Install embedded patches for protected applications through hook api functions

Http://www.pediy.com/kssd/pediy08/pediy8-793.htm

Hook api functions

Embedded patches for protected applications

Original: Sub z3r0

Topic: Spirit of the wind

Forum: Seek 'n' destroy team 2oo6

Contents

Principle of Shell and embedded patch ................................................... 2
Simple Hook method .................................................................. 3
Difficult hook Methods .................................................................. 4
My methods ..................................................................... 5
Use the Hook method to install an embedded patch for asprotect 2.xx shell ........................... 6
Use the Hook method to install the embedded patch of telock 0.98 + shell .............................. 8
Use the Hook method to build an embedded patch for the armadillo 4.xx shell ........................... 10
Use the Hook method to build an embedded patch for the execryptor 2.xx shell ........................... 12
Use the Hook method to install the embedded patch of themida 1. XX shell ................................. 15

Introduction:

To understand the meaning of embedded patches, you must understand the following issues:

Q: What does a shelling or adding a protection program usually do to the original program?

A: The shelling program compresses the original code of the application (such as ASPack and UPX shells) or encrypts (such as telock and themida shells) or has two (such as asprotector and Armadillo shells ), add his own code to the result file, and change the EP (entry point) to the EP of his own code.

Q: What are the operations on shell program code?

Answer: 1. allocate some memory for yourself (maybe not in this step)

2. decrypt the code and write the allocated memory (self-decryption)

3. decrypt the original code of the program and write it to the base address of the original image (usually 400000 H)

4. Some shells also need to remove the API function [input table] or simulate the API function functions.

5. Fixed the input table (or redirected the address from calling the API function to the simulated API function)

6. Jump to OEP (original entry point)

Note: The second step may occur more than twice, which makes normal embedded patches more difficult. Now that you understand the principle of shell, you need to understand the principle of embedded patch. The problem is similar:

Q: What is an embedded patch?

A: Embedded patching is a technique that removes the need to shell a program!

Q: How does it work?

A: To do this, we must insert a piece of code after the original code of the program is written in the shell code and before the application to be modified. One of the most important issues with embedded patches is to obtain the CRC value. You can usually use the API function (createfile-readfile, createfilemapping-mapviewoffile) to read the file and get it.

(For more information, see the Lena tutorial and the ollydebug tutorial for arteam beginners)

(If you want to learn advanced embedded patch skills, see the ARMA/aspr embedded patch tutorial of johnwho)

Q: How do we hook up an API function?

A: I know there are two methods:

Simple Method:

1. Read 5 or 6 bytes at the beginning of the API function and save them at an address X.

2. Rewrite the 5-byte or 6-byte at the beginning of the API function into a jump command [note] and jump to address X.

3. Write our code at the address x + 5 or X + 6.

4. At the end of the Code, write a jump command and jump to this address-"API function address" plus 5 or 6.

[Original note] You can use the following commands to redirect: JMP [xxxx] (6 byte), JMP xxxx (5 byte), or push xxxx ret (6 byte)

My function task: Write 5 bytes at [eax] to [EBX]; write the "Jump to [EBX]" command to [eax]; write the "Jump to [eax + 5]" command to [EBX + 10].

[Figure 1]

This method is correct, but not applicable to all API functions and all Windows platforms.

Difficult method:

1. Read and save 5 or 6 bytes at the beginning of the API function.

2. Rewrite the 5 and 6 bytes at the beginning of the API function into a command to jump to address X. [Push/RET mode]

3. write our code in address X, and then write some code (function: first save the original return address of the API function, change the return address of the API function to the address y in our code), restore the 5-byte or 6-byte at the beginning of the API function, and write a jump command to jump to the API function.

4. The code at address y must be re-executed in step 1, and then jump to the original return address.

[Figure 2]

[Step 1 and Step 2 are completed at the original entry point of the program. When Step 2 is intercepted, it changes the API back to the original state. Therefore, step 2 must be done again, that is, install.
Hook again for next interception. The original return address of the API function is read from dword ptr ss: [esp] each time it is intercepted.

This method is difficult, but it applies to all API functions and all Windows platforms.

Q: What is your method?

