#1
Inline patching a packed dll
I am trying to inline patch a DLL packed with PECompact v?1.84.
The first step would be finding the OEP, isn't it? When I tried to load the DLL into Symbol Loader (SICE DS 2.7, Win XP no SP1, patched nmtrans.dll, siwvid.sys & ntice.sys) it does not load. The section characteristics of the first section, i.e. pec1, are already E0000020. Then I tried to preload the DLL by adding a line to winice.dat, but when I start SICE and give any command like d A90000 or BPX A90000 or (any command a*) * = anything, SICE CRASHES with the message Int0E Fault at address ****** offset 00006D78. If I don't load the DLL and run the app then the above faults don't occur, but obviously I cannot set any memory breakpoints on the address I mentioned - they will be ignored. After unloading SICE by reboot I tried OllyDbg 1.09b, loaded the exe and started a wild "trace over" (F8) once I felt I was near the call for the DLL. Oops, there occurs an exception in kernel32.dll; OK, I pass it to the app using Shift+F7 or F8, but then the app runs without pausing - the DLL gets loaded up and the unpacking routine is already over. Tried using the plugin OllyDump 2.20 to find the OEP by tracing - immediately there is an exception, an error message is displayed and the process is terminated, Sh**t. I tried BPX ISDEBUGGERPRESENT - the response is that it breaks 60 times. How do I find and disable the anti-debugging routines used by the DLL, because it is packed? SICE detection tools say it is detected only by INT 01. Please help.
Last edited by drasd_20002; 04-25-2003 at 10:10.
#2
Hi!
Open the DLL in HIEW and replace the first byte with CCh. Start SoftICE and give the command "i3here on". Start the program and when it stops give the command "r eip eip-1". Then put the original first byte back. Then give the command "i3here off". I am sorry for my horrible English.
#3
In the meanwhile I used the IceExt extension for SICE.
It is mostly not detected, even by Int1. I tried your suggestion; it works well. One could use a macro too: MACRO a= "r eip eip-1; eb eip %1". At the entry I have PUSHFD PUSHAD CALL abcd; here the registers are saved, and these should be restored just before the OEP jump. So I looked for the register value location in the data window and set a break on text, then bpx / bpm at the address, but it does not stop there. Where am I going wrong?
#4
I understand you badly. You can not find the OEP?
Try to do something like this:
- It is necessary to remember the value of ESP at the EP in the DLL.
- Then put "bpx GetProcAddress" or "bpx (GetProcAddress+3)" (on especially spiteful protectors) and press "F5".
- When it stops, do "bc *".
- Then put "bpr esp-4 esp+4" (if you are in Win98) or bpm esp-4, bpm esp-3, bpm esp-2, bpm esp-1 (if you are in Win2k/XP).
#5
Yes I was unable to find OEP.
I tried your advice. I ultimately reached 00B65C58. Is this the OEP? I have marked it in the code below (SoftICE). How do I confirm that? I also did not understand the principle behind the breakpoints.
___________________________________________________________
EAX=0012F750 EBX=00CFC000 ECX=0012F798 EDX=00050001 ESI=0012F6F0 EDI=00000001
EBP=0012F6FC ESP=0012F6E0 EIP=00CFD550
CS=001B DS=0023 SS=0023 o d I a z a p c ES=0023 FS=0030 GS=0000
__________Mydll!.pec______________________________________
001B:00CFBFF9 FFFF INVALID
001B:00CFBFFB FFFF INVALID
001B:00CFBFFD FFFF INVALID
001B:00CFBFFF FFEB JMP EBX //BREAK DUE TO EMBEDDED INT3
001B:00CFC001 06 PUSH ES
001B:00CFC002 68505C0D00 PUSH 000D5C58
001B:00CFC007 C3 MET
001B:00CFC000 9C PUSHFD //SAVE REGISTERS
001B:00CFC009 60 PUSHAD //SAVE REGISTERS
001B:00CFC00A E802000000 CALL 00CFC011
001B:00CFC00F 33CO XOR EAX , AH
001B:00CFC011 8BC4 MOV EAX, ESP
001B:00CFC013 83C004 ADD EAX , 04
001B:00CFC016 93 XCHG EAX, EBB
001B:00CFC017 8BE3 MOV ESP, EBB
________________________________________________________________
//snipped
Break due to Getprocaddress [after F5]
001B:77E7A5D9 50 PUSH EAX
001B:77E7A5DA FF15AC1ZE677 CALL [ntdll!RtlImageNtHeader]
001B:77E7A5E0 05C0 TEST "EAX , EAX"
001B:77E7A5E2 0F04170FFFFF JZ 77E734FF
001B:77E7A5E0 6603705C03 CMP "WORD PTR [EAX+5C],03"
001B:77E7A5ED 0F050C0FFFFF JNZ 77E734FF
001B:77E7A5F3 33C0 XOR "EAX , EAX"
001B:77E7A5F5 40 INC EAX
001B:77E7A5F6 C3 RET
001B:77E7A5F7 FFZ57C13E677 JMP [ntdll!LdrGetProcedure Address]
KERNEL32!GetProc Address
001B:77E7A5FD 55 PUSH EBP //Break due to Getprocaddress
001B:77E7A5FE 8BEC MOV "EBP, ESP"
001B:77E7A600 51 PUSH ECX
001B:77E7A601 51 PUSH ECX
001B:77E7A602 53 PUSH EBX
-------------------------------------------------------------------
//snipped
I put bpm 0012F6E0-4 bpm 0012F6E0-3 bpm 0012F6E0-2 bpm 0012F6E0-1 then pressed F5
Break due to BP 04: BPMB #001B:0012F6DF RW DR0
301B:00CFD52C 0D956BA14000 LEA "EDX, [EBP+0040A16B]"
301B:00CFD532 6A40 PUSH 40
301B:00CFD534 52 PUSH EDX
301B:00CFD535 FFB53D974000 PUSH DW0RD PTR [EBP+0040973D]
301B:00CFD53B FFB539974000 PUSH DW0RD PTR [EBP +00409739]
301B:00CFD541 E0F40A0000 CALL 00CFE03A
301B:00CFD546 05C0 TEST "EAX , EAX"
301B:00CFD540 0F059DFDFFFF JNZ 00CFD2EB
301B:00CFD54E 61 POPAD
301B:00CFD54F 9D POPFD ///Restore registers
301B:00CFD550 50 PUSH EAX
301B:00CFD551 60505CB600 PUSH 00B65C50
301B:00CFD556 C20400 RET 4
301B:00CFD559 0BB55B974000 MOV "ESI,[EBP+0040975B]"
---------------------------------------Mydll.pec+152C-----------------------
//snipped
Traced with F8 after that reaches here:
001B:00B65C58 55 PUSH EBP //??? OEP
001B:00B65C59 8BEC MOV "EBP, ESP"
001B:00B65C5B 03C4C4 ADD "ESP,-3C"
001B:00B65C5E B0B059B600 MOV "EAX,00B659B0"
001B:00B65C63 E0CC0CF3FF CALL 00A96934
001B:00B65C60 A1F47FB600 MOV "EAX,[00B67FF4]"
001B:00B65C6D 0B00 MOV "EAX, [EAX]"
001B:00B65C6F E05CCBF9FF CALL 00B027D0
001B:00B65C74 A1F47FB6GG MOV "EAX,[00B67FF4]"
001B:00B65C79 8B00 MOV "EAX, [EAX]"
001B:00B65C7B 33D2 XOR "EDX,EDX"
001B:00B65C7D EG46C7F9FF CALL 00B023C0
001B:00B65C02 GBGDDC7CB6GG MOV "ECX,[00B67CDC]"
001B:00B65C00 A1F47FB6GG MOV "EAX,[00B67FF4]"
001B:00B65C0D GB00 MOV "EAX, [EAX]"
001B:00B65C0F 0B151C7FB400 MOV "EDX,[00B47F1C]"
001B:00B65C95 E04ECBF9FF CALL 00B027E0
001B:00B65C9A E091E0F2FF CALL 00A94530
001B:00B65C9F 90 NOP
001B:00B65CA0 0 ADD "[EAX],AL"
001B:00B65CA2 0 ADD "[EAX],AL"
001B:00B65CA4 0 ADD "[EAX],AL"
-------------------------------------------------------------------
Last edited by drasd_20002; 04-30-2003 at 12:59.
#6
__________________________________________________
001B:00B65C50 55 PUSH EBP //??? OEP
__________________________________________________
Probably. It is very similar to the OEP.
edited: I congratulate you! Really, it is the OEP.
Last edited by asterix; 04-29-2003 at 06:02.
#7
Thank you very much.
Now I will try to inline patch/unpack it. Are there any tutorials on PECompact DLL unpacking? There are lots on exe unpacking, but I could not find one on DLLs.
#8
Unpacking a DLL does not differ at all from unpacking an EXE!
But it is necessary to remember: 1) about relocs; 2) about the image base with which it was dumped.
#9
You may note that there was an OCR (optical character recognition software) error; I used it to get the SoftICE screen dump.
The OEP is 00B65C58 & not 00B65C50. I dumped the DLL after giving jmp eip at the OEP using LordPE. I opened the original (unpacked) DLL process in Revirgin, entered the OEP, clicked fetch IAT - it says "found nothing". The image base as shown by LordPE is 00A90000 at dumping. Anyway I will try to find out more on Revirgin and meanwhile try inline patching... it seems easier than unpacking, because PECompact fuses all the sections and what not. Thank you for your valuable help.
Last edited by drasd_20002; 04-30-2003 at 13:39.
#10
I do not know how you copied it from SoftICE, but the OEP is this:
301B:00CFD54E 61 POPAD
301B:00CFD54F 9D POPFD ///Restore registers
301B:00CFD550 50 PUSH EAX
301B:00CFD551 60505CB600 PUSH 00B65C50 <---put OEP on the stack
301B:00CFD556 C20400 RET 4
If you are at eip=00CFD551 PUSH 00B65C50, give the command a eip jmp eip, but it is necessary to remember about the "nop". Or use the command !SUSPEND with IceExt. Then open LordPE, dump it, and restore the import!!! I do not know what the problems with the import are there. Maybe use ImpRec?
Last edited by asterix; 04-30-2003 at 20:29.
#11
My First PEInfo
#include "stdafx.h"
#include "Richedit.h"
#include "ProcessPeFile.h"
#include "RavToFileOffset.h"

char szMsg[190]="文件名:%s\x0d\x0a----------------------------------------------------------\x0d\x0a运行平台: 0x%04X\x0d\x0a节区数量: %d\x0d\x0a文件标记: 0x%04X\x0d\x0a建议装入地址: 0x%08X\x0d\x0a\x0a";
char szMsg1[100]="\x0d\x0a\x0d\x0a----------------------------------------------------------\x0d\x0a导入表所处的节:%s\x0d\x0a";
char szMsgSection[190]="----------------------------------------------------------\x0d\x0a节区名称 节区大小 虚拟地址 Raw_尺寸 Raw_偏移 节区属性\x0d\x0a----------------------------------------------------------\x0d\x0a";
char szFmtSection[40]="%s %08X %08X %08X %08X %08X\xd\xa";
char szMsgImport[400]="\x0d\x0a------------------------------------------------\x0d\x0a导入库: %s\x0d\x0a------------------------------------------------\x0d\x0a OriginalFirstThunk %08X\x0d\x0a TimeDateStamp %08X\x0d\x0a ForwarderChain %08X\x0d\x0a FirstThunk %08X\x0d\x0a------------------------------------------------\x0d\x0a导入序号 导入函数名称\x0d\x0a------------------------------------------------\x0d\x0a";
char szMsgOrdinal[30]="%8u (按序号导入)\x0d\x0a";
char szErrNoImport[40]="这个文件不使用任何导入函数";
char szMsgName[10]="%8u %s\x0d\x0a";

extern char szFileName[MAX_PATH];
extern HINSTANCE hInst;   // current instance
extern HWND hWinEdit;     // rich edit window handle
extern HWND hWinMain;     // main window handle

void _AppendInfo(char * szText);

void ProcessPeFile(void * lpFile, IMAGE_NT_HEADERS * lpPEHead, unsigned long dwSize)
{
    char szBuffer[1024];
    char szSectionName[16];
    IMAGE_SECTION_HEADER * pSECTIONHead;
    IMAGE_IMPORT_DESCRIPTOR * pIMPORTDES;
    unsigned long visualadd;
    unsigned long FileOffset;

    // Show the basic fields of the PE file header
    wsprintf(szBuffer, szMsg, szFileName, lpPEHead->FileHeader.Machine,
             lpPEHead->FileHeader.NumberOfSections,
             lpPEHead->FileHeader.Characteristics,
             lpPEHead->OptionalHeader.ImageBase);
    SetWindowText(hWinEdit, szBuffer);
    _AppendInfo(szMsgSection);

    // Loop over the section table and show every section header.
    // IMAGE_FIRST_SECTION honours SizeOfOptionalHeader instead of assuming sizeof(IMAGE_NT_HEADERS).
    int numberOfSections = lpPEHead->FileHeader.NumberOfSections;
    pSECTIONHead = IMAGE_FIRST_SECTION(lpPEHead);
    while (numberOfSections)
    {
        // Section names are 8 bytes and need not be NUL-terminated, so copy them out first
        RtlZeroMemory(szSectionName, sizeof(szSectionName));
        memcpy(szSectionName, pSECTIONHead->Name, IMAGE_SIZEOF_SHORT_NAME);
        wsprintf(szBuffer, szFmtSection, szSectionName, pSECTIONHead->Misc.VirtualSize,
                 pSECTIONHead->VirtualAddress, pSECTIONHead->SizeOfRawData,
                 pSECTIONHead->PointerToRawData, pSECTIONHead->Characteristics);
        _AppendInfo(szBuffer);
        pSECTIONHead++;
        numberOfSections--;
    }

    // Show the import table
    IMAGE_DATA_DIRECTORY directory = lpPEHead->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT];
    if (directory.VirtualAddress == 0 || directory.Size == 0)
    {
        _AppendInfo(szErrNoImport);   // the file imports nothing
        return;
    }
    visualadd = directory.VirtualAddress;
    FileOffset = _RVAToOffset(lpFile, visualadd);
    pIMPORTDES = (IMAGE_IMPORT_DESCRIPTOR *)((char *)lpFile + FileOffset);
    wsprintf(szBuffer, szMsg1, _GetRVASection(lpFile, pIMPORTDES->OriginalFirstThunk));
    _AppendInfo(szBuffer);
    // The descriptor array is terminated by an all-zero entry
    while (pIMPORTDES->OriginalFirstThunk || pIMPORTDES->TimeDateStamp ||
           pIMPORTDES->ForwarderChain || pIMPORTDES->Name || pIMPORTDES->FirstThunk)
    {
        char * szDllName = (char *)lpFile + _RVAToOffset(lpFile, pIMPORTDES->Name);
        wsprintf(szBuffer, szMsgImport, szDllName,
                 pIMPORTDES->OriginalFirstThunk, pIMPORTDES->TimeDateStamp,
                 pIMPORTDES->ForwarderChain, pIMPORTDES->FirstThunk);
        _AppendInfo(szBuffer);

        // Walk the thunk array: prefer the hint/name table, fall back to FirstThunk when it is absent
        if (pIMPORTDES->OriginalFirstThunk)
            visualadd = pIMPORTDES->OriginalFirstThunk;
        else
            visualadd = pIMPORTDES->FirstThunk;
        DWORD * pThunk = (DWORD *)((char *)lpFile + _RVAToOffset(lpFile, visualadd));
        DWORD THUNKDATA = *pThunk;
        while (THUNKDATA)
        {
            if (THUNKDATA & IMAGE_ORDINAL_FLAG32)
            {
                // High bit set: import by ordinal, ordinal in the low 16 bits
                wsprintf(szBuffer, szMsgOrdinal, THUNKDATA & 0xFFFF);
            }
            else
            {
                // Otherwise the entry is the RVA of an IMAGE_IMPORT_BY_NAME (hint + name)
                IMAGE_IMPORT_BY_NAME * pImportByName =
                    (IMAGE_IMPORT_BY_NAME *)((char *)lpFile + _RVAToOffset(lpFile, THUNKDATA));
                wsprintf(szBuffer, szMsgName, pImportByName->Hint, pImportByName->Name);
            }
            _AppendInfo(szBuffer);
            pThunk++;
            THUNKDATA = *pThunk;
        }
        pIMPORTDES++;
    }
    // Import table display finished
}

// Append text at the end of the rich edit control
void _AppendInfo(char * szText)
{
    CHARRANGE stCR;
    // Move the selection to the end of the existing text first; otherwise
    // EM_REPLACESEL overwrites whatever happens to be selected
    stCR.cpMin = stCR.cpMax = GetWindowTextLength(hWinEdit);
    SendMessage(hWinEdit, EM_EXSETSEL, 0, (LPARAM)&stCR);
    SendMessage(hWinEdit, EM_REPLACESEL, FALSE, (LPARAM)szText);
}

/* But first you should build a project (in a VC workspace), and you should map an opened file.
   Get the handle of the file, get the IMAGE_NT_HEADER of the file.
   If you really want the whole project, you can mail me. huangyingchang@21cn.com. */
#12
I have looked at this PECompact 1.84 here and have unpacked it.
I can tell that I observed code of this kind many times in PECompact's code:
:XXXXXXXX POPAD
:XXXXXXXX POPFD
:XXXXXXXX PUSH EAX
:XXXXXXXX PUSH XXXXXXXX
:XXXXXXXX RET 4
After bpm esp-4 ... etc. you need to press F5 (as many times as necessary to find the OEP). So probably it was still necessary to press F5. Maybe this (001B:00B65C58 55 PUSH EBP) is not the OEP! If possible, give a link to your program. I am sorry for my horrible English.
#13
I think the OEP is right because I tried the same method on a crackme (PECompact 1.84) and two other targets (exe); after Unpack+IAT rebuild (ImpRec) all are working fine.
But with the DLL no success getting the IAT. Also with "XP notepad" that I packed with PECompact, ImpRec won't work. I have a few doubts: In the unpacked (original) notepad/exe/dll, the entry point in the PE header (PEP) is the OEP, is it correct? Is the OEP hard coded (present in the file on disk) in the PECompacted file? I tried getting IAT info in ImpRec for Notepad98; it gives values, but for notepad XP it says: "Could Not Find anything good at this OEP". I tried changing max recursion & buffer size in options but no use. I think I have to find the IAT manually and fix it. I am sending you the target while I try confirming the OEP myself, because that would give me real confidence.
Last edited by drasd_20002; 05-02-2003 at 01:58.
#14
I tried to rebuild the import table with ImpRec.
Since it fails even with the correct OEP, I used another Delphi DLL initially & then this one; sort of partial grafting work. Now the DLL is working perfectly in a certain environment, like if it is the first DLL called from the prog. It does not work on a different computer or a different OS (Win 98), or when it is the 3rd called DLL etc. I worked in XP. What could be the cause? Relocs? Please help me with suggestions.
#15
Hi!
Yes, vdsrun40.dll is necessary for me. What size is this DLL? But I tried to unpack it having picked it up with another .exe (my small .exe). Strange: esp=12f8ec (in WinXP), oep=D1160 (without image base), import (rva: 2681CC size: 7D8) <- I used Revirgin (in WinXP). I can tell nothing certain about relocs. But vdsrun40.dll is necessary for me!!!
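The header checks behind the questions in #8, #13 and #14 (is the entry point named in the PE header the OEP, does the import directory land inside any section, are the relocs still there), as an added example that is not code from this thread: a minimal PE32 header parser run over constructed headers that mimic the layout discussed (a writable pec1 code section in a DLL with image base 0xA90000). The sample builder, its field values and all function names are my own; 0xE0000020 is the section characteristics value quoted in #1.

```python
import struct

# Section flag bits; 0xE0000020 (CODE|EXECUTE|READ|WRITE) is the value quoted for "pec1" in #1.
SCN_CODE, SCN_EXEC, SCN_WRITE = 0x20, 0x20000000, 0x80000000
def parse_pe32(data):
    """Minimal PE32 header parser: entry RVA, image base, data directories, section table."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]                      # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24                                                      # after the 20-byte file header
    assert struct.unpack_from("<H", data, opt)[0] == 0x10B, "PE32 only"
    entry, _, _, base = struct.unpack_from("<IIII", data, opt + 16)   # AddressOfEntryPoint .. ImageBase
    ndirs = struct.unpack_from("<I", data, opt + 92)[0]
    dirs = [struct.unpack_from("<II", data, opt + 96 + 8 * i) for i in range(ndirs)]
    hdrs = [struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i) for i in range(nsec)]
    secs = [(h[0].rstrip(b"\0").decode("ascii", "replace"), h[2], h[1], h[9]) for h in hdrs]
    return {"entry": entry, "base": base, "dirs": dirs, "secs": secs}  # secs: (name, va, vsize, chars)

def section_of(secs, rva):
    """(name, characteristics) of the section whose virtual range covers rva, else None."""
    for name, va, vsize, chars in secs:
        if va <= rva < va + vsize:
            return name, chars
    return None
def triage(data):
    """The header questions raised in the thread, answered for one file."""
    pe = parse_pe32(data)
    ep = section_of(pe["secs"], pe["entry"])
    imp_rva, imp_size = pe["dirs"][1]                                  # IMAGE_DIRECTORY_ENTRY_IMPORT
    imp = section_of(pe["secs"], imp_rva) if imp_size else None
    return {
        "entry_va": pe["base"] + pe["entry"],        # what the PE header names; equals the OEP only when unpacked
        "entry_section": ep[0] if ep else None,
        "entry_is_writable_code": bool(ep and ep[1] & SCN_WRITE and ep[1] & (SCN_CODE | SCN_EXEC)),
        "import_section": imp[0] if imp else None,   # None is what a "found nothing" import RVA looks like
        "has_relocs": pe["dirs"][5][1] != 0,         # empty reloc directory: the loader cannot rebase the DLL
    }
def build_sample(entry_rva, import_rva, reloc_size):   # constructed PE32 DLL headers only, no section bodies
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    fh = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x2102)      # i386, 2 sections, EXE|32BIT|DLL
    opt = struct.pack("<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII", 0x10B, 6, 0, 0, 0, 0, entry_rva, 0x1000,
                      0x2000, 0xA90000, 0x1000, 0x200, 4, 0, 0, 0, 4, 0, 0, 0x4000, 0x400, 0, 2, 0,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(import_rva, 0x7D8) if i == 1 else (0x3000, reloc_size) if i == 5 else (0, 0) for i in range(16)]
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    sec = lambda n, va, sz, ch: struct.pack("<8sIIIIIIHHI", n, sz, va, sz, 0x400, 0, 0, 0, 0, ch)
    return (dos + b"PE\0\0" + fh + opt + sec(b"pec1", 0x1000, 0x2000, 0xE0000020)
            + sec(b".reloc", 0x3000, 0x1000, 0x42000040))
```

Run `triage()` over a real dump to see the same three answers: an entry point sitting in a writable code section is the packer stub rather than the OEP, an import RVA that no section covers is why an IAT tool reports nothing, and an empty reloc directory means the DLL only loads at its preferred base.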