Shifting yourself to space

April 17, 2011

The case of video.exe

Filed under: Uncategorized — shift32 @ 5:46 pm

Just another day without much work, and I wanted to do some fun reversing. I fetched some malware from the malc0de.com database and started investigating.

The malware is packed, and right from the beginning it has a few annoying anti-debugging tricks; IDA knows how to deal with them, and with a little bit of editing in Olly
everything can be stepped past.

loc_49C8F4:                            ; CODE XREF: start+9A7B6_j
.data:0049C8F4                 jmp     loc_49C8FD
.data:0049C8F4 ; END OF FUNCTION CHUNK FOR start
.data:0049C8F4 ; ---------------------------------------------------------------------------
.data:0049C8F9                 db 22h, 9Eh, 8Dh
.data:0049C8FC ; ---------------------------------------------------------------------------
.data:0049C8FC                 sahf
.data:0049C8FD ; START OF FUNCTION CHUNK FOR start
.data:0049C8FD

Notice the db 22h, 9Eh, 8Dh: the jmp at 49C8F4 lands on 49C8FD, so these bytes (and the 9Eh that IDA decodes as sahf) are never executed and only exist to derail a linear-sweep disassembler. They resolve to

simple assembly obfuscation

Olly gets a little bit crazy when you hit the single-step button, and these anti-debugging tricks appear all along the way.

I’m writing this documentation while still disassembling the malware, and so far I’ve run into several xor-loop decryption routines.
It seems that the crucial parts of this malware are encrypted with a simple xor-loop encryption method, which is quite easy to spot:

simple xor decryption loop of a code chunk

EAX seems to hold the address that will be decrypted, and EBP holds the base that is added to it to make a true virtual address.
DL/EDX seems to hold the decryption key (70h), and ECX, as always, holds the length.

The malware continues its journey and allocates space at 0x00BEE00, for no known reason (for now? :)

It seems that every decryption routine is nearly identical to the others; the same loop is simply written out over and over.
DST address is always in either EAX or EDX (depending on the operand size: byte, word, dword, etc.),
KEY is always in either EAX or DL, and seems to be 0 most of the time (xor with 0 is a no-op, so those chunks are not really encrypted at all),
LEN is always in ECX.

After these arguments are pushed onto the stack they’re moved into the registers and a simple mov-xor-dec-jnz loop begins.
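Rather than single-stepping through every copy of that loop, the same decryption can be replayed on a memory dump. The following is an added example (my code, not the post author’s and not the malware’s) that mirrors the register roles described above: DST = EBP + EAX, LEN in ECX, KEY in DL/EDX, with a width parameter for the byte/word/dword variants. The dump base, the PLAIN_CODE bytes and the sample dump are constructed for the example; only the 70h key comes from the post.

```python
import struct

# Constructed sample data (not from video.exe): a 0x200-byte "dump" of an
# image that starts at VA 0x00400000, in which the code at offset 0x100 has
# been xor'ed byte-wise with 70h, the key seen in DL in the post.
DUMP_BASE = 0x00400000
PLAIN_CODE = bytes.fromhex("558bec83ec10")  # push ebp; mov ebp,esp; sub esp,10h

def build_sample(key=0x70):
    dump = bytearray(0x200)
    dump[0x100:0x100 + len(PLAIN_CODE)] = bytes(b ^ key for b in PLAIN_CODE)
    return dump

def xor_loop_decrypt(dump, dump_base, ebp, eax, ecx, key, width=1):
    """Replay the packer's mov-xor-dec-jnz loop on a dump instead of in Olly.

    Register roles follow the post: DST = EBP + EAX (EBP is the base that turns
    EAX into a true VA), LEN = ECX elements, KEY = DL/EDX. `width` selects the
    byte/word/dword variant of the loop. Returns a decrypted copy of `dump`.
    """
    if width not in (1, 2, 4):
        raise ValueError("width must be 1, 2 or 4")
    fmt = {1: "<B", 2: "<H", 4: "<I"}[width]
    mask = (1 << (8 * width)) - 1
    start = (ebp + eax) - dump_base           # VA -> offset into the dump
    end = start + ecx * width
    if start < 0 or end > len(dump):
        raise ValueError("decryption range lies outside the dump")
    out = bytearray(dump)
    for i in range(ecx):                      # dec ecx / jnz: ECX iterations
        pos = start + i * width
        (v,) = struct.unpack_from(fmt, out, pos)
        struct.pack_into(fmt, out, pos, (v ^ key) & mask)
    return out

def find_byte_key(chunk, known_prefix):
    """Recover a single-byte xor key from a known plaintext prefix, e.g. the
    55 8B EC of a standard prologue, so the key need not be read out of DL.
    Returns the key, or None when no key maps the chunk onto the prefix."""
    if not known_prefix or len(chunk) < len(known_prefix):
        return None
    key = chunk[0] ^ known_prefix[0]          # a 1-byte key is fixed by byte 0
    if bytes(b ^ key for b in chunk[:len(known_prefix)]) == known_prefix:
        return key
    return None

if __name__ == "__main__":
    dump = build_sample()
    key = find_byte_key(dump[0x100:], PLAIN_CODE[:3])
    dec = xor_loop_decrypt(dump, DUMP_BASE, DUMP_BASE, 0x100, len(PLAIN_CODE), key)
    print(hex(key), dec[0x100:0x106].hex())
```

find_byte_key is the part worth keeping around: when the key sits in DL and you would rather not trust a value read at a breakpoint, a known prologue at the start of the chunk pins it down. A result of 0 means the chunk was never really encrypted.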

Next there’s an interesting PE header deobfuscation method. The method is very long and I still haven’t fully understood how it works,
but the main thing it does is copy an obfuscated PE header from ESI to EDI, using AL as the register holding the bytes and DL as the state machine.
The method consists of MANY JNB/JNZ and ADD/ADC instructions on DL, which makes it even harder to understand what’s going on and why.

Once the DOS stub header is reconstructed, the basic PE header is copied along with the section names, sizes and virtual addresses of the real executable.
They’re all located from 0x00EB000.
There’s an interesting side note here: if you’ve been disassembling the binary with me, you’d notice that EB0000 plays an important role here; it is the chunk we allocated
a while ago with the VirtualAlloc call at 0x49C436.
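Before trusting a header rebuilt in that region, it pays to dump it and check that it actually parses. The following is an added example (not code from the post), a minimal PE32 header walker with the sanity checks I would run on a dumped chunk; it also reports whether the IMAGE_FILE_DLL characteristic is set, which is what distinguishes the DLL-type header that turns up later in the post. The sample image, its 0x00400000 ImageBase and its two sections are constructed for the example.

```python
import struct

IMAGE_FILE_DLL = 0x2000
PE32_MAGIC = 0x10B
SECTION_FMT = "<8sIIIIIIHHI"          # IMAGE_SECTION_HEADER, 40 bytes

def build_sample_image(is_dll=True):
    """Constructed minimal PE32 header (not the real video.exe payload):
    DOS header, NT headers and two sections, standing in for a dumped region."""
    buf = bytearray(0x200)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)                 # e_lfanew
    buf[0x40:0x44] = b"PE\0\0"
    chars = 0x0102 | (IMAGE_FILE_DLL if is_dll else 0)     # EXECUTABLE_IMAGE | 32BIT_MACHINE
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    struct.pack_into("<HHIIIHH", buf, 0x44, 0x14C, 2, 0, 0, 0, 0xE0, chars)
    opt = 0x58
    struct.pack_into("<H", buf, opt, PE32_MAGIC)
    struct.pack_into("<I", buf, opt + 16, 0x1000)           # AddressOfEntryPoint
    struct.pack_into("<I", buf, opt + 28, 0x00400000)       # ImageBase (assumed value)
    struct.pack_into("<I", buf, opt + 56, 0x4000)           # SizeOfImage
    sections = [(b".text", 0x1000, 0x2000, 0x60000020),     # CODE|EXECUTE|READ
                (b".data", 0x3000, 0x1000, 0xC0000040)]     # INITIALIZED_DATA|READ|WRITE
    for i, (name, va, size, sc) in enumerate(sections):
        struct.pack_into(SECTION_FMT, buf, opt + 0xE0 + 40 * i,
                         name, size, va, size, 0x400 * (i + 1), 0, 0, 0, 0, sc)
    return buf

def parse_pe_header(buf):
    """Walk DOS header -> NT headers -> section table of an in-memory image.
    Raises ValueError on a header that is not (yet) well formed."""
    if bytes(buf[:2]) != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", buf, 0x3C)
    if e_lfanew + 24 > len(buf) or bytes(buf[e_lfanew:e_lfanew + 4]) != b"PE\0\0":
        raise ValueError("missing PE signature at e_lfanew")
    fh = e_lfanew + 4
    machine, nsec, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", buf, fh)
    opt = fh + 20
    (magic,) = struct.unpack_from("<H", buf, opt)
    (entry,) = struct.unpack_from("<I", buf, opt + 16)
    (image_base,) = struct.unpack_from("<I", buf, opt + 28)
    sections = []
    for i in range(nsec):
        off = opt + opt_size + 40 * i
        if off + 40 > len(buf):
            raise ValueError("section table runs past the end of the buffer")
        name, vsize, va, rawsize, rawptr, _, _, _, _, sc = struct.unpack_from(SECTION_FMT, buf, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "raw_size": rawsize,
                         "raw_ptr": rawptr, "characteristics": sc})
    return {"machine": machine, "magic": magic, "entry": entry,
            "image_base": image_base, "is_dll": bool(chars & IMAGE_FILE_DLL),
            "sections": sections}

def header_problems(hdr):
    """Sanity checks worth running before trusting a rebuilt header."""
    problems = []
    if hdr["magic"] != PE32_MAGIC:
        problems.append("optional header magic is not PE32")
    if not hdr["sections"]:
        problems.append("no sections")
    vas = [s["va"] for s in hdr["sections"]]
    if vas != sorted(vas):
        problems.append("section VAs are not ascending")
    if not any(s["va"] <= hdr["entry"] < s["va"] + s["vsize"] for s in hdr["sections"]):
        problems.append("entry point lies outside every section")
    return problems

def is_valid_pe(buf):
    """True when the header parses and passes the checks above."""
    try:
        return header_problems(parse_pe_header(buf)) == []
    except ValueError:
        return False
```

Dump the allocated region from Olly to a file and hand its bytes to parse_pe_header. A ValueError means the reconstruction has not finished (or the dump was taken too early); header_problems lists what is still inconsistent once the signatures are in place.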

I didn’t follow all of it; I just ran through it and managed to copy the whole DOS header and PE header.
Once we return, the packer starts fixing regular calls/jumps (E8 = call rel32, E9 = jmp rel32) and JMP DWORD (FF 25, which shows up as 25FF when you read it as a little-endian word). The loop itself is quite easy:
it starts from the DOS stub looking for these opcode bytes and, wherever it finds them, rewrites their operands.

fix jmps
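The added example below (my code, not the packer’s) shows the common shape of such a fix-up loop. What the packer stores in the operands is not visible in the post, so the example assumes the UPX-style convention: E8/E9 operands hold absolute targets that are converted back to rel32 at unpack time, only when the target falls inside the image range so that stray E8/E9 bytes in data are left alone, and FF 25 operands get an image-base delta added. The code bytes, VAs and image range are constructed.

```python
import struct

CALL_REL32, JMP_REL32 = 0xE8, 0xE9
JMP_DWORD_PTR = b"\xff\x25"             # jmp dword ptr [abs32]

def fix_branches(code, code_va, image_lo, image_hi, iat_delta=0):
    """Single pass over `code` (mapped at VA code_va), in the spirit of the
    packer's fix-up loop.

    Assumed encoding (UPX-style, not confirmed for video.exe): the packer stored
    E8/E9 operands as absolute VAs; an operand is rewritten back to rel32 only
    when it falls inside [image_lo, image_hi), which keeps stray E8/E9 bytes in
    data from being "fixed". FF 25 operands are absolute IAT slot addresses and
    are shifted by `iat_delta` (new image base minus old). Returns
    (patched_bytes, number_of_patches)."""
    out = bytearray(code)
    i = patched = 0
    while i < len(out):
        op = out[i]
        if op in (CALL_REL32, JMP_REL32) and i + 5 <= len(out):
            (target,) = struct.unpack_from("<I", out, i + 1)
            if image_lo <= target < image_hi:
                rel32 = (target - (code_va + i + 5)) & 0xFFFFFFFF
                struct.pack_into("<I", out, i + 1, rel32)
                patched += 1
                i += 5
                continue
        elif out[i:i + 2] == JMP_DWORD_PTR and i + 6 <= len(out):
            (slot,) = struct.unpack_from("<I", out, i + 2)
            struct.pack_into("<I", out, i + 2, (slot + iat_delta) & 0xFFFFFFFF)
            patched += 1
            i += 6
            continue
        i += 1
    return bytes(out), patched

def branch_target(code, code_va, i):
    """Decode the rel32 of the E8/E9 at offset i back to an absolute VA."""
    (rel32,) = struct.unpack_from("<i", code, i + 1)
    return (code_va + i + 5 + rel32) & 0xFFFFFFFF

# Constructed sample (not bytes from video.exe): four "instructions" plus a
# data dword that happens to start with E8.
CODE_VA = 0x00401000
IMAGE_LO, IMAGE_HI = 0x00400000, 0x00410000
PACKED = (
    b"\xe8" + struct.pack("<I", 0x00401020)        # call, operand stored as absolute
    + b"\x90"                                      # nop
    + b"\xe9" + struct.pack("<I", 0x00401000)      # jmp, operand stored as absolute
    + b"\xff\x25" + struct.pack("<I", 0x00402000)  # jmp dword ptr [0x402000]
    + b"\xe8" + struct.pack("<I", 0x78563412)      # data: target out of range, untouched
)

if __name__ == "__main__":
    fixed, n = fix_branches(PACKED, CODE_VA, IMAGE_LO, IMAGE_HI, iat_delta=0x10000)
    print(n, fixed.hex(), hex(branch_target(fixed, CODE_VA, 0)))
```

The range check is the practical caveat. Without it, a byte-wise scan that starts at the DOS stub will happily "fix" E8/E9 bytes that belong to data or sit in the middle of other instructions, and the unpacked code then crashes somewhere far from the real cause.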

Afterwards another PE header is parsed and copied, this time a DLL-type PE header; all the sections are copied into the executable and the original PE header is freed with VirtualFree (00BEE0000).

This is probably the end of part I of this series. I hope to continue reversing this malware and actually see what it is doing.
