Inline patching a packed DLL
I am trying to inline patch a DLL packed with PECompact v1.84 (I think).
The first step would be finding the OEP, isn't it? When I tried to load the DLL into Symbol Loader (SoftICE DS 2.7 on Win XP with no SP1; patched nmtrans.dll, siwvid.sys and ntice.sys) it does not load. The section characteristics of the first section, i.e. pec1, are already E0000020. Then I tried to preload the DLL by adding a line to winice.dat, but when I start SoftICE and give any command like d A90000 or BPX A90000 or (any command a*, * = anything), SoftICE crashes with the message "Int0E Fault at address ****** offset 00006D78". If I don't load the DLL and run the app, the above faults don't occur, but obviously I cannot set any memory breakpoints on the address I mentioned; they will be ignored. After unloading SoftICE by reboot I tried OllyDbg 1.09b, loaded the exe and started a wild "trace over" (F8) once I felt I was near the call into the DLL. Oops, an exception occurs in kernel32.dll; OK, I pass it to the app using Shift+F7 or F8, but then the app runs without pausing: the DLL gets loaded and the unpacking routine is already over :( :(. Tried using the plugin OllyDump 2.20 to find the OEP by tracing; immediately there is an exception, an error message is displayed and the process is terminated. Sh**t. I tried BPX IsDebuggerPresent; the response is that it breaks 60 times. How do I find and disable the anti-debugging routines used by the DLL, given that it is packed? SoftICE detection tools say it is detected only by INT 01. Plz help.
Hi!
Open the DLL in HIEW and replace the first byte with CCh. Start SoftICE and give the command "i3here on". Start the program, and when it stops give the command "r eip eip-1". Then put the original first byte back. Then give the command "i3here off". :) I am sorry for my horrible English.
In the meanwhile I used the IceExt extension for SoftICE.
It is mostly not detected, not even by INT 1. I tried your suggestion; it works well. One could use a macro too: MACRO a = "r eip eip-1; eb eip %1". At the entry I have PUSHFD / PUSHAD / CALL abcd; here the registers are saved, and these should be restored just before the OEP jump. So I looked for the register value location in the data window, set a break on text, then bpx / bpm at that address, but it does not stop there. Where am I going wrong? :mad:
I understand you badly. You cannot find the OEP?
Try to do something like this. :D
- Remember the value of ESP at the EP of the DLL.
- Then put "bpx GetProcAddress" or "bpx (GetProcAddress+3)" (for especially spiteful protectors) and press F5.
- When it stops, do "bc *".
- Then put "bpr esp-4 esp+4" (if you are on Win98) or bpm esp-4, bpm esp-3, bpm esp-2, bpm esp-1 (if you are on Win2k/XP). :)
Yes, I was unable to find the OEP.
I tried your advice. I ultimately reached 00B65C58. Is this the OEP? I have marked it in the code below (SoftICE). How do I confirm that? I also did not understand the principle behind the breakpoints.
___________________________________________________________
EAX=0012F750 EBX=00CFC000 ECX=0012F798 EDX=00050001 ESI=0012F6F0 EDI=00000001
EBP=0012F6FC ESP=0012F6E0 EIP=00CFD550 CS=001B DS=0023 SS=0023 o d I a z a p c ES=0023 FS=0030 GS=0000
__________Mydll!.pec______________________________________
001B:00CFBFF9 FFFF          INVALID
001B:00CFBFFB FFFF          INVALID
001B:00CFBFFD FFFF          INVALID
001B:00CFBFFF FFEB          JMP EBX              //BREAK DUE TO EMBEDDED INT3
001B:00CFC001 06            PUSH ES
001B:00CFC002 68585C0D00    PUSH 000D5C58
001B:00CFC007 C3            RET
001B:00CFC008 9C            PUSHFD               //SAVE REGISTERS
001B:00CFC009 60            PUSHAD               //SAVE REGISTERS
001B:00CFC00A E802000000    CALL 00CFC011
001B:00CFC00F 33C0          XOR EAX,EAX
001B:00CFC011 8BC4          MOV EAX,ESP
001B:00CFC013 83C004        ADD EAX,04
001B:00CFC016 93            XCHG EAX,EBX
001B:00CFC017 8BE3          MOV ESP,EBX
________________________________________________________________
//snipped
Break due to GetProcAddress [after F5]
001B:77E7A5D9 50            PUSH EAX
001B:77E7A5DA FF15AC12E677  CALL [ntdll!RtlImageNtHeader]
001B:77E7A5E0 85C0          TEST EAX,EAX
001B:77E7A5E2 0F84170FFFFF  JZ 77E734FF
001B:77E7A5E8 6683785C03    CMP WORD PTR [EAX+5C],03
001B:77E7A5ED 0F850C0FFFFF  JNZ 77E734FF
001B:77E7A5F3 33C0          XOR EAX,EAX
001B:77E7A5F5 40            INC EAX
001B:77E7A5F6 C3            RET
001B:77E7A5F7 FF257C13E677  JMP [ntdll!LdrGetProcedureAddress]
KERNEL32!GetProcAddress
001B:77E7A5FD 55            PUSH EBP             //Break due to GetProcAddress
001B:77E7A5FE 8BEC          MOV EBP,ESP
001B:77E7A600 51            PUSH ECX
001B:77E7A601 51            PUSH ECX
001B:77E7A602 53            PUSH EBX
-------------------------------------------------------------------
//snipped
I put bpm 0012F6E0-4, bpm 0012F6E0-3, bpm 0012F6E0-2, bpm 0012F6E0-1, then pressed F5.
Break due to BP 04: BPMB #001B:0012F6DF RW DR0
001B:00CFD52C 8D956BA14000  LEA EDX,[EBP+0040A16B]
001B:00CFD532 6A40          PUSH 40
001B:00CFD534 52            PUSH EDX
001B:00CFD535 FFB53D974000  PUSH DWORD PTR [EBP+0040973D]
001B:00CFD53B FFB539974000  PUSH DWORD PTR [EBP+00409739]
001B:00CFD541 E8F40A0000    CALL 00CFE03A
001B:00CFD546 85C0          TEST EAX,EAX
001B:00CFD548 0F859DFDFFFF  JNZ 00CFD2EB
001B:00CFD54E 61            POPAD
001B:00CFD54F 9D            POPFD                ///Restore registers
001B:00CFD550 50            PUSH EAX
001B:00CFD551 60505CB600    PUSH 00B65C50
001B:00CFD556 C20400        RET 4
001B:00CFD559 8BB55B974000  MOV ESI,[EBP+0040975B]
---------------------------------------Mydll.pec+152C-----------------------
//snipped
Traced with F8 after that; it reaches here:
001B:00B65C58 55            PUSH EBP             //??? OEP
001B:00B65C59 8BEC          MOV EBP,ESP
001B:00B65C5B 83C4C4        ADD ESP,-3C
001B:00B65C5E B8B059B600    MOV EAX,00B659B0
001B:00B65C63 E8CC0CF3FF    CALL 00A96934
001B:00B65C68 A1F47FB600    MOV EAX,[00B67FF4]
001B:00B65C6D 8B00          MOV EAX,[EAX]
001B:00B65C6F E85CCBF9FF    CALL 00B027D0
001B:00B65C74 A1F47FB600    MOV EAX,[00B67FF4]
001B:00B65C79 8B00          MOV EAX,[EAX]
001B:00B65C7B 33D2          XOR EDX,EDX
001B:00B65C7D E846C7F9FF    CALL 00B023C8
001B:00B65C82 8B0DDC7CB600  MOV ECX,[00B67CDC]
001B:00B65C88 A1F47FB600    MOV EAX,[00B67FF4]
001B:00B65C8D 8B00          MOV EAX,[EAX]
001B:00B65C8F 8B151C7FB400  MOV EDX,[00B47F1C]
001B:00B65C95 E84ECBF9FF    CALL 00B027E8
001B:00B65C9A E891E0F2FF    CALL 00A94530
001B:00B65C9F 90            NOP
001B:00B65CA0 0000          ADD [EAX],AL
001B:00B65CA2 0000          ADD [EAX],AL
001B:00B65CA4 0000          ADD [EAX],AL
-------------------------------------------------------------------
__________________________________________________
001B:00B65C50 55 PUSH EBP //??? OEP
__________________________________________________
Probably. It looks very much like the OEP. :D ;) :D
Edited: I congratulate you! Really, it is the OEP. :D :D :D
Thank you very much. :D :)
Now I will try to inline patch/unpack it. Are there any tutorials on PECompact DLL unpacking? There are lots on exe unpacking, but I could not find one on DLLs.
Unpacking a DLL does not differ at all from unpacking an EXE!
But it is necessary to remember: 1) about relocs; 2) about the image base at which it was dumped. :D
You may note that there was an OCR (optical character recognition software) error; I used OCR to get the SoftICE screen dump.
The OEP is 00B65C58 and not 00B65C50. I dumped the DLL after giving jmp eip at the OEP, using LordPE. I opened the original (unpacked) DLL process in ReVirgin, entered the OEP and clicked fetch IAT; it says "found nothing". The image base as shown by LordPE at dumping is 00A90000. Anyway I will try to find out more about ReVirgin and meanwhile try inline patching... it seems easier than unpacking :) because PECompact fuses all the sections and whatnot :mad:. Thank you for your valuable help :D :)
I do not know how you copied it from SoftICE, but the OEP is here:
001B:00CFD54E 61            POPAD
001B:00CFD54F 9D            POPFD                ///Restore registers
001B:00CFD550 50            PUSH EAX
001B:00CFD551 60505CB600    PUSH 00B65C50        <--- put OEP on the stack
001B:00CFD556 C20400        RET 4
If you are at eip=00CFD551 (PUSH 00B65C50), give the command "a eip jmp eip", but it is necessary to remember about the "nop". Or use the command !SUSPEND with IceExt. Then open LordPE, dump it and restore the import!!! I do not know what the problems with the import are. Maybe use ImpREC? :D :D :D :D :D
My First PEInfo
/* stdafx.h must be the first include in an MSVC project that uses precompiled headers. */
#include "stdafx.h"
#include <windows.h>
#include "Richedit.h"
#include "ProcessPeFile.h"
#include "RavToFileOffset.h"

/* Format strings for the RichEdit output (translated from the original Chinese;
   the field order matches the wsprintf calls below). */
char szMsg[]        = "File name: %s\x0d\x0a"
                      "----------------------------------------------------------\x0d\x0a"
                      "Machine:              0x%04X\x0d\x0a"
                      "Number of sections:   %d\x0d\x0a"
                      "File characteristics: 0x%04X\x0d\x0a"
                      "Preferred image base: 0x%08X\x0d\x0a\x0a";
char szMsg1[]       = "\x0d\x0a\x0d\x0a----------------------------------------------------------\x0d\x0a"
                      "Section holding the import table: %s\x0d\x0a";
char szMsgSection[] = "----------------------------------------------------------\x0d\x0a"
                      "Name     VirtSize VirtAddr RawSize  RawOffs  Characteristics\x0d\x0a"
                      "----------------------------------------------------------\x0d\x0a";
char szFmtSection[] = "%-8s %08X %08X %08X %08X %08X\xd\xa";
char szMsgImport[]  = "\x0d\x0a------------------------------------------------\x0d\x0a"
                      "Import library: %s\x0d\x0a"
                      "------------------------------------------------\x0d\x0a"
                      " OriginalFirstThunk %08X\x0d\x0a"
                      " TimeDateStamp      %08X\x0d\x0a"
                      " ForwarderChain     %08X\x0d\x0a"
                      " FirstThunk         %08X\x0d\x0a"
                      "------------------------------------------------\x0d\x0a"
                      "    Hint Imported function\x0d\x0a"
                      "------------------------------------------------\x0d\x0a";
char szMsgOrdinal[]  = "%8u (imported by ordinal)\x0d\x0a";
char szErrNoImport[] = "This file imports no functions\x0d\x0a";
char szMsgName[]     = "%8u %s\x0d\x0a";

extern char szFileName[MAX_PATH];
extern HINSTANCE hInst;     /* current instance */
extern HWND hWinEdit;       /* RichEdit window handle */
extern HWND hWinMain;       /* main window handle */

void _AppendInfo(char *szText);

void ProcessPeFile(void *lpFile, IMAGE_NT_HEADERS *lpPEHead, unsigned long dwSize)
{
    char szBuffer[1024];
    char szSectionName[IMAGE_SIZEOF_SHORT_NAME + 1];
    IMAGE_SECTION_HEADER *pSECTIONHead;
    IMAGE_IMPORT_DESCRIPTOR *pIMPORTDES;
    IMAGE_DATA_DIRECTORY directory;
    BYTE *pBase = (BYTE *)lpFile;       /* byte pointer: no truncation through (int) on 64-bit */
    int numberOfSections;

    /* Summary of the PE file header */
    wsprintf(szBuffer, szMsg, szFileName,
             lpPEHead->FileHeader.Machine,
             lpPEHead->FileHeader.NumberOfSections,
             lpPEHead->FileHeader.Characteristics,
             lpPEHead->OptionalHeader.ImageBase);
    SetWindowText(hWinEdit, szBuffer);
    _AppendInfo(szMsgSection);

    /* One line per section header. IMAGE_FIRST_SECTION honours SizeOfOptionalHeader,
       which sizeof(IMAGE_NT_HEADERS) does not; Name is not NUL-terminated when all
       8 bytes are used, so it is copied into a zeroed buffer before printing. */
    numberOfSections = lpPEHead->FileHeader.NumberOfSections;
    pSECTIONHead = IMAGE_FIRST_SECTION(lpPEHead);
    while (numberOfSections--) {
        RtlZeroMemory(szSectionName, sizeof(szSectionName));
        memcpy(szSectionName, pSECTIONHead->Name, IMAGE_SIZEOF_SHORT_NAME);
        wsprintf(szBuffer, szFmtSection, szSectionName,
                 pSECTIONHead->Misc.VirtualSize, pSECTIONHead->VirtualAddress,
                 pSECTIONHead->SizeOfRawData, pSECTIONHead->PointerToRawData,
                 pSECTIONHead->Characteristics);
        _AppendInfo(szBuffer);
        pSECTIONHead++;
    }

    /* Import table: data directory entry 1 */
    directory = lpPEHead->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT];
    if (directory.VirtualAddress == 0) {    /* no import table at all */
        _AppendInfo(szErrNoImport);
        return;
    }
    pIMPORTDES = (IMAGE_IMPORT_DESCRIPTOR *)(pBase + _RVAToOffset(lpFile, directory.VirtualAddress));
    wsprintf(szBuffer, szMsg1, _GetRVASection(lpFile, pIMPORTDES->OriginalFirstThunk));
    _AppendInfo(szBuffer);

    /* The descriptor array is terminated by an all-zero entry */
    while (pIMPORTDES->OriginalFirstThunk || pIMPORTDES->TimeDateStamp ||
           pIMPORTDES->ForwarderChain || pIMPORTDES->Name || pIMPORTDES->FirstThunk) {
        DWORD *pThunk;
        DWORD THUNKDATA;

        wsprintf(szBuffer, szMsgImport,
                 (char *)(pBase + _RVAToOffset(lpFile, pIMPORTDES->Name)),
                 pIMPORTDES->OriginalFirstThunk, pIMPORTDES->TimeDateStamp,
                 pIMPORTDES->ForwarderChain, pIMPORTDES->FirstThunk);
        _AppendInfo(szBuffer);

        /* Walk the INT (OriginalFirstThunk); fall back to the IAT when the INT is absent */
        pThunk = (DWORD *)(pBase + _RVAToOffset(lpFile,
                     pIMPORTDES->OriginalFirstThunk ? pIMPORTDES->OriginalFirstThunk
                                                    : pIMPORTDES->FirstThunk));
        for (THUNKDATA = *pThunk; THUNKDATA; THUNKDATA = *++pThunk) {
            if (THUNKDATA & IMAGE_ORDINAL_FLAG32) {
                wsprintf(szBuffer, szMsgOrdinal, IMAGE_ORDINAL32(THUNKDATA));
            } else {
                IMAGE_IMPORT_BY_NAME *pImportByName =
                    (IMAGE_IMPORT_BY_NAME *)(pBase + _RVAToOffset(lpFile, THUNKDATA));
                wsprintf(szBuffer, szMsgName, pImportByName->Hint, pImportByName->Name);
            }
            _AppendInfo(szBuffer);
        }
        pIMPORTDES++;
    }
    /* import table listing complete */
}

/* Append text at the end of the RichEdit control. The original passed an
   uninitialised CHARRANGE to EM_EXSETSEL; cpMin = cpMax = -1 selects the end. */
void _AppendInfo(char *szText)
{
    CHARRANGE stCR;
    stCR.cpMin = -1;
    stCR.cpMax = -1;
    SendMessage(hWinEdit, EM_EXSETSEL, 0, (LPARAM)&stCR);
    SendMessage(hWinEdit, EM_REPLACESEL, FALSE, (LPARAM)szText);
}

/* But first you should build a project (in a VC workspace), and you should map an opened file:
   get the handle of the file, then get the IMAGE_NT_HEADERS of the file.
   If you really want the whole project, you can mail me. [email protected] */
I have looked at this PECompact 1.84 here and have unpacked it.
I can tell that code of the kind:
:XXXXXXXX POPAD
:XXXXXXXX POPFD
:XXXXXXXX PUSH EAX
:XXXXXXXX PUSH XXXXXXXX
:XXXXXXXX RET 4
I observed many times in the PECompact code. After bpm esp-4... etc. you need to press F5 (as many times as it takes to find the OEP). So probably it was necessary to keep pressing F5. Maybe this (001B:00B65C58 55 PUSH EBP) is not the OEP! If possible, give a link to your program. I am sorry for my horrible English.
1 Attachment(s)
I think the OEP is right, because I tried the same method on a crackme (PECompact 1.84) and two other targets (exe); after unpack + IAT rebuild (ImpREC) all are working fine :).
But with the DLL, no success getting the IAT. Also with "XP notepad", which I packed with PECompact, ImpREC won't work. I have a few doubts: in an unpacked (original) notepad/exe/dll, the entry point in the PE header (PEP) is the OEP, is that correct? Is the OEP hard coded (present in the file on disk) in the PECompacted file? I tried getting IAT info in ImpREC for Notepad98; it gives values, but for notepad XP it says: "Could Not Find anything good at this OEP". I tried changing max recursion & buffer size in options, but no use. I think I have to find the IAT manually and fix it. I am sending you the target while I try confirming the OEP myself, because that would give me real confidence.
I tried to rebuild the import table with ImpREC.
Since it fails even with the correct OEP, I used another Delphi DLL initially & then this one; a sort of partial grafting work. Now the DLL is working perfectly in a certain environment :D :D, like if it is the first DLL called from the program. It does not work on a different computer, or a different OS (Win98), or if it is the 3rd called DLL, etc. :( I worked in XP. What could be the cause? Relocs? Plz help me with suggestions. :)
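The reloc and image-base caveat from the earlier reply ("remember about relocs and about the image base at which it was dumped") and the symptom in the post above (works on one machine, fails on another or as the third DLL loaded) are the same problem, so here is an added worked example. It is not code from this thread or from PECompact, LordPE, ImpREC or ReVirgin. It constructs a tiny PE32 DLL image in memory (it is not vdsrun40.dll; PREFERRED_BASE 0x10000000 is an assumed linker ImageBase), simulates the loader mapping it at 00A90000 (the base LordPE showed for the dump), and shows what a raw dump looks like: every absolute pointer listed in .reloc now reads 00A9xxxx while the header's ImageBase still says 10000000. When such a dump is later loaded anywhere except 00A90000, the loader adds the wrong delta and every pointer is off. The fix-up is two header writes (ImageBase := the dump base, AddressOfEntryPoint := OEP minus the dump base, which is what entering the OEP in LordPE does), after which the dump re-relocates cleanly to any base. dangling_pointers() is the check to run on a dump: any reloc target whose value lies outside [ImageBase, ImageBase + SizeOfImage) means the header base and the dumped pointers disagree. rva_to_offset() does the same job as the _RVAToOffset helper in the PEInfo code posted above.

```python
import struct

PREFERRED_BASE = 0x10000000   # assumed linker ImageBase of the constructed sample
DUMP_BASE = 0x00A90000        # the base LordPE reported for the dump in the thread
IMAGE_REL_BASED_HIGHLOW = 3
IMAGE_DIRECTORY_ENTRY_BASERELOC = 5

def build_sample_dll(base=PREFERRED_BASE):
    """Constructed minimal PE32 DLL laid out as in memory (offset == RVA), i.e. the shape of a
    LordPE full dump: .text holds two absolute pointers, .reloc lists both, EP is a fake stub."""
    img = bytearray(0x3000)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                                   # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, 2, 0, 0, 0, 0xE0, 0x2102)  # FILE_HEADER, DLL
    struct.pack_into("<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII", img, 0x58,           # OPTIONAL_HEADER32
                     0x10B, 0, 0, 0x1000, 0x1000, 0, 0x1008, 0x1000, 0x2000, base,
                     0x1000, 0x1000, 4, 0, 0, 0, 4, 0, 0, 0x3000, 0x1000, 0, 2, 0,
                     0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    struct.pack_into("<II", img, 0x58 + 96 + 8 * IMAGE_DIRECTORY_ENTRY_BASERELOC, 0x2000, 12)
    for i, (name, va, flags) in enumerate([(b".text", 0x1000, 0x60000020), (b".reloc", 0x2000, 0x42000040)]):
        struct.pack_into("<8sIIIIIIHHI", img, 0x138 + 40 * i, name, 0x1000, va, 0x1000, va, 0, 0, 0, 0, flags)
    # push ebp / mov ebp,esp / mov eax,imm32 / call [imm32] / ret: the two imm32s are HIGHLOW fixups
    code = (b"\x55\x8b\xec\xb8" + struct.pack("<I", base + 0x1010) +
            b"\xff\x15" + struct.pack("<I", base + 0x1020) + b"\xc3")
    img[0x1000:0x1000 + len(code)] = code
    struct.pack_into("<IIHH", img, 0x2000, 0x1000, 12, (3 << 12) | 0x004, (3 << 12) | 0x00A)
    return bytes(img)

def parse(img):
    """Header fields a dump fix-up needs; sections as (name, va, vsize, rawptr, rawsize)."""
    pe = struct.unpack_from("<I", img, 0x3C)[0]
    if img[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, opt_size = struct.unpack_from("<H", img, pe + 6)[0], struct.unpack_from("<H", img, pe + 20)[0]
    opt = pe + 24
    secs = [struct.unpack_from("<8sIIII", img, opt + opt_size + 40 * i) for i in range(nsec)]
    return {"opt": opt,
            "entry": struct.unpack_from("<I", img, opt + 16)[0],
            "image_base": struct.unpack_from("<I", img, opt + 28)[0],
            "size_of_image": struct.unpack_from("<I", img, opt + 56)[0],
            "dirs": [struct.unpack_from("<II", img, opt + 96 + 8 * i) for i in range(16)],
            "sections": [(n.rstrip(b"\0").decode(), va, vs, rp, rs) for n, vs, va, rs, rp in secs]}

def rva_to_offset(sections, rva):
    """Map an RVA to a file offset through the section table (same job as _RVAToOffset above)."""
    for _, va, vsize, rptr, rsize in sections:
        if va <= rva < va + max(vsize, rsize):
            return rva - va + rptr
    if rva < sections[0][1]:                  # inside the headers
        return rva
    raise ValueError("RVA %#x is not backed by any section" % rva)

def iter_relocs(img):
    """Yield (rva, type) for every entry of the base relocation directory."""
    hdr = parse(img)
    rva, size = hdr["dirs"][IMAGE_DIRECTORY_ENTRY_BASERELOC]
    off = rva_to_offset(hdr["sections"], rva)
    end = off + size
    while off < end:
        page, block = struct.unpack_from("<II", img, off)
        if block == 0:
            break
        for k in range(8, block, 2):
            entry = struct.unpack_from("<H", img, off + k)[0]
            if entry >> 12:                   # type 0 (ABSOLUTE) is alignment padding
                yield page + (entry & 0xFFF), entry >> 12
        off += block

def apply_relocs(img, delta):
    """What the loader does when the image is not mapped at ImageBase: add delta to every
    HIGHLOW target. The header's ImageBase is left untouched, exactly as in a memory dump."""
    hdr, out = parse(img), bytearray(img)
    for rva, typ in iter_relocs(img):
        if typ != IMAGE_REL_BASED_HIGHLOW:
            raise NotImplementedError("reloc type %d" % typ)
        off = rva_to_offset(hdr["sections"], rva)
        struct.pack_into("<I", out, off, (struct.unpack_from("<I", out, off)[0] + delta) & 0xFFFFFFFF)
    return bytes(out)

def load_at(img, base):
    """Simulate mapping img at base; the result is what LordPE would dump from memory."""
    return apply_relocs(img, base - parse(img)["image_base"])

def fix_dump_header(dump, dump_base, oep_va):
    """ImageBase := the base the dump was taken at, AddressOfEntryPoint := OEP RVA."""
    hdr, out = parse(dump), bytearray(dump)
    struct.pack_into("<I", out, hdr["opt"] + 28, dump_base)
    struct.pack_into("<I", out, hdr["opt"] + 16, oep_va - dump_base)
    return bytes(out)

def dangling_pointers(img):
    """Reloc targets whose value is outside [ImageBase, ImageBase + SizeOfImage): the
    signature of a dump whose header still carries the pre-dump ImageBase."""
    hdr = parse(img)
    lo, hi = hdr["image_base"], hdr["image_base"] + hdr["size_of_image"]
    vals = [(rva, struct.unpack_from("<I", img, rva_to_offset(hdr["sections"], rva))[0])
            for rva, _ in iter_relocs(img)]
    return [(rva, v) for rva, v in vals if not lo <= v < hi]

if __name__ == "__main__":
    dump = load_at(build_sample_dll(), DUMP_BASE)
    print("raw dump, bad pointers:", [(hex(r), hex(v)) for r, v in dangling_pointers(dump)])
    print("fixed dump, bad pointers:", dangling_pointers(fix_dump_header(dump, DUMP_BASE, DUMP_BASE + 0x1000)))
```

This only helps when the dump still carries an intact .reloc directory; if the packer rewrote or dropped it, no header edit will make the DLL loadable at another base, and the alternative is a full manual rebuild of the relocation table.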
Hi!
Yes, vdsrun40.dll is necessary for me. What is the size of this DLL? I tried to unpack it having hooked it up to another .exe (my small .exe). Strange: esp=12f8ec (in WinXP), oep=D1160 (without image base), import (rva: 2681CC, size: 7D8) <- I used ReVirgin (in WinXP). I can tell nothing certain about relocs. But vdsrun40.dll is necessary for me!!!