A brief look at two ways to unpack petite 2.3 / Notes on manually unpacking PEtite 2.x [Level 1/9] -> Ian Luck

Author: unknown 2012/3/22 16:50:08

PEiD identifies the packer as PEtite 2.x [Level X] -> Ian Luck. Here are two ways to unpack it.

First, set OllyDbg to ignore all exceptions. The demonstration target is the petite 2.3 GUI itself (module petgui).

1. The ESP rule (works on every variant)

004E3046 >     B8 00304E00        MOV EAX,petgui.004E3000              ;where OD loads (entry point)
004E304B       68 E3644100        PUSH petgui.004164E3
004E3050       64:FF35 0000000>PUSH DWORD PTR FS:[0]
004E3057       64:8925 0000000>MOV DWORD PTR FS:[0],ESP
004E305E       66:9C              PUSHFW                                                 ;pushes the flags (restored by the POPFW later)
004E3060       60                 PUSHAD                                                    ;pushes all the registers too
004E3061       50                 PUSH EAX                                                 ;note: follow the ESP value here in the dump window and set a hardware breakpoint, on access, WORD, on its first byte
004E3062       8BD8               MOV EBX,EAX
004E3064       0300               ADD EAX,DWORD PTR DS:[EAX]
004E3066       68 A4A50000        PUSH 0A5A4
004E306B       6A 00              PUSH 0

Press F9 to run; an exception occurs. SHIFT+F9 then breaks at 004E3041.

004E3041       66:9D              POPFW                                                 ;restores the stack from the beginning
004E3043       83C4 08            ADD ESP,8
004E3046 >- E9 8CA0F2FF        JMP petgui.0040D0D7                  ;jumps to the OEP

2. The analysis method (my own name for it)

004E3046 >     B8 00304E00        MOV EAX,petgui.004E3000                      ;where OD loads
004E304B       68 E3644100        PUSH petgui.004164E3
004E3050       64:FF35 0000000>PUSH DWORD PTR FS:[0]
004E3057       64:8925 0000000>MOV DWORD PTR FS:[0],ESP              ;installs the SEH handler; at this point the handler address is not yet decrypted
004E305E       66:9C              PUSHFW

Level 0 installs the handler twice. I did not trace the other decompression algorithms: petite 2.3 has 10 compression modes in total, each one different and tedious to analyse, so interested readers can trace them on their own.

Remember that address (the handler pushed at 004E304B). Press F9 and the exception fires; by then the address has been decrypted. Set a breakpoint there and press SHIFT+F9 to break at 004167B3.

004167B3       33C0               XOR EAX,EAX
004167B5       64:8B18            MOV EBX,DWORD PTR FS:[EAX]
004167B8       8B1B               MOV EBX,DWORD PTR DS:[EBX]
004167BA       8D63 AE            LEA ESP,DWORD PTR DS:[EBX-52]
004167BD       61                 POPAD
004167BE       833E 00            CMP DWORD PTR DS:[ESI],0
004167C1     ^ 0F84 B6FDFFFF      JE petgui.0041657D

Stepping further down, we find the E8/E9 optimization (PEtite's filter on the relative operands of CALL/JMP):

004167D2      /72 15              JB SHORT petgui.004167E9                 ;jumps to 004167E9 to begin the E8/E9 optimization
004167D4      |037E 04            ADD EDI,DWORD PTR DS:[ESI+4]
004167D7      |C1F9 02            SAR ECX,2
004167DA      |33C0               XOR EAX,EAX
004167DC      |F3:AB              REP STOS DWORD PTR ES:[EDI]
004167DE      |59                 POP ECX
004167DF      |83E1 03            AND ECX,3
004167E2      |F3:AA              REP STOS BYTE PTR ES:[EDI]
004167E4      |83C6 14            ADD ESI,14
004167E7     ^|EB D5              JMP SHORT petgui.004167BE             ;jumps away
004167E9      \8B5E 04            MOV EBX,DWORD PTR DS:[ESI+4]
004167EC       83EB 06            SUB EBX,6
004167EF       33D2               XOR EDX,EDX
004167F1       3BD3               CMP EDX,EBX
004167F3     ^ 7D DF              JGE SHORT petgui.004167D4                   ;once the optimization is done, jumps to 004167D4 to repair the import table
004167F5       8A043A             MOV AL,BYTE PTR DS:[EDX+EDI]
004167F8       42                 INC EDX
004167F9       3C E8              CMP AL,0E8
004167FB       74 12              JE SHORT petgui.0041680F
004167FD       3C E9              CMP AL,0E9
004167FF       74 0E              JE SHORT petgui.0041680F
00416801       3C 0F              CMP AL,0F
00416803     ^ 75 EC              JNZ SHORT petgui.004167F1
00416805       8A043A             MOV AL,BYTE PTR DS:[EDX+EDI]
00416808       24 F0              AND AL,0F0
0041680A       3C 80              CMP AL,80
0041680C     ^ 75 E3              JNZ SHORT petgui.004167F1
0041680E       42                 INC EDX
0041680F       8B043A             MOV EAX,DWORD PTR DS:[EDX+EDI]
00416812       3C 0A              CMP AL,0A
00416814     ^ 75 DB              JNZ SHORT petgui.004167F1
00416816       66:C1E8 08         SHR AX,8
0041681A       C1C0 10            ROL EAX,10
0041681D       86C4               XCHG AH,AL
0041681F       83C2 04            ADD EDX,4
00416822       2BC2               SUB EAX,EDX
00416824       89443A FC          MOV DWORD PTR DS:[EDX+EDI-4],EAX
00416828     ^ EB C7              JMP SHORT petgui.004167F1                 ;this loop is the E8/E9 optimization
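The loop above (004167E9 to 00416828) reimplemented in Python as an added example; it is not code from the original post or from PEtite. It shows how the marker byte 0x0A and the 24-bit big-endian absolute offset are turned back into a little-endian rel32 measured from the end of the operand, exactly as the SHR/ROL/XCHG/SUB sequence does. The sample bytes, their offsets and the branch_targets() checker are constructed here.

```python
# Added example, not code from the original post: Python version of the PEtite
# E8/E9 restoration loop at 004167E9-00416828; sample bytes are constructed.

def petite_e8e9_restore(buf: bytes) -> bytes:
    """Turn each packed operand (marker 0x0A + 24-bit big-endian absolute
    target offset) of CALL/JMP/near-Jcc back into a little-endian rel32."""
    data = bytearray(buf)
    limit = len(data) - 6                 # EBX = [ESI+4] - 6
    edx = 0                               # XOR EDX,EDX
    while edx < limit:                    # CMP EDX,EBX / JGE -> done
        al = data[edx]
        edx += 1
        if al in (0xE8, 0xE9):            # CALL rel32 / JMP rel32
            pass
        elif al == 0x0F and (data[edx] & 0xF0) == 0x80:
            edx += 1                      # near Jcc: skip its second byte
        else:
            continue
        if data[edx] != 0x0A:             # CMP AL,0A: operand was not packed
            continue
        absolute = int.from_bytes(data[edx + 1:edx + 4], "big")  # SHR/ROL/XCHG
        edx += 4                          # ADD EDX,4: end of the operand
        rel = (absolute - edx) & 0xFFFFFFFF                      # SUB EAX,EDX
        data[edx - 4:edx] = rel.to_bytes(4, "little")            # MOV [EDX+EDI-4]
    return bytes(data)

def branch_targets(buf: bytes):
    """Decode rel32 branches of a restored buffer as (offset, target) pairs."""
    out, i = [], 0
    while i < len(buf) - 5:
        if buf[i] in (0xE8, 0xE9):
            op = i + 1
        elif buf[i] == 0x0F and (buf[i + 1] & 0xF0) == 0x80:
            op = i + 2
        else:
            i += 1
            continue
        rel = int.from_bytes(buf[op:op + 4], "little", signed=True)
        out.append((i, (op + 4 + rel) & 0xFFFFFFFF))
        i = op + 4
    return out

# Constructed input: CALL to offset 0x10, JE back to offset 2, then a CALL whose
# operand has no 0x0A marker (must stay untouched), padded with NOPs.
PACKED = bytes([0x90, 0xE8, 0x0A, 0x00, 0x00, 0x10, 0x0F, 0x84, 0x0A, 0x00,
                0x00, 0x02, 0xE8, 0x11, 0x22, 0x33, 0x44]) + b"\x90" * 15

if __name__ == "__main__":
    restored = petite_e8e9_restore(PACKED)
    print(restored.hex(), [(o, hex(t)) for o, t in branch_targets(restored)])
```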

After the jump at 004167E7, step further down and you find the exception handler being unlinked:

0041657D       5B                 POP EBX                                     ; petgui.004E304B
0041657E       5A                 POP EDX
0041657F       64:8F05 0000000>POP DWORD PTR FS:[0]
00416586       58                 POP EAX
00416587       6A 03              PUSH 3
00416589       53                 PUSH EBX
0041658A       33DB               XOR EBX,EBX
0041658C       68 3E030000        PUSH 33E
00416591       8B0C24             MOV ECX,DWORD PTR SS:[ESP]
00416594       0FBAE3 00          BT EBX,0


Keep stepping; decryption continues:

004166EA       83C6 04            ADD ESI,4
004166ED     ^ E9 75FFFFFF        JMP petgui.00416667                          ;JMP1
004166F2       5E                 POP ESI
004166F3       83C4 18            ADD ESP,18
004166F6       8B16               MOV EDX,DWORD PTR DS:[ESI]
004166F8       03D5               ADD EDX,EBP
004166FA       8D43 47            LEA EAX,DWORD PTR DS:[EBX+47]
004166FD       8B4C24 04          MOV ECX,DWORD PTR SS:[ESP+4]
00416701       833A 00            CMP DWORD PTR DS:[EDX],0
00416704       74 12              JE SHORT petgui.00416718
00416706       3B1A               CMP EBX,DWORD PTR DS:[EDX]
00416708       8318 00            SBB DWORD PTR DS:[EAX],0
0041670B       390A               CMP DWORD PTR DS:[EDX],ECX
0041670D       8318 00            SBB DWORD PTR DS:[EAX],0
00416710       83C2 04            ADD EDX,4
00416713       C108 03            ROR DWORD PTR DS:[EAX],3
00416716     ^ EB E9              JMP SHORT petgui.00416701                         ;JMP2
00416718       C706 00000000      MOV DWORD PTR DS:[ESI],0
0041671E       5F                 POP EDI
0041671F       83C9 FF            OR ECX,FFFFFFFF
00416722       33C0               XOR EAX,EAX
00416724       F2:AE              REPNE SCAS BYTE PTR ES:[EDI]
00416726       8BCF               MOV ECX,EDI
00416728       83C6 04            ADD ESI,4
0041672B     ^ E9 E3FEFFFF        JMP petgui.00416613                        ;note this last JMP

00416613       833E 00            CMP DWORD PTR DS:[ESI],0
00416616       0F84 0E020000      JE petgui.0041682A                          ;set a breakpoint directly at 0041682A and press F9

0041682A       59                 POP ECX                                     ; petgui.004E30D7
0041682B       5E                 POP ESI
0041682C       FD                 STD
0041682D       33C0               XOR EAX,EAX
0041682F       B9 57030000        MOV ECX,357
00416834       E8 04C80C00        CALL petgui.004E303D                       ;step into with F7 and you land where the ESP method ended up

004E303D       5F                 POP EDI                                     ; petgui.00416839
004E303E       F3:AA              REP STOS BYTE PTR ES:[EDI]
004E3040       61                 POPAD
004E3041       66:9D              POPFW
004E3043       83C4 08            ADD ESP,8
004E3046 >- E9 8CA0F2FF        JMP petgui.0040D0D7                    ;jumps to the OEP

After dumping with either method, repair the imports with ImportREC and you are done.

///////////////////////////////////////////////////////////////////////////////////

Notes on manually unpacking PEtite 2.x [Level 1/9] -> Ian Luck

PEiD identifies the packer as:

PEtite 2.x [Level 1/9] -> Ian Luck

Down to business: load the target program in OD and unpack it.

[Method 1: the ESP rule]
00592046 e> B8 00205900         mov eax,easysetu.00592000
0059204B     68 68365400         push easysetu.00543668
00592050     64:FF35 00000000    push dword ptr fs:[0]
00592057     64:8925 00000000    mov dword ptr fs:[0],esp
0059205E     66:9C               pushfw
00592060     60                  pushad
00592061     50                  push eax //single-step (F8) to here, then apply the ESP rule

This brings us here:

00592041     66:9D               popfw
00592043     83C4 08             add esp,8
00592046 e>- E9 0D96FAFF         jmp easysetu.0053B658 //jumps to the program's OEP

0053B658     55                  push ebp //the program's OEP; dump here
0053B659     8BEC                mov ebp,esp
0053B65B     83C4 F4             add esp,-0C
0053B65E     B8 C8B25300         mov eax,easysetu.0053B2C8
0053B663     E8 D8BBECFF         call easysetu.00407240
[Method 2: the memory map method]
Open the memory map (you can also set breakpoints on the two CODE sections; after Shift+F9 you arrive at the code below as well. This is quite flexible, since there are many sections to choose from).

Set breakpoints on each of the following two entries:
项目 28

地址=0054B000
大小=00012000 (73728.)
Owner=easysetu 00400000
区段=.000000
类型=Imag 01001002
访问=R
初始访问=RWE

项目 24

地址=00544000
大小=00002000 (8192.)
Owner=easysetu 00400000
区段=
包含=code
类型=Imag 01001002
访问=R
初始访问=RWE //this is actually the second code section

Set the breakpoints with F2; after Shift+F9 twice in total you arrive here:

0040724E     8905 D8445400       mov dword ptr ds:[5444D8],eax  
00407254     8942 04             mov dword ptr ds:[edx+4],eax
00407257     C742 08 00000000    mov dword ptr ds:[edx+8],0
0040725E     C742 0C 00000000    mov dword ptr ds:[edx+C],0
00407265     E8 8AFFFFFF         call easysetu.004071F4
0040726A     5A                  pop edx
0040726B     58                  pop eax
0040726C     E8 4FC9FFFF         call easysetu.00403BC0
00407271     C3                  retn //returns to 0053B668

0053B658     55                  push ebp   //the OEP; set a new origin (EIP) here and dump
0053B659     8BEC                mov ebp,esp
0053B65B     83C4 F4             add esp,-0C
0053B65E     B8 C8B25300         mov eax,easysetu.0053B2C8
0053B663     E8 D8BBECFF         call easysetu.00407240
0053B668     A1 80345400         mov eax,dword ptr ds:[543480]//once you know the entry-point signatures of a few compilers, search upward from here

Next comes repairing the program with ImportREC. There are many invalid pointers; using trace level 1 (disassembly) fixes them, and with that the unpacking is complete.
Running PEiD again now shows:
Borland Delphi 4.0 - 5.0
