Unpacking PolyCryptPE
As the name hints, PolyCryptPE is a polymorphic executable packer made by JLabSoftware; it has since been dropped from development. JLabSoftware got into some heated conversations, since at least one anti-virus vendor, Kaspersky, flagged every file packed with PolyCryptPE. Anyway, PolyCryptPE deploys some nice tricks: file locking, API hooking, and inlined anti-debug and anti-dump code.
After pushing a few registers onto the stack, the stub enters a small XOR loop that decrypts the next stage:
Almost immediately after that finishes, it enters another decryption loop:
This loop is revisited after a few more instructions have executed. Once it has run a second time, the whole stub is decrypted. Scroll about 400 bytes forward to find the following:
For a quick-and-dirty unpack, place a breakpoint on the RETN. The PUSH 0 instruction is patched before you reach the breakpoint, so by the time the RETN executes the value it pops is the OEP. Single-step the RETN and you land at the OEP.
The reason this is quick and dirty is that you will most likely end up with a broken file, because the packer's other protections are still in effect when you dump. Below are a few notes on the anti-debug and anti-dump mechanisms the packer deploys.
PolyCryptPE deploys inline anti-debug checks; the following is one of them:
Note that the registers differ from the usual anti-debug snippets floating around the web. The point of this is to throw off scanners that look for the canonical byte sequence of those checks. These sequences occur in several places in the code, so the easiest bypass is either the OllyHide plugin or manually patching the PEB fields such checks read (BeingDebugged and NtGlobalFlag) to hide the presence of your debugger.
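To make the register-swapping point concrete, here is an added example (not code from the original post or from PolyCryptPE) that scans a constructed buffer for the classic PEB.BeingDebugged check. A naive signature matches only the canonical `mov eax, fs:[30h] / movzx eax, byte ptr [eax+2]` encoding, while a scanner that masks the ModRM register bits still finds the ecx and ebx variants. The byte sequences are hand-assembled from the x86 encoding rules and are not taken from the packer.

```python
"""Register-agnostic scanner for the inline PEB.BeingDebugged check.

Added example, not code from the original post or from PolyCryptPE. The byte
sequences below are constructed by hand from the x86 encoding rules; they are
not bytes taken from the packer.
"""
import re

REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
PEB_OFFSET = b"\x30\x00\x00\x00"      # fs:[30h] -> PEB

# Canonical snippet that most public signatures match:
#   64 A1 30 00 00 00      mov   eax, fs:[30h]
#   0F B6 40 02            movzx eax, byte ptr [eax+2]   ; PEB.BeingDebugged
CANONICAL = bytes.fromhex("64A1300000000FB64002")

# Same check with the registers swapped, as the post describes:
#   64 8B 0D 30 00 00 00   mov   ecx, fs:[30h]
#   0F B6 41 02            movzx eax, byte ptr [ecx+2]
VARIANT_ECX = bytes.fromhex("648B0D300000000FB64102")
#   64 8B 1D 30 00 00 00   mov   ebx, fs:[30h]
#   0F B6 5B 02            movzx ebx, byte ptr [ebx+2]
VARIANT_EBX = bytes.fromhex("648B1D300000000FB65B02")

# Constructed "code section": three checks separated by NOP sleds.
FILLER = b"\x90" * 8
SAMPLE = FILLER + CANONICAL + FILLER + VARIANT_ECX + FILLER + VARIANT_EBX + FILLER


def scan_fixed(buf, sig=CANONICAL):
    """Naive signature scan: exact byte match only."""
    return [m.start() for m in re.finditer(re.escape(sig), buf)]


def scan_register_agnostic(buf):
    """Match the *structure* of the check, whatever registers it uses.

    Returns (offset, register) for every place where some r32 is loaded
    from fs:[30h] and then used as the base of a movzx r32, byte [r32+2].
    """
    hits = []
    i = 0
    n = len(buf)
    while i < n:
        if buf[i] != 0x64:                      # FS segment override prefix
            i += 1
            continue
        # Form 1: A1 moffs32 is the short encoding for mov eax, fs:[30h]
        if buf[i + 1:i + 6] == b"\xA1" + PEB_OFFSET:
            reg, j = 0, i + 6
        # Form 2: 8B /r with ModRM mod=00 rm=101 (disp32, no base); the reg
        # field (bits 3..5) selects the destination register.
        elif (buf[i + 1:i + 2] == b"\x8B" and i + 7 <= n
              and (buf[i + 2] & 0xC7) == 0x05 and buf[i + 3:i + 7] == PEB_OFFSET):
            reg, j = (buf[i + 2] >> 3) & 7, i + 7
        else:
            i += 1
            continue
        # Expect 0F B6 /r with mod=01 (disp8), rm == the register holding the
        # PEB pointer, disp8 == 2 (PEB.BeingDebugged). rm=100 would need a SIB
        # byte; ESP is never used as the PEB pointer in practice, so skip it.
        if (buf[j:j + 2] == b"\x0F\xB6" and j + 4 <= n
                and (buf[j + 2] & 0xC0) == 0x40 and (buf[j + 2] & 7) == reg
                and reg != 4 and buf[j + 3] == 0x02):
            hits.append((i, REGS[reg]))
            i = j + 4
        else:
            i += 1
    return hits


if __name__ == "__main__":
    print("fixed signature :", scan_fixed(SAMPLE))              # only the eax form
    print("register-masked :", scan_register_agnostic(SAMPLE))  # all three
```

The same masking idea extends to the NtGlobalFlag variant (`mov reg, [reg+68h]`) and to any other fixed-offset PEB read: match the opcode and the addressing mode, and let the register fields float.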
Another thing: PolyCryptPE modifies the PE header in the memory image, which makes most dumpers choke. One way to fix this is to copy the DOS and PE headers from the disk image and paste them over the headers in the memory image before dumping.
PolyCryptPE also has a file-locking feature: it locks the disk image of the file so it cannot be accessed. The check that decides whether to lock the file is done here:
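The header hot-paste can be scripted. The following is an added example, not code from the original post: it reads SizeOfHeaders from the trusted disk image, overwrites the first SizeOfHeaders bytes of a dump with the clean DOS and PE headers, and leaves the rest of the dump (the decrypted sections) untouched. The minimal one-section PE and the "mangled dump" it operates on are constructed for the demo; `simulate_mangled_dump` is a stand-in for the packer's in-memory edit, not a description of what PolyCryptPE actually changes.

```python
"""Restore trashed PE headers in a dump from the clean disk image.

Added example, not code from the original post. It does in a script what the
post does by hand in the debugger: take the DOS and PE headers from the file on
disk and paste them over the headers the packer modified in memory. The minimal
PE below is constructed for the demo and is not a PolyCryptPE sample.
"""
import struct

IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\0\0"
COFF_HEADER_SIZE = 20
SIZEOFHEADERS_OFFSET = 60      # offset of SizeOfHeaders inside the optional header


def parse_headers(img):
    """Return (e_lfanew, SizeOfHeaders); raise ValueError if the headers are bad."""
    if img[:2] != IMAGE_DOS_SIGNATURE:
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", img, 0x3C)
    if e_lfanew + 4 + COFF_HEADER_SIZE + SIZEOFHEADERS_OFFSET + 4 > len(img):
        raise ValueError("e_lfanew points outside the image")
    if img[e_lfanew:e_lfanew + 4] != IMAGE_NT_SIGNATURE:
        raise ValueError("missing PE signature at e_lfanew")
    (size_of_headers,) = struct.unpack_from(
        "<I", img, e_lfanew + 4 + COFF_HEADER_SIZE + SIZEOFHEADERS_OFFSET)
    return e_lfanew, size_of_headers


def headers_look_valid(img):
    """True if parse_headers() accepts the image, else False."""
    try:
        parse_headers(img)
        return True
    except ValueError:
        return False


def restore_headers(disk_image, dump):
    """Overwrite the dump's first SizeOfHeaders bytes with the clean headers.

    SizeOfHeaders is read from the trusted disk image, never from the dump,
    because the dump's header is exactly what the packer may have mangled.
    """
    _, size_of_headers = parse_headers(disk_image)
    if len(dump) < size_of_headers:
        raise ValueError("dump is smaller than the header block")
    return bytes(disk_image[:size_of_headers]) + bytes(dump[size_of_headers:])


def build_sample_pe(section_body):
    """Construct a minimal one-section PE32 file with SizeOfHeaders = 0x200."""
    dos = bytearray(64)
    dos[:2] = IMAGE_DOS_SIGNATURE
    struct.pack_into("<I", dos, 0x3C, 0x40)                  # e_lfanew
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)                  # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                # ImageBase
    struct.pack_into("<I", opt, 32, 0x1000)                  # SectionAlignment
    struct.pack_into("<I", opt, 36, 0x200)                   # FileAlignment
    struct.pack_into("<I", opt, 56, 0x2000)                  # SizeOfImage
    struct.pack_into("<I", opt, 60, 0x200)                   # SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)                      # NumberOfRvaAndSizes
    # Machine, NumberOfSections, TimeDateStamp, PtrToSymTab, NumSyms,
    # SizeOfOptionalHeader, Characteristics (EXECUTABLE_IMAGE | 32BIT_MACHINE)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    sect = struct.pack("<8sIIIIIIHHI", b".text", 0x1000, 0x1000,
                       len(section_body), 0x200, 0, 0, 0, 0, 0x60000020)
    headers = bytes(dos) + IMAGE_NT_SIGNATURE + coff + bytes(opt) + sect
    return headers.ljust(0x200, b"\0") + section_body


def simulate_mangled_dump(disk_image, unpacked_body):
    """Stand-in for what a dumper sees after the packer has run: the section
    now holds decrypted code, but e_lfanew and the PE signature are trashed.
    Constructed approximation for the demo, not PolyCryptPE's actual edit."""
    e_lfanew, size_of_headers = parse_headers(disk_image)
    hdr = bytearray(disk_image[:size_of_headers])
    struct.pack_into("<I", hdr, 0x3C, 0xFFFFFFFF)
    hdr[e_lfanew:e_lfanew + 4] = b"\0\0\0\0"
    return bytes(hdr) + unpacked_body


if __name__ == "__main__":
    packed = build_sample_pe(bytes(range(256)) * 2)        # "encrypted" body
    dump = simulate_mangled_dump(packed, b"\x90" * 0x200)  # "decrypted" body
    print("dump parses as-is:", headers_look_valid(dump))
    fixed = restore_headers(packed, dump)
    print("after restore (e_lfanew, SizeOfHeaders):", parse_headers(fixed))
```

This restores only the header block; section raw/virtual alignment is still the dumper's job, and an import table that was hooked (next section) still needs to be rebuilt separately.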
Place a breakpoint on the CMP BYTE PTR SS:[EBP+<offset>],0
When the debugger hits the breakpoint, set the byte at [EBP+<offset>] to zero so that the jump which bypasses the locking is taken.
Last but not least, PolyCryptPE hooks imports. If the hooking is active, you'll be looking at a butt-ugly dump. Find the following place in the code:
Place a breakpoint on the CMP BYTE PTR SS:[EBP+<offset>],1
When the debugger hits the breakpoint, set the byte at [EBP+<offset>] to zero so that the jump which bypasses the hooking is taken.
That more or less concludes the unpacking procedure for PolyCryptPE. There are no public unpackers for it :)