poniedziałek, 18 maja 2020

Reading malware - unpacking ASPack 2.12

Today I decided to check some 'new samples available online' and that's how I found the one called "gwzsesxxgq.exe". Below you'll find the details. Here we go...
This time I started somewhere here:


...which is partialy true ;) because I found this sample somewhere else few days later than it was published here. I believe it was this one:



Anyway because both samples looks the same - you can use the one mentioned above to continue.

TL;DR
As usual, I downloaded this sample on my Kali VM to check strings available inside:


That was not a good information... I decided to use hexdump -C binary.file with less, this is what I found:



Can you see the company name? ;> 

Few more:


For me - at 'this stage' of 'reading malware' ;) - it's a good indicator to check those strings at Google ;) When I was looking the name (guiwuzhe3) I was finding only some pages about some chinese games... :| I wasn't sure if it's a good way. But that's how I found that there is indeed a game and a movie :D


Well. I didn't know. :) But that's how I found another results, see below:


Ok. Let's try to find something useful about another found string:


Ok, at this moment I realized that 'probably' I'm reversing some "cheat-engine" xD what a great day!


TL;DR2:

I downloaded the binary from Kali VM to my Win7 VM:

 
Next thig was to run PEiD and scan the file:


Next step - open sample exec file in OllyDbg :) - and we can see our 'welcome-message':



Next I was looking for ("LOADER ERROR") POPAD instruction to set a breakpoint:


Don't worry about the popup. It's because the file is still packed. Click Yes. Then I set another breakpoint (F2) on RETN instruction, just like you can see below:


F9, F7, F7, F7, F7, F7 - (you should be on RETN) and hit Enter - we will jump to the address (when the binary will return):


We should be here:


Code is "not analysed" so right-click -> and goto Analysis -> Analyse code ;) Sooooo:


Hm. This is not the 'analysis' I was expecting for. ;Z

I was wondering what's going on anyway in the meantime I dumped the binary (using OllyDump plugin):


"Click Dump!" I said to myself (...and that was my mistake - we'll get back to that later;)):


(I dumped this new code using method1 and method2) So we should be here:

So far, so good. Next I opened dump2.exe file in Olly to check available strings:


Looks like now we have a few more ;) So I decided to compare both (ok, all 3;)) files in PEiD again. Original one looks like this:


Sure, it is. So now let's see for our hero in action :>


This is not the 'unpacked & ready to go with Ida'-code I was expecting for... or it is? ;]

"Google-is-your-friend", so I found the hint very quickly:


...or maybe I just need to spent some time with Lena again? (I think so.) ;)


Yes Cody, that small thing in programs called 'section' could be very important. 
Now, write it down 10000 times. 

So I opened the binary in Ida again and guess what:


Wow, shock! There is still .aspack section xD brilliant. :| Again Neo.

At this stage I decided to start everything again ;) I prepared a new (Win)VM to run this 'malware' (with some dynamic analysis) and see the difference between 'my unpacked binary' and the binary that will be extracted by the original started malware.

Checking:


Uh. Almost as beautiful as the crackmes we created last time, isn't it? ;) Anyway - that's not the point. Point is - now, we have a binary extracted by the original (packed) program as well as the one unpacked manualy. "It's time, it's time for diff-action" ;)

That's how I found this nice program. I decided to check it before I'll go back to the +University (or even to School) ;) so now we should be somewhere here:


Quick and easy - isn't it? ;] (But I still was not satisfied. ;S Anyway... ;])

As we can see 'our' unpacked binary is bigger (53) than the one created by AspackDie. So where was my mentioned 'mistake' (excluding: lack of practice ;))?


Yep. I missed the section-part. Well... next time ;)

Now we should know:
- how to (not;]) unpack ASPack manualy
- and how to do it using 'automated tool'.

Hope that helps one day. ;)

See you next time!



Special thanks goes to my Patreon:
- Daniel.

Thanks! You are AWESOME! ;]



Cheers









Brak komentarzy:

Prześlij komentarz