```cpp
void PeFile::unpack0(OutputFile *fo, const ht   // rest of the signature is cut off in the post
infoHeader("", fn_basename(fi->getName()), getName(), objs);
throwCantUnpack("unexpected value in the PE header");
printf("ih.filealign: 0x%x\n", (unsigned int) ih.filealign);
printf("isection.rawdataptr: 0x%x\n", (unsigned int) isection.rawdataptr);
printf("isection.size: 0x%x\n", (unsigned int) isection.size);
printf("sum: 0x%x\n", (unsigned int) (isection.rawdataptr + isection.size));
const unsigned overlay = file_size - ALIGN_UP(isection.rawdataptr + isection.size, ih.filealign);
printf("sub: 0x%lx\n", file_size - ALIGN_UP(isection.rawdataptr + isection.size, ih.filealign));
```

The checkOverlay call is where everything goes bad, so I added the for loop above it to print out all the numbers that seem relevant. I then grabbed some properly UPX-packed files and ran my modded version of UPX on them to see what the output of my loop would be. I compared this output with the challenge file. This process took some guessing and checking, but soon it became obvious the file size was wrong. All that work, and I should have just used a hex editor on the file to see that the XML data at the end of the file was cut off.

To fix the file size, I simply added bytes to the end of the file. You don't even have to be exact to get UPX to unpack it. Either way, because you are not fixing the file properly, you won't get the file back properly. It will be good enough for the next stage, though.

Googling the error showed a lot of other people with the same problem and implied I needed some extra software. This is wrong: I know the real reason is that the file is corrupted. How corrupted, though? Can Radare2 make sense of it?

```
│ 0x0040114b e8b0feffff call fcn.00401000
│ 0x00401166 ff150cd04000 call dword 0x40d00c HANDLE CreateFileA(LPCSTR lpFileName, DWORD dwDesiredAccess, DWORD dwShareMode, LPSECURITY_ATTRIBUTES lpSecurityAttributes, DWORD dwCreationDisposition, DWORD dwFlagsAndAttributes, HANDLE hTemplateFile)
│ │ 0x004011ae ff1504d04000 call dword 0x40d004 BOOL WriteFile(HANDLE hFile, LPCVOID lpBuffer, DWORD nNumberOfBytesToWrite, LPDWORD lpNumberOfBytesWritten, LPOVERLAPPED lpOverlapped)
│ │ 0x004011ea ff150cd14000 call dword 0x40d10c "B$\x01" HINSTANCE ShellExecuteA(HWND hwnd, LPCSTR lpOperation, LPCSTR lpFile, LPCSTR lpParameters, LPCSTR lpDirectory, INT nShowCmd)
│ 0x00401204 ff1508d04000 call dword 0x40d008 BOOL TerminateProcess(HANDLE hProcess, UINT uExitCode)
│ 0x00401214 e802000000 call fcn.0040121b
```

Figuring out what this is doing statically is maybe good for learning, but it is also time consuming. ESIL can quickly emulate these instructions, and afterward you can just view the memory without worrying about having correct offsets. We can't execute it because our binary is broken, so let's just use ESIL. There are not many Windows API calls, and none of them are used to decode data.

Wait a minute! We could likely decode all this information with ESIL and avoid working through the assembly or decompilation. I am going to treat this section as a very basic introduction to ESIL. There is a lot of text here, but that is because I am explaining what I am doing and why. In reality, it was only a few minutes after reaching this point before I solved the challenge. This whole section can be summarized by a 2 minute 18 second asciinema video. So, if you get bored by the text or you already know ESIL, I recommend you watch that and skip to the blog conclusion.
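The overlay arithmetic that the patched UPX prints above (last section's `rawdataptr + size`, rounded up to `ih.filealign`, compared against the real file size) is easy to reproduce outside UPX, and doing so turns "guessing and checking" into a direct answer: how many bytes are missing from the tail. The following is an added example, not code from the post or from UPX; it parses the PE headers itself, reports the overlay (negative when the file is truncated), and applies the same "append bytes to the end" fix. The `build_sample_pe` helper fabricates a minimal PE32 image purely so the example runs offline; it is constructed test data, not a real binary.

```python
import struct


def align_up(value: int, alignment: int) -> int:
    """Round value up to a multiple of alignment (same role as UPX's ALIGN_UP)."""
    if alignment <= 0:
        raise ValueError("alignment must be positive")
    return (value + alignment - 1) // alignment * alignment


def _u16(buf: bytes, off: int) -> int:
    return struct.unpack_from("<H", buf, off)[0]


def _u32(buf: bytes, off: int) -> int:
    return struct.unpack_from("<I", buf, off)[0]


def pe_expected_size(data: bytes) -> int:
    """File size implied by the PE headers: end of the last section's raw data,
    rounded up to FileAlignment. This mirrors the overlay computation in UPX's
    unpack0 (rawdataptr + size of the last section, aligned to ih.filealign)."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = _u32(data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                          # IMAGE_FILE_HEADER
    num_sections = _u16(data, coff + 2)
    opt_size = _u16(data, coff + 16)
    opt = coff + 20                              # IMAGE_OPTIONAL_HEADER
    file_align = _u32(data, opt + 36)            # FileAlignment (same offset in PE32/PE32+)
    if num_sections == 0:
        raise ValueError("no section headers")
    last = opt + opt_size + 40 * (num_sections - 1)   # last IMAGE_SECTION_HEADER
    raw_size = _u32(data, last + 16)             # SizeOfRawData
    raw_ptr = _u32(data, last + 20)              # PointerToRawData
    return align_up(raw_ptr + raw_size, file_align)


def overlay_size(data: bytes) -> int:
    """Bytes after the last section. Negative means the file is shorter than its
    headers claim, i.e. truncated, which is what made UPX's overlay check fail."""
    return len(data) - pe_expected_size(data)


def pad_truncated(data: bytes) -> bytes:
    """Append zero bytes until the file is as long as its headers claim. This is the
    'add bytes to the end' workaround from the post: it makes the file unpackable,
    it does not restore whatever was cut off."""
    missing = -overlay_size(data)
    return data + b"\0" * missing if missing > 0 else data


def build_sample_pe(sections, file_alignment=0x200, total_len=None) -> bytes:
    """Constructed minimal PE32 image for the demo (not a real executable); only the
    fields pe_expected_size reads are populated. sections = [(raw_ptr, raw_size), ...]"""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                         # PE32 magic
    struct.pack_into("<I", opt, 32, 0x1000)                       # SectionAlignment
    struct.pack_into("<I", opt, 36, file_alignment)               # FileAlignment
    hdrs = b""
    for i, (raw_ptr, raw_size) in enumerate(sections):
        h = bytearray(40)
        h[:8] = f".sec{i}".encode().ljust(8, b"\0")
        # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        struct.pack_into("<IIII", h, 8, raw_size, 0x1000 * (i + 1), raw_size, raw_ptr)
        hdrs += bytes(h)
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs
    if total_len is not None:
        image = image.ljust(total_len, b"\0")
    return image


if __name__ == "__main__":
    intact = build_sample_pe([(0x400, 0x1000), (0x1400, 0x600)], total_len=0x1B00)
    truncated = intact[:0x1700]                   # simulate the cut-off tail
    print(f"expected size:       {pe_expected_size(intact):#x}")
    print(f"overlay (intact):    {overlay_size(intact):#x}")
    print(f"overlay (truncated): {overlay_size(truncated)}")
    print(f"padded length:       {len(pad_truncated(truncated)):#x}")
```

Running `overlay_size` on a suspect sample before reaching for UPX tells you immediately whether the tail is missing and by how much; a positive overlay is normal (it is where UPX and many installers keep trailing data), a negative one is a truncated file.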
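To make the "emulate the decode routine, then just read the memory" idea concrete without radare2 installed, here is an added example (my own code, not the post's and not radare2's ESIL engine) of a toy evaluator for a small ESIL subset: comma-separated RPN tokens, `=`/`+=`/`-=`/`^=` assignments, binary `+ - ^`, `[n]` loads, `=[n]` stores and the `?{ ... }` conditional block. The constructed program below is an assumption about what a `mov/mov/xor byte [esi],0x41/inc esi/loop` sequence looks like in ESIL, modelled on radare2's format rather than copied from it; the buffer contents are likewise constructed sample data.

```python
MASK32 = 0xFFFFFFFF


class MiniEsil:
    """Evaluator for a small subset of ESIL (radare2's comma-separated RPN).
    Assumption: 32-bit registers, a tiny flat memory, no flag registers."""

    BINOPS = {"+": lambda x, y: x + y, "-": lambda x, y: x - y, "^": lambda x, y: x ^ y}
    ASSIGNOPS = {"+=": "+", "-=": "-", "^=": "^"}

    def __init__(self, mem_size: int = 0x100):
        self.regs: dict = {}
        self.mem = bytearray(mem_size)
        self.stack: list = []

    def value(self, tok) -> int:
        """Resolve a stack entry: an int, a register name, or an immediate literal."""
        if isinstance(tok, int):
            return tok
        if tok in self.regs:
            return self.regs[tok]
        return int(tok, 0)

    def _pop_val(self) -> int:
        return self.value(self.stack.pop())

    def load(self, addr: int, size: int) -> int:
        return int.from_bytes(self.mem[addr:addr + size], "little")

    def store(self, addr: int, size: int, val: int) -> None:
        self.mem[addr:addr + size] = (val & ((1 << (8 * size)) - 1)).to_bytes(size, "little")

    def run(self, expr: str) -> None:
        """Evaluate one ESIL expression left to right."""
        toks = expr.split(",")
        i = 0
        while i < len(toks):
            t = toks[i]
            if t == "?{":                                   # pop condition; skip block when zero
                if self._pop_val() == 0:
                    depth = 1
                    while depth:
                        i += 1
                        depth += {"?{": 1, "}": -1}.get(toks[i], 0)
            elif t == "}":
                pass
            elif t == "=":                                  # src,dst,=
                dst = self.stack.pop()
                self.regs[dst] = self._pop_val() & MASK32
            elif t in self.ASSIGNOPS:                       # src,dst,op=
                dst = self.stack.pop()
                src = self._pop_val()
                self.regs[dst] = self.BINOPS[self.ASSIGNOPS[t]](self.regs.get(dst, 0), src) & MASK32
            elif t in self.BINOPS:                          # y,x,op  ->  push x op y
                x = self._pop_val()
                y = self._pop_val()
                self.stack.append(self.BINOPS[t](x, y) & MASK32)
            elif t.startswith("=[") and t.endswith("]"):    # val,addr,=[n]
                size = int(t[2:-1])
                addr = self._pop_val()
                self.store(addr, size, self._pop_val())
            elif t.startswith("[") and t.endswith("]"):     # addr,[n]
                size = int(t[1:-1])
                self.stack.append(self.load(self._pop_val(), size))
            else:
                self.stack.append(t)                        # operand, resolved when consumed
            i += 1

    def top(self) -> int:
        return self.value(self.stack[-1])


# Constructed program: (address, ESIL, next address). Hypothetical addresses.
DECODE_LOOP = [
    (0x1000, "0x20,esi,=", 0x1005),                         # mov esi, buf
    (0x1005, "5,ecx,=", 0x100a),                            # mov ecx, 5
    (0x100a, "0x41,esi,[1],^,esi,=[1]", 0x100d),            # xor byte [esi], 0x41
    (0x100d, "1,esi,+=", 0x1010),                           # inc esi
    (0x1010, "1,ecx,-=,ecx,?{,0x100a,eip,=,}", 0x1012),     # loop 0x100a
]


def emulate(vm: MiniEsil, program, start: int, stop: int, max_steps: int = 1000) -> int:
    """Step through the program; eip is set to the fall-through address before the
    expression runs, so a jump inside the expression simply overwrites it."""
    code = {addr: (esil, nxt) for addr, esil, nxt in program}
    vm.regs["eip"] = start
    steps = 0
    while vm.regs["eip"] != stop:
        esil, nxt = code[vm.regs["eip"]]
        vm.regs["eip"] = nxt
        vm.run(esil)
        steps += 1
        if steps > max_steps:
            raise RuntimeError("emulation did not terminate")
    return steps


def decode_with_esil() -> bytes:
    """Put the constructed encoded buffer in memory, emulate, then read the result
    straight out of memory, which is the shortcut the post is describing."""
    vm = MiniEsil()
    encoded = bytes(b ^ 0x41 for b in b"flag!")      # constructed sample data
    vm.mem[0x20:0x20 + len(encoded)] = encoded
    emulate(vm, DECODE_LOOP, start=0x1000, stop=0x1012)
    return bytes(vm.mem[0x20:0x25])


if __name__ == "__main__":
    print(decode_with_esil())
```

The point to take from the toy is the one the post makes about the real thing: nothing here knows what the loop "means"; it only executes the per-instruction expressions and the decoded bytes appear in memory as a side effect, with no need to work out offsets by hand.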