NTU_MR
Malware Reverse Engineering and Analysis
NTU

| Name | 何秉學 | StuID | R11921A16 |
|---|---|---|---|
OEP

After unpacking, the code jumps back to the OEP (Original Entry Point); that final jump back is called the Tail Jump or Long Jump. How far a jump has to go to count as "long" is a judgment call based on experience, or you can simply follow the jump and analyze what the program does there.

Besides recovering the OEP, the Imports also have to be rebuilt; unpacking is only complete once both have been handled.

The target of the jmp is far away from the current code, and the code following it contains many null instructions or junk bytes; this is a characteristic of the UPX packer.

Use the tool PEiD (or something like Entropy, which is not always accurate) to determine whether a sample is packed, and with which packer. The upper figure shows an ordinary unpacked program; the lower figure shows a program packed with UPX.

Import Table Reconstruction can be done with tools such as OllyDump, ImpRec or Scylla; the Practice demonstrates it with Scylla (which can be used together with x32dbg or x64dbg).

A pop instruction appears right before the Long Jump, which can serve as a clue for locating the OEP.

The Tail Jump is not necessarily a jmp; it can also be a call instruction. Also, the jump target is not necessarily an explicit address; it may be held in a register, so pay attention to this.
upx_exercise.exe

Find the CTF key by analyzing upx_exercise.exe.

Loading the sample in IDA Pro shows that it is packed with UPX. Therefore, our objective is to unpack it and analyze its original code to get the CTF Flag.

Open it in x32dbg. UPX-based packing has a feature: so that the register contents are not flushed during unpacking, it must first save them all to the stack with a pushad instruction, and at the end it uses a jmp instruction to transfer to the unpacked original code.

We find a popad instruction at 0x0134AEDE, a jmp instruction at 0x010EAEEC, and a lot of null instructions; all three satisfy the features of UPX-based packing.

The jump target is upx_exercise.134244D. Press the run button in x32dbg, then press the step into button to observe the code.

Use Scylla to do the Import Reconstruction. Press the IAT Autosearch (Import Address Table) button to search, then press the Get Imports button. Finally you get all the imports that this file uses, and Scylla will help you rebuild them.

Press the Dump button to get the IAT file. Then press Fix Dump and choose the file we just dumped to reconnect the IAT to this file. You'll see the log say Import Rebuild success, and you'll get a new file named upx_exercise_dump_SCY.exe that has been repaired by Scylla.

IDA Pro

Use IDA to reanalyze the unpacked file. Search for the string nope that appears in your cmd.

From v96 to v105 it stores 40 bytes, and it seems to do something in a while loop 40 times. In addition, the line v67 = v66[v65] ^ 0x87; uses an xor instruction, which looks like the encryption part. It then compares &v96 + v65 with v67, the encrypted byte of the string you input.

If the input bytes xor'd with 0x87 are exactly the same as v96 to v105, it prints Congratz?!; otherwise it prints Nope. So v96 to v105 are the encrypted strings, and decrypting them gives the CTF Flag.

**CTF{YOU_goT_7hE_F4kE_fl49_tRY_h4RdEr_QQ}**, though it is not a real answer.
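As an added example (not code from the write-up), this Python script models the decompiled check and inverts it: the ten dwords standing in for v96..v105 are constructed by encoding the fake flag above, since the page does not list the stored values, and they are laid out little-endian the way IDA shows 4-byte locals.

```python
import struct

# Added example, not code from the write-up: a Python model of the check that
# IDA's decompiler showed in upx_exercise.exe, plus its inverse.
# The loop computes v67 = v66[v65] ^ 0x87 for each input byte and compares it
# with the byte at (&v96)[v65]; v96..v105 are ten 4-byte locals (40 bytes).

XOR_KEY = 0x87

# Constructed stand-in for v96..v105 as IDA would show them (little-endian
# dwords); derived from the fake flag, not copied from the binary.
V96_TO_V105 = [
    0xFCC1D3C4, 0xD8D2C8DE, 0xD8D3E8E0, 0xD8C2EFB0, 0xC2ECB3C1,
    0xB3EBE1D8, 0xD5F3D8BE, 0xB3EFD8DE, 0xF5C2E3D5, 0xFAD6D6D8,
]


def stored_bytes(dwords) -> bytes:
    """Lay the locals out in memory order: &v96 points at 40 contiguous bytes."""
    return struct.pack("<%dI" % len(dwords), *dwords)


def check_input(user_input: bytes, dwords=V96_TO_V105) -> bool:
    """Model of the decompiled loop: reject unless every byte ^ 0x87 matches."""
    expected = stored_bytes(dwords)
    if len(user_input) < len(expected):
        return False
    return all((user_input[i] ^ XOR_KEY) == expected[i] for i in range(len(expected)))


def recover_flag(dwords=V96_TO_V105) -> str:
    """XOR is its own inverse, so the same key turns the table back into the flag."""
    return bytes(b ^ XOR_KEY for b in stored_bytes(dwords)).decode("ascii")


if __name__ == "__main__":
    flag = recover_flag()
    print(flag)
    print("Congratz?!" if check_input(flag.encode()) else "Nope")
```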
upx_Revil.exe

Use IDA to analyze this sample; it is obviously a packed sample.

custom_packer_Revil.exe

DetectItEasy

Though I used the tool DetectItEasy to check whether this sample was packed or not, the answer is not quite explicit. From the write-up made by Security Joes, it's not a simple UPX sample:

This packer can be classified as a hybrid packer because during its execution it injects several pieces of shellcode to finally replace the complete memory image of the PE. A diagram that explains this kind of packer is shown below.

Basically, it reads the encrypted content and copies it to a new section (the yellow block).

OEP

shellcode (LocalAlloc)

Go to 0x00404DB6 and step into this line; you land in kernel32.dll. Use Execute till return to skip this module. Here it copies the shellcode to a memory section, just as we talked about before. At 0x00404E38, right click → Follow in Memory Map, then right click again and choose Dump memory to File. What we dumped is shellcode. How do we know?

shellcode (VirtualAlloc)

Press Ctrl+G and type VirtualAlloc. Execute till return, then check the memory by right-clicking EAX and choosing Follow in Dump. Step into to return to 0x02B95269. This is shellcode, which can be checked in the disassembler. 0x02B9527D is the 2nd tail jump, which jumps from the yellow shellcode block to the blue shellcode block.

shellcode (VirtualAlloc)

It calls VirtualAlloc again, so we just press the Run button to get there and follow the instructions above: follow the EAX address in dump → Step into → You'll see 3 nested loops again → Set breakpoint → Run → The memory in the dump changes again (this is our payload in memory).

shellcode (VirtualProtect)

In this section it uses the VirtualProtect API, so we just follow the instructions above: find VirtualProtect with Ctrl+G → Set a breakpoint and press the Run button.

Interesting things

Check out the page talking about VirtualProtect:

Changes the protection on a region of committed pages in the virtual address space of the calling process. To change the access protection of any process, use the VirtualProtectEx function.

And you can especially take a look at

[in] flNewProtect
The memory protection option. This parameter can be one of the memory protection constants.

Following the page, you can notice that 0x40 is PAGE_EXECUTE_READWRITE. You can see all the parameters of VirtualProtect on the stack in stdcall order. They want to modify (replace) the original section.
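As an added example (not from the write-up), this Python snippet decodes the VirtualProtect arguments from a 32-bit stack snapshot the way you read them off the stack at the breakpoint: stdcall pushes right to left, so at the API's first instruction [esp] is the return address and the four arguments follow. The stack bytes are constructed, not taken from the sample; the protection constants are the documented Win32 values.

```python
import struct

# Added example, not from the write-up: decode VirtualProtect's stdcall
# arguments from a stack snapshot taken at the API entry breakpoint.
# Layout at entry: [esp] = return address, [esp+4] = lpAddress,
# [esp+8] = dwSize, [esp+0xC] = flNewProtect, [esp+0x10] = lpflOldProtect.

# Win32 memory protection constants (from the VirtualProtect documentation).
PAGE_PROTECTIONS = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTABLE = {0x10, 0x20, 0x40, 0x80}
WRITABLE = {0x04, 0x08, 0x40, 0x80}


def decode_virtualprotect_args(stack: bytes) -> dict:
    """Parse five little-endian dwords starting at esp and name each argument."""
    ret, lp_addr, size, new_prot, old_prot_ptr = struct.unpack_from("<5I", stack, 0)
    base = new_prot & 0xFF  # strip modifiers such as PAGE_GUARD (0x100)
    return {
        "return_address": ret,
        "lpAddress": lp_addr,
        "dwSize": size,
        "flNewProtect": new_prot,
        "protection_name": PAGE_PROTECTIONS.get(base, "UNKNOWN"),
        "lpflOldProtect": old_prot_ptr,
        # writable + executable at once is what the packer needs to overwrite
        # a section and then run it; worth flagging when triaging a sample
        "rwx": base in EXECUTABLE and base in WRITABLE,
    }


# Constructed snapshot (not from the sample): a call asking for 0x40 on a
# 0x1000-byte region at 0x00401000, with a hypothetical return address.
SAMPLE_STACK = struct.pack("<5I", 0x0040A123, 0x00401000, 0x1000, 0x40, 0x0019FF70)

if __name__ == "__main__":
    for name, value in decode_virtualprotect_args(SAMPLE_STACK).items():
        print(f"{name:16} {value:#x}" if isinstance(value, int) else f"{name:16} {value}")
```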
Continue with the instructions mentioned above: go back → step into. Scroll down to the long jump at 0x001C091E and step into.

OEP

0x00404161 is your OEP.
Analyze the malware found in the file workshop_samples.zip -> upx_REvil.exe, generate 'yourself' writeups (with screenshots) and answer the following questions:

1.1 Where is the memory address of the tail jump?

Ans:
When you see the machine instruction popad, the tail jump address is 0x00283F8C.

1.2 Where is the OEP of the packed sample?

Ans:
The OEP address is 0x00264161.

Analyze the malware found in the file workshop_samples.zip -> custom_packer_REvil.exe, generate 'yourself' writeups (with screenshots) and answer the following questions:

2.1 Where is the memory address of the tail jump?

Ans:
Scrolling~~ down, find a loooong jump at 0x001C091E and step into.

2.2 Where is the OEP of the packed sample?

Ans:
0x00404161 is your OEP.