[TUTORIAL] Writing Dynamic Unpackers for Fun with TitanEngine (English Version)

July 14, 2011 4 comments

Yes!, finally, after a long long time, the English version of the TitanEngine tutorial is out!. You can find it in the Downloads section of the project’s homepage.

Special thanks goes to:

* Juan Esteban Forgia (@ztoker) for translating the first four pages.

* Apokliptiko for translating the second part of the tutorial.

* Francisco Falcón (@fdfalcon) for the reviewing.

* Fotis (@__fastcall) for supporting us all the time!.

If you find a mistake or if you have any comments, just drop us an line!.

Enjoy it!.

New Plugin for FUU – dePFE

February 18, 2011 Leave a comment

Crosspost from: http://pastafr0la.wordpress.com/2011/02/18/probando/

Thanks to “El Tio Pastafrola” for the contribution!.

Hello buddies!, today, i bring you a little review about the PFE packer v0.1 wich one i did my first steps with TitanEngine and FUU.

First of all, take a look at the packer’s GUI:

img1

We’ll pack a calc.exe with all the options to the maximum just to do a little test with it.

As we can see in the picture bellow, this packer runs in two separate processes:

img2

So, we loaded it into Olly and search for all the calls to CreateProcessA to land in packer’s hot zone

img3

This is the hot zone, we can see how the child process is created in a suspended mode, then, it allocates memory and finally it writes some stuffs in the childs’ memory 🙂

Lets put a BPX in WriteProcessMemory that follows the VirtualAllocEx and look what it has in the buffer

img4

The MZ signature you can see is the one that match our protected exe, in our case, calc.exe. This means that we wont to work with the second process because the first
process gives us the second process served on a silver platter.

The only thing we need to do is to align  and dump.

For the alignment, the only thing we need to do is to change the Raw Offset and Raw Size of each section for the corresponding VirtualOffset and VirtualSize.

img5

Then, we can dump the whole memory with the IsDebuggerPresent plugin:

img6

Finally, we have a fully functional and valid PE.

We can automate this task very easily with TitanEngine. We only need to follow these steps:

  • Set a breakpoint on WriteProcessMemory with the SetAPIBreakPoint function.
  • To define a callback function to set the breakpoint, align the PE image and dump the memory.

We don’t need to worry about to dump all the memory regions neither because TitanEngine gives us the DumpMemory function.

That’s all folks, is an easy packer as long as we attack the first process. In my first tests, i started to work with the second process and i have to admit that it was a very hard task to work with the two processes at the time because the SDK doesn’t provided us with good functions to deal with.

All this process was automated in the following plugin: bin src

ps. For those who are interested into create a plugin for FUU i give you the good news that the _DoUnpack function is no longer neccessary as our first callback.  Now, we can directly call the InitDebugEx becuse its last argument let us define a BPX that will run when it reach the debuggee’s callback.

Keep in mind this because if you try to set a BPX in an API without calling the DebugLoop function, it will not process  the LOAD_DLL (code exception: 6) event, therefor you will not be able to set the breakpoint because the DLLs are not yet loaded.

Categories: Tool Tags: , , ,

News …

December 1, 2010 Leave a comment

Hi!,

it has been a long time since our last post. We are still alive!.

As you probably know, no updates (main application and plugins) were released since October and that is because i’m working in a Anti-Anti-Debugger library for FUU and my new tool (aadp). We will need this library for future plugins so, is better to do it now!.

But this is not the only thing i want to talk about. Maybe you know (or not) that FUU was stolen and released under another name, without any change (except for the strings and logo :P) and under another license. You can check the ARTeam, tuts4you or crackinglandia’s web to read a more detailed thread.

I think, the end of the year is coming and the new version of FUU will not be released until next year, but, in the meanwhile, i will program some other plugins for the current version.

If you are interested in collaborate with the project (writing plugins, coding for the core of the app, GFX, etc) please, do not hesitate in contact us.

Well, i hope you enjoy the next plugins for FUU and i will see you next year with a new release of FUU!.

Stay tuned!,

NCR

Categories: News

New FUU plugin – dePeX

October 13, 2010 2 comments

Hi!,

after a while without any post of any kind, we are back!. This time is to let you know about another plugin update for FUU. This new plugin is for PeX, currently, we support PeX 0.99 but if you want us to support another version just send us the sample 🙂

I will show you just a few things about this simple packer.

