Académique Documents
Professionnel Documents
Culture Documents
If you did not find any files accompanying th is paper you can dow nload th em at:
h ttp://w w w .yates2k.net/lad_files.rar
or h ttp://w w w .w oodmann.net/yates/lad_files.rar
Introd uction
So you w ant to unpack a program, aspack? asprotect? even safedisc? To accomplish such a
task a degree of know ledge is needed in many, many different areas, over th e years I h ave
been w riting small tutorials on th ese areas b efore I ever w rite a compreh ensive tutorial on a
single sub ject.
Ok, so one th ing th at I’ve noticed is th at 'new bies' h ave no sense of h ow th ey're going to
carry out all th e tasks needed to repair a exe, most plan to just d ump an exe image and try
and fix bits as th ey go along, but a much more structured w ay can be taken and th is is to
create a 'dumper' w h ich effectively launch es your target exe and h alts it in certain places so
you can read some memory areas and save data, and eventually end up at OE P w h en you
can dump th e sections to disk and make your necessary ch anges.
emon
H ow th e d emo n stration w ill h appen
E xaming th e target
Ok before I explain th e process of controlling th e program flow let’s look at our target and
find w h at w e h ave to do. I've protected my notepad w ith upx and took 5mins to study h ow
it w orks. I'll now briefly explain:
U PX entry point looks like th is,
As you can see by my comments th e structure is pointer to name, th unk location and th en a
list of functions for th at dll. Th e dll pointer is fixed up and read and U PX loads th e library
h ere,
It th en reads th e 80h and add s th e section base to it and puts it in E B X th is w ill be th e th unk
for th e current dll and w h ere all th e resolved address for th e api list w ill be placed, if you
understand import tables th en you know th is is th e point you sh ould replace th e api address
w ith a pointer to th e name. Anyw ay, so th en furth er dow n it reads th e api name th en
performs getprocad dress
Ok so for fun w e w ill stop th e program at 010 117 82 , output th e current function th en
continue to 01011 78D and output th e api ad dress :-)
Ob jectives
* Start E xecutable
* place a stop point at oep - 010117 9E
* stop at 010 117 6C print th e dll name
* stop at 010 117 80 print th e ascii name
* stop at 010 117 96 print th e api address
* loop th ese stop points until w e get to oep
I’m going to be sh ow ing my examples in ASM using th e compiler TASM , I w ill also try and
include C + + source codes in th e final source for you new generation coders ;-)
Th eory
R esumeTh read / Suspend Th read - U sed to stop and start th e process th read in its current
state
h ttp://msdn.microsoft.com/library/default.asp?url= /library/en-
us/dllproc/base/resumeth read.asp
h ttp://msdn.microsoft.com/library/default.asp?url= /library/en-
us/dllproc/base/suspendth read.asp
W riteProcessM emory / R eadProcessM emory - U sed to insert our JM P -2 and read process
memory
h ttp://msdn.microsoft.com/library/default.asp?url= /library/en-
us/d ebug/b ase/w riteprocessmemory.asp
h ttp://msdn.microsoft.com/library/default.asp?url= /library/en-
us/d ebug/b ase/read processmemory.asp
G etTh readC ontext / SetTh read C ontext - U sed to get th e R egister values from th e running
process.
h ttp://msdn.microsoft.com/library/default.asp?url= /library/en-
us/d ebug/b ase/getth readcontext.asp
h ttp://msdn.microsoft.com/library/default.asp?url= /library/en-
us/d ebug/b ase/setth readcontext.asp
Pratice
In th is case w e are inserting E B F E into th e exe, but w e are inserting th em inside a loop th at
resolves imports. W h en w e place th e E B F E w e are destroying data, so it’s a good idea to
find a suitable place to put th em. F or example, over a 2 byte instruction w e can emulate.
Let’s now look for good places to put our h ooks.
1 . OE P.
2 . D LLNAM E
0101 176 C is a good place because w e can read E AX to get th e dll, and also grab ebx, esi
Ad d th em and insert th e result b ack into ebx, ok get th e idea?
3 . ASC II NAM E
4 . API AD D R E SS
Th e address goes into eax after getprocad dress so I’m going to ch oose
0101 179 6 E B E 1 jmp sh ort B U ILD _TH U NK for my h ook and update eip w ith th e
address of B U ILD _TH U NK to simulate th e jump w h en I’m done.
C od ing th e program
Ok I th ink th e important bit is over, now w e need to code th is idea, now I’m no coding
teach er, but perh aps for some of you coding is new , and it’s important to find a language
your going to be h appy learning and using, w h ilst coding th e program you w ould normally
code small sections first and test th em but since its going to be h ard to put th is dow n on
paper, I’m now going to paste my source cod e file in sections and explain it as much as I
can, you may learn to cod e in a similar style to try port th e idea to anoth er language, or
perh aps your an excellent coder anyw ay, b ut I never assume anyth ing :-)
Ok th e source file is upx_d ump.asm you sh ould open th is as I go th rough it, th e first top bit
is just th e defining of some APIS and C onstants, th en th e .data section sets up some
variables w e need, w e w ill see th em in use as w e go along.
