10.31
Halloween is a special time of year and it deserves a special blog we might call "writing unpackers in reverse". But wait, writing unpackers in reverse... isn't that packer writing?
We are going to do some TitanEngine coding in order to make it do the complete opposite of what it is meant for. We are going to force our good friend Titan to recreate a crypter we already wrote an unpacker for. The crypter we are recreating is called LameCrypt. So, what does LameCrypt do?
It's a very simple crypter designed only to crypt the first executable section by XORing it with 0x90. The protection mechanism is extremely simple and looks just like this:
```asm
PUSHAD
PUSHFW
MOV EBX,4C000
L003:
XOR BYTE PTR DS:[EBX+401000],90
DEC EBX
CMP EBX,-1
JNZ L003
POPFW
POPAD
MOV EAX,0044CF38
JMP NEAR EAX
```
That is the entire crypter code. To recreate it we copy the binary for the code above and leave the constants blank (zeroed). After processing, the binary data looks like this:
```
60 66 9C BB 00 00 00 00 80 B3 00 00 00 00 90 4B 83 FB FF 75 F3 66 9D 61 B8 00 00 00 00 FF E0
```
All the zeroes above will be filled with the following data: the virtual size of the first section, the virtual offset of the first section and the address of the original entry point. Once these values are filled into the code above, the data will be written to a new section. The list of actions to perform is:
- Read necessary PE32 data
- Fill the binary data from above
- Add new section to PE32 file
- Fill written data to it
- Encrypt the first section by XORing it with 0x90
- Update PE header data
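Seen from the analyst's side, the same 31-byte stub layout is exactly what an unpacker keys on. The following is an added Python example, not part of the original post and not TitanEngine code: it matches the stub with the three constant fields wildcarded, pulls the section size, section address and OEP out of the MOV/XOR/MOV operands, and XOR-decrypts the section range the stub's loop actually touches. The field offsets are derived from the opcode bytes listed above; the sample image (a short "section" plus a stub with made-up constants 0x0F, 0x401000 and 0x401010) is constructed here for the demonstration.

```python
import struct

# Stub template from the post: 31 bytes with the three imm32 fields zeroed.
STUB_TEMPLATE = bytes.fromhex(
    "60 66 9C BB 00000000 80 B3 00000000 90 4B 83 FB FF 75 F3 66 9D 61 B8 00000000 FF E0"
)
# Offsets of the operands inside the stub, taken from the opcode layout:
#   BB imm32 (size) at 4, 80 B3 disp32 (section VA) at 10, B8 imm32 (OEP) at 25
SIZE_OFF, BASE_OFF, OEP_OFF = 4, 10, 25
WILDCARD = {o + i for o in (SIZE_OFF, BASE_OFF, OEP_OFF) for i in range(4)}
XOR_KEY = 0x90


def find_stub(data: bytes) -> int:
    """Return the offset of the first LameCrypt-style stub in data, or -1 if absent."""
    n = len(STUB_TEMPLATE)
    for off in range(len(data) - n + 1):
        if all(i in WILDCARD or data[off + i] == STUB_TEMPLATE[i] for i in range(n)):
            return off
    return -1


def parse_stub(stub: bytes) -> dict:
    """Extract the three little-endian constants the crypter filled in."""
    (size,) = struct.unpack_from("<I", stub, SIZE_OFF)
    (base,) = struct.unpack_from("<I", stub, BASE_OFF)
    (oep,) = struct.unpack_from("<I", stub, OEP_OFF)
    return {"size": size, "base": base, "oep": oep}


def xor_bytes(buf: bytes, key: int = XOR_KEY) -> bytes:
    """XOR every byte with the key; the operation is its own inverse."""
    return bytes(b ^ key for b in buf)


def unpack(image: bytes, image_va: int) -> bytes:
    """Locate the stub in a flat buffer whose first byte maps to image_va and
    return the decrypted first section.

    The stub loop runs EBX from `size` down to 0 (DEC / CMP EBX,-1 / JNZ), so it
    touches size + 1 bytes; the unpacker must mirror that count exactly.
    """
    stub_off = find_stub(image)
    if stub_off < 0:
        raise ValueError("no LameCrypt stub found")
    info = parse_stub(image[stub_off:stub_off + len(STUB_TEMPLATE)])
    start = info["base"] - image_va
    count = info["size"] + 1
    if start < 0 or start + count > stub_off:
        raise ValueError("section range from stub does not fit the buffer")
    return xor_bytes(image[start:start + count])


# Constructed sample: 16 bytes of "section" content (arbitrary x86-looking bytes),
# stored XORed as the stub would leave them, followed by a stub whose constants
# are size=0x0F (loop touches 16 bytes), base=0x401000, OEP=0x401010.
SAMPLE_PLAIN = bytes.fromhex("55 8B EC 83 EC 10 33 C0 5D C3 90 90 90 90 90 90")
SAMPLE_STUB = bytes.fromhex(
    "60 66 9C BB 0F000000 80 B3 00104000 90 4B 83 FB FF 75 F3 66 9D 61 B8 10104000 FF E0"
)
SAMPLE_IMAGE = xor_bytes(SAMPLE_PLAIN) + SAMPLE_STUB
SAMPLE_VA = 0x401000

if __name__ == "__main__":
    off = find_stub(SAMPLE_IMAGE)
    print("stub at offset", off, parse_stub(SAMPLE_IMAGE[off:off + 31]))
    print("decrypted section:", unpack(SAMPLE_IMAGE, SAMPLE_VA).hex(" "))
```

The wildcarded match is the signature an analyst would carry into a YARA rule or a TitanEngine-based unpacker plugin; the `size + 1` note is the kind of detail that silently corrupts the last byte of a section if an unpacker reads the MOV EBX operand as a plain byte count.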
Since this is a very simple crypter, its code is very short. What makes this a Halloween post is the spooky fact that TE can be forced to create its own worst enemies: crypters! Until next time...
Tags: TitanEngine | ReversingLabs Corporation | LameCrypter
