

Accept all warnings regarding IAT table corruption and allow IDA to load the file and create the assumed IAT automatically. Select the ‘Local Bochs Debugger’ option from the ‘Choose debugger’ menu (don’t forget to configure the Bochs plug-in to handle 64-bit PE files). Select the ‘Stop on entry point’ option in the ‘Debugger option’ menu. Run the target process (F9 – start process). MPRESS2:00000000004040C2 (in short form 0x04040C2) where the PUSH RDI instruction is located.

Now, from the ‘Views’->‘Graphs’ menu, select the ‘Flowchart’ option (F12). A picture similar to Figure 2 should be displayed. Now zoom in (Figure 3) to reveal the bottom nodes and sub_40441A. Jump to this subroutine (press ‘g’ and enter ‘sub_40441A’ as the address – IDA will resolve it correctly) and place a breakpoint on it. Figure 4 shows the disassembly of this procedure. Note that this procedure is just a single JMP instruction and that the higher addresses (the lower part of the disassembly listing) are occupied by garbage bytes. Those bytes could be the compressed image or some other data (including real garbage), but they are definitely not a valid code area. Further analysis reveals that this is not the original entry point.

But before we come to any conclusion, let’s get back to our imaginary flowchart in Figure 1. The bottom (exit) nodes from the entry point may lead to further parts of the decompression routines. Therefore our theory could still be valid, and to prove it we need to inspect further functions which are bottom nodes on our graph.

Figure 6. Zoom of bottom nodes from the sub_40106F function.

Inspection of loc_40108C reveals a strange near call and some garbage code after the call instruction. If you fix the call address, changing it from loc_401AC+1 to loc_401AD, the proper disassembly of the called function will look like this. The calls to GetModuleHandleA and GetProcAddress make this function’s purpose quite obvious – although note that this is not the IAT rebuilding loop yet. Again, this is not our exit to the original entry point.

Let us examine the second red node – if you trace its caller (Figure 7) you will find that it is the short procedure which restores the general registers from the stack and that it ends with a strange jump. Put a breakpoint at the jump and execute the process again (F9). Further analysis will reveal that this is in fact a jump to the original entry point. What is more important is that the demonstrated method is generic and can be applied not only to different decompression/obfuscation schemes but to other executable file formats, processors and system platforms as well.

A new feature called ‘trace replayer’ was introduced in IDA 6.3. This is a form of specialized debugger that allows the execution flow to be recorded. This feature can be used for unpacking as well. Again, we need to make some assumptions to start. Our first assumption will be that every user-land PE process ends with the ExitProcess() function.
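The flowchart walk described above (zoom to the bottom nodes of the entry-point function, pick the ones whose final jump leaves known code, put a breakpoint there and run) can be scripted. The following is an added example written for this page, not code from the article or from IDA: the core works on a plain Python graph so it can be exercised offline with a constructed flowchart, and a thin wrapper fills the same structure from IDAPython's `idaapi.FlowChart` when run inside IDA. All block addresses and the section range in `SAMPLE_BLOCKS` / `SAMPLE_CODE` are constructed for illustration and are not the MPRESS addresses from the article; `Block`, `exit_nodes`, `suspicious_exits` and the wrapper names are hypothetical helper names.

```python
"""Find the bottom (exit) nodes of a function's flowchart and flag those whose
last instruction is an unconditional jump to an address outside any known
code section, i.e. candidate tail jumps into decompressed code or data.

Added example (hypothetical helpers), not the article's or IDA's own code.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

try:  # idaapi / idc only exist inside IDA Pro's IDAPython
    import idaapi
    import idc
except ImportError:  # offline: the caller supplies the graph instead
    idaapi = None
    idc = None


@dataclass
class Block:
    start: int
    end: int                                    # exclusive end address
    succs: List[int] = field(default_factory=list)  # successor block starts
    last_mnem: str = ""                         # mnemonic of the final insn
    last_target: Optional[int] = None           # jump target of the final insn


def exit_nodes(blocks: Dict[int, Block]) -> List[Block]:
    """Bottom nodes: blocks with no successor inside this function."""
    return [b for b in blocks.values() if not any(s in blocks for s in b.succs)]


def in_code_section(ea: int, code_sections: List[Tuple[int, int]]) -> bool:
    """True when ea lies inside one of the [lo, hi) executable ranges."""
    return any(lo <= ea < hi for lo, hi in code_sections)


def suspicious_exits(blocks: Dict[int, Block],
                     code_sections: List[Tuple[int, int]]) -> List[Block]:
    """Exit nodes ending in 'jmp' whose target is not in known code: these are
    the nodes worth a breakpoint, like the single-JMP stub in the article."""
    out = [b for b in exit_nodes(blocks)
           if b.last_mnem == "jmp" and b.last_target is not None
           and not in_code_section(b.last_target, code_sections)]
    return sorted(out, key=lambda b: b.start)


# Constructed sample flowchart (not the article's addresses): one executable
# loader section and a four-block entry function with two bottom nodes.
SAMPLE_CODE = [(0x404000, 0x405000)]
SAMPLE_BLOCKS = {
    0x4040C2: Block(0x4040C2, 0x4040D0, [0x4040D0, 0x4040F0], "jz", 0x4040F0),
    0x4040D0: Block(0x4040D0, 0x4040E8, [0x4040E8], "call", None),
    0x4040E8: Block(0x4040E8, 0x4040F0, [], "jmp", 0x404600),  # stays in code
    0x4040F0: Block(0x4040F0, 0x4040F5, [], "jmp", 0x401000),  # leaves code
}


def build_graph_from_ida(func_ea: int) -> Dict[int, Block]:
    """IDA only: build the same Block dict from idaapi.FlowChart."""
    blocks = {}
    for bb in idaapi.FlowChart(idaapi.get_func(func_ea)):
        last = idc.prev_head(bb.end_ea)
        mnem = idc.print_insn_mnem(last).lower()
        target = idc.get_operand_value(last, 0) if mnem.startswith("j") else None
        blocks[bb.start_ea] = Block(bb.start_ea, bb.end_ea,
                                    [s.start_ea for s in bb.succs()], mnem, target)
    return blocks


def breakpoint_suspicious_exits(func_ea: int,
                                code_sections: List[Tuple[int, int]]) -> List[int]:
    """IDA only: set a breakpoint on the final jump of each suspicious exit."""
    hits = []
    for b in suspicious_exits(build_graph_from_ida(func_ea), code_sections):
        jmp_ea = idc.prev_head(b.end)
        idc.add_bpt(jmp_ea)
        hits.append(jmp_ea)
    return hits


if __name__ == "__main__":
    for b in suspicious_exits(SAMPLE_BLOCKS, SAMPLE_CODE):
        print("bottom node %#x: jmp to %#x leaves known code" % (b.start, b.last_target))
```

Run offline, the script reports the constructed block at 0x4040F0 as the only bottom node whose jump leaves the loader section; inside IDA, `breakpoint_suspicious_exits(ea, sections)` does the same for a real function and returns the addresses it put breakpoints on, so the ‘Stop on entry point’ / F9 loop from the article can be repeated per candidate.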
