Thursday, April 15, 2010

IDA Pro: Solving ‘Access Denied’ issue while debugging Windows Mobile Devices

Debugging Windows Mobile application made possible on any phone brand. But when debugging it using IDA Pro might prevent most user from connecting to their devices.

The picture above show you an error log says 'Access is denied'. Connecting to your naked devices make it impossible to connect. Thus, we need some tweak to your phone OS. There is a few thing we need to do before we can proceed to debug the program on Windows Mobile.

1. Make sure your phone is connected to the PC (I just use Microsoft ActiveSync to use with HTC Touch HD).

2. Run your IDA Pro (I use version

3. We need to enable Remote API (RAPI) on your phone first using simple tools. Download here and install it into your phone.

4. On your IDA Pro, click menu Debugger > Attach > and click Remote WinCE Debugger. You should be able to connect into your phone and prompting to select the application you want to debug.

Here it is a little video demonstrate the IDA debugging take places:

Saturday, April 10, 2010

Manual Unpacking UPX Packed file + Fix IAT

UPX utilities is a well-known tools to compress almost any executable file including several type of dynamic and different OS executable. But it just for making your file smaller and not for protection at all. In this tutorial, I will show you an example how to unpack UPX packed file with a few tools. Of course, you can find this kind of tutorial any where on the internet but mostly not complete to make people understand. Before we get started,

Here it is what you need:

1. OllyDbg (or Immunity Debugger, OllyICE, etc.)
2. ImportREC
3. IDA Pro


1. Example UPX Packed file (gms.exe or download here)

Let's get Started:

1. Load your gms.exe (or any UPX packed file) into your OllyDbg. Once you loaded the file, you will get into the first stop of the PUSHAD offset. For gms.exe the offset is 558B40. Other file might be differ but it doesn't matter.

Figure 1

2. Next, scroll down until you find POPAD instruction or just press CTRL+F and type POPAD, hit Enter and you'll be jumped into that instruction as highlighted (A) on Figure 2 below. How do I know

Figure 2

3. Press F7 to step into until JMP as highlighted on the image above (B), so there it is the OEP that we are looking for. For this tutorial it is 406A94. Press F2 to make breakpoint on that offset.

4. Run the program by pressing F9 and wait until it stop to the breakpoint. At this point, right click on CPU window and click Dump debugged process. Why choosing that? This because at this point the program has been decompressed into memory. So, what you need to do, dump the process into a file and save it anywhere. For example: C:\Documents and Settings\User\Desktop\dumped.exe. After doing that, DO NOT CLOSE THE OLLYDBG.

Figure 3

5. If you are try to run the dumped.exe file it might be come up with an error message. This because your program does not point the right IAT address. To fix that, open up Import REConstructor tools. On top, you'll see 'Attach to an open process' section. Open the combo box and choose the path of gms.exe to be attached.

After that, at the 'IAT Infos Needed' section click on AutoSearch button. You probably come out with error message says 'Could not found anything good at this OEP:-('. This mean you are currently not at the right entrypoint to start the application properly that might cause error while executing it. To fix that, change the default OEP value to 0xF5B68. And try hit AutoSearch button again. If you are doing right you should get this message:

How do I know the OEP address?

OEP = RVA Address - Image Base

Image Base = 00400000 <-- PE Header image address
How do I get Image Base address?
Just simply press ALT-M on OllyDbg and find 'PE header' text on 'Contains' column. You'll find the Offset address over there.

RVA Address = 004F5B68 <-- where the last disassemble analysis end up.

How do I get RVA address? Lets take a look with IDA Pro. If you load gms.exe on IDA you will see the program flow and at the end of flow it will end up with unexpected stack pointer.

If you see at JMP (same on OllyDbg), it is clearly jump to the address where the value is RVA address before it end with unexpected end point. All UPX packed file flow should be look like that.

Original Entry Point = 0xF5B68 <-- where the OEP is the address to the decompression routine done.

How do I get the OEP?
To get OEP, RVA address minus Image base address then you will get the value for UPX packed OEP. Use formula as given above.

6. Once you get this message, click Get Imports button to extract all Import table information. Make sure all listed import function should be marked as valid=YES at the end of every list line. If there is a thunks marked as valid=NO, you need to remove it all by right click on the thunk and choose Delete thunk(s).

7. After doing that, you can click on Fix dump button and choose where your dumped.exe is located. ImportREC will fix the dumped.exe automatically. Then you can try to execute the program and it should be running correctly and you can continue for further analysis.

That's all. If you got any question about this tutorial feel free to leave a comment.