Ok so now our process is loaded and w e our h ooks patch ed in. Th e next stage is let th e
process run, th en code a M AIN B OD Y w h ich w ill be a loop w h ere G etTh read C ontext is
constantly called, G etTh readC ontext w ill retrieve all th e running processes registers, so if w e
are calling th is in a loop w e can monitor w h en E IP h its one of our h ooks th en take action,
easy eh ? Ok h ere it is:
Now w e h ave a main bod y, now run th rough th e process in your h ead, th e first th ing th at
w ill h appen is w e w ill get a h ooked detected at th e D LLNAM E , since if you ch ecked th e upx
code snipped at th e start th e first th ing upx does is load a dll, so let’s cod e th e
D LLNAM E _H OOK E D procedure.
D LLNAM E _H OOK E D :
; skip instruction
mov eax, [my_context+ R E G _E IP]
add eax, 2
mov [my_context+ R E G _E IP], eax
; set context
call SetTh readC ontext, [tProcessInfo+ 4], o my_context
call dll1
db 13,1 0,13,10,'-> Loading D LL ',0
dll1:
call dbg_string
call dbg_string, o myB uffer
call dbg_string, o new line
jmp C ontextLoop
Ok h ere w e stop th e process w ith suspendth read so w e stop th e cpu going crazy, th en w e get
th e context so h ave all th e current registers, now th e dll name is stored in E AX , so w e read
th is value from th e context structure, now w e h ave a pointer to th e dllname in th e oth er
process, so w e read from th is address into a buffer.
Next w e need to fix th e instruction w e destroyed w h ich w as AD D E B X , E SI, now if you never
needed to h ook th is point again you could patch th e instruction back but since w e w ant to
break h ere again w e must emulate it, so I grab ebx and esi from th e context struct add th em
and insert it back into ebx, th en I also get th e eip value and ad d 2, th is is so w e skip th e E B
F E and start at th e PU SH , th en i use SetTh readC ontext to update th e process's memory,
R esumeTh read th en sets it back on its w ay, i've th en used my ow n internal functions dbg_xx
to w rite out text and th e contents of th e buffer into a file called deb ug.txt. Now w e jump back
to our main context ch ecking loop.
Th e next th ing th at w ill h appen is w e'll break on th e ASC IINAM E _H OOK E D , so let’s code
th at, you can almost copy paste th e ab ove function and make minor tw eaks.
; skip instruction
mov eax, [my_context+ R E G _E IP]
add eax, 2
mov [my_context+ R E G _E IP], eax
; set context
call SetTh readC ontext, [tProcessInfo+ 4], o my_context
call dll2
db ' F U NC : ',0
dll2:
call dbg_string
call dbg_string, o myB uffer
jmp C ontextLoop
APIAD D R _H OOK :
call SuspendTh read, [tProcessInfo+ 4 ]
call G etTh readC ontext, [tProcessInfo+ 4], o my_context
call dll3
db 9,9,9,'AD D R : ',0
dll3:
call dbg_string
call dbg_dw ord,eax,0
call dbg_string, o new line
; set context
call SetTh readC ontext, [tProcessInfo+ 4], o my_context
Since th e api address is E AX all I need do is get th e value from th e context structure, th en
w e h ad our h ook at 0101 1796, so I emulate th e 'jmp sh ort B U ILD _TH U NK ' by placing th e
address of B U ILD _TH U NK into E IP and continue.
OE P_R E AC H E D :
Just a simple messagebox to say h ello :) and th e end of th e code looks like,
CE RR:
call M essageB oxA,0,o msgcontext,o msgerr, 0
E nd_Process:
call exitprocess, 0
end main
Ta da! Th at’s it, now since w e are messing around w ith a program during a small loop th at
resolves th e imports it considerably slow s th e app d ow n, if you test th e example it w ill take
about 1 minute until th e message b ox appears, click ok th en view debug.txt
I've provided ASM and C PP code, and b oth compiled exes for you to test, th e C PP one seems
to run much faster, it also screen output, reading th e C PP code is probably easier to
understand th an th e ASM as you can see th e program structure much b etter.
Now don’t take th is tutorial as a literal w ay of cracking someth ing, it merely d escribes a
common tech nique used my dumpers, you sh ould reverse your target application and find
good h ook points, like after some decryption, th en make use of your d umper to run th rough
th e target collecting information needed for a final unpacked target, so h ave fun and w atch
out for C R C s ;-)
regards,
yates.
yates@ reverse-engineering.info