Back

Enigma6.8 unpacking + repair part- 1

 The latest Enigma shelling, although it is also removed, there are still some reluctances. To repair IAT perfectly, you need to manually process some functions necessary for different languages to completely repair IAT.

Platform: windows XP 32-bit

Tools: OD, REC

Packing object: VC6.0 program

Looking for OEP

1648719810614.png

Looking for OEP, I use a language-specific feature code location method. This method is very fast. Single-step is more difficult than OEP. This shell is also very strict in detecting breakpoints. There are also corresponding detection methods for F8 single-step tracking. For example, the return address calculated after a certain CALL will become an incorrect value and cannot be returned to the previous layer normally. We also try to avoid using CC breakpoints and memory breakpoints, and only use hardware breakpoints to debug programs.



We can find a VC++6.0 shellless program on the Internet to find the CALL at the head of the OEP (the first few are fine, don’t be too far away, and don’t be too close). I will also package various language example programs for everyone. for reference.

The feature code I am looking for is 33 C0 6A 00 39 44 24 08 68 00 10 00 00 0F 94 C0 50 FF 15 ?? ?? ?? ?? 85 C0

1648719819213.png
1648719825818.png

Let’s let the program run first. After all, almost all encrypted shells will be filled with the original code segment data. Running the program will let the program decode the code segment so that we can locate the OEP with the feature code.

1648719831651.png

Just click the hardware execution breakpoint here, reload the program F9 so that the program execution will break at our execution breakpoint in the past, we look at the stack window and return directly to the call of the previous layer. OEP

1648719836152.png

The search for OEP is over here. It is not difficult. This method can locate the OEP by other methods of processing the OEP head except that the direct virtualization effect of the entrance is not good. For example, the stolen code can also effectively process the head back. The code or the code close to the head can be located for the next analysis to retrieve the head code.

Repair IAT
Let me first introduce several ways to deal with IAT with EG shell.

1.Simulate function execution

2.Pure encryption

3.Encryption + simulation function

4.There is also a special case, but it is also a simple encryption, and the difficulty is the lowest. I will also briefly talk about it below.

1648719845481.png
1648719864487.png

The first type: simulation function execution
The IAT function executed by the simulation function is the IAT function at the beginning of the above screenshot 0111, which is all simulation type IAT, we just select a right button to find the reference and find the call to call.

1648719871087.png

I also randomly choose a call reference 00421678, we rebuild the EIP execution in this call to see what it becomes

1648719887223.png
1648719891043.png
1648719895191.png

The code is executed in sections by adding flowers. Let’s write a breakpoint to the hardware under this IAT function address to see where to write this address

We can see that the content of the EDX register starts with the address 0111 of the memory segment applied by the shell. We can look up the source of edx, and follow up to see where the 0111 address is generated.

005C3F0B 8B55 F0 MOV EDX,DWORD PTR SS:[EBP-0x10]

1648719901505.png

I can try to reload the program under the VirtualAlloc breakpoint. When the program just applies for the 0111 segment of memory, let’s see what is in this memory segment.

We randomly select a simulated function address and search for this value in the 0111 section. We will find that we can find this address. We remember this address and reload the program VirtualAlloc until we just apply for this address. We will find this address. It’s no longer a 0111 value but an API function address, and it smells the truth.

1648719907533.png

We are here to write the next hardware breakpoint to cancel the breakpoint for the memory application, and then F9 runs, we will find that it will be broken in a filled place, well, let’s try to prevent him from successfully overwriting the original API address. See, the result is that the simulation functions of the IAT table all become normal function addresses, and the simulation functions are solved in this way. To write a script, I will attach my script, which is not very good.

1648719912504.png

Leave A Reply

Your email address will not be published. Required fields are marked *