Manually Unpacking SPLayer 0.08

Tuesday, March 01 2005 @ 06:14 PM CET

Contributed by: KaGra

Level : beginner

Manually unpacking PEid v0.93

&&&&&&&&&&&&&&&&&& SPLayer 0.08 Manually Unpacking Tutorial by KaGra &&&&&&&&&&&&&&&&&&&&

It was 10:39 at night,when I decided to see what kind of API's PEid v.093 used
because I was curious about some stuff.Unfortunatelly,this version of PEid is
protected by a protector.So,I opened another version of PEid and identified the packer
as SPLayer 0.08 -> Jibz.

Now only tools needed are: Olly v1.10,OllyDump Plugin,command line plugin,ImpRec v1.6f

Open the PEid (target) using Olly and u are at the Entry Point here:

00425FDA > ? 8D40 00 LEA EAX,DWORD PTR DS:[EAX]
00425FDD . B9 CC5F4200 MOV ECX,PEiD.00425FCC
00425FE2 . 6A 0E PUSH 0E
00425FE4 . 58 POP EAX
00425FE5 > C00C01 04 ROR BYTE PTR DS:[ECX+EAX],4
00425FE9 . 48 DEC EAX
00425FEA .^75 F9 JNZ SHORT PEiD.00425FE5

Now,in exceptions be sure that you have checked only ignore memory access violations in KERNEL32.
Press Shift+F9 one time,and Olly breaks at an exception,here:

00401016 89 DB 89
00401017 08 DB 08
00401018 50 DB 50 ; CHAR 'P'
00401019 45 DB 45 ; CHAR 'E'
0040101A 43 DB 43 ; CHAR 'C'
0040101B 32 DB 32 ; CHAR '2'
0040101C 00 DB 00
0040101D 8E DB 8E
0040101E E0 DB E0

Now,press the "M" buttont in Olly,and you can see the Image of memory.Right click and
set break-on-acess at code section (.text).Now press Shift+F9 once more and the
breakpoint is triggered,Olly pauses at code section,here:

00479599 C602 E9 MOV BYTE PTR DS:[EDX],0E9
0047959C 83C2 05 ADD EDX,5
004795A4 33C0 XOR EAX,EAX
004795A6 C3 RETN

Now start tracing using F7 and execute the RETN,and you are at windows API's
memory here:

77F79BA4 64:8B25 00000000 MOV ESP,DWORD PTR FS:[0]
77F79BAB 64:8F05 00000000 POP DWORD PTR FS:[0]
77F79BB5 C2 1400 RETN 14

Well,if u continue tracing with F7,the code will lead to an opcode like this:

7FFE0302 0F34 SYSENTER ; Jamps at kernel,Ring-3 debuggers cannot proceed debugging

This opcode will jamp at kernel,where Olly as a Ring-3 debugger cannot proceed the
debugging,and will just run the exe,bypassing the OEP where we need to land.So set
again a break-on-access breakpoint when being at 77F79BA4,in code (.text) section and
press Shift+F9 one more time and we land here:

00401016 .-E9 8C850700 JMP PEiD.004795A7

Trace the JMP using F7 and we land Here:

004795A7 B8 6884BAFF MOV EAX,FFBA8468
004795AC 64:8F05 00000000 POP DWORD PTR FS:[0]
004795B3 83C4 04 ADD ESP,4
004795B6 55 PUSH EBP
004795B7 53 PUSH EBX
004795B8 51 PUSH ECX
004795B9 57 PUSH EDI
004795BA 56 PUSH ESI
004795BB 52 PUSH EDX
004795BC 8D98 F8108D00 LEA EBX,DWORD PTR DS:[EAX+8D10F8]

Now trace till 004795BC.Those pushes you see,are the basic register pushes that a packer
saves in stack,then executes its code and at the end pops them back from stack and jamps at OEP.
So,when you are at 004795BC,go to ESP register and right click->Follow in Dump.In Dump window
you see this:

0012FFAC 04 03 FE 7F D5 BB 12 00 F7 03 00 00 00 00 00 00 ջ.......
0012FFBC 00 F0 FD 7F F0 FF 12 00 C7 14 E8 77 F7 03 00 00 ..w..
0012FFCC D4 BB 12 00 00 F0 FD 7F F0 DC B1 F1 C8 FF 12 00 Ի..ܱ.
0012FFDC 8F C8 53 80 FF FF FF FF 09 48 E9 77 10 12 E9 77 S€.Hww
0012FFEC 00 00 00 00 00 00 00 00 00 00 00 00 DA 5F 42 00 ............_B.
0012FFFC 00 00 00 00 ....

Now highlight the four bytes at 0012FFAC (04 03 FE 7F) and right click->Breakpoint->
Hardware on access->Dword.This will trigger Olly to pause when ESP has the same
value as now (0012FFAC).This will happen when the basic registers will be poped
and just before the Magic jamp at OEP.This trick can be used in many simple
packers,but of cource NOT all packers.

Now press one more time Shift+F9 and the breakpoint is triggered,we land here:

0047964A 5E POP ESI ; PEiD.00455F1E
0047964B 5F POP EDI
0047964C 59 POP ECX
0047964D 5B POP EBX
0047964E 5D POP EBP
0047964F FFE0 JMP EAX

Remove hardware breakpoint.So,you are at 0047964A,trace a little more using F7 and the
magic jamp at 0047964F goes you at OEP,so execute it and we land here:

00455F1E 6A DB 6A ; CHAR 'j'
00455F1F 60 DB 60 ; CHAR '`'
00455F20 68 DB 68 ; CHAR 'h'
00455F21 08 DB 08
00455F22 F5 DB F5
00455F23 42 DB 42 ; CHAR 'B'
00455F24 00 DB 00
00455F25 E8 DB E8
00455F26 B2 DB B2

We cannot see the code,so right click on it->Analysis->Analyze code.You see that:

00455F1E . 6A 60 PUSH 60
00455F20 . 68 08F54200 PUSH PEiD.0042F508
00455F25 . E8 B2180000 CALL PEiD.004577DC
00455F2A . BF 94000000 MOV EDI,94
00455F2F . 8BC7 MOV EAX,EDI
00455F31 . E8 1AFAFFFF CALL PEiD.00455950
00455F36 . 8965 E8 MOV DWORD PTR SS:[EBP-18],ESP
00455F39 . 8BF4 MOV ESI,ESP
00455F3D . 56 PUSH ESI ; /pVersionInformation
00455F3E . FF15 90114000 CALL DWORD PTR DS:[401190] ; GetVersionExA
00455F44 . 8B4E 10 MOV ECX,DWORD PTR DS:[ESI+10]

So OEP=00455F1E.Now dump the process using OllyDump,without having Import Rebuilding Option
checked.Now open ImpRec,select the process and enter as OEP=OEP as seen in Olly-Imagebase=
00455F1E-00400000=00055F1E.Then IAT Autoseach and Get Imports.Now press Show invalid.Good,no
Invalid thunks,so proceed and Fix Dump.

Now go for it,and run the fixed dump.Wow,it runs just fine.Target Unpacked!

Have in mind that if U ran the fixed dumped exe under Olly,it will check if there is
a Debugger using IsDebuggerPresent API.So you should either have OllyHide Plugin
or just place a breakpoit at IsDebuggerPresent,and when Olly breaks,trace till
user code and make EAX=0.

That's all about it.In zip you will find the unpacked PEid v0.93 and this tutorial.