hasherezade / pe-sieve

Scans a given process. Recognizes and dumps a variety of potentially malicious implants (replaced/injected PEs, shellcodes, hooks, in-memory patches).
https://hshrzd.wordpress.com/pe-sieve/
BSD 2-Clause "Simplified" License
3.06k stars 425 forks

Exe crashes after dump #125

Open ghost opened 7 months ago

ghost commented 7 months ago

After I dump unpacked exe from memory, it won't open (crashes behind). What do I do?

Event log:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System>
  <Provider Name="Application Error" Guid="{a0e9b465-b939-57d7-b27d-95d8e925ff57}" /> 
  <EventID>1000</EventID> 
  <Version>0</Version> 
  <Level>2</Level> 
  <Task>100</Task> 
  <Opcode>0</Opcode> 
  <Keywords>0x8000000000000000</Keywords> 
  <TimeCreated SystemTime="2024-03-04T08:29:05.3254817Z" /> 
  <EventRecordID>178586</EventRecordID> 
  <Correlation /> 
  <Execution ProcessID="18896" ThreadID="17380" /> 
  <Channel>Application</Channel> 
  <Computer>xxx</Computer> 
  <Security UserID="S-1-5-21-2343472507-1675375070-2831047493-1001" /> 
  </System>
<EventData>
  <Data Name="AppName">7ff7e36e0000.xxx.exe</Data> 
  <Data Name="AppVersion">3.3.0.19920</Data> 
  <Data Name="AppTimeStamp">65bc8049</Data> 
  <Data Name="ModuleName">7ff7e36e0000.xxx.exe</Data> 
  <Data Name="ModuleVersion">3.3.0.19920</Data> 
  <Data Name="ModuleTimeStamp">65bc8049</Data> 
  <Data Name="ExceptionCode">c0000005</Data> 
  <Data Name="FaultingOffset">0000000001ab9da0</Data> 
  <Data Name="ProcessId">0xa78</Data> 
  <Data Name="ProcessCreationTime">0x1da6e0e049a3793</Data> 
  <Data Name="AppPath">xxx\7ff7e36e0000.xxx.exe</Data> 
  <Data Name="ModulePath">xxx\7ff7e36e0000.xxx.exe</Data> 
  <Data Name="IntegratorReportId">78ec1458-a7b4-4389-9aa1-157af3b677cf</Data> 
  <Data Name="PackageFullName" /> 
  <Data Name="PackageRelativeAppId" /> 
  </EventData>
  </Event>
hasherezade commented 7 months ago

Hi @Yehh22! I don't know the details of your particular case, but what you experience is unfortunately not uncommon. Some of the dumps are just not runnable - they can be used for static analysis only. And not much can be done about it. Let me explain.

Once the module is loaded into the memory - it is mapped, relocated, imports are loaded. Then the execution is redirected to the entry point, and the executable runs. While it is running, it can be doing some modifications in its sections (I am not talking about self-modifying code, but just about reading and writing the data; however, self-modifying code may also be involved sometimes). Those sections will no longer be the same as they were before the executable ran, and those changes are mostly not reversible. If you dump the executable from memory at this point, you dump it with all those modifications that happened in between. If you try to rerun it, the application will run with assumptions that are no longer valid (data could have been overwritten, so reaching it can cause a crash). To really get a clean dump that can be rerun, you would have to create it the moment the Entry Point was hit, or even before. But this is a more complex scenario; doing it in a generic way would require hooking and monitoring various APIs, etc. PE-sieve doesn't support it. I would recommend doing it under a debugger (you can, e.g., pause the execution at a certain point, and then dump the module with PE-sieve).
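
As an added illustration of the point made above (example code written for this thread, not part of PE-sieve), a small section diff that flags which sections of a memory dump diverged from the on-disk original, so an analyst can see the runtime state a re-run would wrongly start from. The PE builder and the two sample images are constructed test input, and the comparison assumes the dump was realigned so raw offsets line up.

```python
import struct
IMAGE_SCN_MEM_WRITE = 0x80000000  # section Characteristics flag

def parse_sections(pe: bytes):
    """Walk the PE section table: returns [(name, raw_offset, raw_size, characteristics)]."""
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    _, num_sections, _, _, _, opt_size = struct.unpack_from("<HHIIIH", pe, coff)
    table = coff + 20 + opt_size
    out = []
    for i in range(num_sections):
        off = table + i * 40
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, off + 16)
        chars, = struct.unpack_from("<I", pe, off + 36)
        out.append((name, raw_ptr, raw_size, chars))
    return out

def changed_sections(original: bytes, dumped: bytes):
    """Per section name: (writable, bytes differ between the disk file and the dump)."""
    dumped_by_name = {s[0]: s for s in parse_sections(dumped)}
    report = {}
    for name, ptr, size, chars in parse_sections(original):
        if name in dumped_by_name:
            _, dptr, dsize, _ = dumped_by_name[name]
            n = min(size, dsize)  # assumes the dump was realigned so raw layouts match
            changed = original[ptr:ptr + n] != dumped[dptr:dptr + n]
            report[name] = (bool(chars & IMAGE_SCN_MEM_WRITE), changed)
    return report

def build_pe(sections):
    """Minimal, non-runnable PE32+ from [(name, data, characteristics)]; constructed test input."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 0xF0, 0x22)
    opt = struct.pack("<H", 0x20B) + b"\0" * 0xEE  # PE32+ magic, remaining fields zeroed
    raw = len(dos) + 4 + len(coff) + len(opt) + 40 * len(sections)
    table, body = b"", b""
    for name, data, chars in sections:
        table += name.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", len(data), raw, len(data), raw, 0, 0, 0, 0, chars)
        body += data
        raw += len(data)
    return dos + b"PE\0\0" + coff + opt + table + body

# Constructed scenario: the running program overwrites .data, then the process is dumped.
ON_DISK = build_pe([(b".text", b"\xc3" * 16, 0x60000020), (b".data", b"\0" * 16, 0xC0000040)])
DUMP = build_pe([(b".text", b"\xc3" * 16, 0x60000020), (b".data", b"A" * 16, 0xC0000040)])
```

Running `changed_sections(ON_DISK, DUMP)` reports `.text` unchanged and the writable `.data` section changed, which is exactly the kind of runtime state that makes a re-run of the dump crash.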

ghost commented 7 months ago

Ah, that explained the issue. Sadly I don't have much experience with reversing and debugging...

hasherezade commented 7 months ago

You may try your luck with this tool: https://github.com/hasherezade/pin_n_sieve It is an experimental, PE-sieve based unpacker, that tries to dump the executables at proper moment. It does some API hooking via Intel PIN, so you will have to install this platform as well. All is explained in the readme.

ghost commented 7 months ago

Tried out pin_n_sieve; it seems to get stuck and dump repeatedly. Not sure if it's intended. Sadly, the dumped exe still crashes. The IDA Pro disassembler opens it perfectly without any errors.

hasherezade commented 7 months ago

@Yehh22 - maybe you can send me the sample, and I will take a look what exactly is happening? Is it a malware? Can you just share the hash?

ghost commented 7 months ago

Here is the sample:

https://mega.nz/file/6U4ThSLQ#qWC9YB9g3jeGoPP706BENk_aZfeUWJ9-x0yxyyuCjd4

It's not malware, it's a legitimate tool, but I would like to analyze the unpacked exe and modify it to disable the anti-debug.