Author: fritzFS
Hello,
as the title says, I am trying to unpack a hardlock envelope.
Yes, I have read the posts on this forum related to hardlock/envelope/hasp.
Tools: OllyDbg, OllyDump.
Target executable file has .text, .rdata, .data, .rsrc and .protect sections.
(LordPE SS: hxxp://img358.imageshack.us/img358/5697/lordpe1jc4.jpg)
Things I've done so far:
1. plugged in the dongle
2. opened the target with OllyDbg
3. set a breakpoint on new thread (OllyDbg: Options -> Debugging options -> Events)
The OEP is reached within a newly created thread ...
4. OllyDbg breaks here:
7C810856 33ED XOR EBP,EBP --> HERE
7C810858 53 PUSH EBX
7C810859 50 PUSH EAX
7C81085A 6A 00 PUSH 0
7C81085C ^E9 73ACFFFF JMP kernel32.7C80B4D4
7C80B4D4 6A 10 PUSH 10 --> HERE
7C80B4D6 68 18B5807C PUSH kernel32.7C80B518
7C80B4DB E8 EB6FFFFF CALL kernel32.7C8024CB
7C80B4E0 8365 FC 00 AND DWORD PTR SS:[EBP-4],0
7C80B4E4 64:A1 18000000 MOV EAX,DWORD PTR FS:[18]
7C80B4EA 8945 E0 MOV DWORD PTR SS:[EBP-20],EAX
7C80B4ED 8178 10 001E0000 CMP DWORD PTR DS:[EAX+10],1E00
7C80B4F4 75 0F JNZ SHORT kernel32.7C80B505
7C80B4F6 803D 0830887C 00 CMP BYTE PTR DS:[7C883008],0
7C80B4FD 75 06 JNZ SHORT kernel32.7C80B505
7C80B4FF FF15 E812807C CALL DWORD PTR DS:[<&ntdll.CsrNewThread>>; ntdll.CsrNewThread
7C80B505 FF75 0C PUSH DWORD PTR SS:[EBP+C]
7C80B508 FF55 08 CALL DWORD PTR SS:[EBP+8] -> OEP?
7C80B50B 50 PUSH EAX
7C80B50C E8 98170000 CALL kernel32.ExitThread
In this disassembly we see the OEP:
7C80B508 FF55 08 CALL DWORD PTR SS:[EBP+8] ; XXXXXX.0046A630
So, our new start function looks like:
0046A630 /. 55 PUSH EBP
0046A631 |. 8BEC MOV EBP,ESP
0046A633 |. 6A FF PUSH -1
0046A635 |. 68 40776500 PUSH XXXXXX.00657740
0046A63A |. 68 E2D66000 PUSH XXXXXX.0060D6E2 ; JMP to MSVCR71._except_handler3
; SE handler installation
0046A63F |. 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
0046A645 |. 50 PUSH EAX
0046A646 |. 64:8925 000000>MOV DWORD PTR FS:[0],ESP
0046A64D |. 81EC 18010000 SUB ESP,118
0046A653 |. 53 PUSH EBX
0046A654 |. 56 PUSH ESI
0046A655 |. 57 PUSH EDI
0046A656 |. 8965 E8 MOV DWORD PTR SS:[EBP-18],ESP
0046A659 |. 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] --> problem #1
0046A65C |. 8B18 MOV EBX,DWORD PTR DS:[EAX]
0046A65E |. 8B48 04 MOV ECX,DWORD PTR DS:[EAX+4]
0046A661 |. 894D E0 MOV DWORD PTR SS:[EBP-20],ECX
0046A664 |. 8B70 08 MOV ESI,DWORD PTR DS:[EAX+8]
0046A667 |. 50 PUSH EAX ; /block
0046A668 |. 8B3D 78156300 MOV EDI,DWORD PTR DS:[631578] ; |MSVCR71.free
0046A66E |. FFD7 CALL EDI ; \free
0046A670 |. 56 PUSH ESI ; /src
0046A671 |. 8D95 D8FEFFFF LEA EDX,DWORD PTR SS:[EBP-128] ; |
0046A677 |. 52 PUSH EDX ; |dest
0046A678 |. FF15 50156300 CALL DWORD PTR DS:[631550] ; \wcscpy
0046A67E |. 56 PUSH ESI
0046A67F |. FFD7 CALL EDI
0046A681 |. 83C4 10 ADD ESP,10
0046A684 |. FF15 90116300 CALL DWORD PTR DS:[631190] ; [GetCurrentThreadId
0046A68A |. 8BF0 MOV ESI,EAX
0046A68C |. 8975 E4 MOV DWORD PTR SS:[EBP-1C],ESI
0046A68F |. 8D85 D8FEFFFF LEA EAX,DWORD PTR SS:[EBP-128]
0046A695 |. 50 PUSH EAX ; /Arg2
0046A696 |. 56 PUSH ESI ; |Arg1
0046A697 |. E8 C4030000 CALL XXXXXX.0046AA60 ; \XXXXXX.0046AA60
0046A69C |. C745 FC 000000>MOV DWORD PTR SS:[EBP-4],0
0046A6A3 |. 8B4D E0 MOV ECX,DWORD PTR SS:[EBP-20]
0046A6A6 |. 51 PUSH ECX
0046A6A7 |. FFD3 CALL EBX
0046A6A9 |. 8BF8 MOV EDI,EAX
0046A6AB |. 897D DC MOV DWORD PTR SS:[EBP-24],EDI
0046A6AE |. 56 PUSH ESI ; /Arg1
0046A6AF |. E8 3C040000 CALL XXXXXX.0046AAF0 ; \XXXXXX.0046AAF0
0046A6B4 |. C745 FC FFFFFF>MOV DWORD PTR SS:[EBP-4],-1
0046A6BB |. 8BC7 MOV EAX,EDI
0046A6BD |. 8B4D F0 MOV ECX,DWORD PTR SS:[EBP-10]
0046A6C0 |. 64:890D 000000>MOV DWORD PTR FS:[0],ECX
0046A6C7 |. 5F POP EDI
0046A6C8 |. 5E POP ESI
0046A6C9 |. 5B POP EBX
0046A6CA |. 8BE5 MOV ESP,EBP
0046A6CC |. 5D POP EBP
0046A6CD \. C2 0400 RETN 4
Anyway, when I get to this OEP (0046A630), I do the next step:
5. Dump the file using OllyDump with OEP
Problem:
Of course, now when I try to run the dumped executable file, it crashes.
The problem is with this new start function: some parameters are passed from the hardlock envelope decryption
when it finishes; that's the spot marked as 'problem #1'.
Should I hardcode that value?
Replace it with:
0046A659 |. 8B45 08 MOV EAX,0x011CD488
Has anyone come across such a hardlock envelope?
Thank you.
Last edited by fritzFS : 08-07-2006 at 03:37 PM.