MOVAPS triggered ACCESS_VIOLATION....

Hi,

I met a malware which has a decryption code in it.
I tried unpack on debugger but it is stucked in mid of decryption.


movaps instruction triggered ACCESS_VIOLATION exception in decryption code.
I doubted it might be a anti debugging technique but it seem to be not.
(they are found in Windows shared libraries too)

I searched about this issue..


movaps instruction is explained like this 
but I don't understand the difference between the situations which can be passed or not.


MOVAPS--Move Aligned Packed Single-Precision Floating-Point Values
> the operand must be aligned on a 16-byte boundary http://qcd.phys.cmu.edu/QCDcluster/intel/vtune/reference/vc181.htm

It is also, 
> To move packed single-precision floating-point numbers to or from unaligned memory locations, use the MOVUPS instruction. 

 Anyway, the difference seem to be aligned/unaligned. 



16 byte boundary alignment is the answer.. 

> which generally means that the data's memory address is a multiple of the data size https://en.wikipedia.org/wiki/Data_structure_alignment 


It will be passed. (12F670 is a mltiple of 0x10.) 
movaps xmm1,xmmword ptr ds:[rcx+10]

[rcx+10]=[000000000012F670]=28 E8 42 9D FF FF 88 45 44 48 83 7D 28 00 0F 84
will not be passed.(12F638 is not a multiple of 0x10.) 
movaps xmm1,xmmword ptr ds:[rcx+10]

[rcx+10]=[000000000012F638]=B1 01 D5 02 B3 65 AC B0 4C ED 5F FA 80 5B 33 64

To shift stack address is danger, I have tried MOVUPS instruction instead. 
Fortunately it is passed... Decrypted code was executable.


This solution might be bad manner but useful during analysis...
And similar instruction, there is movdqa/movdqu combination.




Comments

Post a Comment

Popular posts from this blog

Firmware dumping via SPI

Image
I tried firmware dumping via SPI with Attify badge and Attify OS. Target camera is this one.. This camera seems to be famous among the IoT hackers. You would find many IoT hacking blogs about this camera. After the preview, I have extracted board. This time, I'd like to focus on Flash memory. It looks mxic mx25l12835f. From model number, we can find data-sheet. MX25L12835F . Now, let's connect flash memory pin and Attify Badge. Attify badge pin layout is.. D0 : SCK D1 : MISO  D2 : MOSI  D3 : CS  I have connected flash memory and Attify badge like this. D0 - SCLK(6) D1 - SI(5)  D2 - SO(2)  D3 - CS(1)  GND - GND(4)  3.3V - VCC(8)  3.3V - RESET(7)  3.3V - WP(3)  We dont need to connect power plug to camera. It is supplied via badge. For testing, trying spiflash.py and -i parameter. According to the python code, it returns ChipID. This command can be used for connectivity tesingt. "00 00 00" or "FF FF...
Read more

BLE sniffing with UbertoothOne

Image
This time, I'd like to try monitoring smartlock's BLE packets with Ubertooth One. Smartlock  use this dongle and Ubertooth One Find BLE device  check BLE dongle is connected. ➜ ~ sudo hciconfig hci0: Type: BR/EDR Bus: USB BD Address: 00:1A:7D:DA:71:13 ACL MTU: 310:10 SCO MTU: 64:8 UP RUNNING PSCAN RX bytes:622 acl:0 sco:0 events:38 errors:0 TX bytes:952 acl:0 sco:0 commands:38 errors:0 Let's find BLE devices ➜ ~ sudo hcitool lescan LE Scan ... 30:F8:3F:06:4F:6F (unknown) 30:F8:3F:06:4F:6F (unknown) 30:F8:3F:06:4F:6F (unknown) 18:62:E4:46:60:AB (unknown) Then, trying gatttool. Peripheral is defined by service and characteristic. Each service contains charateristics which contains data. ➜ ~ sudo gatttool -I -b 18:62:E4:46:60:AB [ ][18:62:E4:46:60:AB][LE]> connect [CON][18:62:E4:46:60:AB][LE]> primary [CON][18:62:E4:46:60:AB][LE]> attr handle: 0x0001, end grp handle: 0x0008 uuid: 0000fee7-0000-1000-8000-00805f9b34fb attr handle: 0x0009, en...
Read more