Finding The Ahk-ExtraDecryption

This document summarizes the steps to unpack and analyze a UPX-packed AutoHotkey executable in OllyDbg. It includes: 1) opening the target file in OllyDbg; 2) setting a breakpoint after the UPX unpacking stub; 3) checking for the string ">AUTOHOTKEY SCRIPT<"; 4) noting the important offset value of 700 (0x2BC) used while decrypting the AutoHotkey script embedded in the executable.


1. Open the target in OllyDbg.

2. 'Unpacking' UPX: just scroll down until the code looks like this (the JMP after POPAD is the UPX stub's tail jump to the original entry point):

PUSH EBX
PUSH EDI
CALL EBP
POP EAX
POPAD
LEA EAX, [ESP-80]
PUSH 0
CMP ESP, EAX
JNZ SHORT 00471BD0
SUB ESP, -80
JMP 00442B4F <- set BREAKPOINT here
DB 00
DB 00
DB 00
DB 00

3. Search the string references for ">AUTOHOTKEY SCRIPT<" and follow the reference; you land here:

LEA EAX, [ARG.11]
PUSH EAX
LEA EAX, [ARG.24]
PUSH EAX
PUSH 0045E320 ASCII ">AUTOHOTKEY SCRIPT<"
LEA ECX, [LOCAL.84]
MOV [ARG.4], EBX
CALL <StrCmp>
TEST EAX, EAX
JNZ SHORT 004482A7
MOV [ESI+4B1], BL
JMP <Continue>

Place labels (StrCmp, Continue) to get a better overview.

Now the same pattern for ">AHK WITH ICON<":

LEA EAX, [ARG.11]
PUSH EAX ; /Arg3
LEA EAX, [ARG.24] ; |
PUSH EAX ; |Arg2
PUSH 0045E310 ; |Arg1 = 0045E310 ASCII ">AHK WITH ICON<"
LEA ECX, [LOCAL.84] ; |
CALL <StrCmp> ; \includes.00450C9F
TEST EAX, EAX
JNZ SHORT 004482CC
MOV [BYTE ESI+4B1], 1
JMP SHORT <Continue>
------------------------------------------------------------------------------

And now the N/A versions...

Note: here the string ">" takes the place of ">AUTOHOTKEY SCRIPT<" ...

LEA EAX, [ARG.11]
PUSH EAX ; /Arg3
LEA EAX, [ARG.24] ; |
PUSH EAX ; |Arg2
PUSH 0045B68C ; |Arg1 = 0045B68C ASCII ">"
LEA ECX, [LOCAL.84] ; |
MOV [ARG.4], 1 ; |
CALL <StrCmp> ; \includes.00450C9F
TEST EAX, EAX
JNZ SHORT 004482F7
MOV [ESI+4B1], BL
JMP SHORT <AHK-ExtraDecryt>

... and "<" takes the place of ">AHK WITH ICON<":

LEA EAX, [ARG.11]
PUSH EAX ; /Arg3
LEA EAX, [ARG.24] ; |
PUSH EAX ; |Arg2
PUSH 0045B684 ; |Arg1 = 0045B684 ASCII "<"
LEA ECX, [LOCAL.84] ; |
CALL <StrCmp> ; \includes.00450C9F
TEST EAX, EAX
JNZ <Could not extract script from Exe>
MOV [BYTE ESI+4B1], 1

4. And here it is: AHK-ExtraDecryt !!!

AHK-ExtraDecryt:
MOV EAX, [ARG.11]        ; ARG.11 = ScriptLength
LEA EDX, [EAX+2BC]       ; DX = ScriptLength + 700 [<- 0x2BC] !!!
CMP DX, BX               ; note: BX = 0000
JNZ SHORT SKIP_EDX_400
MOV EDX, 400             ; DX would be 0, so 0x400 is used instead
SKIP_EDX_400:
SHR EAX, 1               ; EAX = ScriptLength \ 2 = number of WORDs
MOV ECX, [ARG.24]        ; ARG.24 = ScriptStart
MOV [ARG.28], ECX        ; ARG.28 = ScriptStart (loop base)
MOV ECX, EBX             ; ECX = i = 0 (note: EBX = 00000000)
JE SHORT <Continue>      ; ZF is still from the SHR: nothing to do if there are no WORDs
Loop:
/MOV EDI, [ARG.28]
|LEA EDI, [EDI+ECX*2]    ; EDI = &ScriptStart[i*2]
|SUB [EDI], DX           ; WORD at ScriptStart[i*2] = ScriptStart[i*2] - DX (16-bit wrap)
|INC ECX
|CMP ECX, EAX
\JB SHORT Loop

Continue:
MOV EAX, [ARG.24]

5. The important value is the 700 (0x2BC): the key subtracted from every 16-bit WORD of the script is the low 16 bits of ScriptLength + 0x2BC, or 0x400 when that comes out to zero.
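The routine from step 4, re-implemented in Python as an added example (this is not code from the original notes or from AutoHotkey; the function names, the constructed sample script and the encrypt helper used only for the round trip are mine). It reproduces the key derivation (ScriptLength + 0x2BC, low 16 bits, 0x400 fallback) and the 16-bit SUB loop, so a script blob already extracted from an executable can be decoded for analysis:

```python
import struct

# Constants read off the listing in step 4: the "700" (0x2BC) and the 0x400 fallback.
AHK_EXTRA_OFFSET = 0x2BC
AHK_EXTRA_FALLBACK = 0x400


def ahk_extra_key(script_length: int) -> int:
    """DX as computed at AHK-ExtraDecryt: low 16 bits of ScriptLength + 0x2BC.
    CMP DX, BX (BX = 0) / MOV EDX, 400: a zero key is replaced by 0x400."""
    key = (script_length + AHK_EXTRA_OFFSET) & 0xFFFF
    return AHK_EXTRA_FALLBACK if key == 0 else key


def ahk_extra_decrypt(script: bytes) -> bytes:
    """The Loop: for i in 0 .. ScriptLength/2 - 1, WORD[i] -= DX with 16-bit wrap.
    SHR EAX, 1 drops a trailing odd byte, so it is copied through untouched."""
    key = ahk_extra_key(len(script))
    out = bytearray(script)
    for i in range(len(script) >> 1):
        (word,) = struct.unpack_from("<H", out, i * 2)
        struct.pack_into("<H", out, i * 2, (word - key) & 0xFFFF)
    return bytes(out)


def ahk_extra_encrypt(plain: bytes) -> bytes:
    """Inverse transform (hypothetical helper, added only to build test data;
    the notes show the decrypt side only)."""
    key = ahk_extra_key(len(plain))
    out = bytearray(plain)
    for i in range(len(plain) >> 1):
        (word,) = struct.unpack_from("<H", out, i * 2)
        struct.pack_into("<H", out, i * 2, (word + key) & 0xFFFF)
    return bytes(out)


def looks_like_ahk_source(blob: bytes) -> bool:
    """Cheap plausibility check after decoding: with the right key the result is
    printable text; with a wrong key (e.g. a wrong length) it is not."""
    return all(b in b"\t\r\n" or 0x20 <= b < 0x7F for b in blob)


# Constructed sample script body, not material taken from any real binary.
SAMPLE_SCRIPT = b"MsgBox, Hello from a constructed sample\r\nExitApp\r\n"


if __name__ == "__main__":
    encoded = ahk_extra_encrypt(SAMPLE_SCRIPT)
    print("key = 0x%04X for length %d" % (ahk_extra_key(len(encoded)), len(encoded)))
    decoded = ahk_extra_decrypt(encoded)
    print("decoded looks like text:", looks_like_ahk_source(decoded))
    print(decoded.decode())
```

The length fed to ahk_extra_key must be the length the binary itself uses (ARG.11 in the listing); feeding a blob with a few extra or missing bytes changes the key and turns the output into noise, which is what looks_like_ahk_source is there to flag.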
