-patch fu


Author: David Zimmer
Date: 06.09.11 - 4:03am



I have to write a lot of data decoders, so I am always experimenting with new techniques. One realization I had last night is that I could use the /patch option in scdbg to load code fragments from executables and run them directly.

Using the example code from a previous article I cooked up a quick patch to test it. Whole process took about 10 minutes which is quite efficient.

The steps were:
  • Find start and end offsets of target function block(s)
  • extract function bytes as hex blob(s)
  • extract hex blob of a data to decode
  • figure out what mem offsets to use (keeping original function base)
  • if using api for data display find offsets using -lookup
    scdbg -lookup ExitProcess
    ExitProcess = 0x7c81cb12
    
  • code about 6 lines of asm to call it and display it
    B8 20104000    MOV EAX,401020  ;our decoder function va
    68 00000400    PUSH 40000      ;encoded string offset
    FFD0           CALL EAX
    90             NOP
    B8 EA07457E    MOV EAX,7E4507EA  ;MessageBoxA (for data display)
    68 00000400    PUSH 40000    
    FFD0           CALL EAX
    90             NOP
    B8 12CB817C    MOV EAX,7C81CB12  ;ExitProcess (to be tidy)
    6A 00          PUSH 0
    FFD0           CALL EAX
    
    create patch file - Download sample patch file



  • test it
    
    scdbg -patch build_6.22.11+_dll_exe.patch -foff 200
    
    Loading patch file build_6.22.11+_dll_exe.patch
    eax=0         ecx=0         edx=0         ebx=0
    esp=12fe00    ebp=12fff0    esi=0         edi=0
    Applied patch 0 va=401020 sz=16b cmt=main decoder
    Applied patch 1 va=40000 sz=27 cmt=encoded data
    Applied patch 2 va=401200 sz=24 cmt=loader stub
    Applied patch 3 va=401190 sz=1 cmt=chkesp ret
    Applied patch 4 va=401110 sz=7b cmt=strlen
    Initilization Complete..
    Max Steps: 2000000
    Using base offset: 0x401000
    Execution starts at file offset 200
    401200  B820104000                      mov eax,0x401020
    401205  6800000400                      push dword 0x40000
    40120a  FFD0                            call eax
    40120c  90                              nop
    40120d  B8EA07457E                      mov eax,0x7e4507ea
    

    401219 MessageBoxA(SoftwareMicrosoftCurrentVersionRun, ) 401223 ExitProcess(0) Stepcount 686
Works like a charm.

The demo I used, has a main decoder function, which also calls out to strlen and chkesp which were also patched in. The cool thing about this trick is that you can keep all your subfunctions at their proper virtual addresses very easily.

Couple other notes:
  • I wouldnt use this trick for lots of string decodes.
  • patch generator is included in gui_launcher-> more menu
  • this will work for multi function extractions if you keep the offsets right. As long as the functions dont use any external api.
  • note how the stub was coded to be position independant (call eax)
  • To develop the small asm calling stub, I just opened a random exe in olly and did it there
  • For a file decode, set a breakpoint to enter the dbgshell and then use .savemem to dump the decoded data to disk.
  • yes I trashed the stack with my call to MessageBoxA with only 1 arg :p
Anyway, just another cool trick for the quiver. enjoy..




Comments: (0)

 
Leave Comment:
Name:
Email: (not shown)
Message: (Required)
Math Question: 17 + 67 = ? followed by the letter: M 



About Me
More Blogs
Main Site
Posts: (year)
2023 (4)
     Yara Workbench Automation
     VS linker versions
     IDA decompiler comments
     DispCallFunc
2022 (5)
     VB6 Implements
     VB6 Stubs BS
     VB6 TypeInfo
     VB6 VTable Layout
     Yara isPCode rule
2021 (2)
     rtcTypeName
     VB6 Gosub
2020 (5)
     AutoIT versions
     IDA JScript 2
     Using VB6 Obj files from C
     Yara Corrupt Imports
     Yara Undefined values
2019 (6)
     Yara WorkBench
     SafeArrayGetVartype
     vb6 API and call backs
     PrintFile
     ImpAdCallNonVirt
     UConnect Disable Cell Modem
2017 (5)
     IDA python over IPC
     dns wildcard blocking
     64bit IDA Plugins
     anterior lines
     misc news/updates
2016 (4)
     KANAL Mod
     Decoders again
     CDO.Message Breakpoints
     SysAnalyzer Updates
2015 (5)
     SysAnalyzer and Site Updates
     crazy decoder
     ida js w/dbg
     flash patching #2
     JS Graphing
2014 (5)
     Delphi IDA Plugin
     scdbg IDA integration
     API Hash Database
     Winmerge plugin
     IDACompare Updates
2013 (9)
     Guest Post @ hexblog
     TCP Stream Reassembly
     SysAnalyzer Updates
     Apilogger Video
     Shellcode2Exe trainer
     scdbg updates
     IDA Javascript w/IDE
     Rop Analysis II
     scdbg vrs ROP
2012 (13)
     flash patching
     x64 Hooks
     micro hook
     jmp api+5 *2
     SysAnalyzer Updates
     InjDll runtime config
     C# Asm/Dsm Library
     Shellcode Hook Detection
     Updates II
     findDll
     Java Hacking
     Windows 8
     Win7 x64
2011 (19)
     Graphing ideas
     .Net Hacking
     Old iDefense Releases
     BootLoaders
     hll shellcode
     ActionScript Tips
     -patch fu
     scdbg ordinal lookup
     scdbg -api mode
     Peb Module Lists
     scdbg vrs Process Injection
     GetProcAddress Scanner
     scdbg fopen mode
     scdbg findsc mode
     scdbg MemMonitor
     demo shellcodes
     scdbg download
     api hashs redux
     Api hash gen
2010 (11)
     Retro XSS Chat Codes
     Exe as DLL
     Olly Plugins
     Debugging Explorer
     Attach to hidden process
     JS Refactoring
     Asm and Shellcode in CSharp
     Fancy Return Address
     PDF Stream Dumper
     Malcode Call API by Hash
     WinDbg Cheat Sheet
2009 (1)
     GPG Automation