Wednesday, December 18, 2013

Manual Unpacking of UPX Packed Binary File

FileName: calc.exe
MD5: 829e4805b0e12b383ee09abdc9e2dc3c
File Size: 114688
Source: C:\WINDOWS\system32
OS Used: Windows XP Pro SP3 (English)

Create UPX Packed binary using below command
upx -9 -o calc_upx9.exe calc.exe
File Size after packing is 57856 bytes

Packer Info

Lets start unpacking, load the file to OllyDBG. OllyDBG detects and warns about the Packer, ignore the message (click NO).

0x01020250  is the current Entry Point
01020250  60               PUSHAD

Real OEP = OEP find in Olly - Image Base
Real OEP = 0x01020250 - 0x01000000

After ignoring the warning, step over (F8) POPAD, right click on ESP(0x0006FFA4) and follow in dump.
POPAD will push all the REGISTERs values onto Stack.

In the dump window select first 2/4 bytes and go for a hardware breakpoint on access as shown below. First 4 bytes selected is the value of EDI Register on Stack in little endian format.

Run the binary (F9) after setting the breakpoint, will stop execution when hits a break point (0x010203CE). When breakpoint is hit the CPU is
010203CD   61               POPAD
010203CE   8D4424 80        LEA EAX,DWORD PTR SS:[ESP-80]
010203D2   6A 00            PUSH 0
010203D4   39C4             CMP ESP,EAX
010203D6  ^75 FA            JNZ SHORT calc_upx.010203D2
010203D8   83EC 80          SUB ESP,-80
010203DB  -E9 9520FFFF      JMP calc_upx.01012475

Put a breakpoint at 0x010203DB (first JUMP instruction after POPAD), press F9 and when we hit the breakpoint single step (F8) one time from JUMP, will land at
01012475   6A 70            PUSH 70
01012477   68 E0150001      PUSH calc_upx.010015E0

Right click on 0x01012475 and "Dump debugged process", copy the value in Modify text box which will be our OEP and  click on Dump button which will create a new binary (dump_test.exe here).

dump_test.exe is not executable since it doesn't have proper Import Address Table (IAT). Executing the binary will throw below error

Load the original binary (calc.exe) into ImportREC, paste the OEP copied from Modify text field when creating dump file. Click on AutoSearch to automatically search IAT's. Will give below log message
Original IAT RVA found at: 0000120C in Section RVA: 00001000 Size:00018000

Now click on GetImports which will throw below log if everything goes fine.
IAT read successfully.
Current imports:
6 (decimal:6) valid module(s) (added: +6 (decimal:+6))
84 (decimal:132) imported function(s). (added: +84 (decimal:+132))

Now click on FixDump and select  dump_test.exe, ImportREC will fix dump_test.exe and creata a new file dump_test_.exe, see below logs
*** New section added successfully. RVA:00029000 SIZE:00001000
Image Import Descriptor size: 78; Total length: 908
C:\Documents and Settings\praveen\Desktop\UnpackMe\upx_calc\dump_test_.exe saved successfully.

To cross verify load the newly created file into PEiD

Done :-) !!! 

Manual unpacking of AHpack can be found at

Tuesday, December 17, 2013

Manual Unpacking of AHpack(0.1) Packed Binary File

File Information
FileName: UnPackMe_!EP(EXE Pack)1.2.exe
MD5: c39d13643796db07eb9c3c90b3db71d0
File Size: 281088
Source: tuts4u
OS Used: Windows XP Pro SP3 (English)

Packer Information
Packer details can be found using tool "Detect It Easy".

Packed Binary Entry Point
Launch the binary in Debugger, I am using Immunity Debugger v1.85. Immunity will alert you stating that the binary might be Compressed, ignore the error message(click NO) and proceed further. We can see the Entry Point as
Address        Opcode       Instruction
0046B0FF    60               PUSHAD

Step Into(F7) or Step Over(F8) PUSHAD instruction. PUSHAD willl push the values of all the General Purpose Registers to Stack, except EIP.

