initial import.

Author: pedramamini

Makefile

@@ -0,0 +1,9 @@
+LATEX_FILE=render.article
+
+all:
+<<<<<<< .mine
+	rm ${LATEX_FILE}.{toc,aux,log,nav,out,pdf,snm}; pdflatex ${LATEX_FILE}.tex && pdflatex ${LATEX_FILE}.tex
+
+=======
+	rm ${LATEX_FILE}.{toc,aux,log,nav,out,pdf,snm,vrb} 2>/dev/null; pdflatex ${LATEX_FILE}.tex && pdflatex ${LATEX_FILE}.tex; rm ${LATEX_FILE}.{toc,aux,log,nav,out,snm,vrb} 2>/dev/null;
+>>>>>>> .r102

Makefile.mine

@@ -0,0 +1,7 @@
+
+#LATEX_FILE=render.presentation
+LATEX_FILE=render.article
+
+all:
+	rm ${LATEX_FILE}.{toc,aux,log,nav,out,pdf,snm}; pdflatex ${LATEX_FILE}.tex && pdflatex ${LATEX_FILE}.tex
+

Makefile.r102

@@ -0,0 +1,4 @@
+LATEX_FILE=render.article
+
+all:
+	rm ${LATEX_FILE}.{toc,aux,log,nav,out,pdf,snm,vrb} 2>/dev/null; pdflatex ${LATEX_FILE}.tex && pdflatex ${LATEX_FILE}.tex; rm ${LATEX_FILE}.{toc,aux,log,nav,out,snm,vrb} 2>/dev/null;

Makefile.r86

@@ -0,0 +1,6 @@
+
+LATEX_FILE=render.presentation
+
+all:
+	rm ${LATEX_FILE}.{aux,log,nav,out,pdf,snm,toc}; pdflatex ${LATEX_FILE}.tex
+

TODO.txt

@@ -0,0 +1,17 @@
+* Restructure the PE format section. I like the order you suggested dealing with it at a high-level first, showing it in Olly/LordPE and then start digging into the details of relevant headers...
+
+* Make a high-level, abstract view of a PE file; headers, directories and sections (with file layout and in-memory layout). Show code/data separation. Talk about virtual and raw addresses. Show that in the context of the overall memory space layout of the application, zooming out
+
+* I also want to do some quick drawings for the packer exercise depicting the slack space, the stub code, etc, just to make it more obvious what we are doing.
+
+* Add section about OEP finding (I have my code laying around, do you have yours?)
+-Get scripts
+-Add basic slides (in packer reconstruction)
+-Commit
+
+* Add mention of IDA's fixes for certain PE parsing problems and anti-disassembly tricks
+
+* pydbg dumping + pefile import reconstruction (I have scripts to do a full dump with pydbg/vtrace and then do a "find-intermodular-calls" with the help of pefile)
+-Add small section in packer reconstruction, pose it as an exercise
+
+* prolog finding and image reconstruction (have scripts to clean-up a dump, could have some notes on those)

