I read an article on IAT encryption processing. I learned how to fix IAT after arriving at OEP. If there is any error, please advise.
Copyright: evilangel
Test shell is The original program kryton The Krypter [v.0.2]
I. Shell check:
PEiD shell check:
Kryton 0.2-> Yado/Lockless
2. Arrive at OEP
First, load the OD, ignore all exceptions, and stop
00434000> 8B0C24 mov ecx, [esp];
Kernel32.7C817027
00434003 E9 0A7C0100 jmp 0044BC12
00434008 AD lods dword ptr [esi]
00434009 42 inc edx
0043400A 40 inc eax
0043400B BD BE9D7A04 mov ebp, 47A9DBE
Turn on the memory (alt + m ),
Memory map, entry 19
Address = 0041F000
Size = 00015000 (86016 .)
Owner = kryton 00400000
Section = YADO
Include = Resource
Type = Imag 01001002
Access = R
Initial access = RWE
F2 disconnection, F9 running
7C932315 66: 8B50 0C mov dx, [eax + C]
7C932319 66: 8955 B4 mov [ebp-4C], dx
7C93231D 8D70 10 lea esi, [eax + 10]
7C932320 8975 94 mov [ebp-6C], esi
7C932323 8B55 0C mov edx, [ebp + C]
7C932326 66: F742 02 FFFF test word ptr [edx + 2], 0 FFFF
7C93232C 75 11 jnz short 7C93233F
Then open the memory
Memory map, entry 20
Address = 00401000
Size = 00002000 (8192 .)
Owner = kryton 00400000
Section = YADO
Include = Code
Type = Imag 01001002
Access = R
Initial access = RWE
F2 disconnection, F9 running
003A3A39 66: 8138 FF15 cmp word ptr [eax], 15FF; // come here
Er
003A3A3E 75 09 jnz short 003A3A49
003A3A40 8378 02 00 cmp dword ptr [eax + 2], 0
003A3A44 75 03 jnz short 003A3A49
003A3A46 8958 02 mov [eax + 2], ebx
003A3A49 40 inc eax
003A3A4A 49 dec ecx
003A3A4B 85C9 test ecx, ecx
003A3A4D ^ 75 EA jnz short 003A3A39
003A3A4F 8B8D AFBB4100 mov ecx, [ebp + 41 BBAF]
003A3A55 890C24 mov [esp], ecx
003A3A58 8B95 B6BB4100 mov edx, [ebp + 41BBB6];
KRYPTON.00401000
003A3A5E FFE2 jmp edx; //
The OEP address is sent to edx and then jumped to OEP.
Go to OEP and check out what is written by MASM32/TASM32
00401000 6A 00 push 0; // OEP
00401002 E8 C1100000 call 004020C8; // ENTER back
Vehicle follow-in
00401007 A3 583B4000 mov [403B58], eax
0040100C 6A 00 push 0
0040100E 68 29104000 push 00401029
00401013 6A 00 push 0
00401015 6A 67 push 67
00401017 FF35 583B4000 push dword ptr [403B58]
0040101D E8 DC100000 call 004020FE
00401022 6A 00 push 0
00401024 E8 45100000 call 0040206E
Iii. Analysis of IAT encryption methods
After you press enter in the 00401002 E8 C1100000 call 004020C8 line, you can see
0040206E-FF25 C8D04100 jmp [41D0C8]; // you can view
Encrypted
00402074-FF25 CCD04100 jmp [41D0CC]
0040207A-FF25 D0D04100 jmp [41D0D0]
00402080-FF25 D4D04100 jmp [41D0D4]
00402086-FF25 D8D04100 jmp [41D0D8]
0040208C-FF25 DCD04100 jmp [41D0DC]
00402092-FF25 E0D04100 jmp [41D0E0]
00402098-FF25 E4D04100 jmp [41D0E4]
0040209E-FF25 E8D04100 jmp [41D0E8]
004020A4-FF25 ECD04100 jmp [41D0EC]
004020AA-FF25 F0D04100 jmp [41D0F0]
004020B0-FF25 F4D04100 jmp [41D0F4]
004020B6-FF25 F8D04100 jmp [41D0F8]
004020BC-FF25 FCD04100 jmp [41D0FC]
004020C2-FF25 00D14100 jmp [41D100]
004020C8-FF25 04D14100 jmp [41D104]; // enter
This line
004020CE-FF25 00000100 jmp [41D10C]
004020D4-FF25 10D14100 jmp [41D110]
004020DA-FF25 14D14100 jmp [41D114]
004020E0-FF25 18D14100 jmp [41D118]
004020E6-FF25 110000100 jmp [41D11C]
004020EC-FF25 20D14100 jmp [41D120]
004020F2-FF25 24D14100 jmp [41D124]
004020F8-FF25 28D14100 jmp [41D128]
004020FE-FF25 2366100 jmp [41D12C]
00402104-FF25 30D14100 jmp [41D130]
0040210A-FF25 38D14100 jmp [41D138]
In the data window, you can see
0041D0C8 0038001F
0041D0CC 0038003E
0041D0D0 0038005D
0041D0D4 0038007C
0041D0D8 0038009B
0041D0DC 003800BA
0041D0E0 003800D9
0041D0E4 003800F8
0041D0E8 00380117
0041D0EC 00380136
0041D0F0 00380155
0041D0F4 00380174
0041D0F8 00380193
0041D0FC 0000001b2
0041D100 001_1d1
0041D104 0000001f0
0041D108 00000000
0041D10C 00000020f
0041D110 00000022e
0041D114 00000024d
0041D118 0020.26c
0041D11C 00000028b
0041D120 0000002aa
0041D124 001272c9
0041D128 0000002e8
0041D12C 00380307
0041D130 00380326
0041D134 00000000
0041D138 00380345
0041D13C 00000000
Press enter to enter several jmp []. Two encryption methods are available,
One is:
00380193 8135 AE013800 D933C233 xor dword ptr [20171ae], 33C233D9
0034719d A1 AE013800 mov eax, [20171ae]
00100001a2 8135 AE013800 D933C233 xor dword ptr [1_1ae], 33C233D9
0020.1ac FFE0 jmp eax
The other is:
0038009B 8105 B6003800 A> add dword ptr [3800B6], 4C6DF1A1
003800A5 A1 B6003800 mov eax, [3800B6]
003800AA 812D B6003800 A> sub dword ptr [3800B6], 4C6DF1A1
003800B4 FFE0 jmp eax
Through analysis, we can conclude that if the immediate number after [xxxxxxxx] And xxxxxxxx is greater than 40000000
Perform the add operation. Otherwise, run the xor operation. You can also use the value of [xxxxxxxx] to judge the operation.
