Exetools (https://forum.exetools.com/index.php)
General Discussion > Inline patching a packed dll (https://forum.exetools.com/showthread.php?t=2108)

drasd_20002 04-24-2003 17:00

Inline patching a packed dll
 
I am trying to inline patch a DLL packed with PECompact v1.84(?).

The first step would be finding the OEP, isn't it?

When I tried to load the DLL into Symbol Loader (SoftICE DS 2.7 on Win XP without SP1, with patched nmtrans.dll, siwvid.sys and ntice.sys), it does not load.

The section characteristics of the first section, i.e. pec1, are already E0000020.

Then I tried to preload the DLL by adding a line to winice.dat, but when I start SoftICE and give any command like d A90000 or BPX A90000 (or any command a*, where * = anything), SoftICE CRASHES with the message "Int0E Fault at address ****** offset 00006D78". If I don't load the DLL and run the app, the above faults don't occur, but obviously I cannot set any memory breakpoints on the address I mentioned; they will be ignored.

After unloading SoftICE by rebooting, I tried OllyDbg 1.09b: loaded the exe and started a wild "trace over" (F8) once I felt I was near the call into the DLL. Oops, an exception occurs in kernel32.dll; OK, I pass it to the app using Shift+F7 or F8, but then the app runs without pausing; the DLL gets loaded and the unpacking routine is already over :( :(. Tried using the plugin OllyDump 2.20 to find the OEP by tracing; immediately there is an exception, an error message is displayed and the process is terminated. Sh**t.

I tried BPX IsDebuggerPresent; the response is that it breaks 60 times.

How do I find and disable the anti-debugging routines used by the DLL, because it is packed?
SoftICE detection tools say it is detected only by INT 01.

Please help.

asterix 04-25-2003 07:15

Hi!
Open the DLL in HIEW and replace the first byte with CCh.
Start SoftICE and give the command "i3here on".
Start the program, and when it stops give the command "r eip eip-1".
Then replace the first byte with the original one.
Then give the command "i3here off". :)

I am sorry for my horrible English.

drasd_20002 04-27-2003 10:45

In the meanwhile I used the IceExt extension for SoftICE.
It is mostly not detected, even by INT 1.

I tried your suggestion. It works well.

One could use a macro too:
MACRO a= "r eip eip-1; eb eip %1"

At the entry I have
PUSHFD
PUSHAD
CALL abcd
Here the registers are saved,
and these should be restored just before the OEP jump.

So I looked for the location of the register values in the data window,

set a break on that, then bpx / bpm at the address, but it does not stop there.

Where am I going wrong :mad:

asterix 04-27-2003 19:17

I don't understand you well. You cannot find the OEP?
Try to do something like this. :D

- Remember the value of ESP at the EP of the DLL.
- Then put "bpx GetProcAddress"
  or "bpx (GetProcAddress+3)" (on especially spiteful protectors)
  and press "F5".
- When it stops, do "bc *".

- Then put "bpr esp-4 esp+4" (if you are on Win98) or
bpm esp-4
bpm esp-3
bpm esp-2
bpm esp-1 (if you are on Win2k/XP). :)

drasd_20002 04-28-2003 23:05

Yes, I was unable to find the OEP.
I tried your advice.
I ultimately reached 00B65C58.
Is this the OEP? I have marked it in the code below (SoftICE).
How do I confirm that?
I also did not understand the principle behind the breakpoints.

___________________________________________________________
EAX=0012F750 EBX=00CFC000 ECX=0012F798 EDX=00050001 ESI=0012F6F0
EDI=00000001 EBP=0012F6FC ESP=0012F6E0 EIP=00CFD550 CS=001B DS=0023
SS=0023 o d I a z a p c
ES=0023 FS=0030 GS=0000
__________Mydll!.pec______________________________________

001B:00CFBFF9 FFFF       INVALID
001B:00CFBFFB FFFF       INVALID
001B:00CFBFFD FFFF       INVALID
001B:00CFBFFF FFEB       JMP EBX          // break due to embedded INT3
001B:00CFC001 06         PUSH ES
001B:00CFC002 68505C0D00 PUSH 000D5C58
001B:00CFC007 C3         RET
001B:00CFC008 9C         PUSHFD           // save registers
001B:00CFC009 60         PUSHAD           // save registers
001B:00CFC00A E802000000 CALL 00CFC011
001B:00CFC00F 33C0       XOR EAX,EAX
001B:00CFC011 8BC4       MOV EAX,ESP
001B:00CFC013 83C004     ADD EAX,04
001B:00CFC016 93         XCHG EAX,EBX
001B:00CFC017 8BE3       MOV ESP,EBX
________________________________________________________________

//snipped

Break due to GetProcAddress [after F5]

001B:77E7A5D9 50           PUSH EAX
001B:77E7A5DA FF15AC12E677 CALL [ntdll!RtlImageNtHeader]
001B:77E7A5E0 85C0         TEST EAX,EAX
001B:77E7A5E2 0F84170FFFFF JZ 77E734FF
001B:77E7A5E8 6683785C03   CMP WORD PTR [EAX+5C],03
001B:77E7A5ED 0F850C0FFFFF JNZ 77E734FF
001B:77E7A5F3 33C0         XOR EAX,EAX
001B:77E7A5F5 40           INC EAX
001B:77E7A5F6 C3           RET
001B:77E7A5F7 FF257C13E677 JMP [ntdll!LdrGetProcedureAddress]
KERNEL32!GetProcAddress
001B:77E7A5FD 55           PUSH EBP         // break due to GetProcAddress
001B:77E7A5FE 8BEC         MOV EBP,ESP
001B:77E7A600 51           PUSH ECX
001B:77E7A601 51           PUSH ECX
001B:77E7A602 53           PUSH EBX
-------------------------------------------------------------------
//snipped
I put
bpm 0012F6E0-4
bpm 0012F6E0-3
bpm 0012F6E0-2
bpm 0012F6E0-1
then pressed F5.
Break due to BP 04: BPMB #001B:0012F6DF RW DR0


001B:00CFD52C 8D956BA14000 LEA EDX,[EBP+0040A16B]
001B:00CFD532 6A40         PUSH 40
001B:00CFD534 52           PUSH EDX
001B:00CFD535 FFB53D974000 PUSH DWORD PTR [EBP+0040973D]
001B:00CFD53B FFB539974000 PUSH DWORD PTR [EBP+00409739]
001B:00CFD541 E8F40A0000   CALL 00CFE03A
001B:00CFD546 85C0         TEST EAX,EAX
001B:00CFD548 0F859DFDFFFF JNZ 00CFD2EB
001B:00CFD54E 61           POPAD
001B:00CFD54F 9D           POPFD            // restore registers
001B:00CFD550 50           PUSH EAX
001B:00CFD551 60505CB600   PUSH 00B65C50
001B:00CFD556 C20400       RET 4
001B:00CFD559 8BB55B974000 MOV ESI,[EBP+0040975B]
---------------------------------------Mydll.pec+152C-----------------------
//snipped

Traced with F8 after that, it reaches here:
001B:00B65C58 55           PUSH EBP         // ??? OEP
001B:00B65C59 8BEC         MOV EBP,ESP
001B:00B65C5B 83C4C4       ADD ESP,-3C
001B:00B65C5E B8B059B600   MOV EAX,00B659B0
001B:00B65C63 E8CC0CF3FF   CALL 00A96934
001B:00B65C68 A1F47FB600   MOV EAX,[00B67FF4]
001B:00B65C6D 8B00         MOV EAX,[EAX]
001B:00B65C6F E85CCBF9FF   CALL 00B027D0
001B:00B65C74 A1F47FB600   MOV EAX,[00B67FF4]
001B:00B65C79 8B00         MOV EAX,[EAX]
001B:00B65C7B 33D2         XOR EDX,EDX
001B:00B65C7D E846C7F9FF   CALL 00B023C8
001B:00B65C82 8B0DDC7CB600 MOV ECX,[00B67CDC]
001B:00B65C88 A1F47FB600   MOV EAX,[00B67FF4]
001B:00B65C8D 8B00         MOV EAX,[EAX]
001B:00B65C8F 8B151C7FB400 MOV EDX,[00B47F1C]
001B:00B65C95 E84ECBF9FF   CALL 00B027E8
001B:00B65C9A E891E8F2FF   CALL 00A94530
001B:00B65C9F 90           NOP
001B:00B65CA0 0000         ADD [EAX],AL
001B:00B65CA2 0000         ADD [EAX],AL
001B:00B65CA4 0000         ADD [EAX],AL
-------------------------------------------------------------------

asterix 04-29-2003 04:24

__________________________________________________

001B:00B65C50 55 PUSH EBP //??? OEP
__________________________________________________

Probably. It looks very much like the OEP. :D ;) :D

edited:

I congratulate you! Really, it is the OEP.
:D :D :D

drasd_20002 04-29-2003 11:55

Thank you very much. :D :)
Now I'll try to inline patch/unpack it.

Are there any tutorials on PECompact DLL unpacking? There are

lots on exe unpacking, but I could not find one on DLLs.

asterix 04-29-2003 23:50

Unpacking a DLL does not differ at all from unpacking an EXE!

But it is necessary to remember:

1) the relocs;

2) the image base at which it was dumped. :D

drasd_20002 04-30-2003 13:32

You may note that there was an OCR (optical character recognition software) error; I used OCR to get the SoftICE screen dump.

The OEP is 00B65C58 and not 00B65C50.

I dumped the DLL with LordPE after giving jmp eip at the OEP.

I opened the original (unpacked) DLL process in ReVirgin,

entered the OEP and clicked Fetch IAT; it says "found nothing".

The image base as shown by LordPE at dumping is 00A90000.


Anyway I will try to find out more about ReVirgin, and meanwhile try inline patching... seems easier than unpacking :)
because PECompact fuses all the sections and what not :mad:

Thank you for your valuable help :D :)

asterix 04-30-2003 20:19

I don't know how you copied it from SoftICE, but the OEP is here:

001B:00CFD54E 61         POPAD
001B:00CFD54F 9D         POPFD            // restore registers
001B:00CFD550 50         PUSH EAX
001B:00CFD551 60505CB600 PUSH 00B65C50   <--- puts the OEP on the stack
001B:00CFD556 C20400     RET 4

If you are at eip=00CFD551 PUSH 00B65C50, give the commands
a eip
jmp eip

but it is necessary to remember about the "nop".
Or use the command !SUSPEND with IceExt.
Then open LordPE, dump it and restore the imports!!!

I don't know what problems there are with the imports.
Maybe use ImpRec?
:D :D :D :D :D

HYC 05-01-2003 00:38

My First PEInfo
 
#include "stdafx.h"            /* precompiled header must come first in a VC project */
#include <windows.h>
#include <richedit.h>
#include "ProcessPeFile.h"
#include "RavToFileOffset.h"   /* provides _RVAToOffset() and _GetRVASection() */

/* Format strings; the original post had these in (mis-encoded) Chinese. */
const char szMsg[] =
    "File name: %s\r\n"
    "----------------------------------------------------------\r\n"
    "Machine:               0x%04X\r\n"
    "Number of sections:    %d\r\n"
    "File characteristics:  0x%04X\r\n"
    "Default image base:    0x%08X\r\n\n";
const char szMsg1[] =
    "\r\n\r\n----------------------------------------------------------\r\n"
    "Section holding the import table: %s\r\n";
const char szMsgSection[] =
    "----------------------------------------------------------\r\n"
    "Name     VirtSize VirtAddr RawSize  RawOffs  Characteristics\r\n"
    "----------------------------------------------------------\r\n";
const char szFmtSection[] = "%-8s %08X %08X %08X %08X %08X\r\n";
const char szMsgImport[] =
    "\r\n------------------------------------------------\r\n"
    "Import library: %s\r\n"
    "------------------------------------------------\r\n"
    " OriginalFirstThunk %08X\r\n TimeDateStamp %08X\r\n"
    " ForwarderChain %08X\r\n FirstThunk %08X\r\n"
    "------------------------------------------------\r\n"
    "Hint     Imported function\r\n"
    "------------------------------------------------\r\n";
const char szMsgOrdinal[]  = "%8u (imported by ordinal)\r\n";
const char szErrNoImport[] = "\r\nThis file does not import any functions.\r\n";
const char szMsgName[]     = "%8u %s\r\n";

extern char szFileName[MAX_PATH];
extern HINSTANCE hInst;   /* current instance */
extern HWND hWinEdit;     /* rich edit control handle */
extern HWND hWinMain;     /* main window handle */

void _AppendInfo(const char *szText);

void ProcessPeFile(void *lpFile, IMAGE_NT_HEADERS *lpPEHead, unsigned long dwSize)
{
    char szBuffer[1024];
    char szSectionName[IMAGE_SIZEOF_SHORT_NAME + 1];
    IMAGE_SECTION_HEADER *pSECTIONHead;
    IMAGE_IMPORT_DESCRIPTOR *pIMPORTDES;
    IMAGE_DATA_DIRECTORY directory;
    unsigned long FileOffset;
    int numberOfSections;

    (void)dwSize;   /* size of the mapped file; not needed for the walk below */

    /* A few fields from the PE header */
    wsprintf(szBuffer, szMsg, szFileName, lpPEHead->FileHeader.Machine,
             lpPEHead->FileHeader.NumberOfSections,
             lpPEHead->FileHeader.Characteristics,
             lpPEHead->OptionalHeader.ImageBase);
    SetWindowText(hWinEdit, szBuffer);

    /* Section table: one line per section */
    _AppendInfo(szMsgSection);
    numberOfSections = lpPEHead->FileHeader.NumberOfSections;
    pSECTIONHead = IMAGE_FIRST_SECTION(lpPEHead);
    while (numberOfSections--) {
        /* Name is 8 bytes and not necessarily NUL-terminated: copy it first */
        RtlZeroMemory(szSectionName, sizeof(szSectionName));
        memcpy(szSectionName, pSECTIONHead->Name, IMAGE_SIZEOF_SHORT_NAME);
        wsprintf(szBuffer, szFmtSection, szSectionName,
                 pSECTIONHead->Misc.VirtualSize, pSECTIONHead->VirtualAddress,
                 pSECTIONHead->SizeOfRawData, pSECTIONHead->PointerToRawData,
                 pSECTIONHead->Characteristics);
        _AppendInfo(szBuffer);
        pSECTIONHead++;
    }

    /* Import table */
    directory = lpPEHead->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT];
    if (directory.VirtualAddress == 0) {
        _AppendInfo(szErrNoImport);
        return;
    }
    FileOffset = _RVAToOffset(lpFile, directory.VirtualAddress);
    pIMPORTDES = (IMAGE_IMPORT_DESCRIPTOR *)((BYTE *)lpFile + FileOffset);
    wsprintf(szBuffer, szMsg1, _GetRVASection(lpFile, pIMPORTDES->OriginalFirstThunk));
    _AppendInfo(szBuffer);

    /* One descriptor per imported DLL; an all-zero descriptor ends the list */
    while (pIMPORTDES->OriginalFirstThunk || pIMPORTDES->TimeDateStamp ||
           pIMPORTDES->ForwarderChain || pIMPORTDES->Name || pIMPORTDES->FirstThunk) {
        DWORD *pThunk;

        FileOffset = _RVAToOffset(lpFile, pIMPORTDES->Name);
        wsprintf(szBuffer, szMsgImport, (char *)lpFile + FileOffset,
                 pIMPORTDES->OriginalFirstThunk, pIMPORTDES->TimeDateStamp,
                 pIMPORTDES->ForwarderChain, pIMPORTDES->FirstThunk);
        _AppendInfo(szBuffer);

        /* Walk the INT (OriginalFirstThunk); fall back to the IAT if the INT is absent */
        FileOffset = _RVAToOffset(lpFile, pIMPORTDES->OriginalFirstThunk ?
                                  pIMPORTDES->OriginalFirstThunk : pIMPORTDES->FirstThunk);
        pThunk = (DWORD *)((BYTE *)lpFile + FileOffset);
        for (; *pThunk; pThunk++) {
            if (*pThunk & IMAGE_ORDINAL_FLAG32) {
                wsprintf(szBuffer, szMsgOrdinal, IMAGE_ORDINAL32(*pThunk));
            } else {
                IMAGE_IMPORT_BY_NAME *pImportByName =
                    (IMAGE_IMPORT_BY_NAME *)((BYTE *)lpFile + _RVAToOffset(lpFile, *pThunk));
                wsprintf(szBuffer, szMsgName, pImportByName->Hint, (char *)pImportByName->Name);
            }
            _AppendInfo(szBuffer);
        }
        pIMPORTDES++;
    }
    /* End of import table */
}

/* Append text at the end of the rich edit control */
void _AppendInfo(const char *szText)
{
    int len = GetWindowTextLength(hWinEdit);
    SendMessage(hWinEdit, EM_SETSEL, (WPARAM)len, (LPARAM)len);
    SendMessage(hWinEdit, EM_REPLACESEL, FALSE, (LPARAM)szText);
}

/* But first you should build a project (in a VC workspace),
   map the opened file, get the handle of the file and
   get the IMAGE_NT_HEADERS of the file.
   If you really want the whole project, you can mail me.
   [email protected] */

asterix 05-01-2003 07:05

I have looked at this PECompact 1.84 here and have unpacked it.
I can say that code of this kind:

:XXXXXXXX POPAD
:XXXXXXXX POPFD
:XXXXXXXX PUSH EAX
:XXXXXXXX PUSH XXXXXXXX
:XXXXXXXX RET 4
I observed many times in the PECompact code.

After bpm esp-4... etc. you need to press F5 (as many times as necessary to find the OEP).

So probably it was necessary to press F5 again.

Maybe this (001B:00B65C58 55 PUSH EBP) is not the OEP!

If possible, give a link to your program.

I am sorry for my horrible English.

drasd_20002 05-02-2003 01:49

1 Attachment(s)
I think the OEP is right, because I tried the same method on a crackme (PECompact 1.84) and two other targets (exe); after unpack + IAT rebuild (ImpRec) all are working fine :).

But with the DLL no success getting the IAT. Also with "XP notepad" that I packed with PECompact, ImpRec won't work.

I have a few doubts:

In an unpacked (original) notepad/exe/dll, the entry point in the PE header (PEP) is the OEP. Is it correct?

Is the OEP hard coded (present in the file on disk) in a PECompacted file?

I tried getting IAT info in ImpRec for Notepad98; it gives values, but for Notepad XP it says:

"Could Not Find anything good at this OEP".

I tried changing max recursion & buffer size in the options but no use. I think I have to

find the IAT manually and fix it.

I am sending you the target while I try confirming the OEP myself, because that would give me real confidence.

drasd_20002 05-03-2003 11:05

I tried to rebuild the import table with ImpRec.
Since it fails even with the correct OEP, I used another Delphi DLL initially and then this one; a sort of partial grafting work.

Now the DLL is working perfectly in certain environments :D :D, like if it is the first DLL called from the program. It does not work on a different computer or a different OS (Win98), or as the 3rd called DLL etc. :( I worked in XP.

What could be the cause? Relocs?

Please help me with suggestions. :)

asterix 05-03-2003 19:35

Hi!
Yes, vdsrun40.dll is necessary for me.
What is the size of this DLL?

But I tried to unpack it by picking it up with another .exe (my small .exe).
Strange:
esp=12f8ec (in WinXP)
oep=D1160 (without image base)
import (rva: 2681CC size: 7D8) <- I used ReVirgin (in WinXP).

I can't say anything certain about relocs.

But vdsrun40.dll is necessary for me!!!

drasd_20002 05-04-2003 01:48

I could not upload it here. It times out in 30 seconds; tried 5 times, no luck. I will give you the link hxxp://www.extremesenses.com/iupdate/iupdatefull.zip; you can do a zip preview in a download manager, e.g. Mass Downloader, and get only the DLL you need: 451.5 KB actual size but compressed to ~42%. :)

It is strange you got a different OEP.
I checked my DLL again. It works well in XP. So does another DLL in 98.
Thanks for taking the trouble.

asterix 05-04-2003 23:11

Hi!
Probably your version of the DLL differs from my version.

Code:

pec1:00B61160                public start
pec1:00B61160 start:
pec1:00B61160                push    ebp
pec1:00B61161                mov    ebp, esp
pec1:00B61163                add    esp, 0FFFFFFC4h
pec1:00B61166                mov    eax, offset dword_B60ED8
pec1:00B6116B                call    sub_A96C0C
pec1:00B61170                mov    eax, ds:dword_B63DA0
pec1:00B61175                mov    eax, [eax]
pec1:00B61177                call    sub_AEC494
pec1:00B6117C                mov    eax, ds:dword_B63DA0
pec1:00B61181                mov    eax, [eax]
pec1:00B61183                xor    edx, edx
pec1:00B61185                call    @Forms@TApplication@SetTitle$qqrx17System@AnsiString ; Forms::TApplication::SetTitle(System::AnsiString)
pec1:00B6118A                mov    ecx, ds:dword_B63ADC
pec1:00B61190                mov    eax, ds:dword_B63DA0
pec1:00B61195                mov    eax, [eax]
pec1:00B61197                mov    edx, ds:dword_B41980
pec1:00B6119D                call    sub_AEC4AC
pec1:00B611A2                call    sub_A944B8
pec1:00B611A7                nop


drasd_20002 05-05-2003 13:24

You are right.
I downloaded and checked the "new" version. The version number is the same but the DLL is different.
OEPs:
000D1160 - new one
000D5C58 - old one (the one I have).
Could the author be an active member of this forum :confused: or is it coincidental? I don't know :)
Does your DLL work on both Win98/XP?

drasd_20002 05-06-2003 15:41

I changed the image base from 00400000 to the image base at which it works in one situation inside the IDE. Now it works in all environments in a single OS, but not across different OSes.
Looks like the OEP is correct, because all the functions of the DLL are working and no errors occur once the DLL is loaded.

I tried ReloX, the relocation fixer by MackT, but then it crashes.
I don't know how to do it manually yet... have to learn.

Maybe some experts can give a proper hint.

Also when I use ReVirgin 1.5 "public version", enter the OEP and click Fetch IAT, it says "found nothing"; using the IAT resolver gives junk values with 0 references for all. It happens with all apps which are compressed/crypted.
I can get the imports at the same OEP with ImpRec. Something wrong with that version of ReVirgin?? Or something else?
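Three things this thread keeps returning to can be shown on a tiny image without a real packed target: walking the section table and the import descriptors the way HYC's PEInfo does, asterix's reminder that a dumped DLL carries relocs and an image base, and the import walk that ImpRec/ReVirgin perform from the OEP. The following is an added example in Python; it is not code from the original posts, from PEInfo, or from any of the tools mentioned. It constructs a minimal PE32 DLL image in memory (sample data, not vdsrun40.dll or PECompact output), parses the headers, lists the imports as PEInfo prints them, and then moves the image from image base 00400000 to 00A90000 by applying its .reloc entries, which is the fix a dump taken at one base needs before it will load at another. Function names such as build_sample_pe, parse_imports and rebase_image are this example's own.

```python
import struct

OPT_FMT = '<HBB' + 'I' * 9 + 'H' * 6 + 'I' * 4 + 'HH' + 'I' * 6  # PE32 optional header up to the data directories

def build_sample_pe(image_base=0x00400000):
    """Constructed 32-bit DLL image (sample data, not a real file): one .text section at RVA 0x200 =
    file offset 0x200 holding an import descriptor for KERNEL32.dll, two instructions with absolute
    IAT addresses in them, and the .reloc block that covers those two addresses."""
    img = bytearray(0x400)
    img[0:2] = b'MZ'
    struct.pack_into('<I', img, 0x3C, 0x40)                                            # e_lfanew
    struct.pack_into('<4sHHIIIHH', img, 0x40, b'PE\0\0', 0x14C, 1, 0, 0, 0, 0xE0, 0x2102)  # i386, 1 section, 32-bit DLL
    opt = 0x58
    struct.pack_into(OPT_FMT, img, opt, 0x10B, 2, 50, 0x200, 0, 0, 0x280, 0x200, 0x200,   # PE32, AddressOfEntryPoint=0x280
                     image_base, 0x200, 0x200, 4, 0, 0, 0, 4, 0, 0, 0x400, 0x200, 0, 2, 0,   # ImageBase, both alignments 0x200
                     0x100000, 0x1000, 0x100000, 0x1000, 0, 16)                            # ..., 16 data directories
    struct.pack_into('<II', img, opt + 96 + 8 * 1, 0x200, 40)                              # IMPORT directory
    struct.pack_into('<II', img, opt + 96 + 8 * 5, 0x300, 12)                              # BASERELOC directory
    struct.pack_into('<8sIIIIIIHHI', img, opt + 0xE0, b'.text', 0x200, 0x200, 0x200, 0x200,
                     0, 0, 0, 0, 0xE0000020)                                                # same characteristics as pec1
    struct.pack_into('<IIIII', img, 0x200, 0x230, 0, 0, 0x250, 0x240)                      # descriptor; the zero one follows
    for thunk in (0x230, 0x240):                                                           # INT and IAT: by name, by ordinal, end
        struct.pack_into('<III', img, thunk, 0x260, 0x8000002A, 0)
    img[0x250:0x25D] = b'KERNEL32.dll\0'
    struct.pack_into('<H15s', img, 0x260, 0x123, b'GetProcAddress\0')                      # IMAGE_IMPORT_BY_NAME: hint, name
    struct.pack_into('<BIBBIB', img, 0x280, 0xA1, image_base + 0x240,                      # mov eax,[IAT]   (abs. addr at 0x281)
                     0xFF, 0x15, image_base + 0x244, 0xC3)                                  # call [IAT+4]; ret (abs. addr at 0x287)
    struct.pack_into('<IIHH', img, 0x300, 0x200, 12, 0x3081, 0x3087)                       # reloc block: page 0x200, 2 HIGHLOW
    return bytes(img)

def read_u32(image, off):
    return struct.unpack_from('<I', image, off)[0]

def cstr(image, off):
    return image[off:image.index(b'\0', off)].decode('ascii')

def parse_headers(image):
    """NT header fields and section table (PE32 only): enough for RVA mapping, imports and relocs."""
    pe = read_u32(image, 0x3C) if image[:2] == b'MZ' else -1
    if pe < 0 or image[pe:pe + 4] != b'PE\0\0' or struct.unpack_from('<H', image, pe + 24)[0] != 0x10B:
        raise ValueError('not a PE32 image')
    machine, nsec, _, _, _, opt_size, chars = struct.unpack_from('<HHIIIHH', image, pe + 4)
    opt = pe + 24
    entry, _, _, image_base = struct.unpack_from('<IIII', image, opt + 16)      # AddressOfEntryPoint .. ImageBase
    dirs = [struct.unpack_from('<II', image, opt + 96 + 8 * i) for i in range(read_u32(image, opt + 92))]
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr = struct.unpack_from('<8sIIII', image, opt + opt_size + 40 * i)
        sections.append(dict(name=name.rstrip(b'\0').decode(), va=va, vsize=vsize, rawsize=rawsize, rawptr=rawptr))
    return dict(opt=opt, machine=machine, chars=chars, entry=entry, image_base=image_base, dirs=dirs, sections=sections)

def rva_to_offset(hdr, rva):
    """File offset of an RVA; in a memory dump (raw == virtual) this is the identity."""
    for s in hdr['sections']:
        if s['va'] <= rva < s['va'] + max(s['vsize'], s['rawsize']):
            return rva - s['va'] + s['rawptr']
    if rva < hdr['sections'][0]['va']:
        return rva                                   # inside the headers, mapped 1:1
    raise ValueError('RVA %#x is not in any section' % rva)

def parse_imports(image):
    """{dll: [(name, hint) or ('ordinal', n), ...]} from the import descriptors, as PEInfo prints them."""
    hdr, result = parse_headers(image), {}
    rva = hdr['dirs'][1][0]
    off = rva_to_offset(hdr, rva) if rva else 0
    while rva:
        oft, tds, fwd, name_rva, ft = struct.unpack_from('<IIIII', image, off)
        if not (oft or tds or fwd or name_rva or ft):
            break                                    # all-zero descriptor ends the list
        funcs, toff = [], rva_to_offset(hdr, oft or ft)   # walk the INT, or the IAT if the INT was stripped
        while read_u32(image, toff):
            t = read_u32(image, toff)
            if t & 0x80000000:
                funcs.append(('ordinal', t & 0xFFFF))
            else:
                hoff = rva_to_offset(hdr, t)
                funcs.append((cstr(image, hoff + 2), struct.unpack_from('<H', image, hoff)[0]))
            toff += 4
        result[cstr(image, rva_to_offset(hdr, name_rva))] = funcs
        off += 20
    return result

def rebase_image(image, new_base):
    """Apply the HIGHLOW fixups for a move from the header's ImageBase to new_base, rewrite ImageBase,
    and return (new image, number of fixups applied); what a dump taken at the wrong base needs."""
    hdr, out = parse_headers(image), bytearray(image)
    delta = (new_base - hdr['image_base']) & 0xFFFFFFFF
    off = rva_to_offset(hdr, hdr['dirs'][5][0])
    end, applied = off + hdr['dirs'][5][1], 0
    while off < end:
        page_rva, block_size = struct.unpack_from('<II', out, off)
        if block_size < 8:
            raise ValueError('corrupt relocation block at %#x' % off)
        for eoff in range(off + 8, off + block_size, 2):
            typ, frag = divmod(struct.unpack_from('<H', out, eoff)[0], 0x1000)
            if typ == 0:
                continue                             # IMAGE_REL_BASED_ABSOLUTE: alignment padding
            if typ != 3:
                raise ValueError('unsupported relocation type %d' % typ)
            foff = rva_to_offset(hdr, page_rva + frag)
            struct.pack_into('<I', out, foff, (read_u32(out, foff) + delta) & 0xFFFFFFFF)
            applied += 1
        off += block_size
    struct.pack_into('<I', out, hdr['opt'] + 28, new_base)   # OptionalHeader.ImageBase
    return bytes(out), applied
```

In the constructed image SectionAlignment equals FileAlignment, so RVA == file offset, which is also how a LordPE dump looks; rva_to_offset does the real mapping for an on-disk file. The relocation pass only touches the absolute addresses listed in .reloc, so the RVAs in the import directory and the IAT are left alone; if a packer has thrown the .reloc data away, the image cannot be rebased this way at all, and the image base it was dumped at has to be kept.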

asterix 05-20-2003 02:57

This is my small example which shows how to make a patch
for a DLL packed by PECompact 1.84.
Enjoy! :D

hxxp://www.exetools.com/forum/showthread.php?s=&threadid=2178

drasd_20002 05-23-2003 15:11

Thank you very much.
I will go through it today.
You are great.