Training CD/Exercise Solutions/Anti-Analysis/0x90-fixed.exe

@@ -0,0 +1,111 @@
+------------------------------------------------------------------------------------------------------------------------
+Notes
+------------------------------------------------------------------------------------------------------------------------
+This is an easy one to find the OEP of.
+
+Single step through a couple of opcode tricks and into the main unpack loop. You should notice a JNZ to a *very* distant address.
+
+This distant address turns out to be the end of the packer.
+
+
+------------------------------------------------------------------------------------------------------------------------
+Transfer Command
+------------------------------------------------------------------------------------------------------------------------
+push [patched value]
+ret
+
+
+------------------------------------------------------------------------------------------------------------------------
+Entry Point Signature
+------------------------------------------------------------------------------------------------------------------------
+
+.aspack:00412001                 public start
+.aspack:00412001 start           proc near
+.aspack:00412001                 pusha
+.aspack:00412002                 call    skipBytes
+.aspack:00412002 ; ---------------------------------------------------------------------------
+.aspack:00412007                 db 0E9h
+.aspack:00412008 ; ---------------------------------------------------------------------------
+.aspack:00412008                 jmp     short loc_41200E ; ret address
+.aspack:0041200A ; ---------------------------------------------------------------------------
+.aspack:0041200A
+.aspack:0041200A skipBytes:                              ; CODE XREF: start+1p
+.aspack:0041200A                 pop     ebp             ; = fx ret addr after call (412007)
+.aspack:0041200B                 inc     ebp
+.aspack:0041200C                 push    ebp
+.aspack:0041200D                 retn
+.aspack:0041200D start           endp ; sp = -20h
+.aspack:0041200D
+
+.aspack:0041200E
+.aspack:0041200E loc_41200E:                             ; CODE XREF: start+7j
+.aspack:0041200E                 call    loc_412014
+.aspack:0041200E ; ---------------------------------------------------------------------------
+.aspack:00412013                 db 0EBh
+.aspack:00412014 ; ---------------------------------------------------------------------------
+.aspack:00412014
+.aspack:00412014 loc_412014:                             ; CODE XREF: .aspack:loc_41200Ep
+.aspack:00412014                 pop     ebp
+.aspack:00412015                 mov     ebx, 0FFFFFFEDh
+.aspack:0041201A                 add     ebx, ebp
+.aspack:0041201C                 sub     ebx, 12000h
+.aspack:00412022                 cmp     dword ptr [ebp+422h], 0
+.aspack:00412029                 mov     [ebp+422h], ebx
+.aspack:0041202F                 jnz     END_OF_PACKER
+
+.aspack:0041239A END_OF_PACKER:                          
+
+.aspack:0041239A                                         
+.aspack:0041239A                 mov     eax, 0A870h     ; original entry point offset
+.aspack:0041239F                 push    eax
+.aspack:004123A0                 add     eax, [ebp+422h] ;add image base to offset
+.aspack:004123A6                 pop     ecx
+.aspack:004123A7                 or      ecx, ecx
+.aspack:004123A9                 mov     [ebp+3A8h], eax ;patch 004123BA to be push [offset]
+.aspack:004123AF                 popa
+.aspack:004123B0                 jnz     short loc_4123BA
+.aspack:004123B2                 mov     eax, 1
+.aspack:004123B7                 retn    0Ch             ; error exit ?
+.aspack:004123BA ; ---------------------------------------------------------------------------
+.aspack:004123BA
+.aspack:004123BA loc_4123BA:                             ; CODE XREF: .aspack:004123B0j
+.aspack:004123BA                 push    0               ; put a ret addr on stack 
+.aspack:004123BF                 retn                    ; ret to pushed address 
+
+
+
+------------------------------------------------------------------------------------------------------------------------
+Known Unpackers
+------------------------------------------------------------------------------------------------------------------------
+
+// Script for OllyScript plugin by SHaG - http://ollyscript.apsvans.com
+/* 
+Find target's OEP [ ASPack v2.12 ] v0.1
+---------------------------------------
+Author: DeAtH HaS cOMe #eCh!2004 .:[ CracksLatinos ]:.
+Email : [email protected] 
+OS : Win XP SP1,OllyDbg 1.10,OllyScript v0.92 
+Date : 09.10.2004 
+Config: No BreakPoint sets
+Note : Any bug or comments, please report at [email protected]
+That's all folks!
+Un saludo para todo CracksLatinoS, maravillosos listeros, y para mi enana Aur�nya :P
+*/
+
+eob Rompe
+findop eip, #6800000000#
+bphws $RESULT, "x"
+run
+
+Rompe:
+bphwc $RESULT
+sto
+sto
+log "El OEP del programa es:"
+log eip
+log "Dumpealo ahora y repara la IAT automaticamente con el IREC"
+log "Script CracksLatinos by DeAtH #eCh!2004"
+log "@: [email protected] WWW: http://www.ech2004.tk"
+msg "Script finalizado correctamente. Ahora esta parado en el OEP, dumpealo y arregla la IAT :D"
+
+ret

Training CD/Exercise Solutions/Packer Construction/crypted.exe

@@ -0,0 +1,52 @@
+------------------------------------------------------------------------------------------------------------------------
+Notes
+------------------------------------------------------------------------------------------------------------------------
+IAT built at runtime Dlls loaded by loader one api entry per dll left
+
+
+------------------------------------------------------------------------------------------------------------------------
+Transfer Command
+------------------------------------------------------------------------------------------------------------------------
+
+61               POPAD
+E9 [4Bytes]      JMP [offset]
+
+
+------------------------------------------------------------------------------------------------------------------------
+Entry Point Signature
+------------------------------------------------------------------------------------------------------------------------
+
+60                PUSHAD
+BE   [4 Bytes]    MOV ESI[Value]
+8DBE [4 bytes]    LEA EDI, DWORD PTR DS:[ESI+Value]
+57                PUSH EDI
+83CD FF           OR EBP, FFFFFFFF
+EB 10             JMP SHORT [Relative Jump]
+90                NOP
+90                NOP
+90                NOP
+90                NOP
+90                NOP
+90                NOP
+
+
+------------------------------------------------------------------------------------------------------------------------
+Known Unpackers
+------------------------------------------------------------------------------------------------------------------------
+
+//OllyScript Oep finder by shag
+// The amazing UPX OEP finder v2
+// This script will quickly put you at the OEP of an UPX-packed EXE.
+// Just run it!
+// Implemented using hardware breakpoints (just for fun).
+
+eob Break 
+findop eip, #61#
+bphws $RESULT, "x"
+run
+
+Break:
+sto 
+sto
+bphwc $RESULT
+ret