Convert script to executable file#
This chapter introduces two steps after unpacking, converting the executable file and rebuilding the import function table.
OEP
In the previous chapter, the OEP has been debugged, and the program is analyzed again by operating IDA at the OEP. Prepare to execute the conversion operation, use the following IDC script to convert.
static Byte(ea) {
return (ea) & 0xff;
}
static main()
{
auto fp, ea;
fp = fopen("dump.bin", "wb"); // Open the file to be written
for (ea=0x400000; ea < 0x40b200; ea++) // Loop through the specified address range
{
fputc(Byte(ea), fp); // Write the data in the specified address to the file
}
fclose(fp); // Close the file
}
Note: In the actual operation, using the above code to convert in IDA 7.7 will cause problems, and the converted content is not normal
So here is a Python3 script to convert, the script is as follows:
import idaapi
import idc
import struct
start_ea = 0x400000
end_ea = 0x40b200
step = 4 # Each address occupies 4 bytes
file_path = "dump.bin"
with open(file_path, "wb") as f:
for ea in range(start_ea, end_ea, step):
# Read 4 bytes of data at the specified address and convert it to little-endian byte order
bin_data = struct.pack("<L", idaapi.get_32bit(ea))
f.write(bin_data)
The base address of the file is 0x400000. Find the highest address of the converted file from the IDA segments tab. From the figure below, you can see the end of the Overlay block is 0x40b200.
Then open the menu bar-File-Run script file, this function can be done with both IDC script and Python script. After executing the IDC script, a bin file will be generated in the current directory of IDC.
The file header of the bin file is as follows:
Make a backup of the dump.bin file, and then rename it to an executable file with the extension .exe.
The icon of this file is not displayed, so there is still a problem to be solved.
Then open it with a PE editor.
pe editor 1.7
Click on sections to open the section view.
Section view
Right-click on each section and select dumpfixer.
At this time, the icon is displayed normally, but the program still cannot run because the IAT has not been fixed.
What is IAT#
IAT (Import Address Table) is an important data structure in the Windows PE format, which is used to dynamically load and link symbols of external DLL libraries during program execution. The IAT stores the names and addresses of all functions to be called in the external DLL library, which can be used by the program dynamic linker at runtime.
IAT stores the addresses of all imported functions executed by the program
Decrypted IAT of the packed file
IAT of the original file
The two figures above are marked with the address 0x403238, and the contents look similar.
Open the IDA of the original file, and the lower left corner of IDA shows that the file offset corresponding to this memory address is 0x1038, as shown in the figure above. At this time, you can open the hexadecimal editor to view its contents.
Byte at 0x1038 in the original file opened by 010editor
The value at 0x1038 in the above figure is 0x355e.
If 0x355e is added to the base address 0x400000, it becomes 0x40355e. In order to view the contents of this address, you need to manually load all sections in the file again (Load Original File) according to the file offset displayed by IDA in the lower left corner.
Content at 0x40355e
Select to load all sections, go to 0x40355e, and you can also see the function name of the API as GetModuleHandleA on the right.
With these offset values added to the value of the base address, you can find the corresponding function name string. Based on this string, you can obtain the native address of these functions on the system. In this example, the address of GetModuleHandleA is obtained, and then the bytes 5E 35 00 00 are replaced with the native address of the function.
The system obtains the function name string corresponding to the initial value 0x355e plus the base address, and then stores the native address of the function in 0x403238.
Then open another IDA window to load the dumped file dump - bak.exe and go to 0x403238.
In the above figure, the file offset address is 0x3238, which does not match the original file. The main reason is that dumpfixer changes the file occupancy (rawsize) to be the same as the memory occupancy (rawsize), which causes the offset to change.
Open dump - bak.exe with 010editor and go to 0x3238.
Here is the native address of the API function, not the offset pointing to the API name string.
Because when dumping, the program has already obtained the native addresses of the API functions to be called and saved them to the IAT, so the native address of the GetModuleHandleA API in the packed program is stored at this address.
GetModuleHandleA API function
The above dump has a problem, that is, when the program is executed, it will read the offset from the IAT, add the base address to obtain the API function name string, and obtain the native addresses of these API functions on the system through the system. The dumped content retains the actual addresses of the functions, and the program cannot correctly fill the IAT according to this process, which will eventually cause the program to crash.
Rebuild IAT#
The idea of rebuilding the IAT is to restore the offset values pointing to the API function strings and fix the IAT using a tool called Scylla.
Run scylla, in attach to an active process, select the process of the packed program paused in IDA.
Packed program running to OEP
Fill in the value of OPE as 00401000 and click IAT Autosearch.
The figure above shows that the starting address is 0x403184 and the size is 0x108.
Click Get Imports.
In the figure above, it shows that there are 22 places that have not been fixed.
Right-click on the unrecognized functions, select scylla plugins-pecompact v2.x to fix.
Successfully fix unrecognized functions
There are some suspicious functions, select show suspect to confirm whether the function at 0x403278 is fixed successfully.
In the above figure, it can be seen that it is fixed successfully. After confirming that there is no problem, click FIX DUMP in the lower right corner of scylla.
Select the previously dumped .exe file and write the repaired IAT.
The repaired program can run normally, indicating that the repair is successful.
Use IDA to load the file that has been dumped and the IAT has been repaired. The program starts executing from OEP, which is 0x401000, and the repaired file is the same as the original file.
IDA loads the executable file after repairing the IAT
Repaired IAT
This chapter mainly introduces how to convert the section content and rebuild the import IAT function table, and complete the final unpacking work, completing the unpacking of this UPX packed program, and learning the entire unpacking process.