This is the EP of PeX 0.99. If you look at the address where we are, you’ll see that the addresses belongs to the SFX section of the packed executable:

This is just the first “layer” of the packer.

We have this other piece of code where the addresses change drastically:

If you look at the [ESP], you’ll see RETF address:

In this case, 0x330000 is the address where the second layer will be executed, where imports are redirected and the JMP to the OEP is taken.

Then, we have the place where the IAT is redirected, here LoadLibrary is called to load into memory all the DLLs imported by the packed executable file:

Then, we have the GetProcAddress code that get all the imported functions from the packed file:

After this code is executed (redirection table), when we reach the OEP, we will see that all the indirect jumps from the IAT are redirected:

To fix the IAT wen can write a script for ODBScript (or OllyScript) by getting the original values from registers and overwrite the bad pointers with the good ones or simply look for the “magic” jump (yes, PeX has a magic jump that avoid the IAT redirection like many other packers):

we can find this jump by tracing the code mentioned above (GetProcAddress and LoadLibrary procedures) and analyzing it 😛

The last thing is the code that reach the OEP:

if we trace that piece of code, we’ll see that that the PUSH-RET combination will take the OEP’s address at the top of ESP:

This is just the value in the PUSH above plus 1:

That’s all folks!.

If you have any doubt, just email me!.

As always, all comments are welcome 😛

Here, you have the unpacker for PeX (dePeX) (binary) and here the sources.

See you soon!.

Categories: Tool Tags: , , ,

New FUU Plugin – deMew!

September 19, 2010 Leave a comment

Hi there!,

as i promised, here is another post about another plugin for FUU. This time i will talk about MEW.

MEW is a simple packer without any dirty trick , so, it is quite simple to unpack it and program an unpacker using TE.

Let’s see MEW11:


This is the EP of MEW11. Here, we can just follow the JMP using GetJumpDestination function from the TE SDK and looking at the end of the code we will see a RET instruction:


just setting a breakpoint at the RET and running the process we will break in the right moment when MEW11 will jump to the OEP of the program:

ESP register is pointing to the OEP address, so, we can read this value from ESP to get the OEP address.

The IAT is not a problem here. We can find the CALLs to LoadLibraryA and GetProcAddress just some bytes before the JMP to the OEP:


We can use the Find() function to search for the patterns but instead of that we can use ImporterAutoSearchIAT and ImporterAutoFixIAT to search and fix the IAT.

With other version of MEW it is the same thing, no big changes.

You can download the deMew plugin code in fuu SVN: http://code.google.com/p/fuu/source/browse/#svn/trunk/src/x86/Plugins/deMew

See you soon!.

Categories: Tool Tags: , , ,

Writing Dynamic Unpackers for Fun with TitanEngine

September 19, 2010 1 comment

Hi there!,

it has been a long time since our last post.

This time i just want to let you know about a little tutorial i wrote some moths ago and i finished today 🙂

This tutorial is about the functionality in TE and how to write plugins for FUU using TE.

This first revision of the tutorial is in spanish only but in the near future i will translate it to english.

You can download the tutorial here.

If you have any question please, do not hesitate to contact me!.

See you soon!.

Categories: Documentation Tags: , ,

FUU – Project News

August 4, 2010 2 comments

Hi there!,

well, as you probably saw in our last post, FUU is getting a x64 version. Guan de Dio is working on it and porting all the x86 stuffs to x64. Hopefully, we can count with a full working version very soon. In the meanwhile, we released a simple version just to test how everything work.

This simple version has only one plugin, a PE Visor.

We found a lot of problems during the development of FUUx64 because TE is has not native support for MASM64 but with a little hack we found a way to work with it, anyways, we also found some bugs during the development (we reported these bugs to the TE author).

Anyways, you can download the FUUx64 version and test it. If you find bugs or you can just send an email with comments, please, do not hesitate, send us an email.

We hope to release a new version of FUU (x86 and x64) very soon. Right now, i’m working in an very huge tutorial about how to write plugins for FUU using TE, Guan is on vacation and Zapper is missing in action ;P

You can download the x64 version here.

See you soon guys!

Categories: News Tags: ,