[Title]: The ESP trick: unpacking the Petite 2.3 main program in seconds
[Author]: KuNgBiM[DFCG]
[Author email]: gb_1227@163.com
[Publisher]: http://www.un4seen.com/petite/
[Software intro]: Petite is a Win32 (Windows 9x/NT/etc) executable compressor. It allows compression of the whole executable - code, data and resources. Petite automatically decides which parts of the executable can be compressed and which parts need to be left as they are. The compressed output executable can be run as if it was the original uncompressed version.
[Debug environment]: WinXP, OllyDbg, PEiD
[Author's note]: I am new to cracking and do this purely out of interest, with no other purpose. Please point out any mistakes!
[Unpacking process]:
As usual, set OD to ignore all exceptions and load the Petite 2.3 main program:
004E3046 > B8 00304E00 mov eax,petgui.004E3000 // stops here; press F8 and watch how the ESP register changes
004E304B 68 E3644100 push petgui.004164E3
004E3050 64:FF35 0000000>push dword ptr fs:[0]
004E3057 64:8925 0000000>mov dword ptr fs:[0],esp
004E305E 66:9C pushfw
004E3060 60 pushad
004E3061 50 push eax
004E3062 8BD8 mov ebx,eax
004E3064 0300 add eax,dword ptr ds:[eax]
004E3066 68 A4A50000 push 0A5A4
004E306B 6A 00 push 0
After pressing F8 twice, the registers are:
EAX 004E3000 petgui.004E3000
ECX 0012FFB0
EDX 7C92EB94 ntdll.KiFastSystemCallRet
EBX 7FFDC000
ESP 0012FFC0 // ESP has changed to 0012FFC0
EBP 0012FFF0
ESI FFFFFFFF
EDI 7C930738 ntdll.7C930738
EIP 004E3050 petgui.004E3050
In the OD command line enter hr 0012ffc0 and press Enter to set the hardware breakpoint, then press F9 to run:
After the sixth F9 the program arrives at:
0040D0D7 55 push ebp // OEP
0040D0D8 8BEC mov ebp,esp // it breaks here, but this is not the program entry point; look one line up, to 0040D0D7
0040D0DA 6A FF push -1
0040D0DC 68 E0534100 push petgui.004153E0
0040D0E1 68 A8E74000 push petgui.0040E7A8
0040D0E6 64:A1 00000000 mov eax,dword ptr fs:[0]
0040D0EC 50 push eax
0040D0ED 64:8925 0000000>mov dword ptr fs:[0],esp
0040D0F4 83EC 58 sub esp,58
0040D0F7 53 push ebx
0040D0F8 56 push esi
0040D0F9 57 push edi
0040D0FA 8965 E8 mov dword ptr ss:[ebp-18],esp
Unpacking and repair:
Having confirmed that 0040D0D7 is the program entry point, run LordPE and dump the whole process, then run ImportREC, select the Petite.exe process,
enter OEP=0000D0D7, auto-search the IAT, get the imports, delete the 5 invalid pointers, fix the dumped file, OK, Fix Dump~ run it~~ success!!!
After optimization: 916KB --> 117KB. The program was compiled with Microsoft Visual C++ 6.0.
[Title]: The ESP trick: unpacking a Petite 2.3-packed Notepad in seconds
[Author]: KuNgBiM[DFCG]
[Author email]: gb_1227@163.com
[Publisher]: http://www.un4seen.com/petite/
[Software intro]: Petite is a Win32 (Windows 9x/NT/etc) executable compressor. It allows compression of the whole executable - code, data and resources. Petite automatically decides which parts of the executable can be compressed and which parts need to be left as they are. The compressed output executable can be run as if it was the original uncompressed version.
[Debug environment]: WinXP, OllyDbg, PEiD
[Author's note]: I am new to cracking and do this purely out of interest, with no other purpose. Please point out any mistakes!
[Unpacking process]:
As usual, set OD to ignore all exceptions and load the Notepad packed with Petite 2.3:
01010046 > B8 00000101 mov eax,EEEEEEEE.01010000 // stops here; press F8 and watch how the ESP register changes
0101004B 68 00860001 push EEEEEEEE.01008600
01010050 64:FF35 0000000>push dword ptr fs:[0]
01010057 64:8925 0000000>mov dword ptr fs:[0],esp
0101005E 66:9C pushfw
01010060 60 pushad
01010061 50 push eax
01010062 8BD8 mov ebx,eax
01010064 0300 add eax,dword ptr ds:[eax]
01010066 68 D4330000 push 33D4
0101006B 6A 00 push 0
After pressing F8 twice, the registers are:
EAX 01010000 EEEEEEEE.01010000
ECX 0006FFB0
EDX 7C92EB94 ntdll.KiFastSystemCallRet
EBX 7FFD7000
ESP 0006FFC0 // ESP has changed to 0006FFC0
EBP 0006FFF0
ESI FFFFFFFF
EDI 7C930738 ntdll.7C930738
EIP 01010050 EEEEEEEE.01010050
In the OD command line enter hr 0006ffc0 and press Enter to set the hardware breakpoint, then press F9 to run:
After the sixth F9 the program arrives at:
01006420 55 push ebp // OEP
01006421 8BEC mov ebp,esp // it breaks here, but this is not the program entry point; look one line up, to 01006420
01006423 6A FF push -1
01006425 68 88180001 push EEEEEEEE.01001888
0100642A 68 D0650001 push EEEEEEEE.010065D0
0100642F 64:A1 00000000 mov eax,dword ptr fs:[0]
01006435 50 push eax
01006436 64:8925 0000000>mov dword ptr fs:[0],esp
0100643D 83C4 98 add esp,-68
01006440 53 push ebx
01006441 56 push esi
01006442 57 push edi
01006443 8965 E8 mov dword ptr ss:[ebp-18],esp
01006446 C745 FC 0000000>mov dword ptr ss:[ebp-4],0
0100644D 6A 02 push 2
Unpacking and repair:
Having confirmed that 01006420 is the program entry point, run LordPE and dump the whole process, then run ImportREC, select the NOTEPAD[pack].exe process, enter OEP=00006420, auto-search the IAT, get the imports, delete the 8 invalid pointers, fix the dumped file, OK, Fix Dump~ run it~~ success!!!
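Both write-ups hinge on the same two facts: Petite 2.3 leaves an identical entry stub (mov eax,imm32 / push imm32 / push fs:[0] / mov fs:[0],esp / pushfw / pushad ...) in front of every packed file, and the hardware breakpoint lands one instruction past an MSVC 6 CRT entry prologue (push ebp / mov ebp,esp / push -1 / push imm32 / push imm32 / mov eax,fs:[0] ...). The script below is an added example, not code from the original posts or from the Petite project: it fingerprints the stub bytes transcribed from the two OllyDbg listings, pulls out the two immediates the stub pushes (the value loaded into EAX and the SEH handler installed through fs:[0], whose stack slot is what the hr breakpoint watches), scans an image for the MSVC 6 prologue as a static cross-check of the OEP the ESP trick produced, and converts an OEP VA into the 8-digit RVA that ImportREC asks for. The image layout built by build_sample_image() is a constructed mock based on the Notepad listing; the function and pattern names are my own.

```python
"""
Added example (not part of the original write-up): static helpers that
fingerprint the Petite 2.3 entry stub, scan for the MSVC 6 entry prologue
seen at the OEP in both listings, and convert an OEP VA into the RVA that
ImportREC asks for.  Opcode bytes are transcribed from the OllyDbg listings
in the post; the image built by build_sample_image() is a constructed mock
for this demo, not a real dump.
"""
import struct

# Byte patterns with wildcards (None matches any byte).
# Petite 2.3 stub: mov eax,imm32 / push imm32 / push fs:[0] / mov fs:[0],esp /
# pushfw / pushad / push eax / mov ebx,eax / add eax,[eax]
PETITE_STUB = [
    0xB8, None, None, None, None,
    0x68, None, None, None, None,
    0x64, 0xFF, 0x35, 0x00, 0x00, 0x00, 0x00,
    0x64, 0x89, 0x25, 0x00, 0x00, 0x00, 0x00,
    0x66, 0x9C, 0x60, 0x50, 0x8B, 0xD8, 0x03, 0x00,
]

# MSVC 6 CRT entry: push ebp / mov ebp,esp / push -1 / push imm32 / push imm32 /
# mov eax,fs:[0] / push eax / mov fs:[0],esp
MSVC6_PROLOGUE = [
    0x55, 0x8B, 0xEC, 0x6A, 0xFF,
    0x68, None, None, None, None,
    0x68, None, None, None, None,
    0x64, 0xA1, 0x00, 0x00, 0x00, 0x00,
    0x50,
    0x64, 0x89, 0x25, 0x00, 0x00, 0x00, 0x00,
]

# Constructed sample laid out like the packed Notepad from the second listing.
IMAGE_BASE = 0x01000000
ENTRY_RVA = 0x01010046 - IMAGE_BASE   # packed entry point (Petite stub)
OEP_RVA = 0x01006420 - IMAGE_BASE     # real entry point found with the ESP trick
STUB_BYTES = bytes.fromhex(
    "B8 00 00 01 01 68 00 86 00 01 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 "
    "66 9C 60 50 8B D8 03 00 68 D4 33 00 00 6A 00"
)
PROLOGUE_BYTES = bytes.fromhex(
    "55 8B EC 6A FF 68 88 18 00 01 68 D0 65 00 01 64 A1 00 00 00 00 50 "
    "64 89 25 00 00 00 00 83 C4 98 53 56 57 89 65 E8 C7 45 FC 00 00 00 00 6A 02"
)


def match_at(data, offset, pattern):
    """True if pattern matches data at offset (None entries are wildcards)."""
    if offset < 0 or offset + len(pattern) > len(data):
        return False
    return all(p is None or data[offset + i] == p for i, p in enumerate(pattern))


def find_all(data, pattern):
    """Offsets of every match of pattern in data."""
    return [i for i in range(len(data) - len(pattern) + 1) if match_at(data, i, pattern)]


def parse_petite_stub(image, entry_rva):
    """If the Petite stub sits at entry_rva, return the two immediates it pushes:
    the value loaded into EAX and the SEH handler installed through fs:[0].
    The hr breakpoint in the post watches the stack slot that holds this handler."""
    if not match_at(image, entry_rva, PETITE_STUB):
        return None
    stub_base_va = struct.unpack_from("<I", image, entry_rva + 1)[0]   # mov eax,imm32
    seh_handler_va = struct.unpack_from("<I", image, entry_rva + 6)[0]  # push imm32
    return {"stub_base_va": stub_base_va, "seh_handler_va": seh_handler_va}


def find_oep_candidates(image, image_base):
    """VAs of every MSVC 6 entry prologue in the image: candidates for the OEP."""
    return [image_base + off for off in find_all(image, MSVC6_PROLOGUE)]


def importrec_oep(oep_va, image_base):
    """ImportREC wants the OEP as an RVA: VA minus image base, 8 hex digits."""
    if oep_va < image_base:
        raise ValueError("OEP VA below image base")
    return "%08X" % (oep_va - image_base)


def build_sample_image():
    """Zero-filled mock image with the stub at the entry and the prologue at the OEP."""
    image = bytearray(0x11000)
    image[ENTRY_RVA:ENTRY_RVA + len(STUB_BYTES)] = STUB_BYTES
    image[OEP_RVA:OEP_RVA + len(PROLOGUE_BYTES)] = PROLOGUE_BYTES
    return bytes(image)


if __name__ == "__main__":
    img = build_sample_image()
    print("Petite stub at entry:", parse_petite_stub(img, ENTRY_RVA))
    for va in find_oep_candidates(img, IMAGE_BASE):
        print("MSVC6 prologue at %08X -> ImportREC OEP=%s" % (va, importrec_oep(va, IMAGE_BASE)))
```

Run it as-is and it reports the stub immediates 01010000 and 01008600 from the listing, the single prologue at 01006420, and OEP=00006420, which is exactly the value typed into ImportREC above. Against a real LordPE dump you would replace build_sample_image() with the mapped section bytes; a prologue hit that disagrees with where the hardware breakpoint landed is a sign to re-check the OEP before fixing imports.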
==============================
Unpacked by KuNgBiM[DFCG]
2005-05-09
==============================
Related:
Attachment: Petite 2.3.rar