Hardware Breakpoint On Access
Right click on ESP(0x0012FFA4) register and click on "Follow in Dump", in the dump window select initial 2 or 4 bytes, right click "Breakpoint-> Hardware, on access->;Dword (click on it)". Will create a Hardware breakpoint.
We can also execute "hr esp-4" and command bar to set Breakpoint.
"Follow in Dump" will show little endian style register values (EDI might be the first value) on top of the stack.

0046B299   61                          POPAD
0046B29A   BA B0714200      MOV EDX,UnPackMe.004271B0
0046B29F  -FFE2                    JMP EDX                                  ; UnPackMe.004271B0

Hits Breakpoint
Execute the binary i.e. hit F9 key. This should break at one instruction after POPAD. Why break here? Because a POPAD was executed before, this will try to access the memory marked with a breakpoint. Single step (F7) till you execute first jump instruction (at 0x0046B29F) which will actually take us to OEP and continue single stepping till we see below instructions which shows the creation of stack frame.
004271B0   55               PUSH EBP
004271B1   8BEC             MOV EBP,ESP
0x004271B0 is the Original Entry Point. Long jump from 0x0046B29F to 0x004271B0, it's fairly tellable that we have reached OEP.

Dump the process by right clicking at 0x004271B0   (PUSH EBP).

Dump Process
Will pop up a window as shown, click on Dump and save it as dump.exe. Executing this file might throw "...not a valid Win32 Application" error because it doesn't have valid Import Address Table(IAT).

Fix Dumped Process
Image Base + OEP = Start Offset
Let's fix the IAT, fire "Import REC" tool and select the original binary which we are trying to Unpack. Modify the OEP to 0x000271B0 and click on AutoSearch tab, ignore the pop warning (click OK).
IAT AutoSearch feature is used to find right references to the API calls. Click on "Get Imports" to get Imports, should not have any errors(see below snapshot).

Now click on "Fix Dump" and provide dump.exe created from one of the steps above. If successful, will create an unpacked binary dump_.exe.

Execute the binary by double clicking it, if it executes without error; boom, our unpacking is done !!

The steps can be summarized as

  • Execution starts from new Original Entry Point (OEP) newly added code section located at the end of binary)
  • Saves the current Registers Status using PUSHAD (Opcode 60) instruction
  • All the Packed Sections are Unpacked in memory
  • Resolve the import table of original executable file.
  • Restore the original Register Status using POPAD (Opcode 61) instruction
  • Finally Jumps to Original Entry point to begin the actual execution

Thursday, December 12, 2013

Most Helpful and Frequently used Linux Commands

getconf LONG_BIT


CPU information and Memory Information
cat /proc/cpuinfo
cat /proc/meminfo

Open ports and associated processes/services
netstat -anp (on Windows netstat -anb)
lsof command can also be used to do same work

Search for files only which contains log string in file from root directory recursively
find / -name log -type f  *
Search for directories only which contains log string in directory from current directory recursively  and move the found directory to /tmp directory
find . -name log -type d  * | xargs cp /tmp/

perl command to generate buffer

Name of the Operating System
lsb_release -a

Knowing 32-bit or 64bit Operating System
getconf LONG_BIT

Linux Kernel details
uname -a

ps -aef

SNMP Enumeration

Simple Network Management Protocol (SNMP) is used for remote monitoring and managing of hosts, routers, switches or any device connected to network. SNMP works on 161/UDP, SNMP Trap on 162/UDP. By default SNMP comes with two community (username) strings
            public (read only access)
            private (read write access)

We will discuss about SNScan from to Scan for Devices which are running SNMP service. You can mention a particular IP Address or range of IP Addresses to scan.

Management Information Base (MIB) describes all network objects that can be monitored and managed using SNMP. MIB’s are accessed using Object Identifiers (OID’s)

net-snmp utilities on Linux distributions already have few snmp commands.

We need to provide password list file which contains  expected passwords. SNScan tried thos passwords against public and private community strings, successful hit will give the community string-password for a particular host.