4. write code, fix IAT, and shell off
Below is a blank area for code writing. I found 0040236B.
0040263B B8 C8D04100 mov eax, 0041D0C8; // encrypt the IAT start address
Eax
00402640 8B10 mov edx, [eax]; // address stored by eax to edx
00402642 83FA 00 cmp edx, 0; // judge whether the value is zero
00402645 74 18 je short 0040265F; // if it is zero, only the next
Eax
00402647 83C2 02 add edx, 2; // edx + 2 to point
Address location
0040264A 8B0A mov ecx, [edx]; // send this address to ecx
0040264C 8B09 mov ecx, [ecx]; // The value of the address to ecx
0040e e 83C2 04 add edx, 4; // edx + 4, get only want to immediately
Number of addresses
00402651 8B12 mov edx, [edx]; // count it to The edx itself immediately
00402653 81FA 00000040 cmp edx, 40000000; // determine whether the number of immediate messages is greater
40000000
00402659 77 10 ja short 0040266B; // if the value is greater than, add the value.
0040265B 33CA xor ecx, edx; // No xor operation is executed
0040265D 8908 mov [eax], ecx; // Save the value to [eax]
Medium
0040265F 83C0 04 add eax, 4; // eax + 4
00402662 3D 3104100 cmp eax, 0041D13C; // compare whether the device has reached the IAT termination
Address
00402667 ^ 72 D7 jb short 00402640; // continue execution if no
00402669 90 nop
0040266A 90 nop
0040266B 03CA add ecx, edx; // execute the add operation.
0040266D ^ eb ee jmp short 0040265D; // store the Function Location
Address in [eax]
Binary Code
B8 C8 D0 41 00 8B 10 83 FA 00 74 18 83 C2 02 8B 0A 8B 09 83 C2 04 8B 12 81 FA 00 00 00 40 77
10
33 CA 89 08 83 C0 04 3D 3C D1 41 00 72 D7 90 90 03 CA EB EE
Right-click the line 0040263B-create an EIP, And Then disconnect the line F2 in line 00402669. Run F9, so that all IAT operations are completed.
The repaired data window is displayed.
0041D0C8 7C81CAC2 kernel32.ExitProcess
0041D0CC 7C8092F1 kernel32.GetTickCount
0041D0D0 7C810BDE kernel32.SetFilePointer
0041D0D4 7C801812 kernel32.ReadFile
0041D0D8 7C82869E kernel32.CopyFileA
0041D0DC 7C810AC7 kernel32.GetFileSize
0041D0E0 7C80236B kernel32.CreateProcessA
0041D0E4 7C809B97 kernel32.CloseHandle
0041D0E8 7C812F6D kernel32.GetCommandLineA
0041D0EC 7C832026 kernel32.SetEndOfFile
0041D0F0 7C801A28 kernel32.CreateFileA
0041D0F4 7C835E6F kernel32.MoveFileA
0041D0F8 7C809AA1 kernel32.VirtualAlloc
0041D0FC 7C809B34 kernel32.VirtualFree
0041D100 7C810DD7 kernel32.WriteFile
0041D104 7C80B6F1 kernel32.GetModuleHandleA
0041D108 00000000
0041D10C 77D2F3B7 USER32.SendMessageA
0041D110 77D211F1 USER32.PostQuitMessage
0041D114 77D1DBD4 USER32.MoveWindow
0041D118 77D50702 USER32.MessageBoxA
0041D11C 77D21304 USER32.LoadIconA
0041D120 77D1B6C4 USER32.GetWindowRect
0041D124 77D247FE USER32.GetDlgItem
0041D128 77D1E5D2 user32.get1_topwindow
0041D12C 77D3B12C USER32.DialogBoxParamA
0041D130 77D2F55B USER32.SetWindowTextA
0041D134 00000000
0041D138 7632311E COMDLG32.GetOpenFileNameA
0041D13C 00000000
Go back to OEP ---> 00401000, right-click it, and create an EIP. Then you can shell the EIP, which is valid for ImpREC restoration.
PEiD: MASM32/TASM32
Evilangel