Convert Script to Executable File#
This chapter introduces two steps after unpacking, converting the executable file and rebuilding the import function table.
OEP
In the previous chapter, the OEP has been debugged, and the program is analyzed again by operating IDA at the OEP. Prepare to execute the conversion operation, use the following IDC script to convert.
static Byte(ea) {
return (ea) & 0xff;
}
static main()
{
auto fp, ea;
fp = fopen("dump.bin", "wb"); // Open the file to write
for (ea=0x400000; ea < 0x40b200; ea++) // Loop through the specified address range
{
fputc(Byte(ea), fp); // Write the data in the specified address to the file
}
fclose(fp); // Close the file
}
Note: In the actual operation, using the above code to convert in IDA 7.7 will cause problems, and the converted content is not normal
So here is a Python 3 script to convert. The script is as follows:
import idaapi
import idc
import struct
start_ea = 0x400000
end_ea = 0x40b200
step = 4 # Each address occupies 4 bytes
file_path = "dump.bin"
with open(file_path, "wb") as f:
for ea in range(start_ea, end_ea, step):
# Read 4 bytes of data at the specified address and convert it to little-endian byte order
bin_data = struct.pack("<L", idaapi.get_32bit(ea))
f.write(bin_data)
The base address of the file is 0x400000. Find the highest address of the converted file from the IDA segments tab. From the figure below, you can see that the end of the Overlay block is 0x40b200.
Then open the menu bar-File-Run Script, this function can be done with both IDC script and Python script. After executing the IDC script, a bin file will be generated in the IDC current directory.
The file header of the bin file is as follows.
Make a backup of the dump.bin file, and then rename it to an executable file with the extension .exe.
The icon of this file is not displayed, so there is still a problem to be solved.
Then open it with PE editor.
pe editor 1.7
Click on sections to open the section view.
Section View
Right-click on each section and select dumpfixer.
At this time, the icon is displayed correctly, but the program still cannot run because the IAT has not been fixed.
What is IAT#
IAT (Import Address Table) is an important data structure in the Windows PE format, which is used to dynamically load and link symbols of external DLL libraries during program execution. IAT stores the names and addresses of all functions to be called in external DLL libraries, which can be used by the program's dynamic linker at runtime.
IAT stores the addresses of all imported functions executed by the program.
Decrypted IAT of the packed file
IAT of the original file
The two pictures above are marked with the address 0x403238, and the content looks similar.
Open IDA of the original file, and the lower left corner of IDA shows that the file offset corresponding to this memory address is 0x1038, as shown in the figure above. At this time, you can open the hex editor to view its content.
Byte at 0x1038 in the original file opened by 010editor
The value at 0x1038 in the above figure is 0x355e.
If 0x355e is added to the base address 0x400000, it becomes 0x40355e. To view the content at this address, you need to manually load all sections in the file (load the original file) using IDA.
Content at 0x40355e
Select to load all sections, go to 0x40355e, and you can also see the API function name GetModuleHandleA on the right.
With these offset values added to the value of the base address, you can find the corresponding function name string. Based on this string, you can obtain the native address of these functions on the system. In this example, the address of GetModuleHandleA is obtained, and then the bytes 5E 35 00 00 are replaced with the native address of the function.
The system obtains the function name string corresponding to the initial value 0x355e plus the base address, and then stores the native address of the function in 0x403238.
Then open another IDA window to load the dumped file dump - bak.exe and go to 0x403238.
In the above figure, the file offset address is 0x3238, which does not match the original file. The main reason is that dumpfixer changes the file occupancy (rawsize) to be the same as the memory occupancy (rawsize), resulting in a change in the offset.
Open dump - bak.exe with 010editor and go to 0x3238.
This is the native address of the API function, not the offset pointing to the API name string.
Because when dumping, the program has already obtained the native addresses of the API functions to be called and saved them to the IAT, so the native address of the GetModuleHandleA API in the packed program is stored at this address.
GetModuleHandleA API function
The above dump has a problem, that is, when the program is executed, it will read the offset from the IAT, add the base address to obtain the API function name string, and obtain the native addresses of these API functions on the system through the system. The program cannot correctly fill the IAT according to this process during the conversion, which will eventually cause the program to crash.
Rebuild IAT#
The idea of rebuilding the IAT is to restore the offset values that point to the API function strings, and fixing the IAT requires a tool called Scylla.
Run Scylla, in attach to an active process, select the process of the packed program paused in IDA.
Packed program running to OEP
Fill in the value of OPE as 00401000 and click IAT Autosearch.
The figure above shows that the starting address is 0x403184 and the size is 0x108.
Click Get Imports.
In the figure above, it shows that there are 22 places that have not been fixed.
Right-click on the unrecognized function, select scylla plugins-pecompact v2.x to fix it.
Successfully fix unrecognized functions
There are some suspicious functions, select show suspect to confirm whether the function at 0x403278 is fixed successfully.
In the above figure, it can be seen that it is fixed successfully. After confirming that there is no problem, click FIX DUMP in the lower right corner of Scylla.
Select the previously dumped .exe file and write the fixed IAT.
The fixed program can run normally, indicating that the fix is successful.
Use IDA to load the file that has been unpacked and the IAT has been fixed. The program starts executing from OEP, which is 0x401000, and the fixed file is the same as the original file.
IDA loads the executable file after fixing the IAT
Fixed IAT
This chapter mainly introduces how to convert the section content and rebuild the import IAT function table, and complete the final unpacking work, completing the unpacking of this UPX packed program and learning the entire unpacking process.