|
Título: PEtite 2.3 Publicado por: esse en 27 Abril 2006, 01:39 am quisiera ver si me podrian ayudar , a desempacar un programa protegido con petite 2.3 encontre este manual
Citar Theme: manual unpacking Packer: Petite v2.3 by Ian Luck Author: SMoKE Tools: OllyDbg, ImpRec, OllyDump (or some other dumper) URL: dont remember :) Target: Petite v2.3 (petgui.exe) Hi, in this time i'll show you how to manualy unpack Petite v2.3 packed program. I noticed about it few days ago, downloaded and tryed... i dont do tutorials usually (lazyyyy....), but will today :) As target we can take the packer itself, PEiD v0.93 says PEtite 2.2 -> Ian Luck, but its version 2.3 packed (i hope at least :P) Let's start... First load it in your olly and disable all checkboxes in exception tab in debugger options... 004E3046 MOV EAX, PETGUI.004E3000 004E304B PUSH PETGUI.004164E3 004E3050 PUSH DWORD PTR FS:[0] 004E3057 MOV DWORD PTR FS:[0], ESP Now we see that program sets exception handler at address 4164E3, let's check it out. type D 4164E3 (or CTRL+G -> 4164E3 in code window) 004164E3 ADD BYTE PTR DS:[EAX], AL 004164E5 ADD BYTE PTR DS:[EAX], AL 004164E7 ADD BYTE PTR DS:[EAX], AL 004164E9 ADD BYTE PTR DS:[EAX], AL 004164EB ADD BYTE PTR DS:[EAX], AL its empty and that means loader will fill it later. (if exception occurs before loader will fill it program will crash hehe :)) let's find where it get filled. go to 4164E3, right click -> breakpoint -> memory, on access press F9, breakpoint occured here 004E3133 XOR EDX, EDX 004E3135 XOR ECX, ECX 004E3137 MOVS BYTE PTR ES:[EDI], BYTE PTR DS:[ESI] (writing to 4164E3 !) 004E3138 XOR BYTE PTR DS:[EDI-1], BL 004E313B DEC EBX this is the first time, hit F9 several times (or just put simple breakpoint somewhere here) and watch in hex dump window for address 4164E3, you will see how it gets filled. so for a last time exception will occur at address 004E3137 MOVS BYTE PTR ES:[EDI], BYTE PTR DS:[ESI] and this exception program generates for jumping to exception handler, so at that line put breakpoint on exception handler (goto to 4164E3 and press F2), then press SHIFT+F9 and you are at the beginning of exception handler 004164E3 CALL PETGUI.00416537 trace into (F7)... 00416537 XOR EAX, EAX 00416539 POP ESI 0041653A MOV EBX, DWORD PTR FS:[EAX] 0041653D MOV EBX, DWORD PTR DS:[EBX] 0041653F LEA ESP, DWORD PTR DS:[EBX-2A] 00416542 POP EBP 00416543 LEA ECX, DWORD PTR DS:[ESI+2CB] 00416549 MOV DWORD PTR DS:[EBX+4], ECX 0041654C MOV DWORD PTR FS:[0], EBX this code is very important, it restores the stack (ESP) and sets next SEH frame, so your next exception handler will be at address which points ECX after LEA ECX, DWORD PTR DS:[ESI+2CB] command, its 4167B3, simply set breakpoint at that address. trace... and here you are, where loader generates next exception 0041657B JMP EAX ; EAX = 0 ! it trys to jump to address 00000000, press SHIFT+F9 again and you are at exception handler start... 004167B3 XOR EAX, EAX 004167B5 MOV EBX, DWORD PTR FS:[EAX] 004167B8 MOV EBX, DWORD PTR DS:[EBX] 004167BA LEA ESP, DWORD PTR DS:[EBX-52] 004167BD POPAD 004167BE CMP DWORD PTR DS:[ESI], 0 trace again and you will finally jump here... 0041657D POP EBX 0041657E POP EDX 0041657F POP DWORD PTR FS:[0] 00416586 POP EAX 00416587 PUSH 3 00416589 PUSH EBX 0041658A XOR EBX, EBX then you will see that here goes some kinda checksum calculation for code and PE header parts, if there will be mismatch message will be shown with text ------------------------------------- This file has been tampered with and MAY BE INFECTED BY A VIRUS! ------------------------------------- (btw, you can patch the checksum jumps, if ya gonna do some inline patch of your proggie) after checksum pass goes import table patching, and finally we reach this code 0041682A POP ECX 0041682B POP ESI 0041682C STD 0041682D XOR EAX, EAX 0041682F MOV ECX, 357 00416834 CALL petgui.004E303D trace into the last call (its self modifying...) 004E303D POP EDI 004E303E REP STOS BYTE PTR ES:[EDI] 004E3040 POPAD 004E3041 POPFW 004E3043 ADD ESP, 8 004E3046 JMP petgui.0040D0D7 and here you go.... this is the jump to original entry point in this case OEP = 40D0D7, jump to OEP and dump it without import rebuilding. (now you can kill the last section in dumped file, coz its useless anymore, and decrease output file size) close ollydbg and run the packed file (petgui.exe), run ImpRec and choose that file, in OEP edit box type D0D7 and press IAT AutoSearch then press GetImports, now you will see some invalid imports, press Show Invalid, right click on invalid function and select Trace Level1 (2 and 3 should work too i guess) from menu, until you wont get any invalid functions, press Fix Dump and choose your dumped file... congrats, you just manualy unpacked Petite v2.3 :) thats it, i know that i explained all this process in very bad and quick english... forgive me mastah i cant do tutorials very well :) 0:55 10.04.2005 freenet.am/~softland smoke@freenet.am P.S. hey i found the URL, it was on Petite window :P http://www.un4seen.com/petite/ pero bueno mi duda es q primero 004164E3 no tiene valos y luego toma el valor de un call :S y no c q estoy haciendo mal, espero su ayuda ;) Título: Re: PEtite 2.3 Publicado por: tena en 28 Abril 2006, 05:37 am No me acuerdo muy bien pero creo que Petite sobreescribe el EP del packer por el OEP.
Para desempacarlo puedes hacer lo siguiente: 1- Ejecuta el programa 2- Con el Procdump busca el proceso del programa y le haces un dump full. 3- Con eso ya estari "Listo", probalo haber si anda. Sino anda puedes intentar arrglarle la IAT con el Impert Reconstructor. Saludos TENA Título: Re: PEtite 2.3 Publicado por: esse en 10 Mayo 2006, 23:21 pm lo intente pero no funciona, alguien tiene un manual de como ir recontruir un iat??
|