#3  12-30-2005, 16:56
hosiminh
0052D0E1 C2 1000 RETN 10
0052D0E4 90 NOP //oep
0052D0E5 90 NOP
0052D0E6 90 NOP
0052D0E7 90 NOP
...
...
0052D14C 90 NOP //stolen bytes
0052D14D 90 NOP
0052D14E E8 BC0EF0FF CALL dap.0042E00F //here
0052D153 391D 40025C00 CMP DWORD PTR DS:[5C0240],EBX
0052D159 75 0C JNZ SHORT dap.0052D167
0052D15B 68 8AD25200 PUSH dap.0052D28A
0052D160 FF15 94315500 CALL NEAR DWORD PTR DS:[553194] ; msvcrt.__setusermatherr
0052D166 59 POP ECX ; dap.0052D153
0052D167 E8 0C010000 CALL dap.0052D278
MS VC (with MFC .dll) app


You can cut this one.
0 00153670 ? 0000 00401000

About those 3 unresolved:
0 0015332C ? 0000 00F764E6
0 00153330 ? 0000 00F78B53
0 00153334 ? 0000 00F71E99

5 resolved: these pointers are the correct ones.

My dap.exe, 2,37 MB (2.487.296 bytes), md5 hash == 53E8C02AD30FD09652DEE62FD750DFC0
has oep at 0052D0E4 (106 stolen bytes)


Search for constants (rva address) ...

//find references | selected commands
0052EF50 - FF25 2C335500 JMP NEAR DWORD PTR DS:[55332C]
0052EF56 - FF25 34335500 JMP NEAR DWORD PTR DS:[553334]
0052EF5C - FF25 30335500 JMP NEAR DWORD PTR DS:[553330]

Encrypted code when you are on eip = 0052D14E
004CEE82 5A POP EDX ; dap.0052D153
004CEE83 2949 9A SUB DWORD PTR DS:[ECX-66],ECX
004CEE86 17 POP SS ; Modification of segment register
004CEE87 EE OUT DX,AL ; I/O command
004CEE88 8568 25 TEST DWORD PTR DS:[EAX+25],EBP
004CEE8B 9B WAIT
004CEE8C 2AC0 SUB AL,AL
004CEE8E 17 POP SS ; Modification of segment register
004CEE8F DB9F FD2112B6 FISTP DWORD PTR DS:[EDI+B61221FD]
004CEE95 8205 7CD0EF02 BD ADD BYTE PTR DS:[2EFD07C],-43
004CEE9C 4F DEC EDI ; ntdll.7C910738
004CEE9D 02E8 ADD CH,AL

code decryption happens here (use memory bp on write):
0012E998 AC LODS BYTE PTR DS:[ESI]
0012E999 32C2 XOR AL,DL
0012E99B AA STOS BYTE PTR ES:[EDI]
0012E99C ^ E2 FA LOOPD SHORT 0012E998
0012E99E 59 POP ECX ; 0BE9FCF5
0012E99F 5E POP ESI ; 0BE9FCF5
0012E9A0 FF15 82234300 CALL NEAR DWORD PTR DS:[432382]
0012E9A6 81C4 54000000 ADD ESP,54
0012E9AC 61 POPAD
0012E9AD 68 82EE4C00 PUSH 4CEE82
0012E9B2 C3 RETN


004CEE82 E8 C9000600 CALL dap.0052EF50
004CEE87 6A 00 PUSH 0
004CEE89 FF15 44365500 CALL NEAR DWORD PTR DS:[553644]
004CEE8F E8 1ADC0500 CALL dap.0052CAAE ; JMP to MFC42.#6438
004CEE94 FF15 84335500 CALL NEAR DWORD PTR DS:[553384]
...
...
...
004D01F9 E8 C923F3FF CALL dap.004025C7
004D01FE 8BC8 MOV ECX,EAX
004D0200 E8 A96CF8FF CALL dap.00456EAE
004D0205 6A 00 PUSH 0
004D0207 FFB5 58FCFFFF PUSH DWORD PTR SS:[EBP-3A8]
004D020D 8B8D 7CEBFFFF MOV ECX,DWORD PTR SS:[EBP-1484] ; dap.005C3EC0
004D0213 E8 C8390000 CALL dap.004D3BE0



code is not encrypted
0052EF56 - FF25 34335500 JMP NEAR DWORD PTR DS:[553334]

//reference
004D293A E8 17C60500 CALL dap.0052EF56

code is not encrypted
0052EF5C - FF25 30335500 JMP NEAR DWORD PTR DS:[553330]

//reference
004D373A E8 1DB80500 CALL dap.0052EF5C


Now if you search for those commands you see they occur very often (more than 90 times)

60 PUSHAD
50 PUSH EAX
51 PUSH ECX
52 PUSH EDX
53 PUSH EBX
55 PUSH EBP
56 PUSH ESI
57 PUSH EDI

binary search:
60 50 51 52 53 55 56 57

so I assume this target has some parts of the code section that decrypt only when needed (like Formik & Optimik -> use google to find these appz; but those 2 have only 7 or 9 encrypted code sections; svkp goes this way: decrypt code only when needed, load it in memory, then encrypt it back)

The last encrypted section ends at 004F2C79.

004F2C73 80 DB 80
004F2C74 9B DB 9B
004F2C75 29 DB 29 ; CHAR ')'
004F2C76 . 854E E4 TEST DWORD PTR DS:[ESI-1C],ECX
004F2C79 . 60 PUSHAD
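As an added example (not part of hosiminh's post), a small Python script that emulates the LODSB / XOR AL,DL / STOSB / LOOPD loop shown at 0012E998 and scans a code section for the 60 50 51 52 53 55 56 57 stub prologue the post searches for. The key 0x5A, the section base 004CEE00 and the sample section layout are constructed; the plaintext is the decrypted listing at 004CEE82.

```python
import re

# Constructed example, not from the post: emulates the decryption loop at 0012E998
# and scans a section for the stub prologue (PUSHAD; PUSH EAX; PUSH ECX; PUSH EDX;
# PUSH EBX; PUSH EBP; PUSH ESI; PUSH EDI) that the post says occurs over 90 times.
STUB_SIGNATURE = bytes.fromhex("6050515253555657")

# Decrypted bytes listed at 004CEE82 in the post:
# CALL 0052EF50 / PUSH 0 / CALL [553644] / CALL 0052CAAE / CALL [553384]
PLAINTEXT = bytes.fromhex("E8C90006006A00FF1544365500E81ADC0500FF1584335500")
KEY = 0x5A  # constructed key; in the real loop it is whatever DL holds


def xor_loop(buf: bytes, key: int) -> bytes:
    """Emulate LODSB / XOR AL,DL / STOSB / LOOPD with ECX = len(buf).

    Every byte is XORed with the low byte of the key in place.  XOR is its own
    inverse, so the same routine re-encrypts the code afterwards, which is the
    'decrypt when needed, then encrypt it back' behaviour the post describes.
    """
    dl = key & 0xFF
    return bytes(b ^ dl for b in buf)


def find_stubs(section: bytes, section_va: int) -> list[int]:
    """Return the virtual address of every stub prologue in a section's raw bytes."""
    return [section_va + m.start()
            for m in re.finditer(re.escape(STUB_SIGNATURE), section)]


def build_sample_section() -> bytes:
    """Constructed section: two stubs, each followed by an encrypted copy of PLAINTEXT."""
    blob = xor_loop(PLAINTEXT, KEY)
    return STUB_SIGNATURE + blob + b"\x90" * 16 + STUB_SIGNATURE + blob


if __name__ == "__main__":
    section = build_sample_section()
    for va in find_stubs(section, 0x004CEE00):
        print(f"stub prologue at {va:08X}")
    # Recover the code that follows the first stub and check it round-trips.
    enc = section[len(STUB_SIGNATURE):len(STUB_SIGNATURE) + len(PLAINTEXT)]
    print(xor_loop(enc, KEY).hex(" ").upper())
```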