#1
Safengine Olly scripts
Safengine_OEP_finder.txt and SafeEngine_ThunksFixer.txt: two Olly scripts.
First load the target and run Safengine_OEP_finder.txt; this will lead to the OEP. After that, load the SafeEngine_ThunksFixer.txt script: this will fix instructions involving import table thunks. Currently I have no way to fix emulated imports (the import table). SafeEngine_ThunksFixer.txt still has a bug: it randomly crashes when executing some SafeEngine code (it does NOT always crash!).
The Following 3 Users Gave Reputation+1 to CodeCracker For This Useful Post:
The Following 14 Users Say Thank You to CodeCracker For This Useful Post:
ahmadmansoor (03-13-2019), Apuromafo (03-13-2019), ARUBA (03-18-2019), cachito (03-14-2019), deepzero (03-13-2019), Indigo (07-19-2019), niculaita (03-14-2019), p4r4d0x (03-14-2019), sh3dow (06-19-2020), Stingered (03-14-2019), user1 (03-14-2019), wilson bibe (03-14-2019), yoza (03-14-2019)
#2
CodeCracker, could an external link be possible, please?
#3
External download link
https://www49.zippyshare.com/v/z6MIRlQe/file.html
#4
Interesting. I ask for an external link (not this specific thread) and my post gets flagged and deleted...
The Following User Says Thank You to Stingered For This Useful Post:
Indigo (07-19-2019)
#5
Quote:
BR, Apuromafo
#6
I found a way to kill import table redirection!
Breakpoint on write to the code section (.text section) doesn't work in some cases.
At this point we can watch how imports are restored!
Next it will check for the Import Redirection magic jump: that jump should jump.
The script may log more than one jump location: obviously only one location is right.
First that sheet gets the kernel32.GetModuleHandleA RVA = B741 (41B70000)
Export table address: 7C802C2C 41 B7 00 00
So set a breakpoint on read at 7C802C2C; after the breakpoint, continue execution (step in) and you will see that it will compare the ntdll base address with kernel32.GetModuleHandleA.
The jump after should jump, and imports will be no more redirected (clean import table)!
#7
My friend, can you provide us with a sample (unpackme)?
Thanks for the nice work.
__________________
Ur Best Friend Ahmadmansoor Always My Best Friend: Aaron & JMI & ZeNiX
The Following User Says Thank You to ahmadmansoor For This Useful Post:
Indigo (07-19-2019)
#8
Can't find any unpackme on this board; only on tuts4you:
https://forum.tuts4you.com/topic/39325-quick-unpacking-safengine-shielden-239
https://forum.tuts4you.com/topic/30998-unpackme-safengine-shielden-2190
https://forum.tuts4you.com/topic/34639-unpackme-safengine-shielden-2260
https://forum.tuts4you.com/topic/37946-safengine-shielden-v2380/
The Following 3 Users Say Thank You to CodeCracker For This Useful Post:
#9
Target:
https://forum.tuts4you.com/topic/39325-quick-unpacking-safengine-shielden-239

magicjump5: 004D30FB
magicjump5 may be wrong!
magicjump2: 004D28E4 JumpDestination: 004D28C8 | Entry address
magicjump2: 004D3349 JumpDestination: 004D3308 | Entry address
magicjump2: 004D80BB JumpDestination: 004D80D7 | Entry address
magicjump2: 004D81DC JumpDestination: 004D81F8 | Entry address
magicjump2: 004DA58A JumpDestination: 004DA54C | Entry address
magicjump2: 004DB025 JumpDestination: 004DB056 | Entry address
magicjump2: 004DB9C9 JumpDestination: 004DB9AE | Entry address
magicjump2: 0054A8FD JumpDestination: 0054A903
Unfortunately, none of those addresses is the magic jump (sorry)!

Log data, item 1
Message=ImportTableAddress: 00464000

First time it gets the kernel32.GetModuleHandleA RVA = B741 (41B70000)
Export table address: 7C802C2C 41 B7 00 00
So set a breakpoint on read at address 7C802C2C. It should lead you here:
004FDA27 . 8B3E MOV EDI, DWORD PTR DS:[ESI]
004FDA29 . 5E POP ESI ; kernel32.7C80262C
004FDA2A . 9C PUSHFD
004FDA2B .^ EB DD JMP SHORT 004FDA0A
// Step in needed:
004FDBF3 > \3BFE CMP EDI, ESI ; kernel32.7C80262C
004FDBF5 . 8D6424 04 LEA ESP, DWORD PTR SS:[ESP+0x4]
004FDBF9 ^ 0F82 00F9FFFF JB 004FD4FF
// No, this is not the magic jump, since it is not the ntdll base address!
After stepping in a lot:
004A5D18 > \4A DEC EDX ; kernel32.7C807C3B
004A5D19 . 8B11 MOV EDX, DWORD PTR DS:[ECX]
004A5D1B . 3BD0 CMP EDX, EAX
004A5D1D . 60 PUSHAD
004A5D1E . E9 B5760500 JMP 004FD3D8
At 004A5D19 it gets the ntdll base address in EDX.
004FD3D8 > \8D6424 20 LEA ESP, DWORD PTR SS:[ESP+0x20]
004FD3DC .^ 0F83 C088FAFF JNB 004A5CA2
This is the magic jump, which should be changed to a jump!
And now we have a clean import table! It is still hard for me to automate things!
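Added example, not code from the thread or from CodeCracker's scripts: the step posts #6 and #9 perform by hand, reading kernel32's export table to find the slot that holds GetModuleHandleA's RVA so a hardware breakpoint on read can be set there, written as a small PE export-directory parser in Python. It works on an image laid out as in memory (RVA equals offset, as in a process dump). build_demo_image(), DEMO_EXPORTS and every filler name and RVA in it are constructed for the demo and do not reproduce the real kernel32; only the base 7C800000, the slot 7C802C2C and the RVA B741 come from the thread.

```python
import struct

PE32, PE32PLUS = 0x10B, 0x20B


def _export_directory(image):
    """Return (AddressOfFunctions, AddressOfNames, AddressOfNameOrdinals, NumberOfNames)
    from IMAGE_EXPORT_DIRECTORY; `image` is laid out as in memory (RVA == offset)."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = e_lfanew + 24                                   # signature (4) + IMAGE_FILE_HEADER (20)
    magic = struct.unpack_from("<H", image, opt)[0]
    data_dir = opt + (96 if magic == PE32 else 112)       # DataDirectory[0] = export table
    export_rva = struct.unpack_from("<I", image, data_dir)[0]
    if export_rva == 0:
        raise ValueError("module has no export table")
    # Fields at +20: NumberOfFunctions, NumberOfNames, AddressOfFunctions,
    # AddressOfNames, AddressOfNameOrdinals
    _, n_names, funcs, names, ords = struct.unpack_from("<5I", image, export_rva + 20)
    return funcs, names, ords, n_names


def _cstring(image, rva):
    return bytes(image[rva:image.index(b"\0", rva)]).decode("ascii")


def export_slot(image, module_base, api):
    """Return (slot_va, function_rva): slot_va is the VA of the 4-byte
    AddressOfFunctions entry for `api`, i.e. the address to break on read;
    function_rva is the value stored there (B741 in the thread)."""
    funcs, names, ords, n_names = _export_directory(image)
    for i in range(n_names):
        name_rva = struct.unpack_from("<I", image, names + 4 * i)[0]
        if _cstring(image, name_rva) == api:
            # AddressOfNameOrdinals holds an unbiased index into AddressOfFunctions
            index = struct.unpack_from("<H", image, ords + 2 * i)[0]
            slot_rva = funcs + 4 * index
            return module_base + slot_rva, struct.unpack_from("<I", image, slot_rva)[0]
    raise KeyError(api)


# Constructed export list (not kernel32's): eleven filler names, then
# GetModuleHandleA at function index 11, so its slot is RVA 0x2C00 + 4*11 = 0x2C2C.
DEMO_EXPORTS = [(f"Filler{i:02d}", 0x1000 + 0x10 * i) for i in range(11)] + [
    ("GetModuleHandleA", 0xB741), ("GetProcAddress", 0xB900)]


def build_demo_image():
    """Constructed in-memory PE32 image with only headers and an export table."""
    img = bytearray(0x3000)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                              # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x84, 0x14C, 0, 0, 0, 0, 0xE0, 0x2102)  # IMAGE_FILE_HEADER
    struct.pack_into("<H", img, 0x98, PE32)                              # optional header magic
    struct.pack_into("<II", img, 0x98 + 96, 0x2B00, 0x200)               # export DataDirectory
    funcs, names, ords, strings = 0x2C00, 0x2D00, 0x2D80, 0x2E00
    n = len(DEMO_EXPORTS)
    struct.pack_into("<5I", img, 0x2B00 + 20, n, n, funcs, names, ords)
    for idx, (_name, rva) in enumerate(DEMO_EXPORTS):
        struct.pack_into("<I", img, funcs + 4 * idx, rva)
    # AddressOfNames is sorted by name; ordinals map each name back to its function index
    for j, idx in enumerate(sorted(range(n), key=lambda k: DEMO_EXPORTS[k][0])):
        name = DEMO_EXPORTS[idx][0].encode() + b"\0"
        img[strings:strings + len(name)] = name
        struct.pack_into("<I", img, names + 4 * j, strings)
        struct.pack_into("<H", img, ords + 2 * j, idx)
        strings += len(name)
    return bytes(img)


if __name__ == "__main__":
    KERNEL32_BASE = 0x7C800000   # XP-era kernel32 base seen in the thread
    slot, rva = export_slot(build_demo_image(), KERNEL32_BASE, "GetModuleHandleA")
    print(f"break on read at {slot:08X}; slot holds RVA {rva:X} "
          f"(bytes {rva.to_bytes(4, 'little').hex(' ').upper()}), API at {KERNEL32_BASE + rva:08X}")
```

Against a real dump the same function is fed the module's bytes as mapped plus its load base; the printed slot is what goes into the hardware breakpoint, and the bytes it holds (41 B7 00 00 here) are what the protector reads when it compares API addresses, which is the moment the thread watches for.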
#10
MagicJump finder (IAT redirection Finder)
A nice update:
I was able to code a good MagicJump finder (IAT redirection Finder) - attached. Now the problem is that the old script Safengine_OEP_finder.txt won't be able to reach OEP since the IAT fixing stuff is done late! So you still got to patch that address (MagicJump) manually.
The Following 3 Users Say Thank You to CodeCracker For This Useful Post:
#11
CodeCracker, possibility of an external link?
Possibly you could check my dll and give me any clue? tx
The Following User Says Thank You to carlitos For This Useful Post:
Indigo (07-19-2019)
#12
@carlitos:
Dll unpacking is a bit harder since you have to rebuild relocations: you have to unpack the dll twice. As for your dll: it seems I am even unable to load it in Olly; where did you get this dll anyway?
The Following User Says Thank You to CodeCracker For This Useful Post:
Indigo (07-19-2019)
#14
You can patch the dll to load at a fixed base address; that way, after the dump, relocations won't be loaded and the dll will be loaded at the same address!
The Following User Says Thank You to 0xall0c For This Useful Post:
Indigo (07-19-2019)
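Added example, not the thread's script nor anything from 0xall0c or Chuck954: the header patch behind the tip in post #14, pinning a DLL to one ImageBase so the packed original and the unpacked dump map at the same address, in Python. pin_base() optionally rewrites ImageBase, clears IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (the ASLR opt-in that Vista and later honour, which is why Windows XP in post #15 gives a stable base without any patching) and sets IMAGE_FILE_RELOCS_STRIPPED so the loader maps at ImageBase or refuses to load rather than relocating. demo_dll_headers() is a constructed headers-only PE for the demo, not a real DLL.

```python
import struct

PE32, PE32PLUS = 0x10B, 0x20B
IMAGE_FILE_RELOCS_STRIPPED = 0x0001               # IMAGE_FILE_HEADER.Characteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040     # OptionalHeader.DllCharacteristics
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100


def _headers(pe):
    """Return (file_header_off, optional_header_off, magic) for a PE buffer."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    file_hdr = e_lfanew + 4
    opt = file_hdr + 20
    return file_hdr, opt, struct.unpack_from("<H", pe, opt)[0]


def image_base(pe):
    _, opt, magic = _headers(pe)
    if magic == PE32:
        return struct.unpack_from("<I", pe, opt + 28)[0]   # PE32: 4-byte ImageBase at +28
    return struct.unpack_from("<Q", pe, opt + 24)[0]       # PE32+: 8-byte ImageBase at +24


def dll_characteristics(pe):
    return struct.unpack_from("<H", pe, _headers(pe)[1] + 70)[0]


def file_characteristics(pe):
    return struct.unpack_from("<H", pe, _headers(pe)[0] + 18)[0]


def pin_base(pe, new_base=None, refuse_relocation=True):
    """Return a patched copy of `pe`: optional new ImageBase, ASLR opt-in
    cleared and (by default) RELOCS_STRIPPED set so the loader maps the image
    at ImageBase or fails instead of rebasing it."""
    buf = bytearray(pe)
    file_hdr, opt, magic = _headers(buf)
    if new_base is not None:
        if new_base & 0xFFFF:
            raise ValueError("ImageBase must be 64 KiB aligned")
        if magic == PE32:
            if new_base > 0xFFFFFFFF:
                raise ValueError("PE32 ImageBase must fit in 32 bits")
            struct.pack_into("<I", buf, opt + 28, new_base)
        else:
            struct.pack_into("<Q", buf, opt + 24, new_base)
    # Without DYNAMIC_BASE, Vista+ maps the image at ImageBase whenever that range is free.
    struct.pack_into("<H", buf, opt + 70,
                     dll_characteristics(buf) & ~IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    if refuse_relocation:
        # Declare the image non-relocatable: a base collision now fails the load loudly.
        struct.pack_into("<H", buf, file_hdr + 18,
                         file_characteristics(buf) | IMAGE_FILE_RELOCS_STRIPPED)
    return bytes(buf)


def demo_dll_headers(base=0x10000000, magic=PE32):
    """Constructed headers-only PE (no sections) with DYNAMIC_BASE | NX_COMPAT set."""
    img = bytearray(0x200)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)
    img[0x80:0x84] = b"PE\0\0"
    machine, opt_size = (0x14C, 0xE0) if magic == PE32 else (0x8664, 0xF0)
    struct.pack_into("<HHIIIHH", img, 0x84, machine, 0, 0, 0, 0, opt_size, 0x2102)
    struct.pack_into("<H", img, 0x98, magic)
    if magic == PE32:
        struct.pack_into("<I", img, 0x98 + 28, base)
    else:
        struct.pack_into("<Q", img, 0x98 + 24, base)
    struct.pack_into("<H", img, 0x98 + 70,
                     IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE | IMAGE_DLLCHARACTERISTICS_NX_COMPAT)
    return bytes(img)


if __name__ == "__main__":
    before = demo_dll_headers()
    after = pin_base(before, 0x60000000)
    print(f"ImageBase {image_base(before):08X} -> {image_base(after):08X}, "
          f"DllCharacteristics {dll_characteristics(before):04X} -> {dll_characteristics(after):04X}, "
          f"Characteristics {file_characteristics(before):04X} -> {file_characteristics(after):04X}")
```

Pick a new_base that is 64 KiB aligned and unlikely to collide with modules already in the host process (many DLLs default to 10000000). With RELOCS_STRIPPED set, a collision makes the load fail rather than silently relocate, which is the signal wanted when the whole point is address-stable dumps; pass refuse_relocation=False to keep only the ASLR opt-out. Header patching can also trip a protector's own integrity checks, so if the patched DLL stops loading, compare against the untouched copy before blaming the base.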
#15
You can also use Windows XP in a VirtualBox. Unless you need a newer OS or x64, the base address usually loads at the same spot each time with XP. That makes it easier to keep dlls at the same base address.
The Following User Says Thank You to Chuck954 For This Useful Post:
Indigo (07-19-2019)