
While looking for a packet editor, I found an open project at http://www.packeteditor.com/. When I looked at how it works, I saw that the application injects a DLL named WSPE.dat. When I loaded this WSPE.dat into IDA Pro, I found that it was a DLL that had been obfuscated, and it looked something like this: SteveW obfuscator

What is that SteveW section? I have also seen this obfuscator on a lot of other DLLs, but the ProtectionID scan result says it isn't packed, with this note:

Section [0x0] 'SteveW  ' has a higher physical size than virtual size..

and also this :

Warning : Import Table is bad !!!

Here is the DLL link: WSPE.dat

  • It looks like it's just a .text section as it has executable permission. – Paweł Łukasik Jul 29 '19 at 15:18
  • Looks like a custom crypter to me, not really obfuscated. sub_6464146E has a small rol/xor/rol loop that's probably decrypting the code. – Johann Aydinbas Jul 30 '19 at 09:15
  • I didn't make the DLL open source. I wrote it in MASM (x86 assembly), but the source for it is on a hard drive that I'd have no way to read anymore. I could write a 64-bit version, but it would take quite a while. I haven't worked on the application in a long time. – SteveW Mar 11 '20 at 03:11

1 Answer


I wrote the code for WSPE.dat and can confirm that I custom-wrote the encryption based on the supplied name/key plus the 'invalid' PE header. So, if a user attempts to modify the PE header on disk to allow debugging of the DLL for a dump, it will fail to decrypt properly in memory.

SteveW
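The two observations in this thread, the ProtectionID note that the 'SteveW' section has a larger raw size than virtual size, and the rol/xor/rol loop that SteveW confirms is keyed on the name/key plus the 'invalid' PE header, can be reproduced on a constructed image. The script below is an added example, not WSPE.dat's code or anything from packeteditor.com: it builds a minimal PE32 header with one section, flags sections whose SizeOfRawData exceeds VirtualSize the way ProtectionID does, and then runs a toy crypter whose key is derived (hypothetical FNV-1a schedule, hypothetical rotate constants 3 and 7) from the user-supplied name plus the raw header bytes, so that a one-byte patch to the on-disk header yields garbage instead of the original bytes.

```python
import struct

# Constructed example, not the WSPE.dat implementation: reproduces the
# ProtectionID section-size hint and a header-bound rol/xor/rol toy crypter.

IMAGE_SCN_MEM_EXECUTE = 0x20000000
SECTION_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER layout, 40 bytes
MASK32 = 0xFFFFFFFF


def build_min_pe(name, vsize, rsize, chars):
    """Constructed minimal PE32 image: DOS header, PE signature, COFF header,
    zeroed optional header and ONE section header (no code, no imports)."""
    e_lfanew = 0x40
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x2102)  # i386, 1 section, DLL
    opt = struct.pack("<H", 0x10B) + bytes(0xE0 - 2)  # PE32 magic, rest zeroed
    sect = struct.pack(SECTION_HDR, name.ljust(8, b" ")[:8], vsize, 0x1000,
                       rsize, 0x400, 0, 0, 0, 0, chars)
    return dos + b"PE\0\0" + coff + opt + sect


def parse_sections(image):
    """Walk the section table; returns name, virtual/raw sizes and exec flag."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", image, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", image, e_lfanew + 20)[0]
    base = e_lfanew + 24 + opt_size
    out = []
    for i in range(nsec):
        f = struct.unpack_from(SECTION_HDR, image, base + 40 * i)
        out.append({"name": f[0].rstrip(b"\0").decode("latin-1"),
                    "vsize": f[1], "rsize": f[3],
                    "exec": bool(f[9] & IMAGE_SCN_MEM_EXECUTE)})
    return out


def oversized_sections(image):
    """The heuristic behind 'higher physical size than virtual size':
    more bytes stored on disk than the loader maps for that section."""
    return [s["name"] for s in parse_sections(image) if s["rsize"] > s["vsize"]]


def rol32(v, n):
    n &= 31
    return ((v << n) | (v >> (32 - n))) & MASK32


def ror32(v, n):
    return rol32(v, 32 - (n & 31))


def derive_key(name, image):
    """Hypothetical key schedule: FNV-1a over the user-supplied name and the
    raw PE headers (everything up to the end of the section table)."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    nsec = struct.unpack_from("<H", image, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", image, e_lfanew + 20)[0]
    hdr_end = e_lfanew + 24 + opt_size + 40 * nsec
    h = 0x811C9DC5
    for b in name.encode() + image[:hdr_end]:
        h = ((h ^ b) * 0x01000193) & MASK32
    return h


def encrypt(data, key):
    """Toy ror/xor/ror per dword with a rotating key (hypothetical constants)."""
    data += bytes(-len(data) % 4)  # zero-pad to whole dwords
    out, k = bytearray(), key
    for i in range(0, len(data), 4):
        w = struct.unpack_from("<I", data, i)[0]
        out += struct.pack("<I", ror32(ror32(w, 7) ^ k, 3))
        k = rol32(k, 1) ^ (i & 0xFF)
    return bytes(out)


def decrypt(data, key):
    """Inverse loop: the rol/xor/rol shape noted in the comments."""
    out, k = bytearray(), key
    for i in range(0, len(data), 4):
        w = struct.unpack_from("<I", data, i)[0]
        out += struct.pack("<I", rol32(rol32(w, 3) ^ k, 7))
        k = rol32(k, 1) ^ (i & 0xFF)
    return bytes(out)


def demo(name="packeteditor", secret=b"unpacked code!!!"):
    """Encrypt under the on-disk header, then decrypt once with the pristine
    header and once after flipping one byte of the COFF Characteristics."""
    image = build_min_pe(b"SteveW", vsize=0x1000, rsize=0x1400, chars=0x60000020)
    blob = encrypt(secret, derive_key(name, image))
    good = decrypt(blob, derive_key(name, image))
    patched = bytearray(image)
    patched[0x40 + 22] ^= 0x01  # one-byte header patch, as a debugger-friendly edit would be
    bad = decrypt(blob, derive_key(name, bytes(patched)))
    return image, good, bad


if __name__ == "__main__":
    image, good, bad = demo()
    print("oversized sections:", oversized_sections(image))
    print("pristine header ->", good)
    print("patched header  ->", bad)
```

Because every byte of the header feeds the key and both FNV-1a and the rotate/xor steps are bijective per step, any single-byte change to the header changes the key, and the first decrypted dword is guaranteed to differ; the practical consequence is the one SteveW describes, that you have to let the DLL decrypt itself in memory with its original header and dump afterwards rather than patch the file first.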