Quote:
Theme: manual unpacking
Packer: Petite v2.3 by Ian Luck
Author: SMoKE
Tools: OllyDbg, ImpRec, OllyDump (or some other dumper)
URL: don't remember
Target: Petite v2.3 (petgui.exe)
Hi, this time I'll show you how to manually unpack a Petite v2.3 packed program.
I noticed it a few days ago, downloaded it and tried it...
I don't usually do tutorials (lazyyyy....), but I will today.
As the target we can take the packer itself; PEiD v0.93 says PEtite 2.2 -> Ian Luck,
but it's packed with version 2.3 (I hope, at least).
Let's start... First load it in your Olly and disable all checkboxes in the Exceptions
tab of the debugger options...
004E3046 MOV EAX, PETGUI.004E3000
004E304B PUSH PETGUI.004164E3
004E3050 PUSH DWORD PTR FS:[0]
004E3057 MOV DWORD PTR FS:[0], ESP
Now we see that the program sets an exception handler at address 4164E3; let's check it out.
Type D 4164E3 (or CTRL+G -> 4164E3 in the code window):
004164E3 ADD BYTE PTR DS:[EAX], AL
004164E5 ADD BYTE PTR DS:[EAX], AL
004164E7 ADD BYTE PTR DS:[EAX], AL
004164E9 ADD BYTE PTR DS:[EAX], AL
004164EB ADD BYTE PTR DS:[EAX], AL
It's empty, which means the loader will fill it later.
(If an exception occurs before the loader fills it, the program will crash, hehe.)
Let's find where it gets filled. Go to 4164E3, right click -> Breakpoint -> Memory, on access.
Press F9; the breakpoint occurred here:
004E3133 XOR EDX, EDX
004E3135 XOR ECX, ECX
004E3137 MOVS BYTE PTR ES:[EDI], BYTE PTR DS:[ESI] (writing to 4164E3 !)
004E3138 XOR BYTE PTR DS:[EDI-1], BL
004E313B DEC EBX
This is the first time; hit F9 several times (or just put a simple breakpoint somewhere here)
and watch the hex dump window at address 4164E3; you will see how it gets filled.
So the last time, the exception will occur at address
004E3137 MOVS BYTE PTR ES:[EDI], BYTE PTR DS:[ESI]
and the program generates this exception to jump to the exception handler, so at that line put a
breakpoint on the exception handler (go to 4164E3 and press F2), then press SHIFT+F9 and
you are at the beginning of the exception handler:
004164E3 CALL PETGUI.00416537
Trace into (F7)...
00416537 XOR EAX, EAX
00416539 POP ESI
0041653A MOV EBX, DWORD PTR FS:[EAX]
0041653D MOV EBX, DWORD PTR DS:[EBX]
0041653F LEA ESP, DWORD PTR DS:[EBX-2A]
00416542 POP EBP
00416543 LEA ECX, DWORD PTR DS:[ESI+2CB]
00416549 MOV DWORD PTR DS:[EBX+4], ECX
0041654C MOV DWORD PTR FS:[0], EBX
This code is very important: it restores the stack (ESP) and sets the next SEH frame, so your next
exception handler will be at the address ECX points to after the LEA ECX, DWORD PTR DS:[ESI+2CB]
instruction; it's 4167B3. Simply set a breakpoint at that address.
Trace... and here you are, where the loader generates the next exception:
0041657B JMP EAX ; EAX = 0 !
It tries to jump to address 00000000. Press SHIFT+F9 again and you are at the exception handler start...
004167B3 XOR EAX, EAX
004167B5 MOV EBX, DWORD PTR FS:[EAX]
004167B8 MOV EBX, DWORD PTR DS:[EBX]
004167BA LEA ESP, DWORD PTR DS:[EBX-52]
004167BD POPAD
004167BE CMP DWORD PTR DS:[ESI], 0
Trace again and you will finally jump here...
0041657D POP EBX
0041657E POP EDX
0041657F POP DWORD PTR FS:[0]
00416586 POP EAX
00416587 PUSH 3
00416589 PUSH EBX
0041658A XOR EBX, EBX
Then you will see that here goes some kind of checksum calculation over the code and PE header parts;
if there is a mismatch, a message will be shown with the text
-------------------------------------
This file has been tampered with and
MAY BE INFECTED BY A VIRUS!
-------------------------------------
(BTW, you can patch the checksum jumps if you're going to do some inline patching of your proggie.)
After the checksum passes comes the import table patching, and finally we reach this code:
0041682A POP ECX
0041682B POP ESI
0041682C STD
0041682D XOR EAX, EAX
0041682F MOV ECX, 357
00416834 CALL petgui.004E303D
Trace into the last call (it's self-modifying...):
004E303D POP EDI
004E303E REP STOS BYTE PTR ES:[EDI]
004E3040 POPAD
004E3041 POPFW
004E3043 ADD ESP, 8
004E3046 JMP petgui.0040D0D7
And here you go.... this is the jump to the original entry point.
In this case OEP = 40D0D7; jump to the OEP and dump it without import rebuilding.
(Now you can kill the last section in the dumped file, because it's useless now,
and decrease the output file size.)
Close OllyDbg and run the packed file (petgui.exe), run ImpRec and choose that file;
in the OEP edit box type D0D7 and press IAT AutoSearch, then press Get Imports. Now
you will see some invalid imports; press Show Invalid, right click on an invalid
function and select Trace Level1 (2 and 3 should work too, I guess) from the menu, until you
don't get any invalid functions; press Fix Dump and choose your dumped file...
Congrats, you just manually unpacked Petite v2.3.
That's it; I know I explained all this process in very bad and quick English...
Forgive me, mastah, I can't do tutorials very well.
0:55 10.04.2005
freenet.am/~softland
smoke@freenet.am
P.S.
Hey, I found the URL; it was in the Petite window:
http://www.un4seen.com/petite/
Well, my question is this: at first 004164E3 has no value, and then it takes the value of a CALL :S, and I don't know what I'm doing wrong. I hope you can help.
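On the question of why 004164E3 is empty at first and later holds a CALL: the instructions the tutorial shows at 004E3137 (MOVS copies a byte, XOR BYTE PTR [EDI-1],BL decrypts it, DEC EBX rolls the key) are a rolling-key XOR decryption that writes the handler into place, so the bytes read 00 00 (ADD BYTE PTR [EAX],AL) until that loop has run. The Python below is an added example, not code from SMoKE's tutorial or from Petite: it reproduces that loop on a constructed byte string and decodes the resulting E8 rel32 CALL to its target. The key value 0x5A and the encrypted bytes are assumptions (the real loop surely has more to it than the five instructions shown); the handler address 4164E3 and the CALL target 416537 are the tutorial's.

```python
HANDLER_VA = 0x4164E3                    # where the packer's first SEH handler lives (from the tutorial)
HANDLER_CALL = b"\xE8\x4F\x00\x00\x00"   # CALL 00416537, the handler's first instruction once decrypted
ASSUMED_KEY = 0x5A                       # assumed initial value of BL; the real value is not on the page


def decode_in_place(encoded, key):
    """Reproduce the loop at 004E3137: MOVS copies a byte, XOR [EDI-1],BL decrypts it, DEC EBX rolls BL."""
    out = bytearray()
    for i, b in enumerate(encoded):
        out.append(b ^ ((key - i) & 0xFF))   # BL after i decrements (8-bit wrap, like the register)
    return bytes(out)


def call_target(code, va):
    """Decode an E8 rel32 near CALL located at `va`; return its absolute target, or None if not a CALL."""
    if len(code) < 5 or code[0] != 0xE8:
        return None
    rel = int.from_bytes(code[1:5], "little", signed=True)
    return (va + 5 + rel) & 0xFFFFFFFF       # target = address of next instruction + rel32


def encrypted_handler():
    """Constructed ciphertext: a rolling XOR is its own inverse, so encrypting is one more decode pass."""
    return decode_in_place(HANDLER_CALL, ASSUMED_KEY)


if __name__ == "__main__":
    before = bytes(5)   # what OllyDbg shows before the loader runs: 00 00 == ADD BYTE PTR DS:[EAX], AL
    print("before fill:", call_target(before, HANDLER_VA))        # None: nothing to call yet
    after = decode_in_place(encrypted_handler(), ASSUMED_KEY)
    print("after fill: %08X CALL %08X" % (HANDLER_VA, call_target(after, HANDLER_VA)))
```

Because the bytes only become a CALL after the loop has written them, a software breakpoint (F2) set on 4164E3 before the fill would itself be overwritten; that is why the tutorial uses a memory-on-access breakpoint first and only sets F2 once the handler is in place.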
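For the dump step (set the entry point to the OEP, optionally kill the packer's last section, then give ImpRec the OEP as an RVA), here is a pure-Python PE32 header fixer, added as an example and not code from the tutorial, OllyDump or ImpRec. It builds a constructed three-section image laid out roughly like a dump of petgui.exe would be (the real file is not used, and the section names and sizes are invented), converts the OEP VA 40D0D7 to the RVA D0D7 that ImpRec asks for, and refuses to drop the last section if any data directory still points into it, which is the check you want before truncating a dump.

```python
import struct

# Field offsets inside the PE32 optional header (PE/COFF spec); a section header is 40 bytes.
OPT_MAGIC, OPT_ENTRY_POINT, OPT_IMAGE_BASE = 0, 16, 28
OPT_SECTION_ALIGN, OPT_SIZE_OF_IMAGE, OPT_SIZE_OF_HEADERS, OPT_DATA_DIRS = 32, 56, 60, 96
SECTION_HEADER_SIZE = 40


def _headers(data):
    """Locate the headers; returns (pe_offset, optional_header_offset, n_sections, section_table_offset)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    n_sections = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    if struct.unpack_from("<H", data, opt + OPT_MAGIC)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    return pe, opt, n_sections, opt + opt_size


def describe(data):
    """Summary of the fields the unpacking steps care about."""
    _, opt, n, _ = _headers(data)
    return {
        "entry_point_rva": struct.unpack_from("<I", data, opt + OPT_ENTRY_POINT)[0],
        "image_base": struct.unpack_from("<I", data, opt + OPT_IMAGE_BASE)[0],
        "size_of_image": struct.unpack_from("<I", data, opt + OPT_SIZE_OF_IMAGE)[0],
        "n_sections": n,
        "file_size": len(data),
    }


def set_entry_point(data, oep_va):
    """Point AddressOfEntryPoint at the OEP found in the debugger (given as a VA, the way OllyDbg shows it)."""
    data = bytearray(data)
    _, opt, _, _ = _headers(data)
    base = struct.unpack_from("<I", data, opt + OPT_IMAGE_BASE)[0]
    size = struct.unpack_from("<I", data, opt + OPT_SIZE_OF_IMAGE)[0]
    if not base <= oep_va < base + size:
        raise ValueError("OEP 0x%X is outside the image" % oep_va)
    struct.pack_into("<I", data, opt + OPT_ENTRY_POINT, oep_va - base)   # RVA = VA - ImageBase
    return bytes(data)


def drop_last_section(data):
    """Remove the packer's last section from a dump, after checking that nothing still points into it."""
    data = bytearray(data)
    pe, opt, n, table = _headers(data)
    if n < 2:
        raise ValueError("refusing to drop the only section")
    last = table + (n - 1) * SECTION_HEADER_SIZE
    vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", data, last + 8)
    # A data directory (imports, relocations, resources, ...) living in this section would be lost.
    for i in range(16):
        rva, size = struct.unpack_from("<II", data, opt + OPT_DATA_DIRS + 8 * i)
        if size and vaddr <= rva < vaddr + vsize:
            raise ValueError("data directory %d points into the last section; keep it" % i)
    if raw_ptr + raw_size != len(data):
        raise ValueError("last section is not at the end of the file; truncation is unsafe")
    del data[raw_ptr:]                                                  # drop its raw bytes
    data[last:last + SECTION_HEADER_SIZE] = bytes(SECTION_HEADER_SIZE)  # and its header
    struct.pack_into("<H", data, pe + 6, n - 1)
    # SizeOfImage shrinks to the end of the new last section, rounded up to SectionAlignment.
    prev_vsize, prev_vaddr = struct.unpack_from("<II", data, last - SECTION_HEADER_SIZE + 8)
    align = struct.unpack_from("<I", data, opt + OPT_SECTION_ALIGN)[0]
    new_size = -(-(prev_vaddr + prev_vsize) // align) * align
    struct.pack_into("<I", data, opt + OPT_SIZE_OF_IMAGE, new_size)
    return bytes(data)


def build_sample_pe():
    """Constructed three-section PE32 laid out like a petgui.exe dump might be (invented, not the real file)."""
    sections = [  # (name, VirtualAddress, VirtualSize, raw size); the last one stands in for the packer stub
        (b".text", 0x1000, 0xE0000, 0x200),
        (b".data", 0xE1000, 0x2000, 0x200),
        (b".petite", 0xE3000, 0x1000, 0x200),
    ]
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))                          # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)  # i386, executable image
    opt = bytearray(224)
    struct.pack_into("<H", opt, OPT_MAGIC, 0x10B)
    struct.pack_into("<I", opt, OPT_ENTRY_POINT, 0xE3000)                # entry point still in the stub
    struct.pack_into("<I", opt, OPT_IMAGE_BASE, 0x400000)
    struct.pack_into("<I", opt, OPT_SECTION_ALIGN, 0x1000)
    struct.pack_into("<I", opt, OPT_SIZE_OF_IMAGE, 0xE4000)
    struct.pack_into("<I", opt, OPT_SIZE_OF_HEADERS, 0x200)
    table, bodies, raw = b"", b"", 0x200
    for name, va, vsize, rsize in sections:
        table += struct.pack("<8sIIIIIIHHI", name, vsize, va, rsize, raw, 0, 0, 0, 0, 0x60000020)
        bodies += b"\x90" * rsize                                        # placeholder section contents
        raw += rsize
    headers = dos + b"PE\0\0" + coff + opt + table
    return bytes(headers + bytes(0x200 - len(headers)) + bodies)


if __name__ == "__main__":
    fixed = drop_last_section(set_entry_point(build_sample_pe(), 0x40D0D7))
    print(describe(fixed))   # entry_point_rva 0xD0D7 is the value typed into ImpRec's OEP box
```

Run this against a real dump only after ImpRec has finished, or keep the last section if ImpRec's import table ends up there: the tutorial's order (dump, kill section, then Fix Dump) works for Petite because ImpRec adds its own section for the rebuilt imports, and the data-directory check above is what tells you whether that holds for your file.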