Saturday, 16 March 2013

UPack 0.39 Unpacking

A recent malware sample that I've encountered utilized the UPack 0.39 PE packer, according to PEiD. CFFExplorer identified the sample as UPack and PolyEnE. We'll go over the general unpacking process for this binary.

MD5: DCE1A5B487E91DD1FD761C2EEFD307C9
SHA-1: 68F71350636CDF76B0E9A59F6FED0A4F20D86005

The first thing to note is the RWX permissions and the malformed names of the segments. From this we can infer that the packer decrypts the original PE in place into these segments rather than using VirtualAlloc or another dynamic memory allocation function.

Furthermore, we notice incorrect RVAs in the OptionalHeader. Since there is no dedicated IAT segment, a valid virtual address of 0x0001c1ee is used to point to the function imports.

The IAT at that offset is mangled, implying that the packer handles its own function resolution (nothing new here). Always nice to see packers push the limits of the Windows loader.
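As an added illustration of the triage checks behind the three observations above (RWX segments, malformed segment names, and an import directory RVA with no dedicated segment), the following script is not code from the original post: it parses a PE32 header by hand and reports those anomalies. The build_sample_pe helper and the SAMPLE bytes are constructed test data that mimic the described layout, not the real sample.

```python
import struct

# Section flags from winnt.h; a packer commonly marks its one big section RWX
IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x40000000, 0x80000000
RWX = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes

def build_sample_pe(sections, import_rva):
    """Build a minimal PE32 header; sections = [(name, VirtualAddress, VirtualSize, Characteristics)]."""
    dos = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\x00" * 94                      # PE32, DataDirectory at +96
    dirs = [(0, 0)] * 16
    dirs[1] = (import_rva, 0x100)                                      # IMAGE_DIRECTORY_ENTRY_IMPORT
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    table = b"".join(struct.pack(SECTION_FMT, n, vs, va, vs, 0x400, 0, 0, 0, 0, c)
                     for n, va, vs, c in sections)
    return dos + b"PE\x00\x00" + coff + opt + table

def triage(pe):
    """Return the packer-style header anomalies found (empty list for a normal-looking PE)."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return ["not a PE file"]
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]            # IMAGE_FILE_HEADER.NumberOfSections
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]       # IMAGE_FILE_HEADER.SizeOfOptionalHeader
    opt = e_lfanew + 24
    dd_off = 96 if struct.unpack_from("<H", pe, opt)[0] == 0x10B else 112  # PE32 vs PE32+
    import_rva = struct.unpack_from("<I", pe, opt + dd_off + 8)[0]  # DataDirectory[1].VirtualAddress
    findings, sections = [], []
    for i in range(nsec):
        name, vsize, va, *_, chars = struct.unpack_from(SECTION_FMT, pe, opt + opt_size + 40 * i)
        sections.append((i, va, vsize, chars))
        shown = name.rstrip(b"\x00")
        if not shown or any(c < 0x20 or c > 0x7E for c in shown):
            findings.append(f"section {i}: malformed name {name!r}")
        if (chars & RWX) == RWX:
            findings.append(f"section {i}: RWX characteristics 0x{chars:08X}")
    # No dedicated import section: the import directory RVA lands inside the executable blob itself
    owner = [s for s in sections if s[1] <= import_rva < s[1] + s[2]]
    if import_rva and not owner:
        findings.append(f"import directory RVA 0x{import_rva:X} outside every section")
    elif owner and owner[0][3] & IMAGE_SCN_MEM_EXECUTE:
        findings.append(f"import directory RVA 0x{import_rva:X} inside executable section {owner[0][0]}")
    return findings

# Constructed sample: one nameless RWX section holding everything, import directory RVA 0x1C1EE inside it
SAMPLE = build_sample_pe([(b"\x00" * 8, 0x1000, 0x1C000, RWX),
                          (b".rsrc", 0x1D000, 0x1000, 0x40000040)], 0x1C1EE)
```

Running triage(SAMPLE) reports the nameless section, its RWX flags, and the import directory sitting inside that executable section; a conventionally built PE with a separate .idata section produces no findings.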

Olly gives us a bad image error, but fixing the header is unnecessary. Place a BP on OEP and run. The packer first decrypts its own internal subroutines which are used as a loader for the packed file. We can see from the analysis errors that this is a polymorphic crypter.

Now, to keep a long story short: the main decryption loop is at 0x00414ad3, so place a BP there. Everything up to that BP decrypts the packer's process loader. The jb instruction grouping at 0x00414c69 tests the length of the decrypted loop; the decryption loop exits once edi is less than [esi + 0x34]. The routine right below the jb is the process loader, so place a BP on it and return from the function. 0x00401678 is the packed file's OEP. Furthermore, we can see what appears to be a VB jump table beginning at 0x00401400, and the function list confirms our assumption that the sample was written in VB. Also, at 0x401000 we can see the runtime API function addresses for the VM P-Code binary.

Now let's dump the process using OllyDump. Set the OEP to 0x1678 (the RVA of 0x00401678) and deselect IAT reconstruction. Realign the segments as well.

In ImpRec, choose 0x1678 as the OEP and 0x1400 as the IAT RVA (since we know the IAT lives in the same segment as the code). Now perform an IAT autosearch and get the imports. Remove the faulty thunk consisting of invalid pointers and rebuild the PE.
