-patch fu

Author: David Zimmer
Date: 06.09.11 - 4:03am

I have to write a lot of data decoders, so I am always experimenting with new techniques. One realization I had last night is that I could use the /patch option in scdbg to load code fragments from executables and run them directly.

Using the example code from a previous article I cooked up a quick patch to test it. Whole process took about 10 minutes which is quite efficient.

The steps were:

Find start and end offsets of target function block(s)
extract function bytes as hex blob(s)
extract hex blob of a data to decode
figure out what mem offsets to use (keeping original function base)
if using api for data display find offsets using -lookup
```
scdbg -lookup ExitProcess
ExitProcess = 0x7c81cb12
```

code about 6 lines of asm to call it and display it

B8 20104000    MOV EAX,401020  ;our decoder function va
68 00000400    PUSH 40000      ;encoded string offset
FFD0           CALL EAX
90             NOP
B8 EA07457E    MOV EAX,7E4507EA  ;MessageBoxA (for data display)
68 00000400    PUSH 40000    
FFD0           CALL EAX
90             NOP
B8 12CB817C    MOV EAX,7C81CB12  ;ExitProcess (to be tidy)
6A 00          PUSH 0
FFD0           CALL EAX

create patch file - Download sample patch file

test it


scdbg -patch build_6.22.11+_dll_exe.patch -foff 200

Loading patch file build_6.22.11+_dll_exe.patch
eax=0         ecx=0         edx=0         ebx=0
esp=12fe00    ebp=12fff0    esi=0         edi=0
Applied patch 0 va=401020 sz=16b cmt=main decoder
Applied patch 1 va=40000 sz=27 cmt=encoded data
Applied patch 2 va=401200 sz=24 cmt=loader stub
Applied patch 3 va=401190 sz=1 cmt=chkesp ret
Applied patch 4 va=401110 sz=7b cmt=strlen
Initilization Complete..
Max Steps: 2000000
Using base offset: 0x401000
Execution starts at file offset 200
401200  B820104000                      mov eax,0x401020
401205  6800000400                      push dword 0x40000
40120a  FFD0                            call eax
40120c  90                              nop
40120d  B8EA07457E                      mov eax,0x7e4507ea




401219  MessageBoxA(SoftwareMicrosoftCurrentVersionRun, )
401223  ExitProcess(0)

Stepcount 686

Works like a charm.

The demo I used, has a main decoder function, which also calls out to strlen and chkesp which were also patched in. The cool thing about this trick is that you can keep all your subfunctions at their proper virtual addresses very easily.

Couple other notes:

I wouldnt use this trick for lots of string decodes.
patch generator is included in gui_launcher-> more menu
this will work for multi function extractions if you keep the offsets right. As long as the functions dont use any external api.
note how the stub was coded to be position independant (call eax)
To develop the small asm calling stub, I just opened a random exe in olly and did it there
For a file decode, set a breakpoint to enter the dbgshell and then use .savemem to dump the decoded data to disk.
yes I trashed the stack with my call to MessageBoxA with only 1 arg :p

Anyway, just another cool trick for the quiver. enjoy..