A: My method is to teach you to use hooks to intercept API functions to defeat CRC checks and patch programs (after the original code of the program has been decrypted or decompressed ).

Question: How can this problem be solved?

A: The embedded patch method consists of the following steps:

Step 1: Use one of the following techniques to defeat the CRC check:

A) Hook readfile or mapviewoffile and write the original bytes back to the buffer zone. (We use this method for asprotector shell)

[Buffer refers to eax + 128 When mapviewoffile is returned]

B) hook up the API function call for the last CRC Check and rewrite the Calculated CRC value to the original CRC value of the program. (We often use this method)

C) For shells with memory check, we should first correct the memory data. (We use this method for target programs with themida protection)

Step 2: hook api functions such as getmodulehandlea (for Delphi/C ++ programs), getversion (for C ++ programs), and thunrtmain (for vbprograms, they will be called shortly after they arrive at OEP; patch them. (In some cases, we must use counters to count the number of calls to the OEP)

(If the shelling program does not remove the input table, you can also compare the return address of getmodulehandlea. If the return address is smaller than the sum of "first address of the code segment + size of the code segment", you will know that, this call comes from the original code of the program, that is, it is time to install patches .)

["Code segment" refers to the original code of the program]

Now let's use some target programs:

Johnwho inlineme:

1, asprotect 2.11

SND! 2oo5 unpackmes:

2, telock 0.98 +

(3) Armadillo 4.20

5, themida 1.3.x

6, execryptor 2.1.70

Use the Hook method to install the embedded patch of asprotect 2.xx shell:

Use Topo to open our target program (johnwho inlineme )...

[Figure 3]

[815 bytes are idle. You can write the patch code here]

815 bytes is enough! So we will use the existing segments... The idle memory address is 4898d1... So we changed the program EP to the offset address 898d1.

Think about what we must do in this case:

1. The idle memory will be changed by aspr, so we need to allocate some memory for installing our hook.

2. Write our code and correct the address in the allocated memory. [Code relocation]

[Figure 4]

3. hook the mapviewoffile function to defeat CRC:

We will hook mapviewoffile... Modify accessmode to 1 (file_map_copy) (to make it changeable )... Modify the return address of the mapviewoffile function to bring the returned address to our code (after mapviewoffile function is executed, we will fix its buffer-the buffer address is placed in eax )... Then we compare the EP of the file image with our EP (898d1), and rewrite the EP of the file image to the OEP (1000) of the shell to correct the CRC.

4. Hook the getmodulehandle function to remove the nag screen:

The first call to getmodulehandle with null as the parameter is from the code segment, which refers to the original code of the application... This means that the program has been shelled out of memory, which is a good time to install patches. [Figure 5]

Run the program... Good! Annoying things are removed!

Use the Hook method to install an embedded patch for telock 0.98 + shell:

First, copy the file and use Topo to open our target (use snd unpackme? We want to fix its title )...

Add a new 400-byte section to the file...

Change the offset of EP to the new space: 66bd6

We must first find the CRC:

Use Olly to open the original file backup... For the closehandle function, refer to breakpoint... Run and wait until the Olly is disconnected... Press Ctrl + F9 to get to ret... Then press F8 to view the Code:

[Figure 6]

Run the checkpoint at 4659de... Copy the eax value (this is the original CRC )...

Now let's think about what we need to do for this case:

1. telock shell protects applications whose input table does not have getprocaddress... So we have to find the address of the function from the output table of Kernel32 (a little professional technology is required !) ... You can also manually add getprocaddress in their input table or use lordpe...

2. As shown in the preceding figure, we can write "mov eax, 04e468f32 | JMP rj9de" to the return address of closehandle for the first call to pass the CRC check.

3. hook getmodulehandle for patching:

The first call to getmodulehandle with null as the parameter is from the code segment, which refers to the original code of the application... This means that the program has been shelled out of memory, which is a good time to install patches.

This code first finds getprocaddress, and then hooks closehandle and getmodulehandle...

[Figure 7]

Hook callback function...

[Figure 8]

Run it now

[Figure 9]

Haha! The title has been modified... Ah! If Teddy knows, he will kill me!

Use the Hook method to build an embedded patch for the armadillo 4. XX shell (without hmemcpy2:

I'm sure this method also applies to hmemcpy2 (but I don't have time to test it !)

