Exetools  

Safengine Olly scripts

#1, CodeCracker (Family), 03-13-2019 20:15

Safengine_OEP_finder.txt and SafeEngine_ThunksFixer.txt: two Olly scripts.
First load the target and run Safengine_OEP_finder.txt - this will lead to the OEP.
After that, load the SafeEngine_ThunksFixer.txt script: this will fix instructions involving import table thunks.
Currently I have no way to fix emulated imports (the import table).
SafeEngine_ThunksFixer.txt still has a bug: it randomly crashes when executing some SafeEngine code (it does NOT always crash)!
Attached file: SafeEngine_Scripts.zip (8.3 KB)
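Added example, not CodeCracker's script and not code from the thread: a Python sketch of the kind of rewrite a thunk fixer such as the one described in post #1 performs. It assumes (this is an assumption about the protector, not something the post states) that each 6-byte `call dword ptr [IAT slot]` in the target was replaced by a 5-byte `call stub` plus a one-byte NOP pad, where the stub is a `jmp dword ptr [slot]`; the fixer scans the code for such calls and restores the original form. The section addresses, the stub layout and the pad byte are constructed for the sample; only the IAT address 00464000 is taken from the log quoted later in the thread.

```python
import struct

# Constructed sample layout (assumptions for this example): a .text section, a
# block of protector-generated thunk stubs, and the IAT the stubs jump through.
# IAT_BASE reuses the ImportTableAddress logged in post #9; the rest is made up.
CODE_BASE = 0x00401000
STUB_BASE = 0x00500000
IAT_BASE = 0x00464000
STUB_LEN = 6  # FF 25 imm32 = jmp dword ptr [imm32]


def build_sample():
    """Build sample bytes: three `jmp dword ptr [IAT slot]` stubs and a small
    function whose import calls were rewritten by the (assumed) protector into
    `call stub` (E8 rel32) followed by a one-byte NOP pad."""
    slots = [IAT_BASE + 4 * i for i in range(3)]
    stubs = b"".join(b"\xFF\x25" + struct.pack("<I", s) for s in slots)

    def call_rel(at, target):
        # E8 rel32: displacement is relative to the end of the 5-byte instruction
        return b"\xE8" + struct.pack("<i", target - (at + 5))

    code = bytearray(b"\x55\x8B\xEC")                        # push ebp; mov ebp, esp
    code += call_rel(CODE_BASE + len(code), STUB_BASE + 0 * STUB_LEN) + b"\x90"
    code += call_rel(CODE_BASE + len(code), STUB_BASE + 2 * STUB_LEN) + b"\x90"
    code += b"\xB8\x01\x00\x00\x00\xC3"                      # mov eax, 1; ret
    return bytes(code), stubs


def stub_slot(stubs, stub_base, va):
    """If `va` points at a `jmp dword ptr [slot]` stub, return the IAT slot it
    jumps through, otherwise None."""
    off = va - stub_base
    if 0 <= off and off + STUB_LEN <= len(stubs) and stubs[off:off + 2] == b"\xFF\x25":
        return struct.unpack_from("<I", stubs, off + 2)[0]
    return None


def fix_thunk_calls(code, code_base, stubs, stub_base):
    """Rewrite `E8/E9 rel32` + NOP pad that targets a thunk stub back into the
    6-byte `FF 15 [slot]` (call) or `FF 25 [slot]` (jmp) form.
    Returns the fixed bytes and a list of (instruction VA, IAT slot) for logging."""
    out = bytearray(code)
    fixed = []
    i = 0
    while i + 6 <= len(out):
        op = out[i]
        # The pad-byte check keeps this byte-level scan (no disassembler) from
        # matching a stray E8/E9 inside data or immediates.
        if op in (0xE8, 0xE9) and out[i + 5] == 0x90:
            rel = struct.unpack_from("<i", out, i + 1)[0]
            target = code_base + i + 5 + rel
            slot = stub_slot(stubs, stub_base, target)
            if slot is not None:
                out[i] = 0xFF
                out[i + 1] = 0x15 if op == 0xE8 else 0x25
                struct.pack_into("<I", out, i + 2, slot)
                fixed.append((code_base + i, slot))
                i += 6
                continue
        i += 1
    return bytes(out), fixed


if __name__ == "__main__":
    code, stubs = build_sample()
    fixed_code, log = fix_thunk_calls(code, CODE_BASE, stubs, STUB_BASE)
    for va, slot in log:
        print(f"{va:08X}: call dword ptr [{slot:08X}]")
```

A real fixer would walk instructions with a disassembler rather than scanning bytes, and would also handle stubs that do more than a single indirect jump; the pad-byte test here is only a cheap guard against false positives in the sample.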
#2, carlitos (Friend), 03-13-2019 22:20
CodeCracker, could an external link be possible, please?
#3, CodeCracker (Family), 03-13-2019 23:31
External download link

Quote (carlitos): CodeCracker, could an external link be possible, please?

https://www49.zippyshare.com/v/z6MIRlQe/file.html
#4, Stingered (Friend), 03-14-2019 06:36
Quote (CodeCracker): https://www49.zippyshare.com/v/z6MIRlQe/file.html
Interesting. I ask for an external link (not this specific thread) and my post gets flagged and deleted...
#5, Apuromafo (Family, Chile), 03-14-2019 09:32
Quote (Stingered): Interesting. I ask for an external link (not this specific thread) and my post gets flagged and deleted...

Only if the author of the post says it is private, is the thing...

BR, Apuromafo
#6, CodeCracker (Family), 04-03-2019 20:17
I found a way to kill import table redirection!

A breakpoint on write to the code section (.text section) doesn't work in some cases.
At this point we can watch how imports are restored!
Next it will check for the import redirection magic jump: that jump should jump.
The script may log more than one jump location: obviously only one location is right.
First, it gets the kernel32.GetModuleHandleA RVA = B741 (41B70000)
Export table address: 7C802C2C 41 B7 00 00
So set a breakpoint on read at 7C802C2C; after the breakpoint hits, continue execution (step in) and
you will see that it compares the ntdll base address with kernel32.GetModuleHandleA.
The jump after that should jump, and imports will be no more redirected (clean import table)!
Attached file: Safengine_OEP_finder_&IAT.txt (5.8 KB)
#7, ahmadmansoor (Exetools Team Manager, Syria), 04-03-2019 22:16
My friend, can you provide us with a sample (unpackme)?
Thanks for the nice work.
#8, CodeCracker (Family), 04-06-2019 16:36
Can't find any unpackme on this board; only on tuts4you:
https://forum.tuts4you.com/topic/39325-quick-unpacking-safengine-shielden-239
https://forum.tuts4you.com/topic/30998-unpackme-safengine-shielden-2190
https://forum.tuts4you.com/topic/34639-unpackme-safengine-shielden-2260
https://forum.tuts4you.com/topic/37946-safengine-shielden-v2380/
#9, CodeCracker (Family), 04-15-2019 01:51
Target:
https://forum.tuts4you.com/topic/39325-quick-unpacking-safengine-shielden-239

magicjump5: 004D30FB
magicjump5 may be wrong!
magicjump2: 004D28E4
JumpDestination: 004D28C8 | Entry address
magicjump2: 004D3349
JumpDestination: 004D3308 | Entry address
magicjump2: 004D80BB
JumpDestination: 004D80D7 | Entry address
magicjump2: 004D81DC
JumpDestination: 004D81F8 | Entry address
magicjump2: 004DA58A
JumpDestination: 004DA54C | Entry address
magicjump2: 004DB025
JumpDestination: 004DB056 | Entry address
magicjump2: 004DB9C9
JumpDestination: 004DB9AE | Entry address
magicjump2: 0054A8FD
JumpDestination: 0054A903

Unfortunately none of those addresses are the magic jump (sorry)!

Log data, item 1
Message=ImportTableAddress: 00464000

The first time, it gets the kernel32.GetModuleHandleA RVA = B741 (41B70000)
Export table address: 7C802C2C 41 B7 00 00
so set a breakpoint on read at address 7C802C2C.
That should lead you here:
004FDA27 . 8B3E MOV EDI, DWORD PTR DS:[ESI]
004FDA29 . 5E POP ESI ; kernel32.7C80262C
004FDA2A . 9C PUSHFD
004FDA2B .^ EB DD JMP SHORT 004FDA0A
// Step in needed:
004FDBF3 > \3BFE CMP EDI, ESI ; kernel32.7C80262C
004FDBF5 . 8D6424 04 LEA ESP, DWORD PTR SS:[ESP+0x4]
004FDBF9 ^ 0F82 00F9FFFF JB 004FD4FF
// No, this is not the magic jump, since it is not the ntdll base address!

After stepping in a lot:
004A5D18 > \4A DEC EDX ; kernel32.7C807C3B
004A5D19 . 8B11 MOV EDX, DWORD PTR DS:[ECX]
004A5D1B . 3BD0 CMP EDX, EAX
004A5D1D . 60 PUSHAD
004A5D1E . E9 B5760500 JMP 004FD3D8

At 004A5D19 it gets the ntdll base address in EDX.

004FD3D8 > \8D6424 20 LEA ESP, DWORD PTR SS:[ESP+0x20]
004FD3DC .^ 0F83 C088FAFF JNB 004A5CA2
This is the magic jump, which should be changed to a jump! And now we have a clean import table!

It is still hard for me to automate things!
#10, CodeCracker (Family), 04-15-2019 20:42
MagicJump finder (IAT redirection Finder)

A nice update:
I was able to code a good MagicJump finder (IAT redirection finder) - attached.
Now the problem is that the old script Safengine_OEP_finder.txt won't be able to reach the OEP,
since the IAT fixing stuff is done late!
So you still have to patch that address (MagicJump) manually.
Attached file: Safengine_MagicJump_IATFinder.txt (4.1 KB)
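Added example, not from the thread or from the attached scripts: Python code for the two manual steps posts #6, #9 and #10 describe, locating the export-table slot of kernel32.GetModuleHandleA (the address to put a hardware breakpoint on read at) and patching the magic jump (the JNB at 004FD3DC in post #9) into an unconditional jump without disturbing its rel32. The PE image is a constructed minimal PE32 with made-up exports; the base 7C800000 and the export RVA B741 are chosen to match the thread, but the slot address the sample yields (7C80102C) is the sample's own, not the real kernel32 one. Everything else is parsed from PE headers exactly as a loader would.

```python
import struct


def _u16(buf, off):
    return struct.unpack_from("<H", buf, off)[0]


def _u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0]


def build_sample_image():
    """Constructed minimal PE32 image laid out as mapped in memory (RVA == offset)
    with three made-up exports. Base and names are assumptions for this example;
    GetModuleHandleA gets RVA B741 to match the value quoted in the thread."""
    base, exp_rva = 0x7C800000, 0x1000
    funcs = [0x1A8F, 0xB741, 0x2C3D]        # AddressOfFunctions, indexed by ordinal
    names = [("CloseHandle", 2), ("GetModuleHandleA", 1), ("GetProcAddress", 0)]
    aof = exp_rva + 40                      # IMAGE_EXPORT_DIRECTORY is 40 bytes
    aon = aof + 4 * len(funcs)
    aono = aon + 4 * len(names)
    str_rva = aono + 2 * len(names)
    strings, name_rvas = b"", []
    for n, _ in names:
        name_rvas.append(str_rva + len(strings))
        strings += n.encode() + b"\0"
    export_dir = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, 0, 1,
                             len(funcs), len(names), aof, aon, aono)
    tables = b"".join(struct.pack("<I", f) for f in funcs)
    tables += b"".join(struct.pack("<I", r) for r in name_rvas)
    tables += b"".join(struct.pack("<H", o) for _, o in names)
    export_blob = export_dir + tables + strings
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)
    opt_hdr = struct.pack("<H", 0x10B).ljust(96, b"\0")    # PE32: data dirs at +96
    data_dirs = struct.pack("<II", exp_rva, len(export_blob)) + b"\0" * (8 * 15)
    headers = dos + b"PE\0\0" + file_hdr + opt_hdr + data_dirs
    return bytes(headers.ljust(exp_rva, b"\0") + export_blob), base


def find_export_slot(image, base, name):
    """Return (slot VA, function RVA, is_forwarder) for the named export. The slot
    VA is the AddressOfFunctions entry holding the RVA: that is where the
    breakpoint on read goes. Returns None if the name is not exported."""
    e_lfanew = _u32(image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    magic = _u16(image, e_lfanew + 24)                      # OptionalHeader.Magic
    dd_off = e_lfanew + 24 + (96 if magic == 0x10B else 112)
    exp_rva, exp_size = _u32(image, dd_off), _u32(image, dd_off + 4)
    if exp_rva == 0:
        return None
    _, num_names, aof, aon, aono = struct.unpack_from("<IIIII", image, exp_rva + 20)
    for i in range(num_names):
        name_rva = _u32(image, aon + 4 * i)
        export_name = image[name_rva:image.index(b"\0", name_rva)].decode()
        if export_name == name:
            ordinal = _u16(image, aono + 2 * i)
            slot_rva = aof + 4 * ordinal
            func_rva = _u32(image, slot_rva)
            # An RVA inside the export directory is a forwarder string, not code.
            forwarder = exp_rva <= func_rva < exp_rva + exp_size
            return base + slot_rva, func_rva, forwarder
    return None


def olly_dump(value):
    """Render a 32-bit value as the little-endian byte string Olly shows."""
    return " ".join(f"{b:02X}" for b in struct.pack("<I", value))


def force_jump(code, offset):
    """Turn the conditional jump at `offset` into an unconditional one in place:
    0F 8x rel32 -> 90 E9 rel32 (same length, so rel32 stays valid),
    7x rel8     -> EB rel8."""
    out = bytearray(code)
    if out[offset] == 0x0F and 0x80 <= out[offset + 1] <= 0x8F:
        out[offset], out[offset + 1] = 0x90, 0xE9
    elif 0x70 <= out[offset] <= 0x7F:
        out[offset] = 0xEB
    else:
        raise ValueError("no conditional jump at offset")
    return bytes(out)


def jump_target(code, offset, va):
    """Destination of the rel32 jump at `offset`, whose first byte sits at VA `va`;
    handles Jcc rel32 (0F 8x), JMP rel32 (E9) and the NOP-prefixed patched form."""
    if code[offset] == 0x90:
        return jump_target(code, offset + 1, va + 1)
    if code[offset] == 0x0F:
        length, disp_off = 6, 2
    elif code[offset] == 0xE9:
        length, disp_off = 5, 1
    else:
        raise ValueError("not a rel32 jump")
    return va + length + struct.unpack_from("<i", code, offset + disp_off)[0]


if __name__ == "__main__":
    image, base = build_sample_image()
    slot, rva, _ = find_export_slot(image, base, "GetModuleHandleA")
    print(f"slot {slot:08X} holds RVA {rva:X} ({olly_dump(rva)})")
```

To use the same logic on a live target, feed `find_export_slot` the mapped kernel32 image and its real base (for example, read out of the debugger) instead of the constructed sample; the forwarder flag matters because a forwarded export's slot holds an RVA to a string, not to code, and a breakpoint there catches nothing useful.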
#11, carlitos (Friend), 04-15-2019 22:49
CodeCracker, is there a possibility of an external link?

Is there any possibility you could check my dll and give me a clue?

tx
#12, CodeCracker (Family), 04-16-2019 17:05
@carlitos:
DLL unpacking is a bit harder, since you have to rebuild relocations: you have to unpack the DLL twice.
As for your DLL: it seems I am even unable to load it in Olly; where did you get this DLL anyway?
#13, carlitos (Friend), 04-16-2019 18:04
@CodeCracker thanks for your reply.
How can I PM you?
#14, 0xall0c (Friend), 04-19-2019 05:34
You can patch the DLL to load at a fixed base address; that way, after the dump, relocations won't be loaded and the DLL will be loaded at the same address!
#15, Chuck954 (Friend), 04-19-2019 09:50
You can also use Windows XP in a VirtualBox. Unless you need a newer OS or x64, the base address usually loads at the same spot each time with XP. That makes it easier to keep DLLs at the same base address.
All times are GMT +8.

