The Reversers.org Vault : PECompactInlinePatching


Inline Patching a PE-Compact packed file (PE-Compact v2.66)

Required Knowledge
Basic assembly knowledge and knowledge of OllyDbg will prove useful.

Level : Beginner / Intermediate

Author : minderbinder

Target : dhx.cme.1.exe
Tools : OllyDbg with CommandBar Plugin

The crackme file



OK, I packed this crackme (dihux's n2c crackme #1) with PE-Compact v2.66 (the latest version as of this writing).

When we first load the file in Olly, we see this:

00401000 > $ B8 2C5A4000    MOV EAX,dhx_cme_.00405A2C
00401005   . 50             PUSH EAX
00401006   . 64:FF35 000000>PUSH DWORD PTR FS:[0]
0040100D   . 64:8925 000000>MOV DWORD PTR FS:[0],ESP
00401014   . 33C0           XOR EAX,EAX
00401016   . 8908           MOV DWORD PTR DS:[EAX],ECX
00401018   . 50             PUSH EAX
00401019   . 45             INC EBP
0040101A   . 43             INC EBX
0040101B   . 6F             OUTS DX,DWORD PTR ES:[EDI]               ;  I/O command
0040101C   . 6D             INS DWORD PTR ES:[EDI],DX                ;  I/O command
0040101D   . 70 61          JO SHORT dhx_cme_.00401080
0040101F   . 637432 00      ARPL WORD PTR DS:[EDX+ESI],SI
00401023   . 55             PUSH EBP
00401024   . 50             PUSH EAX
00401025   . 6D             INS DWORD PTR ES:[EDI],DX                ;  I/O command
00401026   . 55             PUSH EBP
00401027   . 8BEC           MOV EBP,ESP
00401029   . 817D 0C 110100>CMP DWORD PTR SS:[EBP+C],62000111
00401030   . C1B2 0F85DA00 >SAL DWORD PTR DS:[EDX+DA850F],8B         ;  Shift constant out of range 1..31
00401037   . 45             INC EBP
00401038   . 1083 01E8C02C  ADC BYTE PTR DS:[EBX+2CC0E801],AL
0040103E   . 7D 14          JGE SHORT dhx_cme_.00401054


Here is the interesting part:

00401014   . 33C0           XOR EAX,EAX
00401016   . 8908           MOV DWORD PTR DS:[EAX],ECX


EAX is 0, so this instruction will throw an exception (access violation), which is our gateway to the OEP ;)

Step until you get to this instruction (F8), step one more time to execute the instruction and we will be inside the exception handler.

77F5109C   8B1C24            MOV EBX,DWORD PTR SS:[ESP]
77F5109F   51                PUSH ECX
77F510A0   53                PUSH EBX
77F510A1   E8 BD060100       CALL ntdll.77F61763
77F510A6   0AC0              OR AL,AL
77F510A8   74 0C             JE SHORT ntdll.77F510B6
77F510AA   5B                POP EBX
77F510AB   59                POP ECX
77F510AC   6A 00             PUSH 0
77F510AE   51                PUSH ECX
77F510AF   E8 FFD40200       CALL ntdll.ZwContinue


Step until we get to the 77F510AF E8 FFD40200 CALL ntdll.ZwContinue instruction.

Press F7 to step into this call and we will be here:

77F7E5B3 > B8 20000000       MOV EAX,20
77F7E5B8   BA 0003FE7F       MOV EDX,7FFE0300
77F7E5BD   FFD2              CALL EDX
77F7E5BF   C2 0800           RETN 8


Step into the 77F7E5BD FFD2 CALL EDX instruction.

Inside the call we will see this code:

7FFE0300   8BD4              MOV EDX,ESP
7FFE0302   0F34              SYSENTER
7FFE0304   C3                RETN


Single-step (F8) to execute the 7FFE0302 0F34 SYSENTER instruction and we will be where we want to be.

00405A4F   B8 23480700       MOV EAX,74823


Now press Ctrl+F and search for the 'jmp eax' instruction, or simply scroll down until you find it (it will be at the end of the code); this is the jump to the OEP. Set a breakpoint on this instruction so that you won't have to do all of this again ;)

00405AEE  -FFE0              JMP EAX                       ; dhx_cme_.<ModuleEntryPoint>
 


Now run the program (F9) and it will break on the jmp eax instruction.

OK, this is the hard way to find the OEP. The easy way is to press Alt+M to view memory once the PE-Compacted file is loaded in Olly, select the .rsrc section of the packed file, press Ctrl+B to binary search, and enter the bytes that encode the instructions immediately before the jmp to the OEP.

00405AE8   5A                POP EDX
00405AE9   5E                POP ESI
00405AEA   5F                POP EDI
00405AEB   59                POP ECX
00405AEC   5B                POP EBX
00405AED   5D                POP EBP
00405AEE   FFE0              JMP EAX


(5A 5E 5F 59 5B 5D FF E0 are the bytes we want to search for)

Write down the offset that is found, then close the memory dump window and module window and go to the jmp OEP offset (press Ctrl+G and enter the offset) and you will be there. I find the other way just as fast, though ;)

Whichever way you choose, once you get to the jmp OEP, single-step over it to execute the jmp and you will be at the OEP of the packed application ;) Now press Ctrl+A to analyse the code and start looking for the offsets you need to patch. This crackme is for beginners, so it's pretty easy to figure out that this instruction needs to be NOPed:

004010FA  |. 75 26           JNZ SHORT dhx_cme_.00401122


Write down the offset and restart olly (ctrl+F2).

Now run the program again (with the breakpoint on jmp to OEP).

The few bytes after the jmp are written over upon execution with this instruction:

00405ACC   8985 CD123900     MOV DWORD PTR SS:[EBP+3912CD],EAX


NOP this instruction so that our inline patch can be placed immediately after the jmp eax instruction. In some compacted files those few saved bytes are what lets you avoid adding a new section to the PE, but this one has enough room either way.

NOP the jmp eax, and in its place assemble 'mov word ptr [004010FA], 09090h'.

Set the next instruction to 'jmp eax'

The code should now look like the following:

00405ACA   FFD7              CALL EDI
00405ACC   90                NOP
00405ACD   90                NOP
00405ACE   90                NOP
00405ACF   90                NOP
00405AD0   90                NOP
00405AD1   90                NOP
00405AD2   8BF0              MOV ESI,EAX                              ; dhx_cme_.<ModuleEntryPoint>
00405AD4   8B4B 14           MOV ECX,DWORD PTR DS:[EBX+14]
00405AD7   5A                POP EDX
00405AD8   EB 0C             JMP SHORT dhx_cme_.00405AE6
00405ADA   03CA              ADD ECX,EDX
00405ADC   68 00800000       PUSH 8000
00405AE1   6A 00             PUSH 0
00405AE3   57                PUSH EDI
00405AE4   FF11              CALL DWORD PTR DS:[ECX]
00405AE6   8BC6              MOV EAX,ESI
00405AE8   5A                POP EDX
00405AE9   5E                POP ESI
00405AEA   5F                POP EDI
00405AEB   59                POP ECX
00405AEC   5B                POP EBX
00405AED   5D                POP EBP
00405AEE   66:C705 FA104000 >MOV WORD PTR DS:[4010FA],9090
00405AF7   FFE0              JMP EAX


Now save the file and run it and you will have a cracked crackme ;)
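As an added example (not part of this tutorial), here is a small Python script that does the two checks above offline rather than in the debugger: it searches a memory-layout dump for the POP/JMP EAX signature bytes used in the Ctrl+B search, and it decodes the bytes left at the jump site after patching, so you can confirm that the patch writes two NOPs over 004010FA and still ends in JMP EAX before running the file. The buffers, the base address and the function names are assumptions constructed from the listings on this page; the decoder deliberately understands only the instruction forms the patch uses and reports anything else as unknown.

```python
"""
Added example: locate the PECompact OEP-jump epilogue in a memory-layout
dump and decode the patched jump site.  Constructed from the listings on the
page; not code from the tutorial or from PECompact.
"""
import re
import struct

# Epilogue quoted on the page: POP EDX/ESI/EDI/ECX/EBX/EBP ; JMP EAX
OEP_JUMP_EPILOGUE = bytes.fromhex("5A 5E 5F 59 5B 5D FF E0")

# Constructed sample: bytes 00405AE8..00405AF8 as the page lists them before
# and after the patch (the bytes after the original JMP EAX are slack).
POPS = bytes.fromhex("5A 5E 5F 59 5B 5D")
BEFORE = POPS + bytes.fromhex("FF E0")
AFTER = POPS + bytes.fromhex("66 C7 05 FA 10 40 00 90 90 FF E0")
SAMPLE_BASE_VA = 0x405AE8   # assumed VA of the first byte of the sample


def find_jmp_eax(image: bytes, base_va: int) -> list[int]:
    """Return the VA of every JMP EAX that is preceded by the six POPs.

    `image` is assumed to be a dump in memory layout whose first byte lives
    at `base_va` (for example the section shown in Olly's memory window).
    Note that the signature no longer matches once the site is patched,
    because the MOV now sits between POP EBP and JMP EAX."""
    pops_len = len(OEP_JUMP_EPILOGUE) - 2          # JMP EAX is the last two bytes
    return [base_va + m.start() + pops_len
            for m in re.finditer(re.escape(OEP_JUMP_EPILOGUE), image)]


def decode_patch_site(code: bytes, va: int) -> list[tuple[int, str]]:
    """Decode only the forms the inline patch uses:
    NOP (90), MOV WORD PTR [abs32],imm16 (66 C7 05 disp32 imm16) and
    JMP EAX (FF E0).  Any other byte stops the decode and is reported,
    so unexpected bytes at the patch site are visible."""
    out = []
    i = 0
    while i < len(code):
        b = code[i:]
        if b[0] == 0x90:
            out.append((va + i, "NOP"))
            i += 1
        elif b[:3] == b"\x66\xC7\x05" and len(b) >= 9:
            disp, imm = struct.unpack_from("<IH", b, 3)
            out.append((va + i, f"MOV WORD PTR [{disp:08X}],{imm:04X}"))
            i += 9
        elif b[:2] == b"\xFF\xE0":
            out.append((va + i, "JMP EAX"))
            i += 2
        else:
            out.append((va + i, f"?? {b[0]:02X}"))
            break
    return out


if __name__ == "__main__":
    print("signature hits before patch:",
          [f"{va:08X}" for va in find_jmp_eax(BEFORE, SAMPLE_BASE_VA)])
    print("signature hits after patch: ",
          [f"{va:08X}" for va in find_jmp_eax(AFTER, SAMPLE_BASE_VA)])
    for va, text in decode_patch_site(AFTER[len(POPS):], SAMPLE_BASE_VA + len(POPS)):
        print(f"{va:08X}  {text}")
```

Running it on the constructed sample reports the original JMP EAX at 00405AEE, no signature hit after the patch, and the decoded patch site as MOV WORD PTR [004010FA],9090 at 00405AEE followed by JMP EAX at 00405AF7, matching the listing above. To use it on a real dump, save the section from Olly's memory window to a file, read it as bytes and pass the section's start address as `base_va`.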

Note : Sometimes more bytes will be written after the OEP; you can either patch the instructions that write to those offsets, or make the jmp eax instruction jump over those bytes to your own code (inline patch).


  Attachment Size Date Added
      dhx.cme.1.zip   3.4 KB   11/17/2005 6:08 am
 


Categories
CategoryTutorialsIntermediate

