The reason we chose to do MEW (again) is that in its version 5 it is a simple crypter which can be used as a perfect example on how to write static unpackers for these kind of crypters. That kind would be the kind that doesn't do anything to imports but only encrypts the executable code section. Next time we revisit static unpackers we will be talking about such cases. We are going to leave that aside for now because this Monday is all about simple and fast unpacker writing. Start your timers we will do in under 10 minutes.

Minute 1 - 2:

We load our sample into Olly and see the entire MEW5 code at the entry point.

  MOV ESI,0040005B
  LODS DWORD PTR DS:[ESI]
  XCHG EAX,ECX
  LODS DWORD PTR DS:[ESI]
  XCHG EAX,EBX
  PUSH EBX
  LODS DWORD PTR DS:[ESI]
  XCHG EAX,ESI
  PUSH ESI
  POP EDI
L010:
  LODS BYTE PTR DS:[ESI]
  ROL AL,29
  ADD AL,BA
  ROR AL,50
  STOS BYTE PTR ES:[EDI]
  LOOPD L010
  RET

Yes, that it. The whole code. So what does it do? First it loads a pointer to all internal information into ESI register. We follow ESI in the hex dump to find that there are 3 DWORDs that have the data necessary for unpacking. First DWORD is 0x3000 which is the size of the first section, second DWORD is 0x004012c0 which is the address of the original entry point and third DWORD is 0x00401000 which is the virtual address of the first section. Code following this loads 0x3000 bytes one by one and decrypts them with a custom decryption algorithm. Here instruction sequence ROL, ADD and ROR is used to decrypt data.

Minute 3 - 4:

We make a copy of existing TitanEngine SDK sample for DEF and use that as a template for our unpacker. We are making a Delphi unpacker since,... well since TitanEngine is low on Delphi samples and this is a nice and quick exercise.

Minute 5 - 9:

We code the unpacker. First we need to read the ESI pointer and read the data from the file. Once we make that we convert third DWORD to physical address inside mapped file and we also convert the original entry point address to relative one. Simple call to StaticMemoryDecryptEx makes sure that our StaticCallBack decrypts the data by executing this custom decryption algorithm. Lastly we add the code to store the new entry point to PE32 header and we're done.

Minute 9:47 - 10:

We run the compiled unpacker to test if it works... Success!

TitanEngine ReversingLabs Corporation

Download RL!deMEW5 unpacker (package contains unpacker binary, source and samples used)

BOOL APIENTRY DllMain(HMODULE hModule,
   DWORD  ul_reason_for_call, LPVOID lpReserved){
	switch (ul_reason_for_call)
	{
	case DLL_PROCESS_ATTACH:
		if(GetModuleHandleA("BadGuy.dll") == NULL){
			LoadLibraryA("BadGuy.dll");
			return false;
		}
	case DLL_THREAD_ATTACH:
	case DLL_THREAD_DETACH:
	case DLL_PROCESS_DETACH:
		break;
	}
	return TRUE;
}

Returning false at DLL_PROCESS_ATTACH makes Windows unload our GetModuleHandleA.dll but not before BadGuy.dll gets loaded. Simple code above ensures that our BadGuy.dll gets loaded only once (Windows also prevents this so this isn't really needed) since MEW 10 packed file can import GetModuleHandleA multiple times. Our BadGuy.dll only creates a new thread which displays a message box about it being successfully loaded. This could have been done with a single DLL file but we wanted to keep it short and simple.

There are many examples of design flaws in PE shell modifiers which could seriously threaten system security. Such example are not only limited to arbitrary code execution but could also lead to privilege elevation. We will continue to write about such shell modifier flaws in the future.

Download MEW 10 LoadLibrary exploit POC

This week we do a video tutorial about MEW analysis and we give pointers into making unpacker for this format. Download RL!deMEW 10 - 11 unpacker.