[2012 CodeEngn Conference 07] 퍼다우크 - Manual UnPack by Debugger

Published on: 2012 CodeEngn Conference 07

Executable compression tools have two faces. On the positive side they protect developers' software from crackers and shrink the binaries that are transmitted over the network; on the negative side they make the contents of malware and other illicit binaries harder to read and analyze. From an academic standpoint, the reverse-engineering challenge posed by executable compression can act as a catalyst for better software and for the growth of a secure software industry. Following the Themida and UPX algorithms step by step in a debugger should give reverse engineers considerable help in understanding and studying anti-debugging as well as principles such as virtualization and polymorphism.

http://codeengn.com/conference/07

Published in: Technology


  1. Manual Unpack By Debugger, 2012-12-01. A-FIRST, 고흥환 (Principal Researcher). www.CodeEngn.com, 7th CodeEngn ReverseEngineering Conference. Copyright (c) AhnLab, Inc. 1988-2012. All rights reserved.
  2. Contents
     Packer
     Debugger Detection
     Virtual Machine Detection
     Anti Tracing
     Manual Unpack UPX
     Manual Unpack Themida 1.9.X
     Manual Unpack Themida 2.1.8.0
  3. Packer
  4. Executable compression = Runtime Packer = Packer: any means of compressing an executable file and combining the compressed data with decompression code into a single executable.
     I. Encryption, II. Compression, III. Redirection, IV. Substitution, V. Obfuscation, VI. Polymorphism, VII. Metamorphism, VIII. Protection, IX. Virtualization
     Name | Latest stable | Software license | x86-64 support
     .netshrink | 2.3 (March 29, 2012) | Proprietary | Yes
     Armadillo Packer | 8.60 (July 6, 2011) | Proprietary | Yes
     ASPack | 2.29 (August 3, 2011) | Proprietary | ?
     ASPR (ASProtect) | 1.64 (September 1, 2011) | Proprietary | ?
     BoxedApp Packer | 2.2 (June 16, 2009) | Proprietary | Yes
     CExe | 1.0b (July 20, 2001) | GPL | No
     Enigma Protector | 3.80 (August 2, 2012) | Proprietary | Yes
     EXE Bundle | 3.11 (January 7, 2011) | Proprietary | ?
     EXE Stealth | 4.14 (June 29, 2011) | Proprietary | ?
     eXPressor | 1.8.0.1 (January 14, 2010) | Proprietary | ?
     MPRESS | 2.19 (January 2, 2012) | Freeware | Yes
     Obsidium | 1.4.6 (July 18, 2012) | Proprietary | Yes
     PELock | 1.0.694 (January 23, 2012) | Proprietary | No
     PESpin | 1.33 (May 3, 2011) | Freeware | Yes
     RLPack Basic | 1.21 (October 31, 2008) | GPL | No
     Smart Packer Pro | 1.7 (November 5, 2011) | Proprietary | Yes
     Themida | 2.2.1.0 (July 25, 2012) | Proprietary | ?
     UPX | 3.08 (December 12, 2011) | GPL | No
     VMProtect | 2.1 (September 26, 2011) | Proprietary | Yes
     XComp/XPack | 0.98 (February 18, 2007) | Freeware | No
  5. Themida & UPX. [Pie chart: distribution of compilers and packers over 10,000,000 files examined by AhnLab in 2011. The largest slices are Microsoft C (22.2%), Delphi (21.1%) and Visual Basic (14.2%); UPX, Themida, ASPack, ASProtect, Armadillo, VMProtector, Upack, nSPack, PeCompact, FSG, MPRESS, PolyCryptor, Nullsoft, SFX and others make up the remaining slices.]
  6. Debugger Detection
  7. PEB fields checked: BeingDebugged (PEB+0x2), PEB_LDR_DATA (PEB+0x0C), ProcessHeap (PEB+0x18) with Flags (ProcessHeap+0x0C) and ForceFlags (ProcessHeap+0x10), NtGlobalFlag (PEB+0x68)
  8. IsDebuggerPresent(): TEB (Thread Environment Block) -> PEB (Process Environment Block)
  9. CheckRemoteDebuggerPresent(ProcessId, &bPresent)
  10. timeGetTime(), GetTickCount(), NtQueryPerformanceCounter(), RDTSC
      [diagram: timeGetTime() ... Garbage Codes ... timeGetTime()]
  11. SEH (Structured Exception Handler). [diagram: Stack -> Exception Handler -> Exception Handler]
  12. CreateFileA on "\\.\SICE", "\\.\SIWVID", "\\.\NTICE"
      HANDLE WINAPI CreateFile(__in LPCTSTR lpFileName, __in DWORD dwDesiredAccess, __in DWORD dwShareMode, __in_opt LPSECURITY_ATTRIBUTES lpSecurityAttributes, __in DWORD dwCreationDisposition, __in DWORD dwFlagsAndAttributes, __in_opt HANDLE hTemplateFile);
  13. FindWindow on class names and window titles: "FilemonClass", "File Monitor - Sysinternals: www.sysinternals.com", "Filem", "DeepFrz", "PROCMON_WINDOW_CLASS", "Process Monitor - Sysinternals: www.sysinternals.com", "PROCEXP", "RegmonClass", "Registry Monitor - Sysinternals: www.sysinternals.com", "18467-41", "REGMON", "regsys", "sysregm", "PROCMON"
  14. NtQuerySystemInformation, looking for the drivers "iceext.sys", "ntice.sys", "Syser.sys", "HanOlly.sys", "extrem.sys", "FRDTSC.sys"
      NTSTATUS WINAPI NtQuerySystemInformation(_In_ SYSTEM_INFORMATION_CLASS SystemInformationClass, _Inout_ PVOID SystemInformation, _In_ ULONG SystemInformationLength, _Out_opt_ PULONG ReturnLength);
  15. RegOpenKeyA "SOFTWARE\NuMega\DriverStudio" -> RegQueryValueEx "InstallDir" -> LoadLibraryA "~\SoftIce\NMTRANS.DLL" -> GetProcAddress "NmSymIsSoftICELoaded" -> call NmSymIsSoftICELoaded
  16. Anti Tracing
  17. STI, INT 1; SetEvent, DelayExecution
  18. Garbage Code - Linear Sweep Disassembly
  19. DbgUiRemoteBreakin Patch / DbgBreakPoint Patch
  20. Virtual Machine Detection
  21. I. Virtual Machine Artifacts in Processes, File System, and Registry
      II. Virtual Machine Artifacts in Memory
      III. Virtual Machine Specific Virtual Hardware
      IV. Virtual Machine Specific Processor Instructions and Capabilities
      < see "On the Cutting Edge: Thwarting Virtual Machine Detection" >
  22. RegOpenKeyA "Software\Wine", "HARDWARE\ACPI\DSDT\VBOX__"
      LONG WINAPI RegOpenKey(__in HKEY hKey, __in_opt LPCTSTR lpSubKey, __out PHKEY phkResult);
  23. RegOpenKeyA "HARDWARE\DESCRIPTION\System" -> RegQueryValueEx "SystemBiosVersion"
  24. VMware
      010603FB  B8 68584D56     MOV EAX,564D5868   ; magic number "VMXh"
      01060400  B9 14000000     MOV ECX,14         ; BACKDOOR_COMMAND_NUMBER
      01060405  66:BA 5856      MOV DX,5658        ; port number
      01060409  ED              IN EAX,DX          ; I/O command

      0105F878  B9 0A000000     MOV ECX,0A
      0105F87D  B8 04D75548     MOV EAX,4855D704
      0105F882  05 6481F70D     ADD EAX,0DF78164   ; EAX = 564D5868 ("VMXh")
      0105F887  BB 65D48586     MOV EBX,8685D465
      0105F88C  BA 40B63400     MOV EDX,34B640
      0105F891  81EA E85F3400   SUB EDX,345FE8     ; DX = 5658
      0105F897  ED              IN EAX,DX          ; I/O command
      0105F898  81FB 68584D56   CMP EBX,564D5868
      0105F89E  75 0A           JNZ SHORT 0105F8AA
  25. Manual Unpack UPX 1.9.3
  26. UPX layout: IMAGE DOS HEADER, IMAGE NT HEADER, .UPX0 header, .UPX1 header, .rsrc header; Extracted Data, Packed Data, Unpack Code, EntryPoint, resource, IAT table
  27. Unpack stub flow: EntryPoint -> Initialize -> Decompress -> Extracting -> (E8 09 or E9 09? Yes: Address Correction / No) -> Retrieves the API Address -> JUMP OEP
  28. UPX0 - Compressed Data / UPX1 - Decompressed Data; Extracting Algorithm ...
  29. E8 09 (CALL) / E9 09 (JMP) Address Correction
  30. Retrieves the address: UPX -> IAT
  31. Manual Unpack Themida 1.9.X
  32. Themida?
      Themida - Advanced Windows Software Protection System
      WinLicense - Professional Software Protection & Licensing Management
      Code Virtualizer - Total Obfuscation against Reverse Engineering
  33. Version 1.9.X layout: IMAGE DOS HEADER, IMAGE NT HEADER, .UPX0 header, .UPX1 header, .rsrc header; Packed Data, .rsrc Section, .idata Section, SFX, EntryPoint, IAT table
  35. VirtualAlloc, CreateFile, ReadFile "ADVAPI32.DLL"; VirtualAlloc, CreateFile, ReadFile "USER32.DLL"; VirtualAlloc, CreateFile, ReadFile "KERNEL32.DLL" -> Subsystem Virtualization
  36. Multi-Thread
  37. Themida SFX (Self-Extracting Archive) algorithm: 1st Decoding & Processing -> 2nd Decoding & Processing -> 3rd Decoding & Processing -> 4th Decoding & Processing -> ... -> n-th Decoding & Processing. Unpacking: Decode & ReEncode
  38. Manual Unpack Themida 2.1.8.0
  39. New Version 2.1.8.0
  43. Version 2.1.8.0 layout: IMAGE DOS HEADER, IMAGE NT HEADER, .UPX0 header, .UPX1 header, .rsrc header; Packed Data, .rsrc Section, .idata Section, Extracted SFX, Encoded SFX, Decode Code, EntryPoint
  44. ... it is hard. www.CodeEngn.com, 7th CodeEngn ReverseEngineering Conference
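The E8/E9 address correction of slides 27 and 29, as an added example that is not from the slides or from UPX itself: a simplified model of the call/jump address filter, with the marker byte 09 from the slide, showing both the pre-compression pass and the reverse pass the unpack stub performs after decompression. The bookkeeping (targets stored as offsets from the start of the buffer, marker in the top byte, choose_cto as the fallback when the marker is ambiguous) is my own assumption and not UPX's exact filter code.

```python
import struct

CALL, JMP = 0xE8, 0xE9  # the two opcodes the unpack stub scans for

def filter_calls(code, cto=0x09):
    """Pre-compression pass (assumed model): the rel32 after E8/E9 becomes the
    absolute target, as an offset into `code`, stored big-endian with the
    marker byte `cto` on top. Returns None when an E8/E9 that stays
    unconverted is followed by `cto`: the stub could not tell the two apart."""
    b, i = bytearray(code), 0
    while i < len(b) - 4:
        if b[i] in (CALL, JMP):
            target = i + 5 + struct.unpack_from("<i", b, i + 1)[0]
            if 0 <= target < len(b):          # only in-buffer targets are converted
                struct.pack_into(">I", b, i + 1, (cto << 24) | target)
                i += 5
                continue
            if b[i + 1] == cto:               # would be misread as converted
                return None
        i += 1
    return bytes(b)

def unfilter_calls(filtered, cto=0x09):
    """What the unpack stub does after decompression (slide 29): for E8/E9
    followed by the marker byte, restore the little-endian relative operand."""
    b, i = bytearray(filtered), 0
    while i < len(b) - 4:
        if b[i] in (CALL, JMP) and b[i + 1] == cto:
            target = struct.unpack_from(">I", b, i + 1)[0] & 0xFFFFFF
            struct.pack_into("<i", b, i + 1, target - (i + 5))
            i += 5
            continue
        i += 1
    return bytes(b)

def choose_cto(code, preferred=0x09):
    """Pick a marker byte that is unambiguous for this code, trying 09 first."""
    for cto in [preferred] + [c for c in range(256) if c != preferred]:
        out = filter_calls(code, cto)
        if out is not None:
            return cto, out
    raise ValueError("no usable marker byte")

# Constructed sample: push ebp / call +5 / 5 nops / ret / jmp back to offset 0 / xor eax,eax / ret
CODE = bytes.fromhex("55 E805000000 9090909090 C3 E9EFFFFFFF 31C0 C3")
# Same code followed by data that happens to read "E8 09 ..." with an out-of-range
# target: marker 09 would be ambiguous here, so choose_cto must pick another one.
CODE_CLASH = CODE + bytes.fromhex("E809000000")
```

For CODE the filtered bytes carry "E8 09 00 00 0B" and "E9 09 00 00 00", which is exactly the pattern the slide's stub tests for before correcting an address.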
