banner
lca

lca

真正的不自由,是在自己的心中设下牢笼。

"Learning Notes on Starting from Zero to Learn IDA Reverse Engineering - 15 (Dumping and Rebuilding Import Function Table (IAT))"

Convert Script to Executable File#

This chapter introduces two steps after unpacking, converting the executable file and rebuilding the import function table.

image.png

OEP

In the previous chapter, the OEP has been debugged, and the program is analyzed again by operating IDA at the OEP. Prepare to execute the conversion operation, use the following IDC script to convert.

static Byte(ea) {
	return (ea) & 0xff;
}

static main()
{
    auto fp, ea;
    fp = fopen("dump.bin", "wb");  // Open the file to write
    for (ea=0x400000; ea < 0x40b200; ea++)  // Loop through the specified address range
    {
        fputc(Byte(ea), fp);  // Write the data in the specified address to the file
    }
    fclose(fp);  // Close the file
}

Note: In the actual operation, using the above code to convert in IDA 7.7 will cause problems, and the converted content is not normal

So here is a Python 3 script to convert. The script is as follows:

import idaapi
import idc
import struct

start_ea = 0x400000
end_ea = 0x40b200
step = 4  # Each address occupies 4 bytes

file_path = "dump.bin"
with open(file_path, "wb") as f:
    for ea in range(start_ea, end_ea, step):
        # Read 4 bytes of data at the specified address and convert it to little-endian byte order
        bin_data = struct.pack("<L", idaapi.get_32bit(ea))
        f.write(bin_data)

The base address of the file is 0x400000. Find the highest address of the converted file from the IDA segments tab. From the figure below, you can see that the end of the Overlay block is 0x40b200.

image.png

Then open the menu bar-File-Run Script, this function can be done with both IDC script and Python script. After executing the IDC script, a bin file will be generated in the IDC current directory.

image.png

The file header of the bin file is as follows.

image.png

Make a backup of the dump.bin file, and then rename it to an executable file with the extension .exe.

image.png

The icon of this file is not displayed, so there is still a problem to be solved.

Then open it with PE editor.

image.png

pe editor 1.7

Click on sections to open the section view.

image.png

Section View

Right-click on each section and select dumpfixer.

image.png

At this time, the icon is displayed correctly, but the program still cannot run because the IAT has not been fixed.

image.png

What is IAT#

IAT (Import Address Table) is an important data structure in the Windows PE format, which is used to dynamically load and link symbols of external DLL libraries during program execution. IAT stores the names and addresses of all functions to be called in external DLL libraries, which can be used by the program's dynamic linker at runtime.

IAT stores the addresses of all imported functions executed by the program.

image.png

Decrypted IAT of the packed file

image.png

IAT of the original file

The two pictures above are marked with the address 0x403238, and the content looks similar.

image.png

Open IDA of the original file, and the lower left corner of IDA shows that the file offset corresponding to this memory address is 0x1038, as shown in the figure above. At this time, you can open the hex editor to view its content.

image.png

Byte at 0x1038 in the original file opened by 010editor

The value at 0x1038 in the above figure is 0x355e.

If 0x355e is added to the base address 0x400000, it becomes 0x40355e. To view the content at this address, you need to manually load all sections in the file (load the original file) using IDA.

image.png

Content at 0x40355e

Select to load all sections, go to 0x40355e, and you can also see the API function name GetModuleHandleA on the right.

With these offset values added to the value of the base address, you can find the corresponding function name string. Based on this string, you can obtain the native address of these functions on the system. In this example, the address of GetModuleHandleA is obtained, and then the bytes 5E 35 00 00 are replaced with the native address of the function.

The system obtains the function name string corresponding to the initial value 0x355e plus the base address, and then stores the native address of the function in 0x403238.

Then open another IDA window to load the dumped file dump - bak.exe and go to 0x403238.

image.png

In the above figure, the file offset address is 0x3238, which does not match the original file. The main reason is that dumpfixer changes the file occupancy (rawsize) to be the same as the memory occupancy (rawsize), resulting in a change in the offset.

Open dump - bak.exe with 010editor and go to 0x3238.

image.png

This is the native address of the API function, not the offset pointing to the API name string.

Because when dumping, the program has already obtained the native addresses of the API functions to be called and saved them to the IAT, so the native address of the GetModuleHandleA API in the packed program is stored at this address.

image.png

GetModuleHandleA API function

The above dump has a problem, that is, when the program is executed, it will read the offset from the IAT, add the base address to obtain the API function name string, and obtain the native addresses of these API functions on the system through the system. The program cannot correctly fill the IAT according to this process during the conversion, which will eventually cause the program to crash.

Rebuild IAT#

The idea of rebuilding the IAT is to restore the offset values that point to the API function strings, and fixing the IAT requires a tool called Scylla.

image.png

Run Scylla, in attach to an active process, select the process of the packed program paused in IDA.

image.png

Packed program running to OEP

image.png

Fill in the value of OPE as 00401000 and click IAT Autosearch.

image.png

The figure above shows that the starting address is 0x403184 and the size is 0x108.

image.png

Click Get Imports.

image.png

In the figure above, it shows that there are 22 places that have not been fixed.

image.png

Right-click on the unrecognized function, select scylla plugins-pecompact v2.x to fix it.

image.png

Successfully fix unrecognized functions

image.png

There are some suspicious functions, select show suspect to confirm whether the function at 0x403278 is fixed successfully.

image.png

In the above figure, it can be seen that it is fixed successfully. After confirming that there is no problem, click FIX DUMP in the lower right corner of Scylla.

image.png

Select the previously dumped .exe file and write the fixed IAT.

image.png

The fixed program can run normally, indicating that the fix is successful.

Use IDA to load the file that has been unpacked and the IAT has been fixed. The program starts executing from OEP, which is 0x401000, and the fixed file is the same as the original file.

image.png

IDA loads the executable file after fixing the IAT

image.png

Fixed IAT

This chapter mainly introduces how to convert the section content and rebuild the import IAT function table, and complete the final unpacking work, completing the unpacking of this UPX packed program and learning the entire unpacking process.

Loading...
Ownership of this post data is guaranteed by blockchain and smart contracts to the creator alone.