Flag: Tornado!
Hurricane!
|
|
PECompact 2.x |
Jeremy Collake |
Compressor |
quig |
June 15 2005 |
|
VirtualAlloc() + PE Header |
yes |
yes |
.text, .rsrc |
N/A
|
|
adds its own SEH handler (pushes a handler/previous-handler pair on the stack and points fs:0 at it)
throws an error: a deliberate write to address 0 (access violation) so that the registered handler runs
patches code: the handler overwrites the faulting instruction with a jmp into the .rsrc stub
passes exception unhandled (from the debugger's point of view: the access violation must be passed to the program, Shift+F9 / `esto` in OllyDbg, or the handler never runs). NOTE(review): the handler returns 0 (ExceptionContinueExecution), so the dispatcher resumes at the now-patched instruction rather than moving on to the next handler — confirm by single-stepping.
next block is the top-level function; it allocates a buffer (VirtualAlloc)
decodes the next function block into the low-memory buffer
this block has to be dumped separately: it lives in the VirtualAlloc'd buffer, which is freed before the jump to the OEP, so it is missing from a dump taken at the OEP; it contains all the LoadLibrary / import-table setup
frees the buffer (VirtualFree)
jumps back to the original entry point, which is the same address as the EP in the PE header (the real code has been decompressed over it by then)
Easy way to get to the OEP:
Set a hardware (execute) breakpoint on the EP and run; after all the tricks the stub jumps back to that same address. Use a hardware breakpoint rather than a software INT3: the unpacker writes the real code back over the EP before jumping to it, which would clobber an INT3 planted there.
|
jmp eax ;Back to original entry point defined in PE header |
|
.text:00401219 start: ; packer entry point == PE header EP; the OEP jump at 00426C29 comes back here once the real code is in place
.text:00401219 mov eax, 426B64h ;err handler address (the proc at .rsrc:00426B64)
.text:0040121E push eax ;place on stack -> handler field of a new SEH registration record
.text:0040121F push large dword ptr fs:0 ;prev err handler -> 'previous' field of the record
.text:00401226 mov large fs:0, esp ;active err handler = struc to stack (fs:0 now points at the record just built on the stack)
.text:0040122D xor eax, eax ; eax = 0
.text:0040122F mov [eax], ecx ;throw error: deliberate write to address 0 -> access violation -> handler at 426B64 runs and rewrites these bytes into 'jmp 426B87'
.rsrc:00426B64 start proc near ; SEH handler registered at 00401219; entered on the deliberate null write
.rsrc:00426B64 ; NOTE(review): arg_0 is the handler's first argument, which for an x86 SEH
.rsrc:00426B64 arg_0 = dword ptr 4 ; handler is the EXCEPTION_RECORD*; +0Ch below is its ExceptionAddress field
.rsrc:00426B64 ; Self-modifying: writes to .rsrc (below) and to .text (the faulting site), so both must be writable in memory
.rsrc:00426B64 mov eax, 0FFBA5B0Dh ; immediate that will be patched into the 'mov eax, 12345678h' at 426B87
.rsrc:00426B69 lea ecx, [eax+88107Ah] ; 0FFBA5B0Dh + 88107Ah wraps in 32 bits to 426B87
.rsrc:00426B6F mov [ecx+1], eax ; ecx = 426B87: overwrite the 12345678h immediate (bytes at 426B88) with 0FFBA5B0Dh
.rsrc:00426B72 mov edx, [esp+arg_0] ; edx = exception record
.rsrc:00426B76 mov edx, [edx+0Ch] ; edx = faulting address (the 'mov [eax], ecx' at 0040122F)
.rsrc:00426B79 mov byte ptr [edx], 0E9h ; first byte of the faulting instruction becomes jmp rel32 ...
.rsrc:00426B7C add edx, 5 ; edx = end of the 5-byte jmp
.rsrc:00426B7F sub ecx, edx ; ecx = 426B87 - (fault + 5) = rel32 displacement
.rsrc:00426B81 mov [edx-4], ecx ; ... with its target set to 426B87 (the mov patched above)
.rsrc:00426B84 xor eax, eax ; return 0 = ExceptionContinueExecution
.rsrc:00426B86 retn ; returns to ntdll.77f92538 (the exception dispatcher)
.rsrc:00426B86 start endp ; NOTE(review): the original notes read this as "passes to the next handler";
.rsrc:00426B86 ; a return value of 0 instead tells the dispatcher to resume at the faulting EIP,
.rsrc:00426B86 ; which now holds the jmp to 426B87 — confirm in the debugger
.rsrc:00426B87 ; --------------------------------------------------------------------------- continuation reached through the patched jmp at 0040122F
.rsrc:00426B87 mov eax, 12345678h ; patched above to mov eax, FFBA5B0D (the handler wrote the immediate at 426B88)
.rsrc:00426B87 ; NOTE(review): the original note says ZwContinue "searches for the next handler"; with the
.rsrc:00426B87 ; handler returning 0 (ExceptionContinueExecution) ZwContinue resumes at the patched EIP instead — confirm by stepping
.rsrc:00426B8C pop large dword ptr fs:0 ; restore the previous SEH handler
.rsrc:00426B93 add esp, 4 ; discard the pushed handler address -> the frame built at 401219 is fully unlinked
.rsrc:00426B96 push ebp ; save registers; restored in reverse order just before the OEP jump
.rsrc:00426B97 push ebx
.rsrc:00426B98 push ecx
.rsrc:00426B99 push edi
.rsrc:00426B9A push esi
.rsrc:00426B9B push edx
....Some Stuff....
