Exetools  

#1  04-24-2003, 17:00  drasd_20002
Inline patching a packed dll

I am trying to inline patch a DLL packed with PECompact v?1.84.

The first step would be finding the OEP, isn't it?

When I tried to load the DLL into Symbol Loader (SICE DS 2.7, Win XP no SP1, patched nmtrans.dll, siwvid.sys & ntice.sys) it does not load.

The section characteristics of the first section, i.e. pec1, are already E0000020.

Then I tried to preload the DLL by adding a line to winice.dat, but when I start SICE and give any command like d A90000 or BPX A90000 or (any command a*) * = anything, SICE CRASHES with the message Int0E Fault at address ****** offset 00006D78. If I don't load the DLL and run the app then the above faults don't occur, but obviously I cannot set any memory breakpoints on the address I mentioned; they will be ignored.

After unloading SICE by reboot I tried OllyDbg 1.09b, loaded the exe and started a wild "trace over" (F8) once I felt I was near the call for the DLL. Oops, there occurs an exception in kernel32.dll; OK, I pass it to the app using Shift+F7 or F8 but then the app runs without pausing; the DLL gets loaded up and the unpacking routine is already over. Tried using a plugin, OllyDump 2.20, to find the OEP by tracing; immediately there is an exception and an error message is displayed and the process is terminated, Sh**t.

I tried BPX ISDEBUGGERPRESENT; the response is that it breaks 60 times.

How do I find and disable the anti-debugging routines used by the DLL because it is packed?
SICE detection tools say it is detected only by INT 01.

Please help.

Last edited by drasd_20002; 04-25-2003 at 10:10.
#2  04-25-2003, 07:15  asterix
Hi!
Open the DLL in HIEW and replace the first byte with CCh.
Start SoftICE and give the command "i3here on".
Start the program and when it stops give the command "r eip eip-1".
Then replace the first byte with the original.
Then give the command "i3here off".

I am sorry for my horrible English.
#3  04-27-2003, 10:45  drasd_20002
In the meanwhile I used the IceExt extension for SICE.
It is mostly not detected, even by INT 1.

I tried your suggestion. Works well.

One could use a macro too:
MACRO a= "r eip eip-1; eb eip %1"

At the entry I have
PUSHFD
PUSHAD
CALL abcd
Here the registers are saved,
and these should be restored just before the OEP jump.

So I looked for the register value location in the data window and set a break on that, then bpx / bpm at the address, but it does not stop there.

Where am I going wrong?
#4  04-27-2003, 19:17  asterix
I do not understand you well. You cannot find the OEP?
Try something like this.

- It is necessary to remember the value of ESP at the EP of the DLL.
- Then put "bpx GetProcAddress"
or "bpx (GetProcAddress+3)" (on especially spiteful protectors)
and press "F5".
- When it stops, do "bc *".

- Then put "bpr esp-4 esp+4" (if you are in Win98) or
bpm esp-4
bpm esp-3
bpm esp-2
bpm esp-1 (if you are in Win2k/XP).
#5  04-28-2003, 23:05  drasd_20002
Yes, I was unable to find the OEP.
I tried your advice.
I ultimately reached 00B65C58.
Is this the OEP? I have marked it in the code below (SoftICE).
How do I confirm that?
I also did not understand the principle behind the breakpoints.

___________________________________________________________
EAX=0012F750 EBX=00CFC000 ECX=0012F798 EDX=00050001 ESI=0012F6F0
EDI=00000001 EBP=0012F6FC ESP=0012F6E0 EIP=00CFD550 CS=001B DS=0023
SS=0023 o d I a z a p c
ES=0023 FS=0030 GS=0000
__________Mydll!.pec______________________________________

001B:00CFBFF9 FFFF INVALID
001B:00CFBFFB FFFF INVALID
001B:00CFBFFD FFFF INVALID
001B:00CFBFFF FFEB JMP EBX //BREAK DUE TO EMBEDDED INT3
001B:00CFC001 06 PUSH ES
001B:00CFC002 68585C0D00 PUSH 000D5C58
001B:00CFC007 C3 RET
001B:00CFC008 9C PUSHFD //SAVE REGISTERS
001B:00CFC009 60 PUSHAD //SAVE REGISTERS
001B:00CFC00A E802000000 CALL 00CFC011
001B:00CFC00F 33C0 XOR EAX,EAX
001B:00CFC011 8BC4 MOV EAX,ESP
001B:00CFC013 83C004 ADD EAX,04
001B:00CFC016 93 XCHG EAX,EBX
001B:00CFC017 8BE3 MOV ESP,EBX
________________________________________________________________

//snipped

Break due to GetProcAddress [after F5]

001B:77E7A5D9 50 PUSH EAX
001B:77E7A5DA FF15AC12E677 CALL [ntdll!RtlImageNtHeader]
001B:77E7A5E0 85C0 TEST EAX,EAX
001B:77E7A5E2 0F84170FFFFF JZ 77E734FF
001B:77E7A5E8 6683785C03 CMP WORD PTR [EAX+5C],03
001B:77E7A5ED 0F850C0FFFFF JNZ 77E734FF
001B:77E7A5F3 33C0 XOR EAX,EAX
001B:77E7A5F5 40 INC EAX
001B:77E7A5F6 C3 RET
001B:77E7A5F7 FF257C13E677 JMP [ntdll!LdrGetProcedureAddress]
KERNEL32!GetProcAddress
001B:77E7A5FD 55 PUSH EBP //Break due to GetProcAddress
001B:77E7A5FE 8BEC MOV EBP,ESP
001B:77E7A600 51 PUSH ECX
001B:77E7A601 51 PUSH ECX
001B:77E7A602 53 PUSH EBX
-------------------------------------------------------------------
//snipped
I put
bpm 0012F6E0-4
bpm 0012F6E0-3
bpm 0012F6E0-2
bpm 0012F6E0-1
then pressed F5
Break due to BP 04: BPMB #001B:0012F6DF RW DR0


001B:00CFD52C 8D956BA14000 LEA EDX,[EBP+0040A16B]
001B:00CFD532 6A40 PUSH 40
001B:00CFD534 52 PUSH EDX
001B:00CFD535 FFB53D974000 PUSH DWORD PTR [EBP+0040973D]
001B:00CFD53B FFB539974000 PUSH DWORD PTR [EBP+00409739]
001B:00CFD541 E8F40A0000 CALL 00CFE03A
001B:00CFD546 85C0 TEST EAX,EAX
001B:00CFD548 0F859DFDFFFF JNZ 00CFD2EB
001B:00CFD54E 61 POPAD
001B:00CFD54F 9D POPFD ///Restore registers
001B:00CFD550 50 PUSH EAX
001B:00CFD551 68585CB600 PUSH 00B65C58
001B:00CFD556 C20400 RET 4
001B:00CFD559 8BB55B974000 MOV ESI,[EBP+0040975B]
---------------------------------------Mydll.pec+152C-----------------------
//snipped

Traced with F8 after that reaches here:
001B:00B65C58 55 PUSH EBP //??? OEP
001B:00B65C59 8BEC MOV EBP,ESP
001B:00B65C5B 83C4C4 ADD ESP,-3C
001B:00B65C5E B8B059B600 MOV EAX,00B659B0
001B:00B65C63 E8CC0CF3FF CALL 00A96934
001B:00B65C68 A1F47FB600 MOV EAX,[00B67FF4]
001B:00B65C6D 8B00 MOV EAX,[EAX]
001B:00B65C6F E85CCBF9FF CALL 00B027D0
001B:00B65C74 A1F47FB600 MOV EAX,[00B67FF4]
001B:00B65C79 8B00 MOV EAX,[EAX]
001B:00B65C7B 33D2 XOR EDX,EDX
001B:00B65C7D E846C7F9FF CALL 00B023C0
001B:00B65C82 8B0DDC7CB600 MOV ECX,[00B67CDC]
001B:00B65C88 A1F47FB600 MOV EAX,[00B67FF4]
001B:00B65C8D 8B00 MOV EAX,[EAX]
001B:00B65C8F 8B151C7FB400 MOV EDX,[00B47F1C]
001B:00B65C95 E84ECBF9FF CALL 00B027E0
001B:00B65C9A E891E0F2FF CALL 00A94530
001B:00B65C9F 90 NOP
001B:00B65CA0 0000 ADD [EAX],AL
001B:00B65CA2 0000 ADD [EAX],AL
001B:00B65CA4 0000 ADD [EAX],AL
-------------------------------------------------------------------

Last edited by drasd_20002; 04-30-2003 at 12:59.
#6  04-29-2003, 04:24  asterix
__________________________________________________

001B:00B65C50 55 PUSH EBP //??? OEP
__________________________________________________

Probably. It looks very much like the OEP.

edited:

I congratulate you! Really, it is the OEP.

Last edited by asterix; 04-29-2003 at 06:02.
#7  04-29-2003, 11:55  drasd_20002
Thank you very much.
Now I will try to inline patch/unpack it.

Are there any tutorials on PECompact DLL unpacking? There are lots on EXE unpacking, but I could not find one on DLLs.
#8  04-29-2003, 23:50  asterix
Unpacking a DLL does not differ at all from unpacking an EXE!

But it is necessary to remember:

1) the relocs;

2) the image base at which it was dumped.
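What asterix's two reminders mean in practice, as an added example that is not from the thread: a dump taken while the DLL was loaded at 00A90000 (the base LordPE reports in post #9) contains absolute addresses that the loader has already fixed up for that base. If the dump's header still carries the original preferred ImageBase and its relocation directory still points at a valid table, the loader will apply the base delta a second time wherever the DLL lands next. The Python below works on an image in memory layout (RVA equals file offset, which is the assumption made here for a process dump), reads the PE32 header fields directly with struct, and walks the IMAGE_BASE_RELOCATION blocks the way the loader does, so you can either stamp the dump base into the header or relocate the image to any base you choose. The sample image is constructed inline; nothing here is LordPE's or PECompact's code.

```python
import struct

IMAGE_REL_BASED_ABSOLUTE = 0     # padding entry, skipped by the loader
IMAGE_REL_BASED_HIGHLOW = 3      # 32-bit absolute address: add the base delta
IMAGE_DIRECTORY_ENTRY_BASERELOC = 5


def _opt_header(img):
    """Offset of the PE32 optional header; raises if this is not a PE32 image."""
    pe = struct.unpack_from("<I", img, 0x3C)[0]                    # e_lfanew
    if img[pe:pe + 4] != b"PE\0\0" or struct.unpack_from("<H", img, pe + 24)[0] != 0x10B:
        raise ValueError("not a PE32 image")
    return pe + 24


def read_u32(img, rva):
    return struct.unpack_from("<I", img, rva)[0]


def get_image_base(img):
    return read_u32(img, _opt_header(img) + 0x1C)                 # OptionalHeader.ImageBase


def set_image_base(img, base):
    """Fix-up 1: make the header agree with the base the dump was taken at."""
    struct.pack_into("<I", img, _opt_header(img) + 0x1C, base)


def iter_relocs(img):
    """Yield the RVA of every HIGHLOW fixup listed in the relocation directory.
    Assumes memory layout (RVA == offset), as in a process dump."""
    dir_off = _opt_header(img) + 0x60 + IMAGE_DIRECTORY_ENTRY_BASERELOC * 8
    rva, size = struct.unpack_from("<II", img, dir_off)
    end = rva + size
    while rva + 8 <= end:                                          # IMAGE_BASE_RELOCATION header
        page, block = struct.unpack_from("<II", img, rva)
        if block < 8:
            break                                                  # malformed or terminating block
        for off in range(rva + 8, rva + block, 2):                 # 16-bit entries follow the header
            entry = struct.unpack_from("<H", img, off)[0]
            kind, page_off = entry >> 12, entry & 0xFFF
            if kind == IMAGE_REL_BASED_HIGHLOW:
                yield page + page_off
            elif kind != IMAGE_REL_BASED_ABSOLUTE:
                raise ValueError("unsupported relocation type %d" % kind)
        rva += block


def rebase(img, current_base, new_base):
    """Fix-up 2: relocate a dump from the base it was really taken at to new_base, the way
    the loader does (delta added to every HIGHLOW dword), then update the header.
    Returns the number of fixups applied."""
    delta = (new_base - current_base) & 0xFFFFFFFF
    count = 0
    for rva in iter_relocs(img):
        struct.pack_into("<I", img, rva, (read_u32(img, rva) + delta) & 0xFFFFFFFF)
        count += 1
    set_image_base(img, new_base)
    return count


def build_sample_dump(dump_base=0x00A90000, preferred_base=0x10000000):
    """Constructed sample (not a real DLL): a three-page memory-layout image that was
    'dumped' at dump_base while its header still claims preferred_base. Page 0x1000
    holds two absolute pointers, page 0x2000 a one-block .reloc table covering them."""
    img = bytearray(0x3000)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)
    pe = 0x80
    img[pe:pe + 4] = b"PE\0\0"
    opt = pe + 24
    struct.pack_into("<H", img, opt, 0x10B)
    struct.pack_into("<I", img, opt + 0x1C, preferred_base)
    struct.pack_into("<II", img, opt + 0x60 + IMAGE_DIRECTORY_ENTRY_BASERELOC * 8, 0x2000, 12)
    struct.pack_into("<I", img, 0x1010, dump_base + 0x1234)        # already fixed up by the loader
    struct.pack_into("<I", img, 0x1020, dump_base + 0x2000)
    struct.pack_into("<IIHH", img, 0x2000, 0x1000, 12,             # page RVA, block size,
                     (IMAGE_REL_BASED_HIGHLOW << 12) | 0x010,      # then two HIGHLOW entries
                     (IMAGE_REL_BASED_HIGHLOW << 12) | 0x020)
    return img


if __name__ == "__main__":
    dump = build_sample_dump()
    print("header says %08X, dump taken at 00A90000" % get_image_base(dump))
    n = rebase(dump, 0x00A90000, get_image_base(dump))            # back to the preferred base
    print("%d fixups applied, pointer now %08X" % (n, read_u32(dump, 0x1010)))
```

rebase() has to be told the base the dump was actually taken at; after dumping, the header value is not trustworthy, which is exactly the second of the two points above. HIGHLOW is the fixup type a 32-bit image normally carries; any other type raises here rather than silently corrupting the image.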
#9  04-30-2003, 13:32  drasd_20002
You may note that there was an OCR (optical character recognition software) error; I used it to get the SoftICE screen dump.

OEP is 00B65C58 & not 00B65C50.

I dumped the DLL after giving jmp eip at the OEP using LordPE.

I opened the original (unpacked) DLL process in ReVirgin,

entered the OEP, clicked fetch IAT; it says "found nothing".

Image base as shown by LordPE is 00A90000 at dumping.


Anyway I will try to find more on ReVirgin and meanwhile try inline patching... seems easier than unpacking
because PECompact fuses all the sections and what not.

Thank you for your valuable help.

Last edited by drasd_20002; 04-30-2003 at 13:39.
#10  04-30-2003, 20:19  asterix
I do not know how you copied it from SoftICE, but the OEP is here:

001B:00CFD54E 61 POPAD
001B:00CFD54F 9D POPFD ///Restore registers
001B:00CFD550 50 PUSH EAX
001B:00CFD551 60505CB600 PUSH 00B65C50 <--- put OEP on the stack
001B:00CFD556 C20400 RET 4

If you are at eip=00CFD551 PUSH 00B65C50, give the commands
a eip
jmp eip

but it is necessary to remember about the "nop".
Or use the command !SUSPEND with IceExt.
Then open LordPE, dump it and restore the imports!!!

I do not know what the problems with the imports are there.
Maybe use ImpREC?

Last edited by asterix; 04-30-2003 at 20:29.
#11  05-01-2003, 00:38  HYC
My First PEInfo

// My First PEInfo: dump the PE header, section table and import table of a mapped
// file into a RichEdit control. Comments and format strings translated from Chinese.
#include "stdafx.h"            // precompiled header: must be the first include in a VC project
#include <windows.h>
#include <richedit.h>
#include "ProcessPeFile.h"
#include "RavToFileOffset.h"   // declares _RVAToOffset() and _GetRVASection() (not shown in this post)

// Format strings for the RichEdit control; \x0d\x0a is CR LF. Each array is sized by its
// initializer, so none of them can overflow (the original szMsgName[10] was too small).
char szMsg[] = "File name: %s\x0d\x0a"
    "----------------------------------------------------------\x0d\x0a"
    "Machine: 0x%04X\x0d\x0a"
    "Number of sections: %d\x0d\x0a"
    "File characteristics: 0x%04X\x0d\x0a"
    "Preferred image base: 0x%08X\x0d\x0a\x0d\x0a";
char szMsg1[] = "\x0d\x0a\x0d\x0a----------------------------------------------------------\x0d\x0a"
    "Section containing the import table: %s\x0d\x0a";
char szMsgSection[] = "----------------------------------------------------------\x0d\x0a"
    "Name     VirtSize VirtAddr RawSize  RawOffs  Characteristics\x0d\x0a"
    "----------------------------------------------------------\x0d\x0a";
char szFmtSection[] = "%-8s %08X %08X %08X %08X %08X\x0d\x0a";
char szMsgImport[] = "\x0d\x0a------------------------------------------------\x0d\x0a"
    "Import library: %s\x0d\x0a"
    "------------------------------------------------\x0d\x0a"
    " OriginalFirstThunk %08X\x0d\x0a"
    " TimeDateStamp      %08X\x0d\x0a"
    " ForwarderChain     %08X\x0d\x0a"
    " FirstThunk         %08X\x0d\x0a"
    "------------------------------------------------\x0d\x0a"
    "Ordinal/Hint Imported function name\x0d\x0a"
    "------------------------------------------------\x0d\x0a";
char szMsgOrdinal[] = "%8u (imported by ordinal)\x0d\x0a";
char szErrNoImport[] = "This file does not import any functions";
char szMsgName[] = "%8u %s\x0d\x0a";
extern char szFileName[MAX_PATH];
extern HINSTANCE hInst;   // current instance
extern HWND hWinEdit;     // RichEdit window handle
extern HWND hWinMain;     // main window handle

void _AppendInfo(char * szText);

// lpFile: base of the file mapping, lpPEHead: its IMAGE_NT_HEADERS, dwSize: size of the mapping
void ProcessPeFile(void * lpFile, IMAGE_NT_HEADERS * lpPEHead, unsigned long dwSize)
{
    char szBuffer[1024];
    char szSectionName[IMAGE_SIZEOF_SHORT_NAME + 1];
    IMAGE_SECTION_HEADER * pSECTIONHead;
    IMAGE_IMPORT_DESCRIPTOR * pIMPORTDES;
    unsigned long FileOffset;
    int numberOfSections;

    wsprintf(szBuffer, szMsg, szFileName, lpPEHead->FileHeader.Machine,
             lpPEHead->FileHeader.NumberOfSections,
             lpPEHead->FileHeader.Characteristics,
             lpPEHead->OptionalHeader.ImageBase);
    SetWindowText(hWinEdit, szBuffer);   // show some fields of the PE file header

    // Section table: it starts right after the optional header. IMAGE_FIRST_SECTION
    // honours SizeOfOptionalHeader instead of assuming sizeof(IMAGE_NT_HEADERS).
    _AppendInfo(szMsgSection);
    numberOfSections = lpPEHead->FileHeader.NumberOfSections;
    pSECTIONHead = IMAGE_FIRST_SECTION(lpPEHead);
    while (numberOfSections--)           // one line per section
    {
        // Name is 8 bytes and not NUL-terminated when all 8 are used: copy it out first
        RtlZeroMemory(szSectionName, sizeof(szSectionName));
        memcpy(szSectionName, pSECTIONHead->Name, IMAGE_SIZEOF_SHORT_NAME);
        wsprintf(szBuffer, szFmtSection, szSectionName,
                 pSECTIONHead->Misc.VirtualSize, pSECTIONHead->VirtualAddress,
                 pSECTIONHead->SizeOfRawData, pSECTIONHead->PointerToRawData,
                 pSECTIONHead->Characteristics);
        _AppendInfo(szBuffer);
        pSECTIONHead++;
    }

    // Import table
    IMAGE_DATA_DIRECTORY directory =
        lpPEHead->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT];
    if (directory.VirtualAddress == 0)   // no import directory at all
    {
        _AppendInfo(szErrNoImport);
        return;
    }
    FileOffset = _RVAToOffset(lpFile, directory.VirtualAddress);
    if (FileOffset >= dwSize)            // RVA outside the mapped file: do not read past it
    {
        _AppendInfo(szErrNoImport);
        return;
    }
    pIMPORTDES = (IMAGE_IMPORT_DESCRIPTOR *)((BYTE *)lpFile + FileOffset);
    wsprintf(szBuffer, szMsg1, _GetRVASection(lpFile, directory.VirtualAddress));
    _AppendInfo(szBuffer);

    // The descriptor array is terminated by an all-zero entry
    while (pIMPORTDES->OriginalFirstThunk || pIMPORTDES->TimeDateStamp ||
           pIMPORTDES->ForwarderChain || pIMPORTDES->Name || pIMPORTDES->FirstThunk)
    {
        char * szDllName = (char *)lpFile + _RVAToOffset(lpFile, pIMPORTDES->Name);
        wsprintf(szBuffer, szMsgImport, szDllName,
                 pIMPORTDES->OriginalFirstThunk, pIMPORTDES->TimeDateStamp,
                 pIMPORTDES->ForwarderChain, pIMPORTDES->FirstThunk);
        _AppendInfo(szBuffer);

        // Walk the INT if present, otherwise the IAT (some linkers leave OriginalFirstThunk 0)
        DWORD thunkRva = pIMPORTDES->OriginalFirstThunk ? pIMPORTDES->OriginalFirstThunk
                                                        : pIMPORTDES->FirstThunk;
        DWORD * pThunk = (DWORD *)((BYTE *)lpFile + _RVAToOffset(lpFile, thunkRva));
        for (; *pThunk; pThunk++)        // a zero thunk ends the list
        {
            if (*pThunk & IMAGE_ORDINAL_FLAG32)
            {
                wsprintf(szBuffer, szMsgOrdinal, IMAGE_ORDINAL32(*pThunk));
            }
            else
            {
                IMAGE_IMPORT_BY_NAME * pImportByName =
                    (IMAGE_IMPORT_BY_NAME *)((BYTE *)lpFile + _RVAToOffset(lpFile, *pThunk));
                wsprintf(szBuffer, szMsgName, pImportByName->Hint, pImportByName->Name);
            }
            _AppendInfo(szBuffer);
        }
        pIMPORTDES++;
    }
    // import table done
}

// Append text at the end of the RichEdit control. (The original left stCR uninitialised,
// so the text was inserted at whatever the current selection happened to be.)
void _AppendInfo(char * szText)
{
    CHARRANGE stCR;
    stCR.cpMin = stCR.cpMax = GetWindowTextLength(hWinEdit);
    SendMessage(hWinEdit, EM_EXSETSEL, 0, (LPARAM)&stCR);
    SendMessage(hWinEdit, EM_REPLACESEL, FALSE, (LPARAM)szText);
}

/* But first you should build a project (in a VC workspace).
And you should map an opened file, get the handle of the file,
get the IMAGE_NT_HEADERS of the file.
If you really want the whole project, you can mail me:
huangyingchang@21cn.com */
#12  05-01-2003, 07:05  asterix
I have looked at this PECompact 1.84 here and have unpacked it.
I can tell that code of this kind:

:XXXXXXXX POPAD
:XXXXXXXX POPFD
:XXXXXXXX PUSH EAX
:XXXXXXXX PUSH XXXXXXXX
:XXXXXXXX RET 4
I have observed many times in PECompact's code.

After bpm esp-4... etc. you need to press F5 (as many times as necessary to find the OEP).

So probably it was necessary to press F5 some more.

Maybe this (001B:00B65C58 55 PUSH EBP) is not the OEP!

If possible, give a link to your program.

I am sorry for my horrible English.
#13  05-02-2003, 01:49  drasd_20002
I think the OEP is right because I tried the same method on a crackme (PECompact 1.84) and two other targets (exe); after unpack + IAT rebuild (ImpREC) all are working fine.

But with the DLL, no success getting the IAT. Also with "XP notepad" that I packed with PECompact, ImpREC won't work.

I have a few doubts:

In an unpacked (original) notepad/exe/dll, the entry point in the PE header (PEP) is the OEP. Is that correct?

Is the OEP hard coded (present in the file on disk) in a PECompacted file?

I tried getting IAT info in ImpREC for Notepad98; it gives values, but for Notepad XP it says:

"Could Not Find anything good at this OEP".

I tried changing max recursion & buffer size in the options but no use. I think I have to find the IAT manually and fix it.

I am sending you the target while I try confirming the OEP myself, because that would give me real confidence.
Attached file: trial.zip (7.3 KB)

Last edited by drasd_20002; 05-02-2003 at 01:58.
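On the question of whether the OEP is hard-coded in a PECompacted file: the SoftICE dump in post #5 shows the packed entry point starting with EB 06 (JMP SHORT over the next six bytes), 68 58 5C 0D 00 (PUSH 000D5C58) and C3 (RET), and 00A90000 + 000D5C58 is exactly the 00B65C58 that the ESP breakpoint trace reached. The script below is an added example, not from any poster and not PECompact's own code: it parses a PE32 file from disk, maps the AddressOfEntryPoint RVA to a file offset through the section table and, if the entry bytes match that stub, computes the OEP from the pushed dword. That the pushed value is the OEP RVA is an assumption drawn from this one dump; other PECompact versions may store it differently. The sample input is a constructed minimal PE image, not the vdsrun40.dll from the thread.

```python
import struct

# PECompact 1.x entry stub as seen in post #5 (assumption: the first PUSH holds the OEP RVA):
#   EB 06                  JMP SHORT +6
#   68 xx xx xx xx         PUSH <OEP RVA>
#   C3                     RET
#   9C 60 E8 02 00 00 00   PUSHFD / PUSHAD / CALL $+7
STUB_PREFIX = b"\xEB\x06\x68"
STUB_SUFFIX = b"\xC3\x9C\x60\xE8\x02\x00\x00\x00"


def parse_pe32(data):
    """Return (image_base, entry_rva, sections) for a PE32 file image (disk layout).
    sections is a list of (name, virtual_address, virtual_size, raw_size, raw_offset)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    pe = struct.unpack_from("<I", data, 0x3C)[0]                 # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]             # FileHeader.NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]        # FileHeader.SizeOfOptionalHeader
    opt = pe + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:          # OptionalHeader.Magic
        raise ValueError("only PE32 handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 0x10)[0]    # AddressOfEntryPoint
    image_base = struct.unpack_from("<I", data, opt + 0x1C)[0]   # ImageBase
    sections = []
    for i in range(nsec):                                        # section table follows the optional header
        name, vsize, va, rawsize, rawoff = struct.unpack_from("<8sIIII", data, opt + opt_size + i * 40)
        sections.append((name.rstrip(b"\0").decode("latin-1"), va, vsize, rawsize, rawoff))
    return image_base, entry_rva, sections


def rva_to_offset(rva, sections):
    """Map an RVA to a file offset through the section table (raw layout on disk)."""
    for _, va, vsize, rawsize, rawoff in sections:
        if va <= rva < va + max(vsize, rawsize):
            return rawoff + (rva - va)
    raise ValueError("RVA 0x%X not in any section" % rva)


def pecompact_oep(data):
    """Return (oep_rva, oep_va) if the entry point carries the stub above, else None."""
    image_base, entry_rva, sections = parse_pe32(data)
    ep = rva_to_offset(entry_rva, sections)
    stub = data[ep:ep + 16]
    if not (stub.startswith(STUB_PREFIX) and stub[7:15] == STUB_SUFFIX):
        return None
    oep_rva = struct.unpack_from("<I", stub, 3)[0]
    return oep_rva, image_base + oep_rva


def build_sample_dll(image_base=0x00A90000, oep_rva=0x000D5C58, entry_rva=0x1000):
    """Constructed sample (not a real DLL): a minimal PE32 with one section, 'pec1',
    whose first bytes are the stub above. Values default to those seen in the thread."""
    raw_off = 0x200
    stub = STUB_PREFIX + struct.pack("<I", oep_rva) + STUB_SUFFIX
    img = bytearray(raw_off + 0x200)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                      # e_lfanew
    pe = 0x80
    img[pe:pe + 4] = b"PE\0\0"
    # FileHeader: Machine, NumberOfSections, TimeDateStamp, PtrToSymTab, NumSyms, SizeOfOptHdr, Characteristics
    struct.pack_into("<HHIIIHH", img, pe + 4, 0x14C, 1, 0, 0, 0, 0xE0, 0x2102)
    opt = pe + 24
    struct.pack_into("<H", img, opt, 0x10B)
    struct.pack_into("<I", img, opt + 0x10, entry_rva)
    struct.pack_into("<I", img, opt + 0x1C, image_base)
    struct.pack_into("<8sIIII", img, opt + 0xE0, b"pec1", 0x200, entry_rva, 0x200, raw_off)
    img[raw_off:raw_off + len(stub)] = stub
    return bytes(img)


if __name__ == "__main__":
    rva, va = pecompact_oep(build_sample_dll())
    print("OEP RVA %08X -> VA %08X" % (rva, va))
```

For a real file, replace build_sample_dll() with open(path, "rb").read(); the entry-point check is done on disk bytes, so it says nothing about the stub after the packer has relocated or decrypted itself, which is why the result is still worth confirming against a live trace as in post #5.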
#14  05-03-2003, 11:05  drasd_20002
I tried to rebuild the import table with ImpREC.
Since it fails even with the correct OEP, I used another Delphi DLL initially & then this one; sort of partial grafting work.

Now the DLL is working perfectly in certain environments, e.g. if it is the first DLL called from the program. It does not work on a different computer, or a different OS (Win98), or if it is the 3rd called DLL etc. I worked in XP.

What could be the cause? Relocs?

Please help me with suggestions.
#15  05-03-2003, 19:35  asterix
Hi!
Yes, vdsrun40.dll is necessary for me.
What is the size of this DLL?

But I tried to unpack it, having picked it up from another .exe (my small .exe).
Strange:
esp=12f8ec (in WinXP)
oep=D1160 (without image base)
import (rva: 2681CC size: 7D8) <- I used ReVirgin (in WinXP).

I can tell nothing certain about relocs.

But vdsrun40.dll is necessary for me!!!