Use Topo to open our target (or use snd unpackme? We need to fix the title again )...

Add a new 300-byte section to the file...

Modify the offset of EP to the new space: 13b000

We must first find CRC:

Use Olly to open the original file backup... For the outputdebugstringa function, see breakpoint... Run the program 2nd times and stop at this function breakpoint... Press Ctrl + F9 to get to ret... Then press F8 to view the Code:

[Figure 10]

Right-click the Stack window and select "relative to EBP" under "Address" in the menu "... Now the Stack window is following EBP:

[Figure 11]

The figure shows 5 CRC values... Copy them all... Embedded patches will be used later.

(You can also use Armadillo CRC finder 1.3 By avatar to find these CRC values)

Now let's think about our purpose:

1. Hook outputdebugstringa, use the counter to detect the second call, and override those CRC.

2. Hook getmodulehandle and use the counter to detect 5th calls, because this time the parameter is null, that is, the call source is close to OEP.

[Figure 12]

Run the program to view its title:

[Figure 13]

[Figure 14]

Use the Hook method to build an embedded patch for the execryptor 2. XX shell:

Use Topo to open our target (or use snd unpackme? We need to fix the title again )...

Add a new 300-byte section to the file...

In this case, check CRC before arriving at Ep! It is calculated in TLS-callback...

So modify tlscallback to the code we added.

We must first find the crc values of the execryptor:

Set the first pause on the system breakpoint

[Figure 15]

Use Olly to open the original file backup (I'm sure you have prepared one !) ... For the lower _ lread function, refer to breakpoint... Press SHIFT + F9 14 times (maybe you are different there? I mean the last _ lread call )... Press Ctrl + F9 to get to ret... Then press F8 to view the Code:

[Figure 16]

Right-click the Stack window and select "relative to EBP" under "Address" in the menu "... Now the Stack window follows EBP:

[Figure 17]

Copy these CRC values.

What should we do now?

1. Hook _ lread function. Use the counter to overwrite the CRC values when detecting the 14th calls.

2. Hook the getmodulehandle function to patch the message box title:

The first call to getmodulehandle with null as the parameter is from the code segment, which refers to the original code of the application... This means a good time for patching.

Please refer to the code and comments for better understanding:

[Figure 18]

[Figure 19]

Run the program to see:

[Figure 20]

Use the Hook method to install an embedded patch for themida 1. XX shell (without ring0-level Drivers:

Use Topo to open our target (SND unpackme )...

Add a 550-byte new section to the file (I used to add the. themida section size and use it )...

Modify the EP to the offset address of the newly added space. The themida shell does not have any CRC Check (which makes our work much easier), but it has a little memory check!

But there are some more difficult problems! Its input table does not contain getmodulehandle and getprocaddress!

What can we do now?

1. Let's explore peb_ldr_data to get the imagebase value of Kernel32! Then, you can get the getmodulehandle and getprocaddress function addresses through the output table of Kernel32 (it is common to reverse! This will be a bit difficult ?). Or you can simply add the required API functions to the input table of the Program (manually or using loadpe.

2. Restore the EP in the PE Header in the memory first! (To pass the memory check ).

3. hook getmodulehandle to patch the message box title:

The first time that the returned address value of the getmodulehandle function call is smaller than H, it indicates that this call comes from the code segment, so we should patch it.

See the next picture for better understanding-> -〉

(Note: In my case, I didn't add any sections to my files... I just added the. themida section size to get free space for my use... So you will see that I allocated some memory to install my hook (because themida shell code will try to write something there ))

[Figure 21]

[Figure 22]

[After mounting the hook, the EP of the restored shell, and the shell section size, jump to the shell entry]

[Figure 23]

I think five examples are enough! This article is written here! (Any questions or questions? I will try my best to answer in the snd Forum .)

Thanks:

Teddy Rogers (Thanks for providing unpackmes and helping me publish this article)

Johnwho (thanks to his beautiful CRC skills)

Greetings:

Soda + Sina, Joker + lordxp, magic, and all snd/shabgard/unreal friends.

Sub z3r0 | spirit of the wind |-SND team 2oo6

SND team 2oo6 Forum> http://www.tuts4you.com/forum/