.rsrc:00426BBB call eax ; VirtualAlloc (eax resolved in the elided code); scratch buffer for the decoded loader block
.rsrc:00426BBD pop edx
.rsrc:00426BBE mov edi, eax ; edi = buffer returned by VirtualAlloc
....Some Stuff....
.rsrc:00426BE5 call ecx ; ecx = 426A92; presumably the decoder that fills the low-mem buffer (see notes above) — verify
....Some Stuff....
.rsrc:00426C09 call edi ; edi = 2F01D0 (see region dump idb) — code in the VirtualAlloc'd buffer, not in the image
.rsrc:00426C09 ; (loads all libraries and pointer table) — dump this buffer separately, it is freed a few instructions later
....Some Stuff....
rsrc:00426C1F call dword ptr [ecx] ; Virtual Free — the 2F01D0 loader code is gone after this
.rsrc:00426C21 mov eax, esi ; eax = OEP (esi set in the elided code)
.rsrc:00426C23 pop edx ; restore registers pushed above
.rsrc:00426C24 pop esi
.rsrc:00426C25 pop edi
.rsrc:00426C26 pop ecx
.rsrc:00426C27 pop ebx
.rsrc:00426C28 pop ebp
.rsrc:00426C29 jmp eax ; OEP (same EP as in PE header but now to real exe); a hardware execute breakpoint on 401219 catches this landing
|
|
// Script for OllyScript plugin by SHaG - http://ollyscript.apsvans.com
;--------------
/*
//////////////////////////////////////////////////////////////
// PECompact 2.xx (Support all ver) OEP finder
// Author: hacnho/VCT2k4
// Email : [email protected]
// Website: http://nhandan.info/hacnho
// OS : WinXP Pro, OllyDbg 1.10 Final, OllyScript v0.85
// Date ReLeAsE: 14 July 2004
/////////////////////////////////////////////////////////////
*/
var CS                      // size of the code section (CODESIZE)
var CB                      // base of the code section (CODEBASE)
var Temp                    // address of the 'jmp eax' that lands on the OEP
// Start at the packer EP. Step over the first instruction — assumes it is the
// 'mov eax, <SEH handler address>' seen in the listing above, so eax then holds
// the packer's exception handler.
sto
findop eax, #C3#            // first 'retn' (C3) from the handler onwards = end of the handler
bp $RESULT
// The packer faults on purpose (write to address 0) and the exception has to be
// passed to the program (Shift+F9) for its handler to run. Two runs are used:
// presumably the first stops on the first-chance access violation and the second
// passes it and reaches the retn breakpoint. If OllyDbg is set to ignore memory
// access violations (Options > Exceptions) this count may need adjusting.
esto
esto
gmi eip, CODEBASE           // code section of the module that eip is in
mov CB, $RESULT
log CB
gmi eip, CODESIZE
mov CS, $RESULT
log CS
bpwm CB, CS                 // break on the first write into the code section (unpacker restoring the real code)
esto
sto
bpmc                        // drop the memory breakpoint; the write was only the cue that decompression is running
// Search forward from the current eip for FF E0 ('jmp eax') and break on it.
// NOTE(review): this takes the first FF E0 byte pair after eip, which is not
// guaranteed to be the OEP jump — check $RESULT against the stub (in the listing
// above the final 'jmp eax' is at .rsrc:00426C29).
findop eip, #FFE0#
mov Temp, $RESULT
bp $RESULT
esto
jmp exit
Return:
esto                        // stopped for some other reason (e.g. an exception); keep running
jmp exit
exit:
cmp eip, Temp               // loop until the stop is our breakpoint on 'jmp eax'
jne Return
sto                         // step over 'jmp eax' -> eip is now the OEP
log eip
cmt eip, "This is the OEP! Found by hacnho/VCT2k4"
MSG "Dumped and fix IAT now! Thanx for using my Script...!"
ret
;---
|
|
|
|
|
|