

How to use ESP techniques to unpack executable files

2025-01-16 Update. From: SLTechnology News&Howtos, Network Security.


Shulou(Shulou.com)05/31 Report--

This article explains how to use the ESP trick to unpack executable files. The editor thinks it is very practical, so it is shared here for everyone to learn from; I hope you get something out of it.

Packing and unpacking

A packer compresses an executable much like a zip archive does. With a zip file you extract the contents yourself; a packer instead prepends a small, uncompressed "runtime stub" to the compressed program. When the packed executable runs, the stub decompresses the original code into memory and then transfers control to it. Malware authors use this so that the real code is not visible to static analysis.

Identifying packed executables

How do we recognize a packed sample? One way is to look at its strings: a packed executable exposes very few meaningful ones. Another is to look at its imports, but a packed executable only shows the handful of API functions the stub itself needs (for UPX, essentially LoadLibraryA and GetProcAddress), which is exactly what makes reverse engineering harder. To analyze packed malware properly, we therefore run it under a debugger until the decompressed code is reached, dump the process from memory, and analyze the dumped executable instead.

This is where the "ESP trick" comes in. A packer stub usually begins with pushad, which saves all general-purpose registers on the stack, and ends with popad, which restores them just before jumping to the original entry point (OEP) of the unpacked program. Right after the pushad we set a hardware access breakpoint on the stack dword that ESP points to (the breakpoint is on memory, not on the register itself). The decompression loop never reads that location, so the breakpoint only fires when popad reads it back, and at that moment we are a few instructions away from the jump to the OEP. From there we can dump the process and obtain the unpacked code.

Unpacking a capture-the-flag program

We have written a small program to demonstrate manual unpacking; you can download it [here]. It is a little capture-the-flag game: find the correct password, enter it, and you get the flag. The password can be found by looking at the string data in Radare2, or simply with the strings command. But what if the program is packed? To show that case we packed it with the free UPX packer. Its unpacking routine is relatively simple, which makes it a very suitable tool to learn on. Good luck!

Process analysis

When we run rabin2 on the packed executable and look at its imports, there is very little to see, and the strings are meaningless:

    $ rabin2 -i UPX_Proj_Packed.exe
    [Imports]
    001 0x0040d03c NONE FUNC KERNEL32.DLL_LoadLibraryA
    002 0x0040d040 NONE FUNC KERNEL32.DLL_ExitProcess
    003 0x0040d044 NONE FUNC KERNEL32.DLL_GetProcAddress
    004 0x0040d048 NONE FUNC KERNEL32.DLL_VirtualProtect
    001 0x0040d050 NONE FUNC msvcrt.dll__iob
    $

Obviously this is a packed program. We can use PEiD to see which packer was used:

PEiD identifies UPX. This packer is very easy to undo: you can simply download UPX and run it with -d to unpack the file. What we want to show here, though, is how to do it manually. Because the target is a 32-bit executable (note the 0x0040xxxx addresses), we open it in x32dbg, the 32-bit debugger that ships with x64dbg, and press F9 until we reach the entry point of the program; x64dbg labels it "EntryPoint". The first instruction there is pushad, the telltale of a UPX stub, and it is our starting point.

Next, press F8 (step over) or F7 (step into) once so that the pushad executes and the registers are saved on the stack. Then right-click the ESP register in the register pane on the right and choose "Follow in Dump".

In the dump window at the bottom of x64dbg, select the first four bytes at the address ESP points to, right-click, and set a hardware access breakpoint on that DWORD.

Now press F9 to let the application run; it pauses as soon as the hardware breakpoint is hit. Execution stops right after the popad instruction, which confirms we are on the right path: the registers saved by pushad have just been restored. A few instructions later comes a jmp, and its target, 0x0040c483, is the original entry point of the unpacked executable.

Step over the jmp (F8) and we land on the entry point of the original program, the OEP.
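The dynamic ESP trick above finds the OEP by letting the stub run. As an added example (this is not code from the original article, from UPX or from x64dbg), the script below does the same job statically for a stock UPX-packed PE32 file, and also covers the identification step from earlier in the article: it parses the PE headers, reports per-section entropy and the UPX0/UPX1 section names, then scans the UPX1 stub for its tail (popad, then a jmp rel32 whose target lies inside UPX0) and computes the jump target, which is the OEP. It assumes an unmodified UPX stub with the default section names; the sample PE it builds is constructed for the demo and is not a real binary, and all function names are ours.

```python
"""Static UPX triage for PE32 files: spot the packer and recover the OEP.

Added example for this article; not code from the original page, from UPX or
from x64dbg. Instead of the dynamic ESP trick, it scans the UPX1 stub for its
tail, popad (0x61) followed within a few bytes by jmp rel32 (0xE9 disp32), and
accepts the jump only if it lands inside UPX0, where the unpacked program
lives. The sample PE built by build_fake_upx_pe() is constructed for the demo.
"""
import math
import struct
from typing import Optional


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: compressed data sits near 8.0, plain x86 code nearer 6."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe32(data: bytes) -> dict:
    """Minimal PE32 parse: image base, entry point RVA and the section table."""
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE executable")
    coff = pe_off + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    sections = []
    for i in range(nsections):
        off = opt + size_opt + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append({"name": name, "vaddr": vaddr, "vsize": vsize,
                         "raw": data[rawptr:rawptr + rawsize]})
    return {"image_base": image_base, "entry_rva": entry_rva, "sections": sections}


def looks_upx_packed(pe: dict) -> bool:
    """Cheap tell: stock UPX names its sections UPX0 (unpacked code) and UPX1 (stub)."""
    return {"UPX0", "UPX1"} <= {s["name"] for s in pe["sections"]}


def find_upx_oep(pe: dict, window: int = 32) -> Optional[int]:
    """OEP as a virtual address, or None. Older UPX emits popad; jmp back to
    back, newer builds insert a short stack fixup, which `window` absorbs."""
    if not looks_upx_packed(pe):
        return None
    secs = {s["name"]: s for s in pe["sections"]}
    upx0, upx1, base = secs["UPX0"], secs["UPX1"], pe["image_base"]
    code = upx1["raw"]
    start = max(pe["entry_rva"] - upx1["vaddr"], 0)   # stub starts at the packed entry
    for i in range(start, len(code)):
        if code[i] != 0x61:                             # popad
            continue
        for j in range(i + 1, min(i + 1 + window, len(code) - 4)):
            if code[j] != 0xE9:                         # jmp rel32
                continue
            disp = struct.unpack_from("<i", code, j + 1)[0]
            target_rva = upx1["vaddr"] + j + 5 + disp   # rel32 is from the next insn
            if upx0["vaddr"] <= target_rva < upx0["vaddr"] + upx0["vsize"]:
                return base + target_rva
    return None


def build_fake_upx_pe(image_base: int = 0x400000, oep_rva: int = 0xC483) -> bytes:
    """Constructed sample, not a real binary: PE32 with UPX0/UPX1 whose stub does
    pushad ... popad; jmp OEP, the shape the ESP trick breaks on."""
    upx0_rva, upx0_vsize, upx1_rva, raw_ptr = 0x1000, 0xC000, 0xD000, 0x400
    stub = b"\x60" + b"\x90" * 6 + b"\x61"              # pushad, stand-in body, popad
    stub += b"\xE9" + struct.pack("<i", oep_rva - (upx1_rva + len(stub) + 5))  # jmp OEP
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)             # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 16, upx1_rva)            # AddressOfEntryPoint = stub
    struct.pack_into("<I", opt, 28, image_base)
    sec = lambda n, va, vs, rs, rp: struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, 0)
    hdr = bytes(dos) + b"PE\0\0" + coff + bytes(opt)
    hdr += sec(b"UPX0", upx0_rva, upx0_vsize, 0, 0)      # UPX0 occupies no bytes on disk
    hdr += sec(b"UPX1", upx1_rva, 0x1000, len(stub), raw_ptr)
    return hdr.ljust(raw_ptr, b"\0") + stub


if __name__ == "__main__":
    pe = parse_pe32(build_fake_upx_pe())
    print({s["name"]: round(shannon_entropy(s["raw"]), 2) for s in pe["sections"]})
    print(looks_upx_packed(pe), hex(find_upx_oep(pe) or 0))   # True 0x40c483
```

On a real sample, call `find_upx_oep(parse_pe32(open(path, "rb").read()))`; on the article's target it should agree with the 0x0040c483 seen in the debugger. If the sections were renamed or the stub tail was patched (a common trick with modified UPX), the function returns None, and the dynamic ESP trick described above is the fallback; the reverse check is also worth doing, since a static answer that disagrees with where the hardware breakpoint fired means the stub is not stock.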

The next step is to analyze the unpacked code: press Ctrl+A so that x64dbg analyzes the module and the disassembly is displayed correctly. Now we can dump the process: press Ctrl+I or choose Scylla from the Plugins menu.

Click "IAT Autosearch" to let Scylla locate the import address table (IAT) of the unpacked program, then click "Get Imports" to resolve the API functions it imports from the system DLLs.

Now click "Dump" and save the dumped executable. But when we run this file, we get the error shown in the figure below:

This is because the dump's import directory still describes the stub's minimal IAT rather than the table the unpacked program actually uses, so we have to repair it as well. Back in Scylla, click "Fix Dump", select the file you just dumped, and click OK. On success Scylla writes a new file with "_SCY" appended to the name, and this one runs properly.

Then open the unpacked executable in rabin2 again and look at its imports: the full import table is now visible.

If you run the application with the password "this_is_password", you will see an interface like this:

Congratulations, you have captured the flag!

That is how to use the ESP trick to unpack executable files. The editor believes some of these points will come up in day-to-day work; I hope you can learn from this article. For more details, please follow the industry information channel.
