Safengine Olly scripts

Here you can post new software developed by you.
Software news and new software launch.


Post #1 by CodeCracker » 13 Mar 2019 15:13

Safengine_OEP_finder.txt and SafeEngine_ThunksFixer.txt: two Olly scripts.
First load the target and run Safengine_OEP_finder.txt - this will lead to the OEP.
After that, load the SafeEngine_ThunksFixer.txt script: this will fix instructions involving import table thunks.
Currently I have no way to fix emulated imports (the import table).
SafeEngine_ThunksFixer.txt still has a bug: it randomly crashes when executing some SafeEngine code (it does NOT always crash)!
Attachment: SafeEngine_Scripts.zip (8.25 KiB)

Re: Safengine Olly scripts

Post #2 by CodeCracker » 16 Apr 2019 11:50

I found a way to kill import table redirection!

A breakpoint on write to the code section (.text section) doesn't work in some cases.
At this point we can watch how imports are restored!
Next it will check for the Import Redirection magic jump: that jump should jump.
The script may log more than one jump location: obviously only one location is right.
First that sheet gets the kernel32.GetModuleHandleA RVA = B741 (41B70000)
Export table address: 7C802C2C 41 B7 00 00
So set a breakpoint on read at 7C802C2C; after the breakpoint, continue execution (step in) and
you will see that it will compare the ntdll base address with kernel32.GetModuleHandleA.
The jump after should jump, and imports will no longer be redirected (clean import table)!
Attachment: Safengine_OEP_finder_&IAT.txt (5.76 KiB)

Re: Safengine Olly scripts

Post #3 by CodeCracker » 16 Apr 2019 13:16

Target:
https://forum.tuts4you.com/topic/39325- ... ielden-239

magicjump5: 004D30FB
magicjump5 may be wrong!
magicjump2: 004D28E4
JumpDestination: 004D28C8 | Entry address
magicjump2: 004D3349
JumpDestination: 004D3308 | Entry address
magicjump2: 004D80BB
JumpDestination: 004D80D7 | Entry address
magicjump2: 004D81DC
JumpDestination: 004D81F8 | Entry address
magicjump2: 004DA58A
JumpDestination: 004DA54C | Entry address
magicjump2: 004DB025
JumpDestination: 004DB056 | Entry address
magicjump2: 004DB9C9
JumpDestination: 004DB9AE | Entry address
magicjump2: 0054A8FD
JumpDestination: 0054A903

Unfortunately, none of those addresses is the magic jump (sorry)!

Log data, item 1
Message=ImportTableAddress: 00464000

First time it gets the kernel32.GetModuleHandleA RVA = B741 (41B70000)
Export table address: 7C802C2C 41 B7 00 00
so set a breakpoint on read at address 7C802C2C.
It should lead you here:
004FDA27 . 8B3E MOV EDI, DWORD PTR DS:[ESI]
004FDA29 . 5E POP ESI ; kernel32.7C80262C
004FDA2A . 9C PUSHFD
004FDA2B .^ EB DD JMP SHORT 004FDA0A
// Step in needed:
004FDBF3 > \3BFE CMP EDI, ESI ; kernel32.7C80262C
004FDBF5 . 8D6424 04 LEA ESP, DWORD PTR SS:[ESP+0x4]
004FDBF9 ^ 0F82 00F9FFFF JB 004FD4FF
// No, is not this magic jump since is not the ntdll base address!

After stepping in a lot:
004A5D18 > \4A DEC EDX ; kernel32.7C807C3B
004A5D19 . 8B11 MOV EDX, DWORD PTR DS:[ECX]
004A5D1B . 3BD0 CMP EDX, EAX
004A5D1D . 60 PUSHAD
004A5D1E . E9 B5760500 JMP 004FD3D8

At 004A5D19 it gets the ntdll base address in EDX.

004FD3D8 > \8D6424 20 LEA ESP, DWORD PTR SS:[ESP+0x20]
004FD3DC .^ 0F83 C088FAFF JNB 004A5CA2
This is the magic jump, which should be changed to jump! And now we have a clean import table!

It is still hard for me to automate things!

Re: Safengine Olly scripts

Post #4 by giv » 16 Apr 2019 14:24

CodeCracker wrote: Target:
It is still hard for me to automate things!


Hi.
The basic idea is to understand the logic.
Then, very simply, you can make a script that spares you the repetitive work.
Best regards!
GIV

Re: Safengine Olly scripts

Post #5 by CodeCracker » 18 Apr 2019 10:30

A nice update:
I was able to code a good MagicJump finder (IAT redirection finder) - attached.
Now the problem is that the old script Safengine_OEP_finder.txt won't be able to reach the OEP,
since the IAT fixing stuff is done late!
So you still have to patch that address (MagicJump) manually.
Attachment: Safengine_MagicJump_IATFinder.txt (4.14 KiB)