KOrUPt

December 22, 2008

Unpacking UPX

Filed under: Reversing — KOrUPt @ 19:22

Previously I wrote a post about unpacking ASPack. Before I move on to the commonly used protectors (and the uncommon ones), I want to cover how to unpack UPX, as it is considered one of the easiest packers to unpack: it is a plain compressor whose stub decompresses the original code into memory, restores the imports and jumps to the original entry point, with no anti-debugging in between.
You can download UPX from its official site at http://upx.sourceforge.net.

Tools we’ll need:
1. PEiD.
2. OllyDbg.
3. OllyDump plugin.

Let’s get started. Firstly we should scan our file with PEiD to check it’s actually packed with UPX (the UPX0/UPX1 section names in the PE header are the other giveaway)…

UPX 0.89.6 – 1.02 / 1.05 – 1.24 -> Markus & Laszlo

And it is.
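As an added example (not part of the original post), the following stdlib-only Python script does the PE header checks behind that PEiD result and behind OllyDbg’s “entry point outside the code” warning mentioned in the ASPack post below: it reads the section table, finds which section the entry point lives in, and flags the UPX layout (UPX0/UPX1 names, a first section with no data on disk, an entry point outside the code range the optional header declares). The sample image it builds is constructed here for the demo only; it is headers with no code, it is not real UPX output, and every value in it is an assumption.

```python
import struct

# Added example: stdlib-only PE32 header reader with the packer heuristics that
# PEiD and OllyDbg apply (section names, entry point vs. the code range declared
# in the optional header). The sample image built below is constructed for the
# demo only: headers, no code, and not real UPX output.

SECTION_HDR = "<8sIIIIIIHHI"      # IMAGE_SECTION_HEADER, 40 bytes


def parse_pe32(data):
    """Pull the fields we care about from a PE32 file held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4                                        # IMAGE_FILE_HEADER
    _machine, nsect, _, _, _, size_opt, file_chars = struct.unpack_from("<HHIIIHH", data, fh)
    opt = fh + 20                                            # IMAGE_OPTIONAL_HEADER32
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("not a PE32 (32-bit) image")
    size_of_code = struct.unpack_from("<I", data, opt + 4)[0]
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint
    base_of_code = struct.unpack_from("<I", data, opt + 20)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    sections = []
    table = opt + size_opt                                   # section table follows the optional header
    for i in range(nsect):
        f = struct.unpack_from(SECTION_HDR, data, table + 40 * i)
        sections.append({"name": f[0].rstrip(b"\0").decode("latin-1"), "vsize": f[1],
                         "va": f[2], "rawsize": f[3], "rawptr": f[4], "chars": f[9]})
    return {"entry_rva": entry_rva, "image_base": image_base, "base_of_code": base_of_code,
            "size_of_code": size_of_code, "file_chars": file_chars, "sections": sections}


def section_containing(rva, sections):
    """Which section owns an RVA; a section with no raw data still occupies its VirtualSize."""
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return s
    return None


def packer_indicators(data):
    pe = parse_pe32(data)
    secs = pe["sections"]
    entry_sec = section_containing(pe["entry_rva"], secs)
    code_lo = pe["base_of_code"]
    code_hi = code_lo + pe["size_of_code"]
    hits = []
    if any(s["name"].startswith("UPX") for s in secs):
        hits.append("UPX section names")
    # UPX layout: the first section is empty on disk and is filled by the stub at run time
    if secs and secs[0]["rawsize"] == 0 and secs[0]["vsize"] > 0:
        hits.append("first section has no data on disk")
    # the check behind OllyDbg's 'entry point outside the code' warning
    if not code_lo <= pe["entry_rva"] < code_hi:
        hits.append("entry point outside the header's code range")
    return {"entry_va": pe["image_base"] + pe["entry_rva"],
            "entry_section": entry_sec["name"] if entry_sec else None,
            "indicators": hits,
            "verdict": "probably packed" if hits else "no packer indicators"}


def build_sample_pe32(packed):
    """Constructed sample. packed=True copies the UPX section layout; packed=False looks
    like an ordinary linker output. All values are assumptions for the demo."""
    if packed:   # name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, Characteristics
        secs = [(b"UPX0", 0x7000, 0x1000, 0x0000, 0x400, 0xE0000080),
                (b"UPX1", 0x2000, 0x8000, 0x1000, 0x400, 0xE0000040),
                (b".rsrc", 0x1000, 0xA000, 0x200, 0x1400, 0xC0000040)]
        entry, base_of_code, size_of_code = 0x9A60, 0x1000, 0x7000
    else:
        secs = [(b".text", 0x1000, 0x1000, 0x1000, 0x400, 0x60000020),
                (b".data", 0x1000, 0x2000, 0x200, 0x1400, 0xC0000040)]
        entry, base_of_code, size_of_code = 0x1200, 0x1000, 0x1000
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                  # e_lfanew
    opt = bytearray(224)                                     # IMAGE_OPTIONAL_HEADER32
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 4, size_of_code)
    struct.pack_into("<I", opt, 16, entry)
    struct.pack_into("<I", opt, 20, base_of_code)
    struct.pack_into("<I", opt, 28, 0x00400000)              # ImageBase
    fh = struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, len(opt), 0x010F)
    img = bytes(dos) + b"PE\0\0" + fh + bytes(opt)
    for name, vsize, va, rawsize, rawptr, ch in secs:
        img += struct.pack(SECTION_HDR, name, vsize, va, rawsize, rawptr, 0, 0, 0, 0, ch)
    return img


if __name__ == "__main__":
    for packed in (True, False):
        r = packer_indicators(build_sample_pe32(packed))
        print("entry %08X in %s: %s %s" % (r["entry_va"], r["entry_section"], r["verdict"], r["indicators"]))
```

To run it over a real file, replace the sample with `open(path, "rb").read()`. The heuristics are deliberately loose: a renamed section or a changed BaseOfCode defeats them, which is why PEiD relies on byte signatures at the entry point as well.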

UPX’s entrypoint looks similar to this:

PUSHAD
MOV ESI, Server.00408000
LEA EDI, DWORD PTR DS:[ESI+FFFF9000]
PUSH EDI
OR EBP, FFFFFFFF
JMP SHORT Server.0040BA82

The PUSHAD instruction is of interest to us in this case, it does the following:

PUSHAD – Push All General Purpose Registers. It pushes EAX, ECX, EDX, EBX, ESP, EBP, ESI and EDI (8 dwords, 32 bytes) onto the stack, so ESP drops by 0x20. The stub restores them with a matching POPAD just before it jumps to the original code, and that is what the ESP trick relies on.

We can use what is known as the ESP trick to find the OEP (Original Entry Point). Step over (F8) the PUSHAD instruction and you’ll notice the ESP register’s value changes (it drops by 0x20, the saved registers now sitting at the top of the stack). Right-click ESP, follow it in the dump, and set a hardware breakpoint (Size: Dword, Type: on access) on the dword at that address. The stub doesn’t touch that saved value again until the POPAD that restores the registers right before the jump to the original code, so the breakpoint fires exactly where we want it.

Run (F9) until you hit the hardware breakpoint. Olly stops on the instruction after the one that accessed the memory, so you should land just past the POPAD, on a JMP whose target is our OEP. Step over it (F8).

You should now be at OEP. By this point the UPX stub has already resolved the imports and written them to the original IAT (Import Address Table), so the IAT is intact and there’s no need to launch ImpRec and attempt to rebuild it (most protectors destroy or redirect the IAT to complicate our job).

All that’s left to do is dumping: launch the OllyDump plugin, check that the entry point it shows is the OEP you’re sitting on, leave the rebuild imports option on (method 1) and dump the file.

You’ve now unpacked a UPX compressed file. I bet that was easier than you imagined.

Don’t forget to test your dumped file; if you did everything correctly it should run without problems.

KOrUPt.

Unpacking ASPack

Filed under: Reversing — KOrUPt @ 07:25

ASPack 2.12 is a fairly good packer, but a packer is all it really is, so its level of protection isn’t that good. That makes it a good starting point for those looking to further their knowledge in reversing.

Packer: ASPack 2.12 -> Alexey Solodovnikov.
Level: Beginner.

Tools:
1. PEiD.
2. ImpRec.
3. OllyDbg.
4. OllyDump plugin.
5. Brain.

Open your target in OllyDbg. You should see a warning about the entry point being outside of the executable’s code section (Olly compares AddressOfEntryPoint with the code range given in the PE header)… Olly’s twigged that our target may be packed and has decided to warn us… We know what we’re doing so we’ll be brave and continue.

There’s no point analysing the code yet, as the original code is still compressed.

If you take a look at the instructions around ASPack’s entrypoint you should see something similar to this:

PUSHAD
CALL 005F300A
JMP 45BC34F7
PUSH EBP
RETN

The CALL’s target (005F300A) lands inside the bytes of the JMP that follows it, so the listing above is not the code that actually executes; it’s a small anti-disassembly trick in the stub. We don’t need to untangle it, because we can get to OEP (Original-Entry-Point) using the ESP trick…

Step over the PUSHAD instruction(F8), notice the ESP register’s contents has now changed. Follow the ESP register in the dump window and set a hardware breakpoint(Size: dword. Type: on access) at the address you’ve just followed in the dump and press F9 to continue execution.

You should end up somewhere that looks similar to this:
JNZ L003
MOV EAX, 1
RETN 0x0C
L003:
PUSH 0x0040C2E4
RETN

ASPack uses a PUSH + RETN pair as its jump to OEP (PUSH address followed by RETN behaves like JMP address), so step through the loop until you reach the RETN instruction. Step into it (F7) and you’ll land at OEP.

I’m debugging a VB application so my OEP looks like the following:

PUSH 0x0040C8A0 ; Push “VB****” string
CALL 0x0040C2DC ; Call ThunRTMain

We can now continue by dumping the application in its uncompressed form from memory using the OllyDump plugin. Uncheck the rebuild imports option; ImpRec will take care of the imports in the next step.

We now need to rebuild our dumped executable’s IAT if we want it to function correctly… IAT stands for Import-Address-Table; more info can be found about it here: An in-depth look inside Windows PE files.

Most protectors and some packers destroy the IAT to prevent beginners from obtaining a working dump, ASPack is one of those packers.

Launch ImpRec, attach it to the target process (still sitting at OEP in Olly), and fill in the OEP field as an RVA (Relative-Virtual-Address), i.e. the OEP’s virtual address minus the ImageBase: with the OEP shown above and the default ImageBase of 0x00400000 that is 0x0040C8A0 - 0x00400000 = 0xC8A0. Now hit Auto-Search and then “Get Imports”… Most of the time (with ASPack) you won’t have any invalid pointers and you can continue by just adding the IAT to your dump and saving changes…

In my case I had 2 invalid thunks. I proceeded by using ImpRec’s Trace Level 1 feature; this fixed one of the functions in the thunk table, but the other remained invalid. After disassembling it wasn’t too hard to notice the function was garbage (a trained eye helps in this case). I simply cut the invalid pointers away and continued by attaching the IAT to my dump.

If all was done correctly your dump should execute fine.

As always, if you’ve any questions, please let me know.

KOrUPt.

December 21, 2008

Unpacking DLLs without LoadDLL

Filed under: Reversing — KOrUPt @ 23:34

If like me you’re an OllyDbg user, I’m sure you’ve heard of the LoadDLL utility… This is just a utility that loads a DLL file within OllyDbg using the LoadLibrary() function.

For some reason I’ve never really liked this utility, at times it can be problematic.

Wouldn’t it be easier to be able to load the DLL file into OllyDbg as if it were a normal PE file? If like me, you answered yes, then continue reading.

To do this you’ll need a PE editor, I recommend PE Tools or something similar.

If we check the IMAGE_FILE_HEADER structure (it directly follows the “PE\0\0” signature that e_lfanew in the DOS header points at), we see the following:

ushort Machine
Identifies the target machine of the object file.
ushort NumberOfSections
Number of sections in the section table.
uint TimeDateStamp
The low 32-bits of the number of seconds since 00:00 January 1, 1970 that indicates when the file was created.
uint PointerToSymbolTable
The file offset of the COFF symbol table.
uint NumberOfSymbols
The number of entries in the symbol table.
ushort SizeOfOptionalHeader
The size of the optional header.
ushort Characteristics
Set of flags, that indicate the attributes of the object file.

The Characteristics member of the structure is what interests us: simply zeroing the IMAGE_FILE_DLL bit (0x2000) makes OllyDbg load the DLL as if it were a “normal” executable, with execution starting at the DLL’s entry point (DllMain).

In PE Tools you can make this change by loading your DLL into the PE editor, navigating to “File Header > Characteristics”, unticking the “DLL” check box and saving.

You may want to note that a DLL’s entry point is DllMain(hinstDLL, fdwReason, lpvReserved), and a DLL may check fdwReason to see if it’s attaching to a process and only continue execution when it equals DLL_PROCESS_ATTACH (1)… When the file is loaded as an executable nobody supplies those arguments, so in order to circumvent this behaviour you can build the call frame yourself before execution: push 3 DWORDs onto the stack, where the second one (fdwReason) is set to 1. DllMain is stdcall, so they go on in reverse order (lpvReserved, then fdwReason = 1, then hinstDLL, normally the image base), and a DLL that reads them through a normal prologue ([EBP+0x0C] for fdwReason) expects a return address on top of them as well.
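As an added example (not the page’s or PE Tools’ code), this Python script makes the same edit PE Tools makes through its “DLL” check box: it locates IMAGE_FILE_HEADER through e_lfanew, reads Characteristics, and clears (or sets) IMAGE_FILE_DLL = 0x2000 without touching any other byte. The sample header bytes are constructed inside the script, and the command-line usage at the bottom is an assumed convenience rather than something the post describes.

```python
import struct
import sys

# Added example: toggle IMAGE_FILE_HEADER.Characteristics & IMAGE_FILE_DLL so that
# OllyDbg loads a DLL as an ordinary executable. Sample bytes are constructed below.

IMAGE_FILE_DLL = 0x2000
FLAG_NAMES = {
    0x0001: "RELOCS_STRIPPED",
    0x0002: "EXECUTABLE_IMAGE",
    0x0020: "LARGE_ADDRESS_AWARE",
    0x0100: "32BIT_MACHINE",
    0x2000: "DLL",
}


def file_header_offset(data):
    """Offset of IMAGE_FILE_HEADER: e_lfanew points at 'PE\\0\\0', the header follows it."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return e_lfanew + 4


def get_characteristics(data):
    """Characteristics is the last field of IMAGE_FILE_HEADER, at offset 18."""
    return struct.unpack_from("<H", data, file_header_offset(data) + 18)[0]


def describe(chars):
    """Names of the flag bits we know about, lowest bit first."""
    return [name for bit, name in sorted(FLAG_NAMES.items()) if chars & bit]


def set_dll_flag(data, enabled):
    """Return a copy of the file with IMAGE_FILE_DLL set or cleared; nothing else changes."""
    off = file_header_offset(data) + 18
    buf = bytearray(data)
    chars = struct.unpack_from("<H", buf, off)[0]
    chars = (chars | IMAGE_FILE_DLL) if enabled else (chars & ~IMAGE_FILE_DLL)
    struct.pack_into("<H", buf, off, chars & 0xFFFF)
    return bytes(buf)


def build_sample(chars):
    """Constructed sample: DOS header + 'PE\\0\\0' + IMAGE_FILE_HEADER with the given flags."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew
    fh = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0, chars)
    return bytes(dos) + b"PE\0\0" + fh


if __name__ == "__main__":
    if len(sys.argv) == 3:                            # assumed usage: thisfile.py in.dll out.exe
        with open(sys.argv[1], "rb") as f:
            src = f.read()
        print("before:", describe(get_characteristics(src)))
        dst = set_dll_flag(src, False)
        print("after: ", describe(get_characteristics(dst)))
        with open(sys.argv[2], "wb") as f:
            f.write(dst)
    else:
        sample = build_sample(0x2102)                 # typical DLL: EXECUTABLE | 32BIT | DLL
        print(describe(get_characteristics(sample)))
        print(describe(get_characteristics(set_dll_flag(sample, False))))
```

The patched file is still a DLL in every other respect (exports, relocations, no stack arguments supplied by the loader), which is why the note above about faking DllMain’s arguments still applies once Olly stops at the entry point.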

That just about covers it for the moment.

As always, any questions, feel free to leave a comment.

KOrUPt.

