Open seanthegeek opened 1 year ago
I just took a look at Pafish, latest 32-bit release 9e7d694ed87ae95f9c25af5f3a5cea76188cd7c1c91ce49c92e25585f232d98e.
My first observation is that the mouse movement function fails for both zero movement and 'supernatural' movement, so it's difficult to differentiate based solely on the tool's output. I considered recompiling with more output, but instead opted for an instruction trace to see exactly what happens during experimentation:
yarascan=0,bp0=0x4F63,bp1=0x5080,action1=stop
The yarascan option is just to suppress the existing bypass yara from interfering. The other options capture the entire execution of the rtt_mouse_speed_limit() function.
Unfortunately I observed that even with Disable automated interaction selected to suppress the auxiliary human.py, this function still fails with 'supernatural' speed:
CAPE Sandbox - Debugger log: Tue Feb 6 14:43:08 2024
Breakpoint 0 hit by instruction at 0x00404F63 (thread 4564) EAX=0x404f63 "U" EBX=0x2000800 ECX=0xffffffff EDX=0x1d ESI=0x2f EDI=0x26911c4 ESP=0x62f93c *ESP=0x402788 EBP=0x62f968
Break at 0x00404F63 in pafish.exe (RVA 0x4f63, thread 4564, ImageBase 0x00400000)
0x00404F63 55 PUSH EBP ESP=0x62f938 "h" *ESP=0x62f968
0x00404F64 89E5 MOV EBP, ESP EBP=0x62f938 "h"
0x00404F66 83EC48 SUB ESP, 0x48 ESP=0x62f8f0 *ESP=0x0
0x00404F69 C745F4B80B0000 MOV DWORD [EBP-0xc], 0xbb8
0x00404F70 C745EC0A000000 MOV DWORD [EBP-0x14], 0xa
0x00404F77 C745F000000000 MOV DWORD [EBP-0x10], 0x0
0x00404F7E C7042410000000 MOV DWORD [ESP], 0x10
0x00404F85 A130854100 MOV EAX, [0x418530] EAX=0x76874d10
0x00404F8A FFD0 CALL GetSystemMetrics EAX=0x500 ECX=0x500 EDX=0x30 ESP=0x62f8f4 *ESP=0x0
0x00404F8C 83EC04 SUB ESP, 0x4 ESP=0x62f8f0 *ESP=0x0
0x00404F8F 89C1 MOV ECX, EAX
0x00404F91 BA67666666 MOV EDX, 0x66666667 EDX=0x66666667
0x00404F96 89C8 MOV EAX, ECX
0x00404F98 F7EA IMUL EDX EAX=0x300 EDX=0x200
0x00404F9A 89D0 MOV EAX, EDX EAX=0x200
0x00404F9C D1F8 SAR EAX, 0x1 EAX=0x100
0x00404F9E C1F91F SAR ECX, 0x1f ECX=0x0
0x00404FA1 89CA MOV EDX, ECX EDX=0x0
0x00404FA3 29D0 SUB EAX, EDX
0x00404FA5 8945E8 MOV [EBP-0x18], EAX
0x00404FA8 C7042411000000 MOV DWORD [ESP], 0x11
0x00404FAF A130854100 MOV EAX, [0x418530] EAX=0x76874d10
0x00404FB4 FFD0 CALL GetSystemMetrics EAX=0x2e1 ECX=0x2e1 EDX=0x2e1 ESP=0x62f8f4 *ESP=0x0
0x00404FB6 83EC04 SUB ESP, 0x4 ESP=0x62f8f0 *ESP=0x0
0x00404FB9 89C1 MOV ECX, EAX
0x00404FBB BA67666666 MOV EDX, 0x66666667 EDX=0x66666667
0x00404FC0 89C8 MOV EAX, ECX
0x00404FC2 F7EA IMUL EDX EAX=0xccccce87 EDX=0x126
0x00404FC4 89D0 MOV EAX, EDX EAX=0x126
0x00404FC6 D1F8 SAR EAX, 0x1 EAX=0x93
0x00404FC8 C1F91F SAR ECX, 0x1f ECX=0x0
0x00404FCB 89CA MOV EDX, ECX EDX=0x0
0x00404FCD 29D0 SUB EAX, EDX
0x00404FCF 8945E4 MOV [EBP-0x1c], EAX
0x00404FD2 8D45D4 LEA EAX, [EBP-0x2c] EAX=0x62f90c
0x00404FD5 890424 MOV [ESP], EAX
0x00404FD8 A120854100 MOV EAX, [0x418520] EAX=0x76865750
0x00404FDD FFD0 CALL GetCursorPos EAX=0x1 ECX=0x2a410001 EDX=0xc0000029 ESP=0x62f8f4 *ESP=0x0
0x00404FDF 83EC04 SUB ESP, 0x4 ESP=0x62f8f0 *ESP=0x0
0x00404FE2 EB7F JMP 0x81
0x00405063 837DF400 CMP DWORD [EBP-0xc], 0x0
0x00405067 0F8577FFFFFF JNZ 0xffffff7d
0x00404FE4 8B45EC MOV EAX, [EBP-0x14] EAX=0xa
0x00404FE7 890424 MOV [ESP], EAX
0x00404FEA A1EC834100 MOV EAX, [0x4183ec] EAX=0x754f0f00
0x00404FEF FFD0 CALL Sleep EAX=0x0 ECX=0x2df3a281 EDX=0x2b8000 "P" ESP=0x62f8f4 *ESP=0x0
0x00404FF1 83EC04 SUB ESP, 0x4 ESP=0x62f8f0 *ESP=0x0
0x00404FF4 8D45CC LEA EAX, [EBP-0x34] EAX=0x62f904
0x00404FF7 890424 MOV [ESP], EAX
0x00404FFA A120854100 MOV EAX, [0x418520] EAX=0x76865750
0x00404FFF FFD0 CALL GetCursorPos EAX=0x1 ECX=0x2a410001 EDX=0xc00002f8 ESP=0x62f8f4 *ESP=0x0
0x00405001 83EC04 SUB ESP, 0x4 ESP=0x62f8f0 *ESP=0x0
0x00405004 8B45D4 MOV EAX, [EBP-0x2c] EAX=0x2de
0x00405007 8B55CC MOV EDX, [EBP-0x34] EDX=0x44f
0x0040500A 29D0 SUB EAX, EDX EAX=0xfffffe8f
0x0040500C 8945E0 MOV [EBP-0x20], EAX
0x0040500F 8B45D8 MOV EAX, [EBP-0x28] EAX=0x8
0x00405012 8B55D0 MOV EDX, [EBP-0x30] EDX=0x2f8
0x00405015 29D0 SUB EAX, EDX EAX=0xfffffd10
0x00405017 8945DC MOV [EBP-0x24], EAX
0x0040501A 837DE000 CMP DWORD [EBP-0x20], 0x0
0x0040501E 7506 JNZ 0x8
0x00405026 8345F001 ADD DWORD [EBP-0x10], 0x1
0x0040502A 8B45E0 MOV EAX, [EBP-0x20] EAX=0xfffffe8f
0x0040502D 99 CDQ EDX=0xffffffff
0x0040502E 89D0 MOV EAX, EDX EAX=0xffffffff
0x00405030 3345E0 XOR EAX, [EBP-0x20] EAX=0x170
0x00405033 29D0 SUB EAX, EDX EAX=0x171
0x00405035 3945E8 CMP [EBP-0x18], EAX
0x00405038 7D17 JGE 0x19
0x0040503A 8B45DC MOV EAX, [EBP-0x24] EAX=0xfffffd10
0x0040503D 99 CDQ
0x0040503E 89D0 MOV EAX, EDX EAX=0xffffffff
0x00405040 3345DC XOR EAX, [EBP-0x24] EAX=0x2ef
0x00405043 29D0 SUB EAX, EDX EAX=0x2f0
0x00405045 3945E4 CMP [EBP-0x1c], EAX
0x00405048 7D07 JGE 0x9
0x0040504A B801000000 MOV EAX, 0x1 EAX=0x1
0x0040504F EB2E JMP 0x30
0x0040507F C9 LEAVE
Breakpoint 1 hit by instruction at 0x00405080 (thread 4564) ESP=0x62f93c *ESP=0x402788 EBP=0x62f968
0x00405080 C3 RET
ActionDispatcher: stopping trace.
Here the jge at the end corresponds to the source abs(dy) > my, which shows that the check for excessive movement between subsequent calls to GetCursorPos is failing, despite there being no automated interaction at all!
I am currently stumped as to why this is occurring, which has temporarily scuppered my attempts to fix this with changes to human.py.
One of the few pafish sandbox detections that fire on CAPE is "Sandbox traced by missing mouse movement or supernatural speed".
The source code for this detection is https://github.com/a0rtega/pafish/blob/b497899ff355ea7b9ecc1f5cd34a9fd1def02aec/pafish/rtt.c#L72
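To make the numbers in the trace above easier to reason about, here is an added, host-independent reconstruction of the control flow the trace shows. It is example code written for this page; it is not pafish's rtt.c, not CAPE's debugger output, and not part of the issue. Everything in it is my reading of the trace and is flagged as such in the comments: loops = 0xbb8 (3000) and lapse = 0xa (10 ms); mx and my are GetSystemMetrics(SM_CXSCREEN) and SM_CYSCREEN divided by 5 (the IMUL 0x66666667 / SAR 1 sequence takes 0x500 to 0x100 and 0x2e1 to 0x93); any non-zero dx or dy bumps a move counter; both JGE instructions skip to the loop tail, so the early return fires only when abs(dx) > mx and abs(dy) > my; the previous sample is replaced by the current one each iteration; and the code after the loop, which the trace does not reach, is assumed to report "detected" when the counter is still zero. The sample arrays are constructed; the first one replays the two GetCursorPos() results from the trace on the trace's 1280 x 737 screen.

```c
/*
 * Added example, not pafish's code: a reconstruction of rtt_mouse_speed_limit()
 * from the instruction trace, over constructed cursor samples instead of a live
 * desktop. Assumptions (my reading of the trace, not confirmed against rtt.c):
 *   - mx = SM_CXSCREEN / 5, my = SM_CYSCREEN / 5 (IMUL 0x66666667; SAR 1)
 *   - dx = prev.x - cur.x, dy = prev.y - cur.y between consecutive reads
 *   - any non-zero delta bumps a move counter
 *   - early "return 1" only when abs(dx) > mx AND abs(dy) > my (both JGEs
 *     jump past the MOV EAX,1)
 *   - after the loop (not in the trace): "detected" if the counter is zero
 */
#include <stdio.h>
#include <stdlib.h>

typedef struct { long x, y; } point_t;   /* stands in for Windows POINT */

enum mouse_verdict {
    MOUSE_OK = 0,            /* not traced */
    MOUSE_NO_MOVEMENT = 1,   /* counter never incremented (assumed) */
    MOUSE_SUPERNATURAL = 2   /* one step exceeded both thresholds */
};

/*
 * samples[0] is the GetCursorPos() result taken before the loop; each later
 * entry is the result after one Sleep(lapse). On MOUSE_SUPERNATURAL, *tripped
 * receives the index of the sample that fired the check, otherwise -1.
 */
enum mouse_verdict mouse_speed_limit(const point_t *samples, size_t n,
                                     long screen_w, long screen_h,
                                     long *tripped)
{
    long mx = screen_w / 5, my = screen_h / 5;   /* assumption: divide by 5 */
    long moves = 0;
    point_t prev = samples[0];

    *tripped = -1;
    for (size_t i = 1; i < n; i++) {
        long dx = prev.x - samples[i].x;
        long dy = prev.y - samples[i].y;
        if (dx != 0 || dy != 0)
            moves++;
        if (labs(dx) > mx && labs(dy) > my) {   /* assumption: AND, per the JGEs */
            *tripped = (long)i;
            return MOUSE_SUPERNATURAL;
        }
        prev = samples[i];   /* assumption: compare consecutive reads */
    }
    return moves == 0 ? MOUSE_NO_MOVEMENT : MOUSE_OK;
}

/* Convenience wrapper when only the verdict matters. */
enum mouse_verdict verdict(const point_t *samples, size_t n, long w, long h)
{
    long unused;
    return mouse_speed_limit(samples, n, w, h, &unused);
}

/* Constructed scenarios on the trace's 0x500 x 0x2e1 (1280 x 737) screen. */
#define SCREEN_W 1280L
#define SCREEN_H 737L

/* The two GetCursorPos() results in the trace: (0x2de,0x8) then (0x44f,0x2f8). */
const point_t TRACE_SAMPLES[] = { {734, 8}, {1103, 760} };
/* A cursor that never moves. */
const point_t STILL_SAMPLES[] = { {640, 360}, {640, 360}, {640, 360} };
/* Small steps of the kind a human (or a gentle human.py) would produce. */
const point_t HUMAN_SAMPLES[] = { {640, 360}, {643, 361}, {650, 364}, {700, 380} };
/* A big jump along x only: under the AND reading this is not "supernatural". */
const point_t X_ONLY_SAMPLES[] = { {0, 0}, {600, 0} };

#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

static const char *name(enum mouse_verdict v)
{
    return v == MOUSE_OK ? "ok" : v == MOUSE_NO_MOVEMENT ? "no movement" : "supernatural";
}

int main(void)
{
    long at;
    enum mouse_verdict v = mouse_speed_limit(TRACE_SAMPLES, COUNT(TRACE_SAMPLES),
                                             SCREEN_W, SCREEN_H, &at);
    printf("trace : %s (sample %ld, dx=%ld dy=%ld, mx=%ld my=%ld)\n", name(v), at,
           TRACE_SAMPLES[0].x - TRACE_SAMPLES[1].x,
           TRACE_SAMPLES[0].y - TRACE_SAMPLES[1].y, SCREEN_W / 5, SCREEN_H / 5);
    printf("still : %s\n", name(verdict(STILL_SAMPLES, COUNT(STILL_SAMPLES), SCREEN_W, SCREEN_H)));
    printf("human : %s\n", name(verdict(HUMAN_SAMPLES, COUNT(HUMAN_SAMPLES), SCREEN_W, SCREEN_H)));
    printf("x-only: %s\n", name(verdict(X_ONLY_SAMPLES, COUNT(X_ONLY_SAMPLES), SCREEN_W, SCREEN_H)));
    return 0;
}
```

Replaying the trace's own values shows why that run was classified as supernatural: between the first read (734, 8) and the next one 10 ms later (1103, 760) the cursor moved 369 px in x and 752 px in y, against thresholds of 256 and 147 on a 1280 x 737 screen (the EAX values 0x171, 0x2f0, 0x100 and 0x93 in the trace). The other scenarios are there to pin down the two failure modes the detection name covers: a cursor that never moves trips the counter check, while small steps, or even a large jump on one axis only, do not trip the speed check under the reading above. If the AND reading turns out to be wrong when checked against rtt.c, only the one `&&` in `mouse_speed_limit()` needs changing.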