Awesome
Arxan binary info extractor and fixer
Arxan binary fixer using unpacked executable dump.
Intro
Arxan is an portable executable file protector that includes features such as:
- code morphing.
- code integrity checking (checksum).
- executable image (section) encryption.
This tool helps to get some information about the loader and a decrypted working image for comfortable research.
Note: The tool does not automatically deactivate integrity checks and does not deobfuscate code fragments.
Loader
Execution of the protection code begins with the loader. The loader contains several mandatory functions, which are executed sequentially:
- Function to set full access rights for sections (to decrypt the image).
- Function to decrypt Image.
- Function to create a copy of the import table.
Each function has an entry and exit pattern:
Entry:
; save context
push rax
push rcx
push r11
push r9
push rdi
push r10
push r13
push r12
; ...
movupd xmmword ptr ss:[rsp],xmm1
movupd xmmword ptr ss:[rsp + 10],xmm9
movupd xmmword ptr ss:[rsp + 20],xmm15
movupd xmmword ptr ss:[rsp + 30],xmm10
; obfuscated code (jmps)
Exit:
; restore context
movupd xmm1,xmmword ptr ss:[rsp]
movupd xmm9,xmmword ptr ss:[rsp + 10]
movupd xmm15,xmmword ptr ss:[rsp + 20]
movupd xmm10,xmmword ptr ss:[rsp + 30]
; ...
pop r8
pop rdx
pop rsi
pop r15
pop rdi
pop r9
pop rcx
pop rax
; obfuscated code (jmps)
After completing their task, functions set variable (DWORD
) in memory that set the completion of the function's execution phase.
Entry Point
Loader function executions start from Entry Point for version 1 and from TLS for version 2.
Note: The "rule" of version may not be valid, you need to manually check the TLS entry. Versioning exists only for the convenience of research.
OEP (Original Entry Point) will be executed after the completion of all loader functions.
Requirements
Installation
Install Python modules
pip install pefile
pip install distorm3
Command line options
Arguments:
Option | Default | Description |
---|---|---|
-h/--help | List of available command options | |
-s/--source | source executable file packed by Arxan | |
-d/--dump | dump executable file with decrypted sections | |
-o/--output | output merged executable file | |
-t/--trace | false | out trace log |
-f/--fix-header | true | fix executable header checksum and rebase flag |
Using
- Disable image dynamic rebase flag (Dll can move) in PE header.
- Get information about the address of the decryption function with the
s
option. - Load the target into the debugger and break on entering the decrypt_image function.
- Disable all breakpoints and trace over to exit from the function or to the next entry.
- Create a dump (e.g. with OllyDumpEx).
- Use fixer and dump with the
d
option. - Ready to research!
Sample
Just sample, of course, the addresses are unique for each executable file =)
-
Disable image dynamic rebase and get information with the
s
option:fix-arxan -s samples/test.exe Parsing source PE file... PE file overview Reported values are in "Hex | Dec | Bin" form Image base: 140000000 Size of Image: 72E8E00 | 120491520 CheckSum: 0556B36C [6CB35605] Is Dynamic Base (ASLR): False DLL Characteristics: 8120 | 33056 | 1000000100100000 Tracing... Target: samples/test.exe Arxan version: 2 Crypted code: True `set_access_rwx` function entry @: VA: 140E889C0 RVA: 00E889C0 RAW: 00E87DC0 `access_flag` variable @: VA: 1422192D9 RVA: 022192D9 RAW: 022186D9 `decrypt_image` function entry @: VA: 1466E49AB RVA: 066E49AB RAW: 0495ADAB Done
-
Load the target into the debugger and break on
@066E49AB
. -
Disable all breakpoints, trace over to decrypt image and create dump.
-
Use source and dump with the
d
option:fix-arxan -s samples/test_file.exe -d samples/test_dump.exe Parsing dump file... Tracing... Target: samples/test.exe Arxan version: 2 Crypted code: False `set_access_rwx` function entry @: VA: 140E889C0 RVA: 00E889C0 RAW: 00E889C0 `access_flag` variable @: VA: 1422192D9 RVA: 022192D9 RAW: 022192D9 `decrypt_image` function entry @: VA: 1466E49AB RVA: 066E49AB RAW: 066E49AB `build_import` function entry @: VA: 147077598 RVA: 07077598 RAW: 07077598 `build_import` variable @: VA: 147054199 RVA: 07054199 RAW: 07054199 Mapping... Processing... Restoring IAT... Removing digital signature... Writing output... Saved to samples/test_unp.exe Donese
-
Done.
Tested protected executable files
These files were successfully tested and decrypted:
- Grand Theft Auto V (1.0.1737 - 1.0.2060)
- Red Dead Redemption 2 (1.0.1207 - 1.0.1311)
- Age of Empires III: Definitive Edition (100.12.5208)
- Call of Duty: Infinite Warfare (1.0 - 1.2)
- Call of Duty: Black Ops (1.0.0.0)
- Gears 5 (1.0.0.0)