     77F3BC60   003A     CreateFontA
1002704C    GDI32.dll     77F1D3EA   00DE     ExtTextOutA
10027050    GDI32.dll     77F15E29   0217     SetBkColor
10027054    GDI32.dll     77F15D77   023E     SetTextColor
10027058    GDI32.dll     77F16BFA   0090     DeleteObject
1002705C    GDI32.dll     77F161A5   0051     CreateSolidBrush
10027064  DLL:kernel32.dll  FirstThunkRVA:27064
            DLL Name      Address   Ordinal   API Name
10027064    kernel32.dll  7C810C1E   030A     SetFilePointer
10027068    kernel32.dll  7C80A045   024A     LoadResource
1002706C    kernel32.dll  7C80BCF9   0342     SizeofResource
10027070    kernel32.dll  7C80CD27   0258     LockResource
10027074    kernel32.dll  7C80BF19   00E0     FindResourceA
10027078    kernel32.dll  7C813869   00D1     FindFirstFileA
1002707C    kernel32.dll  7C834EC9   00DA     FindNextFileA
10027080    kernel32.dll  7C865B1F   0070     CreateToolhelp32Snapshot
10027084    kernel32.dll  7C864DF5   0288     Process32First
10027088    kernel32.dll  7C864F68   028A     Process32Next
1002708C    kernel32.dll  7C8099B0   013D     GetCurrentProcessId
10027090    kernel32.dll  7C8104BC   0068     CreateRemoteThread
10027094    kernel32.dll  7C8021D0   02AA     ReadProcessMemory
10027098    kernel32.dll  7C802213   0399     WriteProcessMemory
1002709C    kernel32.dll  7C802530   037F     WaitForSingleObject
100270A0    kernel32.dll  7C82141D   0154     GetExitCodeThread
100270A4    kernel32.dll  7C809B74   0372     VirtualFree
100270A8    kernel32.dll  7C809AE1   036F     VirtualAlloc
100270AC    kernel32.dll  7C835EA7   0261     MoveFileA
100270B0    kernel32.dll  7C835DE2   01CC     GetTempPathA
100270B4    kernel32.dll  7C861807   01CA     GetTempFileNameA
100270B8    kernel32.dll  7C812B6E   01DF     GetVersionExA
100270BC    kernel32.dll  7C80BB31   03AE     lstrcmpi
100270C0    kernel32.dll  7C8309D1   0278     OpenProcess
100270C4    kernel32.dll  7C830BAB   01F0     GlobalDeleteAtom
100270C8    kernel32.dll  7C8360DB   01F1     GlobalFindAtomA
100270CC    kernel32.dll  7C8360C1   01EC     GlobalAddAtomA
100270D0    kernel32.dll  7C85AC7C   027F     OutputDebugStringA
100270D4    kernel32.dll  7C80FDBD   01EE     GlobalAlloc
100270D8    kernel32.dll  7C80FCBF   01F5     GlobalFree
100270DC    kernel32.dll  7C8325D4   0254     LocalSize
100270E0    kernel32.dll  7C809A1D   024B     LocalAlloc
100270E4    kernel32.dll  7C830917   0252     LocalReAlloc
100270E8    kernel32.dll  7C81CAFA   00B7     ExitProcess
100270EC    kernel32.dll  7C901000   0097     EnterCriticalSection
100270F0    kernel32.dll  7C9010E0   0244     LeaveCriticalSection
100270F4    kernel32.dll  7C91135A   0080     DeleteCriticalSection
100270F8    kernel32.dll  7C809F81   0219     InitializeCriticalSection
100270FC    kernel32.dll  7C8099BF   024F     LocalFree
10027100    kernel32.dll  7C80A164   0383     WideCharToMultiByte
10027104    kernel32.dll  7C809E91   0228     IsBadReadPtr
10027108    kernel32.dll  7C8286D6   0040     CopyFileA
1002710C    kernel32.dll  7C831EC5   0082     DeleteFileA
10027110    kernel32.dll  7C80E9CF   005D     CreateMutexA
10027114    kernel32.dll  7C8024B7   02B4     ReleaseMutex
10027118    kernel32.dll  7C821794   0048     CreateDirectoryA
1002711C    kernel32.dll  7C814F7A   01BA     GetSystemDirectoryA
10027120    kernel32.dll  7C82134B   01E9     GetWindowsDirectoryA
10027124    kernel32.dll  7C90FE01   0169     GetLastError
10027128    kernel32.dll  7C80B55F   0175     GetModuleFileNameA
1002712C    kernel32.dll  7C8106C7   006D     CreateThread
10027130    kernel32.dll  7C80236B   0063     CreateProcessA
10027134    kernel32.dll  7C801A28   0050     CreateFileA
10027138    kernel32.dll  7C810B07   015C     GetFileSize
1002713C    kernel32.dll  7C801812   02A7     ReadFile
10027140    kernel32.dll  7C80BE91   03B1     lstrcpy
10027144    kernel32.dll  7C834D59   03A8     lstrcat
10027148    kernel32.dll  7C8101A1   03B4     lstrcpyn
1002714C    kernel32.dll  7C80BE46   03B7     lstrlen
10027150    kernel32.dll  7C802446   0343     Sleep
10027154    kernel32.dll  7C809C88   0268     MultiByteToWideChar
10027158    kernel32.dll  7C8097F6   0221     InterlockedIncrement
1002715C    kernel32.dll  7C80980A   021D     InterlockedDecrement
10027160    kernel32.dll  7C90FE10   02C2     RestoreLastError
10027164    kernel32.dll  7C801AD4   0375     VirtualProtect
10027168    kernel32.dll  7C80DE85   013C     GetCurrentProcess
1002716C    kernel32.dll  7C80AC6E   00F1     FreeLibrary
10027170    kernel32.dll  7C80AE30   0199     GetProcAddress
10027174    kernel32.dll  7C801D7B   0245     LoadLibraryA
10027178    kernel32.dll  7C80B731   0177     GetModuleHandleA
1002717C    kernel32.dll  7C830D64   03AB     lstrcmp
10027180    kernel32.dll  7C80932E   01D5     GetTickCount
10027184    kernel32.dll  7C809BD7   0032     CloseHandle
10027188    kernel32.dll  7C81CB23   034C     TerminateThread
1002718C    kernel32.dll  7C810E17   0390     WriteFile
10027190    kernel32.dll  7C801E1A   034B     TerminateProcess
10027198  DLL:MSVCRT.dll  FirstThunkRVA:27198
            DLL Name      Address   Ordinal   API Name
10027198    MSVCRT.dll    77C623D8   00B7     _adjust_fdiv
1002719C    MSVCRT.dll    77C2C407   02D9     malloc
100271A0    MSVCRT.dll    77C39D67   013C     _initterm
100271A4    MSVCRT.dll    77C34DF8   01B5     _onexit
100271A8    MSVCRT.dll    77C34E51   006C     __dllonexit
100271AC    MSVCRT.dll    77C2C0C3   0288     calloc
100271B0    MSVCRT.dll    77C4FA30   0119     _ftol
100271B4    MSVCRT.dll    77C4D1C0   02E5     pow
100271B8    MSVCRT.dll    77C47660   02FF     strchr
100271BC    MSVCRT.dll    77C47BE0   030B     strrchr
100271C0    MSVCRT.dll    77C41B72   02FD     sscanf
100271C4    MSVCRT.dll    77C4139C   02AA     fseek
100271C8    MSVCRT.dll    77C41574   02AC     ftell
100271CC    MSVCRT.dll    77C40BB1   029A     fgets
100271D0    MSVCRT.dll    77C46320   01FB     _strlwr
100271D4    MSVCRT.dll    77C3F010   029F     fopen
100271D8    MSVCRT.dll    77C411FB   02A5     fread
100271DC    MSVCRT.dll    77C40AB1   0294     fclose
100271E0    MSVCRT.dll    77C4173B   02AE     fwrite
100271E4    MSVCRT.dll    77C36D02   02B2     getenv
100271E8    MSVCRT.dll    77C1CF90   0284     atof
100271EC    MSVCRT.dll    77C315E8   017D     _mbclen
100271F0    MSVCRT.dll    77C31E1D   0193     _mbsnbcmp
100271F4    MSVCRT.dll    77C30C6B   0150     _ismbcdigit
100271F8    MSVCRT.dll    77C3FE49   0324     vsprintf
100271FC    MSVCRT.dll    77C32903   01A5     _mbsrchr
10027200    MSVCRT.dll    77C32BB0   01AA     _mbsstr
10027204    MSVCRT.dll    77C21868   0010     [email protected]@[email protected]
10027208    MSVCRT.dll    77C31C3E   018F     _mbsinc
1002720C    MSVCRT.dll    77C317FF   0186     _mbschr
10027210    MSVCRT.dll    77C472B0   02E0     memmove
10027214    MSVCRT.dll    77C2C21B   02A6     free
10027218    MSVCRT.dll    77C2C437   02EF     realloc
1002721C    MSVCRT.dll    77C1BE7B   0286     atol
10027220    MSVCRT.dll    77C47A50   0308     strncmp
10027224    MSVCRT.dll    77C31881   0187     _mbscmp
10027228    MSVCRT.dll    77C47A90   0309     strncpy
1002722C    MSVCRT.dll    77C4AECF   0318     time
10027230    MSVCRT.dll    77C371BC   02FC     srand
10027234    MSVCRT.dll    77C371D3   02EE     rand
10027238    MSVCRT.dll    77C3F931   02FA     sprintf
1002723C    MSVCRT.dll    77C31CBA   0191     _mbslwr
10027240    MSVCRT.dll    77C1BF18   0285     atoi
10027244    MSVCRT.dll    77C36BD0   027D     abs
10027248    MSVCRT.dll    77C478A0   0306     strlen
1002724C    MSVCRT.dll    77C3FA76   01E3     _snprintf
10027250    MSVCRT.dll    77C35F0D   01C2     _purecall
10027254    MSVCRT.dll    77C46EB0   02DE     memcmp
10027258    MSVCRT.dll    77C47730   0300     strcmp
1002725C    MSVCRT.dll    77C35C94   00EE     _except_handler3
10027260    MSVCRT.dll    77C46030   0189     _mbscpy
10027264    MSVCRT.dll    77C46040   0185     _mbscat
10027268    MSVCRT.dll    77C46F70   02DF     memcpy
1002726C    MSVCRT.dll    77C47C60   030D     strstr
10027270    MSVCRT.dll    77C29CC5   0011     [email protected]@Z
10027274    MSVCRT.dll    77C47FCC   032E     wcslen
10027278    MSVCRT.dll    77C29CDD   0012     [email protected]@Z
1002727C    MSVCRT.dll    77C226F6   0049     _CxxThrowException
10027280    MSVCRT.dll    77C3EC4B   0102     _fileno
10027284    MSVCRT.dll    77C2D8E2   0100     _filelength
10027288    MSVCRT.dll    77C1C222   0174     _ltoa
1002728C    MSVCRT.dll    77C46665   0205     _strupr
10027290    MSVCRT.dll    77C4624E   01F5     _strcmpi
10027294    MSVCRT.dll    77C1C1F3   0161     _itoa
10027298    MSVCRT.dll    77C475F0   02E1     memset
100272A0  DLL:OLEAUT32.dll  FirstThunkRVA:272A0
            DLL Name      Address   Ordinal   API Name
100272A0    OLEAUT32.dll  77124880   0006     SysFreeString
100272A4    OLEAUT32.dll  771248F0   0009     VariantClear
100272A8    OLEAUT32.dll  77124BA2   0002     SysAllocString
100272AC    OLEAUT32.dll  77124C35   0096     SysAllocStringByteLen
100272B0    OLEAUT32.dll  77124C1B   0007     SysStringLen
100272B4    OLEAUT32.dll  77124950   0008     VariantInit
100272B8    OLEAUT32.dll  77124CFD   000A     VariantCopy
100272BC    OLEAUT32.dll  77126BBB   000C     VariantChangeType
100272C0    OLEAUT32.dll  77124B39   0004     SysAllocStringLen
100272C8  DLL:SHELL32.dll  FirstThunkRVA:272C8
            DLL Name      Address   Ordinal   API Name
100272C8    SHELL32.dll   7CA24909   0113     SHChangeNotify
100272CC    SHELL32.dll   7CA221D6   016D     Shell_NotifyIcon
100272D0    SHELL32.dll   7CA41150   0167     ShellExecuteA
100272D8  DLL:SHLWAPI.dll  FirstThunkRVA:272D8
            DLL Name      Address   Ordinal   API Name
100272D8    SHLWAPI.dll   77FA4980   033B     StrTrimA
100272E0  DLL:TAPI32.dll  FirstThunkRVA:272E0
            DLL Name      Address   Ordinal   API Name
100272E0    TAPI32.dll    76EBFF3D   008C     lineInitialize
100272E4    TAPI32.dll    76EBA378   0095     lineNegotiateAPIVersion
100272E8    TAPI32.dll    76EBA600   0098     lineOpenA
100272EC    TAPI32.dll    76EB9765   0078     lineGetNewCalls
100272F0    TAPI32.dll    76EB874C   005F     lineGetCallInfoA
100272F4    TAPI32.dll    76EC013F   00D1     lineShutdown
100272FC  DLL:USER32.dll  FirstThunkRVA:272FC
            DLL Name      Address   Ordinal   API Name
100272FC    USER32.dll    7E4242ED   0258     SetForegroundWindow
10027300    USER32.dll    7E42AF56   0293     ShowWindow
10027304    USER32.dll    7E42D1D2   010F     GetDesktopWindow
10027308    USER32.dll    7E42E4A9   0061     CreateWindowExA
1002730C    USER32.dll    7E418A80   017C     GetWindowThreadProcessId
10027310    USER32.dll    7E42AAFD   0200     PostMessageA
10027314    USER32.dll    7E431211   028B     SetWindowsHookExA
10027318    USER32.dll    7E46670B   0276     SetSystemCursor
1002731C    USER32.dll    7E42DC14   004A     CopyImage
10027320    USER32.dll    7E41DE72   0049     CopyIcon
10027324    USER32.dll    7E42D33E   01B8     LoadCursorA
10027328    USER32.dll    7E42F25B   0164     GetTopWindow
1002732C    USER32.dll    7E455F7F   0045     CloseWindow
10027330    USER32.dll    7E419689   01EB     MsgWaitForMultipleObjects
10027334    USER32.dll    7E43C972   0254     SetDlgItemTextA
10027338    USER32.dll    7E46B05E   0114     GetDlgItemTextA
1002733C    USER32.dll    7E429313   01AC     IsWindow
10027340    USER32.dll    7E42C7F9   0267     SetParent
10027344    USER32.dll    7E418F9C   015E     GetSystemMetrics
10027348    USER32.dll    7E42436E   0112     GetDlgItem
1002734C    USER32.dll    7E4290B4   0175     GetWindowRect
10027350    USER32.dll    7E42E8F6   01BC     LoadIconA
10027354    USER32.dll    7E42F3C2   023C     SendMessageA
10027358    USER32.dll    7E43B144   009F     DialogBoxParamA
1002735C    USER32.dll    7E424A4E   00C7     EndDialog
10027360    USER32.dll    7E41945D   016F     GetWindowLongA
10027364    USER32.dll    7E42C29D   0281     SetWindowLongA
10027368    USER32.dll    7E42B29E   01EA     MoveWindow
1002736C    USER32.dll    7E42A340   01FE     PeekMessageA
10027370    USER32.dll    7E418BF6   02AB     TranslateMessage
10027374    USER32.dll    7E429849   00C5     EnableWindow
10027378    USER32.dll    7E42F56B   0287     SetWindowTextA
1002737C    USER32.dll    7E43E940   00B6     DrawFrameControl
10027380    USER32.dll    7E43216B   0178     GetWindowTextA
10027384    USER32.dll    7E43C702   00BD     DrawTextA
10027388    USER32.dll    7E42908E   0100     GetClientRect
1002738C    USER32.dll    7E429C2F   00E3     FillRect
10027390    USER32.dll    7E428717   0027     CharLowerA
10027394    USER32.dll    7E4196B8   00A2     DispatchMessageA
10027398    USER32.dll    7E41AE3F   0036     CharUpperBuffA
1002739C    USER32.dll    7E42B222   015D     GetSystemMenu
100273A0    USER32.dll    7E42D2C4   00C3     EnableMenuItem
100273A4    USER32.dll    7E44F69C   00B9     DrawMenuBar
100273A8    USER32.dll    7E418C2E   027B     SetTimer
100273AC    USER32.dll    7E418C42   01B3     KillTimer
100273B0    USER32.dll    7E429823   0118     GetForegroundWindow
100273B4    USER32.dll    7E4507EA   01DD     MessageBoxA
100273B8    USER32.dll    7E428845   0028     CharLowerBuffA
100273BC    USER32.dll    7E4299F3   0284     SetWindowPos
100273C0    USER32.dll    7E42772B   013B     GetMessageA
100273C4    USER32.dll    7E42B3C6   001B     CallNextHookEx
100273C8    USER32.dll    7E42F45F   00FD     GetClassNameA
100273CC    USER32.dll    7E42A5AE   00DF     EnumWindows
100273D0    USER32.dll    7E42D5F3   02AF     UnhookWindowsHookEx
100273D4    USER32.dll    7E4282E1   00E4     FindWindowA
100273DC  DLL:WININET.dll  FirstThunkRVA:273DC
            DLL Name      Address   Ordinal   API Name
100273DC    WININET.dll   771D5C4E   00F6     InternetGetConnectedState
100273E0    WININET.dll   771D1AF9   00B5     GetUrlCacheEntryInfoA
100273E4    WININET.dll   771C33BE   00DA     InternetCanonicalizeUrlA
100273EC  DLL:iphlpapi.dll  FirstThunkRVA:273EC
            DLL Name      Address   Ordinal   API Name
100273EC    iphlpapi.dll  76D663EF   0029     GetIfEntry
100273F0    iphlpapi.dll  76D66051   001C     GetAdaptersInfo
100273F8  DLL:ole32.dll  FirstThunkRVA:273F8
            DLL Name      Address   Ordinal   API Name
100273F8    ole32.dll     77556EC6   0047     CoMarshalInterThreadInterfaceInStream
100273FC    ole32.dll     774FEE46   006A     CoUninitialize
10027400    ole32.dll     7750057E   0012     CoCreateInstance
10027404    ole32.dll     77517E90   0051     CoRegisterClassObject
10027408    ole32.dll     7752A2F3   005D     CoRevokeClassObject
1002740C    ole32.dll     77502A53   003C     CoInitialize
10027410    ole32.dll     77556DD6   002F     CoGetInterfaceAndReleaseStream
10027418  DLL:urlmon.dll  FirstThunkRVA:27418
            DLL Name      Address   Ordinal   API Name
10027418    urlmon.dll    7E1ED381   0081     CreateURLMoniker
1002741C    urlmon.dll    7E23BED5   00B0     URLOpenBlockingStreamA
          OllyDump -- Calculating New File Size...
          New Import Section Size:1400  New File Size:44E00
          OllyDump -- Making New Import Table...
          OllyDump -- Dump and Rebuild Finish!!

End of session

Attachments
malware.xex.upx.oep.dumb.raw1.zip
(107.81 KiB) Downloaded 86 times
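The memcpy log above is the signature of a manual PE loader: one copy of the headers to the ImageBase (10000000), then one copy per section to ImageBase + VirtualAddress. The following is an added example, not code from the thread or from the sample, that reads the same header fields a loader needs (e_lfanew at DOS+0x3C, SizeOfOptionalHeader, SizeOfHeaders, the section table), finds PE32 images embedded in a dumped buffer, and produces the list of copies such a loader would make. The PE image it runs on is constructed inside the block; the copy sizes it uses (SizeOfHeaders for the headers, SizeOfRawData per section) are the standard loader behaviour, not the exact arithmetic of the sample.

```python
"""
Added example (not from the thread): minimal PE32 header parsing and an
emulation of the manual-loader copies seen in the OllyDbg memcpy log.
The sample image is constructed below; nothing comes from the malware.
"""
import struct

DOS_MAGIC = b"MZ"
PE_MAGIC = b"PE\0\0"
PE32_MAGIC = 0x10B


def parse_pe(buf, off=0):
    """Return the header fields a loader needs, or None if buf[off:] does
    not hold a plausible PE32 image. Offsets: e_lfanew at DOS+0x3C,
    SizeOfOptionalHeader at NT+0x14, OptionalHeader at NT+0x18,
    SizeOfImage/SizeOfHeaders at OptionalHeader+0x38/+0x3C."""
    if buf[off:off + 2] != DOS_MAGIC or len(buf) < off + 0x40:
        return None
    e_lfanew, = struct.unpack_from("<I", buf, off + 0x3C)
    nt = off + e_lfanew
    # Heuristic sanity cap: real NT headers sit within the first page.
    if e_lfanew > 0x1000 or len(buf) < nt + 0x18 + 0x60:
        return None
    if buf[nt:nt + 4] != PE_MAGIC:
        return None
    machine, nsec = struct.unpack_from("<HH", buf, nt + 4)
    opt_size, = struct.unpack_from("<H", buf, nt + 0x14)
    opt = nt + 0x18
    if struct.unpack_from("<H", buf, opt)[0] != PE32_MAGIC:
        return None                      # PE32 only; the sample is 32-bit
    entry, = struct.unpack_from("<I", buf, opt + 0x10)
    image_base, = struct.unpack_from("<I", buf, opt + 0x1C)
    size_of_image, size_of_headers = struct.unpack_from("<II", buf, opt + 0x38)
    sec = opt + opt_size
    if len(buf) < sec + 40 * nsec:
        return None
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", buf, sec + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "rawptr": rawptr, "rawsize": rawsize})
    return {"machine": machine, "e_lfanew": e_lfanew, "entry": entry,
            "image_base": image_base, "size_of_image": size_of_image,
            "size_of_headers": size_of_headers, "sections": sections}


def find_embedded_pe(blob):
    """Offsets of every MZ that parses as a PE32 image; stray 'MZ' bytes
    that do not lead to a PE signature are rejected by parse_pe."""
    hits, i = [], blob.find(DOS_MAGIC)
    while i != -1:
        if parse_pe(blob, i) is not None:
            hits.append(i)
        i = blob.find(DOS_MAGIC, i + 1)
    return hits


def plan_loader_copies(blob, off):
    """(dest, src_offset, size) triples a manual loader copies: headers to
    ImageBase, then each section's raw data to ImageBase + VirtualAddress.
    This is the pattern behind the memcpy calls in the OllyDbg log."""
    pe = parse_pe(blob, off)
    if pe is None:
        raise ValueError("no PE32 image at offset 0x%X" % off)
    copies = [(pe["image_base"], off, pe["size_of_headers"])]
    for s in pe["sections"]:
        if s["rawsize"]:
            copies.append((pe["image_base"] + s["va"], off + s["rawptr"], s["rawsize"]))
    return copies


def map_image(blob, off):
    """Flat image those copies produce, zero-filled to SizeOfImage and
    indexed by RVA, i.e. what you would expect to see in the dump."""
    pe = parse_pe(blob, off)
    image = bytearray(pe["size_of_image"])
    for dest, src, size in plan_loader_copies(blob, off):
        rva = dest - pe["image_base"]
        chunk = blob[src:src + size]
        if rva + len(chunk) <= len(image):
            image[rva:rva + len(chunk)] = chunk
    return bytes(image)


def build_sample_image():
    """Constructed PE32 with a .text and a .data section (example only)."""
    dos = bytearray(0x40)
    dos[:2] = DOS_MAGIC
    struct.pack_into("<I", dos, 0x3C, 0x40)                  # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0x00, PE32_MAGIC)
    struct.pack_into("<I", opt, 0x10, 0x1000)                # AddressOfEntryPoint
    struct.pack_into("<I", opt, 0x1C, 0x10000000)            # ImageBase
    struct.pack_into("<II", opt, 0x20, 0x1000, 0x200)        # Section/FileAlignment
    struct.pack_into("<II", opt, 0x38, 0x3000, 0x200)        # SizeOfImage, SizeOfHeaders

    def section(name, va, vsize, rawptr, rawsize, flags):
        return struct.pack("<8sIIIIIIHHI", name, vsize, va, rawsize, rawptr, 0, 0, 0, 0, flags)

    headers = (bytes(dos) + PE_MAGIC + file_hdr + bytes(opt)
               + section(b".text", 0x1000, 0x100, 0x200, 0x200, 0x60000020)
               + section(b".data", 0x2000, 0x010, 0x400, 0x200, 0xC0000040))
    text = b"\xC3".ljust(0x200, b"\xCC")                     # a lone ret, int3 padding
    data = b"constructed sample".ljust(0x200, b"\0")
    return headers.ljust(0x200, b"\0") + text + data


if __name__ == "__main__":
    # A stray "MZ" decoy in front of the real image shows the rejection path.
    blob = b"MZ" + b"\0" * 62 + build_sample_image()
    for off in find_embedded_pe(blob):
        for dest, src, size in plan_loader_copies(blob, off):
            print("memcpy dest=%08X src=+%X n=%X" % (dest, src, size))
```

Run over a dumped, decrypted region, `find_embedded_pe` gives the offsets worth carving and `plan_loader_copies` tells you which destinations to expect in the debugger, so a memcpy breakpoint log can be checked against the header fields instead of read in isolation.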
Kayaker
Posts: 4169
Joined: Thu Oct 26, 2000 11:00 am

Post by Kayaker »

Good old Olly logging :p The dll you attached is actually created by a completely distinct EXE file (attached, "infected") which overwrites the original PE memory space during that first decrypted layer.

At .data:42279D of the original decrypted code, it calls the EP of the memory PE file you see logged at 4019C8. Your traps to memcpy are directly from that memory PE file, after it further decrypts an embedded dll into memory, i.e. the one at 40136C:

Code:

:00401350                 call    ds:VirtualAlloc
:00401356                 mov     [ebp+Dst], eax
:00401359                 mov     eax, [ebp+Src]
:0040135C                 mov     eax, [eax+IMAGE_DOS_HEADER.e_lfanew]
:0040135F                 mov     ecx, [ebp+PEHeader]
:00401362                 add     eax, [ecx+IMAGE_NT_HEADERS.OptionalHeader.SizeOfHeaders]
:00401365                 push    eax             ; Size
:00401366                 push    [ebp+Src]       ; Src
:00401369                 push    [ebp+Dst]       ; Dst
:0040136C                 call    memcpy
Also attached is an IDC file which will decrypt that first layer, resolve it as code and create a function out of it. You should see a new proc in the Functions window at 42026C. Tracing this section will create the attached PE file. I don't really see the UPX or any unpacker analogy here.

For general interest here is the IDC file, simply because it shows the silly decryption algorithm that first layer uses. Does anyone see any rationale in that algo, or is it just a bunch of random SHR/SHL/NOT sequences dreamed up during a drug-induced stupor by some skiddie?

Code:

#include <idc.idc>

// Decryption IDC for first encrypted section in malware
// http://www.woodmann.com/forum/showthrea ... e-attached

/* As per The IDA Pro Book:
   IDA uses signed comparisons, which means that the right-shift operator (>>)
   always performs an arithmetic shift (SAR instead of SHR)

   If you require logical right shifts, you must implement them
   yourself by masking off the top bit of the result, as shown here:

   result = (x >> 1) & 0x7fffffff; // set most significant bit to zero
*/

// Therefore, we can make our own SHR replacement
static SHR(x, n)
{
    auto i;

    for (i = 0; i < n; i++)
    {
        x = x >> 1;
        x = x & 0x7FFFFFFF;
    }
    return x;
}

static decryptdword(dword)
{
    auto decdword;
    auto x1, x2, x3, x4, x5, x6, x7, x8, x9, x10, x11, x12, x13, x14, x15;
    auto x16, x17, x18, x19, x20, x21, x22, x23, x24, x25, x26, x27, x28;

    // individual algorithm elements extracted from decryption loop,
    // with instruction addresses and result example from first time through loop

    x1  = SHR(dword, 0x1B) | (dword << 0x05);   // 401106 - 401112 // 0xEC21860B
    x2  = SHR(x1, 0x15) | (x1 << 0x0B);         // 401117 - 40111F // 0x0C305F61
    x3  = (~ x2) + 1;                           // 40115E, 401178 // 0xF3CFA09F
    x4  = (x3 << 0x1B) | SHR(x3, 5);            // 40118E - 401196 // 0xFF9E7D04
    x5  = ~(x4 + 2);                            // 4011C2, 4011DA // 0x006182F9
    x6  = SHR(x5, 0x13) | (x5 << 0x0D);         // 4011F1 - 4011F9 // 0x305F200C
    x7  = SHR(x6, 0x19) | (x6 << 0x07);         // 401210 - 401218 // 0x2F900618
    x8  = ~(x7) + 1;                            // 40122F, 401246 // 0xD06FF9E8
    x9  = SHR(x8, 0x1B) | (x8 << 0x05);         // 40128C - 401294 // 0x0DFF3D1A
    x10 = (x9 << 0x14) | SHR(x9, 0x0C);         // 4012AD - 4012B3 // 0xD1A0DFF3
    x11 = (x10 << 0x1D) | SHR(x10, 0x03);       // 4012CC - 4012D2 // 0x7A341BFE
    x12 = (x11 << 0x16) | SHR(x11, 0x0A);       // 401319 - 40131F // 0xFF9E8D06
    x13 = SHR(x12, 0x1C) | (x12 << 0x04);       // 401338 - 40133E // 0xF9E8D06F
    x14 = ~((x13 + 1) + 3);                     // 401383, 4013ED, 401402 // 0x06172F8C
    x15 = (x14 << 0x1C) | SHR(x14, 0x04);       // 401416 - 40141E // 0xC06172F8
    x16 = ~(x15);                               // 40142F, 401434 // 0x3F9E8D07
    x17 = (x16 << 0x18) | SHR(x16, 0x08);       // 401448 - 401450 // 0x073F9E8D
    x18 = (x17 << 0x1B) | SHR(x17, 0x05);       // 401464 - 40146C // 0x6839FCF4
    x19 = ~((x18 + 1) + 1);                     // 401480, 4014BD, 4014D5 // 0x97C60309
    x20 = SHR(x19, 0x17) | (x19 << 0x09);       // 4014EE - 4014F6 // 0x8C06132F
    x21 = SHR(x20, 0x14) | (x20 << 0x0C);       // 401510 - 401518 // 0x6132F8C0
    x22 = SHR(x21, 0x1D) | (x21 << 0x03);       // 401534 - 40153A // 0x0997C603
    x23 = ~(x22 + 1);                           // 401554, 40156F // 0xF66839FB
    x24 = (x23 << 0x1F) | SHR(x23, 0x01);       // 40158B - 401590 // 0xFB341CFD
    x25 = ~(x24);                               // 4015A4, 4015AC // 0x04CBE302
    x26 = SHR(x25, 0x16) | (x25 << 0x0A);       // 4015C6 - 4015D0 // 0x2F8C0813
    x27 = ~(x26) + 1;                           // 4015E8, 401602 // 0xD073F7ED
    x28 = SHR(x27, 0x1E) | (x27 << 0x02);       // 401650 - 401658 // 0x41CFDFB7

    decdword = x28;

    return decdword;
}

static main()
{
    auto startdecrypt, size, enddecrypt, ea, x, entrycall;

    startdecrypt = 0x41FE54;
    size = 0x0A5A * 4;                      // dword size replacement
    enddecrypt = (startdecrypt + size);     // = 0x4227BC

    ea = startdecrypt;

    Message("\nDecrypting... \n");

    while (ea < enddecrypt)
    {
        Message("%x \n", ea);
        x = Dword(ea);                      // fetch the dword
        x = decryptdword(x);                // decrypt it
        PatchDword(ea, x);                  // put it back
        ea = ea + 4;
    }

    // Analyze decrypted code and make function

    Message("\nResolving code... \n");

    entrycall = 0x42026c;                   // where code calls to after decryption

    MakeUnknown(entrycall, (enddecrypt - entrycall), DOUNK_EXPAND);

    ea = entrycall;

    while (ea < enddecrypt)
    {
        MakeCode(ea);
        Message("ea %x \n", ea);
        ea = ItemEnd(ea);
    }

    MakeFunction(entrycall, enddecrypt);

    Message("...Done \n");
}
Attachments
Mal2ndlayerEXE.zip
(89.4 KiB) Downloaded 83 times
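As an answer to the "any rationale" question, and as the automated decryption Kayaker's first post suggests building: every `SHR(x, 32-n) | (x << n)` pair in the IDC script is a rotate-left by n, so the 28 steps reduce to rotates, bitwise NOTs, two's-complement negations and small additions, all of them invertible. The Python below is an added example, not code from the thread; it expresses the routine as a step table, reproduces the per-step values given in the script's comments, and derives the matching encryption routine by running the inverse operations in reverse order (which goes beyond what the script does). The starting dword 0x5F610C30 is not on the page; it is derived here by rotating the script's first intermediate value 0xEC21860B right by 5.

```python
"""
Added example (not from the thread): the first-layer dword decryption from
Kayaker's IDC script as a table of invertible 32-bit operations, plus the
inverse (encryption) routine that follows from it.
"""
import struct

MASK = 0xFFFFFFFF


def rol(x, n):
    n %= 32
    return ((x << n) | (x >> (32 - n))) & MASK


def ror(x, n):
    return rol(x, 32 - (n % 32))


# One entry per x1..x28 in the IDC script.
#   rol n   : SHR(x, 32-n) | (x << n)   (either operand order)
#   neg     : (~x) + 1
#   not     : ~x
#   addnot k: ~(x + k)   (the script writes ~((x + 1) + 3) etc.)
STEPS = [
    ("rol", 5), ("rol", 11), ("neg", 0), ("rol", 27), ("addnot", 2),
    ("rol", 13), ("rol", 7), ("neg", 0), ("rol", 5), ("rol", 20),
    ("rol", 29), ("rol", 22), ("rol", 4), ("addnot", 4), ("rol", 28),
    ("not", 0), ("rol", 24), ("rol", 27), ("addnot", 2), ("rol", 9),
    ("rol", 12), ("rol", 3), ("addnot", 1), ("rol", 31), ("not", 0),
    ("rol", 10), ("neg", 0), ("rol", 2),
]


def forward(x, op, k):
    if op == "rol":
        return rol(x, k)
    if op == "neg":
        return (-x) & MASK
    if op == "not":
        return (~x) & MASK
    if op == "addnot":
        return (~(x + k)) & MASK
    raise ValueError(op)


def inverse(y, op, k):
    """Exact inverse of forward() for each operation kind."""
    if op == "rol":
        return ror(y, k)
    if op == "neg":
        return (-y) & MASK
    if op == "not":
        return (~y) & MASK
    if op == "addnot":
        return ((~y) - k) & MASK      # y = ~(x + k)  =>  x = ~y - k
    raise ValueError(op)


def decrypt_trace(dword):
    """Values x1..x28, comparable with the comments in the IDC script."""
    trace, x = [], dword & MASK
    for op, k in STEPS:
        x = forward(x, op, k)
        trace.append(x)
    return trace


def decrypt_dword(dword):
    return decrypt_trace(dword)[-1]


def encrypt_dword(dword):
    """Run the inverse steps in reverse order; undoes decrypt_dword."""
    x = dword & MASK
    for op, k in reversed(STEPS):
        x = inverse(x, op, k)
    return x


def decrypt_buffer(data):
    """Apply decrypt_dword to every little-endian dword, as the script's
    main() loop does with Dword()/PatchDword() over the encrypted region."""
    if len(data) % 4:
        raise ValueError("buffer must be a whole number of dwords")
    n = len(data) // 4
    words = struct.unpack("<%dI" % n, data)
    return struct.pack("<%dI" % n, *(decrypt_dword(w) for w in words))


def encrypt_buffer(data):
    if len(data) % 4:
        raise ValueError("buffer must be a whole number of dwords")
    n = len(data) // 4
    words = struct.unpack("<%dI" % n, data)
    return struct.pack("<%dI" % n, *(encrypt_dword(w) for w in words))


if __name__ == "__main__":
    # 0x5F610C30 is derived from the script's first comment value (ROR 5).
    for i, v in enumerate(decrypt_trace(0x5F610C30), 1):
        print("x%-2d = 0x%08X" % (i, v))
```

Because the chain has no data-dependent branches and no key, the "algorithm" is just a fixed permutation of the 32-bit space: whoever wrote it could only ever have been hiding bytes from a strings scan and a first glance, not from anyone willing to step the loop once.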
reverser
Senior Member
Posts: 104
Joined: Tue May 23, 2006 11:36 am

Post by reverser »

Kayaker wrote: Tracing this section will create the attached PE file. I don't really see the UPX or any unpacker analogy here.
This is because it's not the final stage yet. It again decrypts a payload DLL and calls an export ("sds"). Here's the final DLL, I unpacked it with upx -d without issues and IDA loads it just fine.

Attachments
egaccess4.zip
(181.21 KiB) Downloaded 120 times
JimmerRobber
Junior Member
Posts: 2
Joined: Tue Feb 05, 2013 10:49 am

Post by JimmerRobber »

Thanks all for the help! I've been working (slowly) through this. I have a couple of questions that I hope you all could please help me out with. After doing some research about packing (LoadLibrary, GetProcAddress, etc.) and reading Kayaker's post I tried to set the breakpoint in IDA on GetProcAddress but it's not listed in the import section. I now understand how that function is called by dereferencing through the PE data structures to find its address within the Kernel32.dll file (mov eax,fs:[30h], mov eax,[eax+0ch], etc.). I was able to set a breakpoint in Ollydbg -> search for -> names in all modules -> loadlibrary(), getprocaddress(), etc. Is there a way to accomplish this in IDA since loadlibrary() and getprocaddress() are not listed in the imports section? Once I figured out in IDA how getprocaddress was called I set a breakpoint on that address so I could see what function getprocaddress was returning an address for. I've been googling and can't seem to find out how to do that in IDA. I'm also looking through the unofficial IDA Pro book that I have.

I'm able to step into the function_0042026C and have IDA create a function of it and the rest of the code that goes along with it. My question is, is this the section that is packed with UPX? Also how would one know that? I'm just wondering because every time I've run into UPX stuff the .UPX "tag" is present in the disassembly. I've tried to dump this section in IDA using the x86emu dump option to see if I could uncompress it using the UPX utility. I've stepped into that function in Ollydbg and dumped the process as well. But I haven't had success with either approach.

Looking at the Ollydbg logs that Blabberer posted I understand why a breakpoint would be set when memcpy is called but what is the significance with the first breakpoint at 004019C8? As of yet I haven't made my way through the end of the code starting at 0042026c. I imagine that there is more unpacking to do because at the point I'm at there is still nothing at that address. Also Blabberer posted "to be on upx oep after popad", I'm not sure how to get to that point. From the research I've done (on manually unpacking), the address that will be popped off the stack will be the OEP. So I've set a few break points on popad but can't get an address that gets me to what seems like the OEP.

Thanks again for all the help. I'm doing research to learn as I try to work my way through this. Any help is greatly appreciated.
blabberer
Senior Member
Posts: 1535
Joined: Wed Dec 08, 2004 11:12 am

Post by blabberer »

Code:

the binaries ep is at 401700

glancing at the disassembly and evaluating the expression with 
command line plugin you can simply deduce that ecx would be 401000 

00401732  |.  FFD1          CALL ECX                                 ;  ? 3f3727 + 0d8d9 = 401000

all other instructions are waste 

now you use ctrl+g goto 401000 
just seeing so much register flipping you can deduce that this might be a boring obfuscation

plainly look for exit from this crap

first ja goes to 40109b 
and ollydbg will show a small arrow on 401077

if you select it 
you can immediately see 
ECX=00401000 (Malware.00401000)
Jump from 0040169B

so only place to jump here is at 40169b

if you follow you will see if it is true you have to enter a call and then exit process

and another small arrow on 4016ae coming from 4010c7

scroll down and select each conditional jump and unconditional jump none of them goes beyond 4016ae 

so 4016ae is the exit 

that means we would enter the call 

004016D9  |.  FF55 EC       CALL DWORD PTR SS:[EBP-14]

yes set a hwbp and f9 
004016D9  |.  FF55 EC       CALL DWORD PTR SS:[EBP-14]               ;  Malware.0042026C

we see again the same bs pattern of register flips

and if you scroll around you notice 402681 as an exit from several places
0042067A   /EB 05           JMP SHORT Malware.00420681
00420636   /EB 49           JMP SHORT Malware.00420681
00420584   /0F83 F7000000   JNB Malware.00420681

so we would probably enter the indirect call below  420681 here 
00420740    FF55 DC         CALL DWORD PTR SS:[EBP-24]

setting a bp and f9 we see it is load lib

00420740    FF55 DC         CALL DWORD PTR SS:[EBP-24]               ; kernel32.LoadLibraryA

scrolling down we see [ebp-ec] resolved to GetProcAddress

004207DE    FF95 14FFFFFF   CALL DWORD PTR SS:[EBP-EC]               ; kernel32.GetProcAddress

and scrolling down we see the first unresolved is at [ebp-f0]

00420E41    FF95 10FFFFFF   CALL DWORD PTR SS:[EBP-F0]

right click follow in dump memory address
0012FDD0       FFFFFFFF  ÿÿÿÿ

or alt+f1 and evaluate
Log data, item 0
 Message=[ebp - 0f0] = ffffffff

looking around the disassembly we see
00420D21    FF95 14FFFFFF   CALL DWORD PTR SS:[EBP-EC]               ; kernel32.GetProcAddress
00420D27    8985 10FFFFFF   MOV DWORD PTR SS:[EBP-F0],EAX


so some api is called here 

set a conditional logging bp on kernel32!GetprocAddress with no pause and log args

shift+f4

you see all these apis are resolved

Log data
Address    Message
           [ebp - 0f0] = ffffffff
7C80AE30   CALL to GetProcAddress from Malware.004207DE
             hModule = 7C800000 (kernel32)
             ProcNameOrOrdinal = "ExitProcess"
7C80AE30   CALL to GetProcAddress from Malware.00420899
             hModule = 7C800000 (kernel32)
             ProcNameOrOrdinal = "VirtualAlloc"
7C80AE30   CALL to GetProcAddress from Malware.00420903
             hModule = 7C800000 (kernel32)
             ProcNameOrOrdinal = "VirtualProtect"
7C80AE30   CALL to GetProcAddress from Malware.0042094E
             hModule = 7C800000 (kernel32)
             ProcNameOrOrdinal = "VirtualFree"
7C80AE30   CALL to GetProcAddress from Malware.004209CA
             hModule = 7C800000 (kernel32)
             ProcNameOrOrdinal = "lstrcmp"
7C80AE30   CALL to GetProcAddress from Malware.00420A5D
             hModule = 7C800000 (kernel32)
             ProcNameOrOrdinal = "GetVersionExA"
7C80AE30   CALL to GetProcAddress from Malware.00420ABD
             hModule = 7C800000 (kernel32)
             ProcNameOrOrdinal = "lstrlen"
7C80AE30   CALL to GetProcAddress from Malware.00420B23
             hModule = 7C800000 (kernel32)
             ProcNameOrOrdinal = "lstrcatA"
7C80AE30   CALL to GetProcAddress from Malware.00420C2A
             hModule = 7E410000 (USER32)
             ProcNameOrOrdinal = "MessageBoxA"
00420D21   Breakpoint at Malware.00420D21
7C80AE30   CALL to GetProcAddress from Malware.00420D21
             hModule = 77C10000 (MSVCRT)
             ProcNameOrOrdinal = "memcpy"


so memcpy is going to be called several times 

00420D27    8985 10FFFFFF   MOV DWORD PTR SS:[EBP-F0],EAX            ; MSVCRT.memcpy

if you want you can set a shift+f4 log bp on msvcrt!memcpy to log the args

skip all further memcpy and set a bp on the first conditional at 4210eb

if you had set a log you will see memcpy done 

Log data
Address    Message
77C46F70   CALL to memcpy from Malware.00420E41
             dest = 0012FCA8
             src = Malware.0041FE58
             n = A9 (169.)
77C46F70   CALL to memcpy from Malware.00420E7E
             dest = 0012FBA4
             src = Malware.0041FF01
             n = F3 (243.)
77C46F70   CALL to memcpy from Malware.00420EBB
             dest = 0012FA9C
             src = Malware.0041FFF4
             n = EB (235.)
77C46F70   CALL to memcpy from Malware.00420EF9
             dest = 0012F994
             src = Malware.004200DF
             n = B9 (185.)
77C46F70   CALL to memcpy from Malware.00420F21
             dest = 0012FCA4
             src = Malware.00420254
             n = 4
77C46F70   CALL to memcpy from Malware.00420F49
             dest = 0012FDA8
             src = Malware.00420258
             n = 4
77C46F70   CALL to memcpy from Malware.00420F71
             dest = 0012F98C
             src = Malware.0042025C
             n = 8
77C46F70   CALL to memcpy from Malware.00420F99
             dest = 0012FA94
             src = Malware.00420264

now the next calls are protected by exitprocess so we can safely skip them; if we exitprocess we messed up long long before, not now, and
need to restart

the next unknown is at

004212B9    FF95 B0FAFFFF   CALL DWORD PTR SS:[EBP-550]

Log data
Address    Message
77C46F70   CALL to memcpy from Malware.00421175
             dest = 0012F928
             src = 0012F918
             n = 8
77C46F70   CALL to memcpy from Malware.004211DA
             dest = 0012F968
             src = 0012F920
             n = 8
7C80AE30   CALL to GetProcAddress from Malware.0042122B
             hModule = 77C10000 (MSVCRT)
             ProcNameOrOrdinal = "log"
7C80AE30   CALL to GetProcAddress from Malware.00421281
             hModule = 77C10000 (MSVCRT)
             ProcNameOrOrdinal = "ceil"
004212B9   Breakpoint at Malware.004212B9

so some decryption using log is done let it do we will trap when it exits

004212B9    FF95 B0FAFFFF   CALL DWORD PTR SS:[EBP-550]              ; MSVCRT.log


             n = 8
004210EB   Breakpoint at Malware.004210EB

so it is now checking the signature of a pe file
00421993    81F9 4D5A0000   CMP ECX,5A4D              MZ
00421999   /74 15           JE SHORT Malware.004219B0
0042199B   |68 04000100     PUSH 10004
004219A0   |FF95 78FFFFFF   CALL DWORD PTR SS:[EBP-88]        Exit
004219A6   |B8 04000100     MOV EAX,10004
004219AB   |E9 030E0000     JMP Malware.004227B3
004219B0   \8B95 20FAFFFF   MOV EDX,DWORD PTR SS:[EBP-5E0]
004219B6    8B45 08         MOV EAX,DWORD PTR SS:[EBP+8]
004219B9    0342 3C         ADD EAX,DWORD PTR DS:[EDX+3C]
004219BC    8985 18FAFFFF   MOV DWORD PTR SS:[EBP-5E8],EAX
004219C2    8B8D 18FAFFFF   MOV ECX,DWORD PTR SS:[EBP-5E8]
004219C8    8139 50450000   CMP DWORD PTR DS:[ECX],4550        < PE
004219CE    74 15           JE SHORT Malware.004219E5
004219D0    68 05000100     PUSH 10005
004219D5    FF95 78FFFFFF   CALL DWORD PTR SS:[EBP-88]

by now you should be clear the next unknown must most probably be at 

0042279D    FF95 CCF7FFFF   CALL DWORD PTR SS:[EBP-834]

Log data
Address    Message
77C46F70   CALL to memcpy from Malware.004217AF
             dest = Malware.004228F0
             src = 003A0000
             n = 1B000 (110592.)
004217B5   Breakpoint at Malware.004217B5
77C46F70   CALL to memcpy from Malware.00421A9B
             dest = Malware.00400000
             src = Malware.004228F0
             n = 10F0 (4336.)
00421AA1   Breakpoint at Malware.00421AA1
77C46F70   CALL to memcpy from Malware.00421B99
             dest = Malware.00401000
             src = Malware.004238F0
             n = 1000 (4096.)
77C46F70   CALL to memcpy from Malware.00421B99
             dest = Malware.00402000
             src = Malware.004248F0
             n = 1000 (4096.)
77C46F70   CALL to memcpy from Malware.00421B99
             dest = Malware.00403000
             src = Malware.004258F0
             n = 16000 (90112.)
77C46F70   CALL to memcpy from Malware.00421B99
             dest = Malware.00419000
             src = Malware.0043B8F0
             n = 1000 (4096.)
77C46F70   CALL to memcpy from Malware.00421B99
             dest = Malware.0041A000
             src = Malware.0043C8F0
             n = 1000 (4096.)
00421BA7   Breakpoint at Malware.00421BA7
7C80AE30   CALL to GetProcAddress from Malware.00422727
             hModule = 77C10000 (MSVCRT)
             ProcNameOrOrdinal = "__set_app_type"
0042272D   Breakpoint at Malware.0042272D
7C80AE30   CALL to GetProcAddress from Malware.00422727
             hModule = 77C10000 (MSVCRT)
             ProcNameOrOrdinal = "_except_handler3"
7C80AE30   CALL to GetProcAddress from Malware.00422727
             hModule = 77C10000 (MSVCRT)
             ProcNameOrOrdinal = "__p__fmode"
7C80AE30   CALL to GetProcAddress from Malware.00422727
             hModule = 77C10000 (MSVCRT)
             ProcNameOrOrdinal = "_controlfp"
7C80AE30   CALL to GetProcAddress from Malware.00422727
             hModule = 77C10000 (MSVCRT)
             ProcNameOrOrdinal = "__p__commode"
7C80AE30   CALL to GetProcAddress from Malware.00422727
             hModule = 77C10000 (MSVCRT)
             ProcNameOrOrdinal = "_adjust_fdiv"
7C80AE30   CALL to GetProcAddress from Malware.00422727
             hModule = 77C10000 (MSVCRT)
             ProcNameOrOrdinal = "__setusermatherr"
7C80AE30   CALL to GetProcAddress from Malware.00422727
             hModule = 77C10000 (MSVCRT)
             ProcNameOrOrdinal = "_initterm"
7C80AE30   CALL to GetProcAddress from Malware.00422727
             hModule = 77C10000 (MSVCRT)
             ProcNameOrOrdinal = "__getmainargs"
7C80AE30   CALL to GetProcAddress from Malware.00422727
             hModule = 77C10000 (MSVCRT)
             ProcNameOrOrdinal = "_acmdln"
7C80AE30   CALL to GetProcAddress from Malware.00422727
             hModule = 77C10000 (MSVCRT)
             ProcNameOrOrdinal = "exit"
7C80AE30   CALL to GetProcAddress from Malware.00422727
             hModule = 77C10000 (MSVCRT)
             ProcNameOrOrdinal = "_XcptFilter"
7C80AE30   CALL to GetProcAddress from Malware.00422727
             hModule = 77C10000 (MSVCRT)
             ProcNameOrOrdinal = "_exit"
7C80AE30   CALL to GetProcAddress from Malware.00422727
             hModule = 77C10000 (MSVCRT)
             ProcNameOrOrdinal = "memcpy"
7C80AE30   CALL to GetProcAddress from Malware.00422727
             hModule = 77C10000 (MSVCRT)
             ProcNameOrOrdinal = "memset"
7C80AE30   CALL to GetProcAddress from Malware.00422727
             hModule = 77C10000 (MSVCRT)
             ProcNameOrOrdinal = "realloc"
7C80AE30   CALL to GetProcAddress from Malware.00422727
             hModule = 77C10000 (MSVCRT)
             ProcNameOrOrdinal = "_stricmp"
00422751   Breakpoint at Malware.00422751
7C80AE30   CALL to GetProcAddress from Malware.00422727
             hModule = 7C800000 (kernel32)
             ProcNameOrOrdinal = "GetModuleHandleA"
7C80AE30   CALL to GetProcAddress from Malware.00422727
             hModule = 7C800000 (kernel32)
             ProcNameOrOrdinal = "lstrlenA"
7C80AE30   CALL to GetProcAddress from Malware.00422727
             hModule = 7C800000 (kernel32)
             ProcNameOrOrdinal = "VirtualAlloc"
7C80AE30   CALL to GetProcAddress from Malware.00422727
             hModule = 7C800000 (kernel32)
             ProcNameOrOrdinal = "GetProcessHeap"
7C80AE30   CALL to GetProcAddress from Malware.00422727
             hModule = 7C800000 (kernel32)
             ProcNameOrOrdinal = "HeapAlloc"
7C80AE30   CALL to GetProcAddress from Malware.00422727
             hModule = 7C800000 (kernel32)
             ProcNameOrOrdinal = "IsBadReadPtr"
7C80AE30   CALL to GetProcAddress from Malware.00422727
             hModule = 7C800000 (kernel32)
             ProcNameOrOrdinal = "LoadLibraryA"
7C80AE30   CALL to GetProcAddress from Malware.00422727
             hModule = 7C800000 (kernel32)
             ProcNameOrOrdinal = "GetProcAddress"
7C80AE30   CALL to GetProcAddress from Malware.00422727
             hModule = 7C800000 (kernel32)
             ProcNameOrOrdinal = "VirtualFree"
7C80AE30   CALL to GetProcAddress from Malware.00422727
             hModule = 7C800000 (kernel32)
             ProcNameOrOrdinal = "VirtualProtect"
7C80AE30   CALL to GetProcAddress from Malware.00422727
             hModule = 7C800000 (kernel32)
             ProcNameOrOrdinal = "GetLastError"
7C80AE30   CALL to GetProcAddress from Malware.00422727
             hModule = 7C800000 (kernel32)
             ProcNameOrOrdinal = "GetStartupInfoA"
00422761   Breakpoint at Malware.00422761


that is why bp at 4019c8 :)

0042279D    FF95 CCF7FFFF   CALL DWORD PTR SS:[EBP-834]              ; Malware.004019C8

which is a winmaincrtStartup of the newly written pe 

so winmain is at 

00401AF7                 |.  E8 A2F5FFFF   CALL Malware.0040109E

and you can easily see a few other memcpy from 4019c2

and scrolling down you can identify that 
4019a2 is where you will diverge with an unknown entity

Stack SS:[0012F550]=1004A090
004019A2                 |.  FF55 D8       CALL DWORD PTR SS:[EBP-28]

Log data, item 0
 Message=[ebp - 028] = 1004a090
0012F550       1004A090  *

this is upx

1004A090                   807C24 08 01    CMP BYTE PTR SS:[ESP+8],1
1004A095                   0F85 E2010000   JNZ 1004A27D
1004A09B                   60              PUSHAD

lets see the header
ctrl+g 10000000

Log data, item 0
 Message=STRING [[1000003c] + 10000000 + 0f8] = UPX0

so scroll down to popad jmp oep

Log data, item 0
 Address=10025D27
 Message=Hardware breakpoint 3 at 10025D27

dump done 

but as reverser posted you still have a third layer
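The two things blabberer reads off the OllyDbg log above (which APIs the packer resolves through GetProcAddress, and which memcpy calls write the inner PE's headers and sections over the image at 400000) can be pulled out of the log text mechanically. The script below is an added example, not code from this thread or from any of its posters: it parses OllyDbg "Log data" lines in the format pasted above (the sample log is a subset of those lines, copied verbatim), groups the GetProcAddress calls by module to give an import list, classifies each in-image memcpy as a staging copy, a header overwrite or a section copy, and mirrors the MZ / e_lfanew / "PE" check shown in the disassembly around 421993. The image size 0x3E000 and the constructed sample header are assumptions for the demo, not values from the thread.

```python
import re
import struct

# Constructed sample: a subset of the OllyDbg "Log data" lines pasted in the
# thread above, copied verbatim so the parser is exercised on the real format.
OLLY_LOG = """\
Address    Message
7C80AE30   CALL to GetProcAddress from Malware.004207DE
             hModule = 7C800000 (kernel32)
             ProcNameOrOrdinal = "ExitProcess"
7C80AE30   CALL to GetProcAddress from Malware.00420C2A
             hModule = 7E410000 (USER32)
             ProcNameOrOrdinal = "MessageBoxA"
00420D21   Breakpoint at Malware.00420D21
7C80AE30   CALL to GetProcAddress from Malware.00420D21
             hModule = 77C10000 (MSVCRT)
             ProcNameOrOrdinal = "memcpy"
77C46F70   CALL to memcpy from Malware.004217AF
             dest = Malware.004228F0
             src = 003A0000
             n = 1B000 (110592.)
77C46F70   CALL to memcpy from Malware.00421A9B
             dest = Malware.00400000
             src = Malware.004228F0
             n = 10F0 (4336.)
77C46F70   CALL to memcpy from Malware.00421B99
             dest = Malware.00401000
             src = Malware.004238F0
             n = 1000 (4096.)
77C46F70   CALL to memcpy from Malware.00421B99
             dest = Malware.00403000
             src = Malware.004258F0
             n = 16000 (90112.)
"""

ENTRY_RE = re.compile(r'^([0-9A-F]{8})\s+CALL to (\w+) from (\S+)\s*$')
ARG_RE = re.compile(r'^\s+(\w+) = (.+?)\s*$')


def _addr(token):
    """'Malware.004228F0', '003A0000', '7C800000 (kernel32)' or '1B000 (110592.)' -> int."""
    return int(token.split()[0].rsplit('.', 1)[-1], 16)


def parse_olly_log(text):
    """Group each 'CALL to <api> from <caller>' line with its indented argument lines."""
    entries, current = [], None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            current = {'api': m.group(2), 'caller': _addr(m.group(3)), 'args': {}}
            entries.append(current)
            continue
        m = ARG_RE.match(line)
        if m and current is not None:
            current['args'][m.group(1)] = m.group(2)
        else:
            current = None  # column header or 'Breakpoint at ...' line ends the entry
    return entries


def resolved_imports(entries):
    """Rebuild, per module, the import list the packer resolved at run time."""
    imports = {}
    for e in entries:
        if e['api'] == 'GetProcAddress':
            module = e['args']['hModule'].split('(')[1].rstrip(')')
            imports.setdefault(module, []).append(e['args']['ProcNameOrOrdinal'].strip('"'))
    return imports


def image_writes(entries, image_base=0x400000, image_size=0x3E000):
    """Each memcpy landing inside the loaded image as (dest, end, src, kind)."""
    in_image = lambda a: image_base <= a < image_base + image_size  # image_size is assumed
    writes = []
    for e in entries:
        if e['api'] != 'memcpy':
            continue
        dest, src, n = (_addr(e['args'][k]) for k in ('dest', 'src', 'n'))
        if not in_image(dest):
            continue  # stack buffers etc. are not part of the rebuilt image
        if dest == image_base:
            kind = 'headers'   # inner PE's MZ/PE headers overwrite the packer's own
        elif in_image(src):
            kind = 'section'   # section body copied from the staged inner PE
        else:
            kind = 'staging'   # decrypted inner PE staged inside the packer's region
        writes.append((dest, dest + n, src, kind))
    return writes


def unpacked_bytes(entries, **kw):
    """Bytes of the inner PE actually written over the image (headers + sections)."""
    return sum(end - dest for dest, end, _, kind in image_writes(entries, **kw)
               if kind in ('headers', 'section'))


def looks_like_pe(buf):
    """The MZ -> e_lfanew -> 'PE\\0\\0' test the packer performs before copying."""
    if len(buf) < 0x40 or buf[:2] != b'MZ':
        return False
    e_lfanew, = struct.unpack_from('<I', buf, 0x3C)
    return buf[e_lfanew:e_lfanew + 4] == b'PE\0\0'


# Constructed minimal header: 'MZ' stub whose e_lfanew (0x3C) points at 'PE\0\0' at 0x40.
SAMPLE_HEADER = b'MZ' + b'\0' * 0x3A + struct.pack('<I', 0x40) + b'PE\0\0'

if __name__ == '__main__':
    entries = parse_olly_log(OLLY_LOG)
    print(resolved_imports(entries), image_writes(entries), unpacked_bytes(entries), sep='\n')
```

Run against a full "Log data" paste, `resolved_imports` gives the list you would otherwise type into Import REConstructor by hand, and `image_writes` shows which pages of the image were rewritten, which tells you whether a dump taken at a given breakpoint already contains the inner PE or only the packer stub.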
