簡(jiǎn)析 petite 2.3 2種方法脫殼/手脫P(yáng)Etite 2.x [Level 1/9] -> Ian Luck記錄

PEID 查殼為PEtite 2.x [Level X] -＞ Ian Luck 脫這個(gè)殼我提供2種方法~

首先將OD中所有異常忽略~,用petite 2.3的GUI來做示范~

1 用ESP定理(通殺)

004E3046 ＞     B8 00304E00        MOV EAX,petgui.004E3000              ;OD載入地方
004E304B       68 E3644100        PUSH petgui.004164E3
004E3050       64:FF35 0000000＞PUSH DWORD PTR FS:[0]
004E3057       64:8925 0000000＞MOV DWORD PTR FS:[0],ESP
004E305E       66:9C              PUSHFW                                                 ;還原上面的壓棧
004E3060       60                 PUSHAD                                                    ;又將寄存器數(shù)據(jù)壓棧
004E3061       50                 PUSH EAX                                                 ;注意再這的ESP地址跟隨到數(shù)據(jù)窗口在第一個(gè)字節(jié)上下 硬件訪問-＞W(wǎng)ORD型 斷點(diǎn)
004E3062       8BD8               MOV EBX,EAX
004E3064       0300               ADD EAX,DWORD PTR DS:[EAX]
004E3066       68 A4A50000        PUSH 0A5A4
004E306B       6A 00              PUSH 0

F9跑起來,出現(xiàn)異常,SHIFT+F9 會(huì)斷到004E3041

004E3041       66:9D              POPFW                                                 ;恢復(fù)開始的堆棧
004E3043       83C4 08            ADD ESP,8
004E3046 ＞- E9 8CA0F2FF        JMP petgui.0040D0D7                  ;跳到OEP

2分析法(自己取名~~)

004E3046 ＞     B8 00304E00        MOV EAX,petgui.004E3000                      ;OD載入
004E304B       68 E3644100        PUSH petgui.004164E3
004E3050       64:FF35 0000000＞PUSH DWORD PTR FS:[0]
004E3057       64:8925 0000000＞MOV DWORD PTR FS:[0],ESP              ;甩出異常處理鏈,但此時(shí)該地址沒有解密0級(jí)的甩了2次,別的沒有跟解壓算法,petite 2.3總共有10種壓縮方式,沒一種都不一樣分析起來也很煩瑣,有興趣的朋友可以跟跟~~
004E305E       66:9C              PUSHFW

記住這個(gè)地址,按F9出異常,這個(gè)時(shí)候那個(gè)地址已經(jīng)解密了,在該處下斷點(diǎn)~按SHIFT+F9 斷到004167B3

004167B3       33C0               XOR EAX,EAX
004167B5       64:8B18            MOV EBX,DWORD PTR FS:[EAX]
004167B8       8B1B               MOV EBX,DWORD PTR DS:[EBX]
004167BA       8D63 AE            LEA ESP,DWORD PTR DS:[EBX-52]
004167BD       61                 POPAD
004167BE       833E 00            CMP DWORD PTR DS:[ESI],0
004167C1     ^ 0F84 B6FDFFFF      JE petgui.0041657D

往下走發(fā)現(xiàn)E8 E9 優(yōu)化

004167D2      /72 15              JB SHORT petgui.004167E9                 ;開始跳到004167開始E9E8 E9 優(yōu)化
004167D4      |037E 04            ADD EDI,DWORD PTR DS:[ESI+4]
004167D7      |C1F9 02            SAR ECX,2
004167DA      |33C0               XOR EAX,EAX
004167DC      |F3:AB              REP STOS DWORD PTR ES:[EDI]
004167DE      |59                 POP ECX
004167DF      |83E1 03            AND ECX,3
004167E2      |F3:AA              REP STOS BYTE PTR ES:[EDI]
004167E4      |83C6 14            ADD ESI,14
004167E7     ^|EB D5              JMP SHORT petgui.004167BE             ;跳走
004167E9      \8B5E 04            MOV EBX,DWORD PTR DS:[ESI+4]
004167EC       83EB 06            SUB EBX,6
004167EF       33D2               XOR EDX,EDX
004167F1       3BD3               CMP EDX,EBX
004167F3     ^ 7D DF              JGE SHORT petgui.004167D4                   ;優(yōu)化完了跳到004167D4進(jìn)行修復(fù)引入表
004167F5       8A043A             MOV AL,BYTE PTR DS:[EDX+EDI]
004167F8       42                 INC EDX
004167F9       3C E8              CMP AL,0E8
004167FB       74 12              JE SHORT petgui.0041680F
004167FD       3C E9              CMP AL,0E9
004167FF       74 0E              JE SHORT petgui.0041680F
00416801       3C 0F              CMP AL,0F
00416803     ^ 75 EC              JNZ SHORT petgui.004167F1
00416805       8A043A             MOV AL,BYTE PTR DS:[EDX+EDI]
00416808       24 F0              AND AL,0F0
0041680A       3C 80              CMP AL,80
0041680C     ^ 75 E3              JNZ SHORT petgui.004167F1
0041680E       42                 INC EDX
0041680F       8B043A             MOV EAX,DWORD PTR DS:[EDX+EDI]
00416812       3C 0A              CMP AL,0A
00416814     ^ 75 DB              JNZ SHORT petgui.004167F1
00416816       66:C1E8 08         SHR AX,8
0041681A       C1C0 10            ROL EAX,10
0041681D       86C4               XCHG AH,AL
0041681F       83C2 04            ADD EDX,4
00416822       2BC2               SUB EAX,EDX
00416824       89443A FC          MOV DWORD PTR DS:[EDX+EDI-4],EAX
00416828     ^ EB C7              JMP SHORT petgui.004167F1                 ;此循環(huán)為E8 E9優(yōu)化

004167E7 跳走,往下走,發(fā)現(xiàn)解除異常處理連

0041657D       5B                 POP EBX                                     ; petgui.004E304B
0041657E       5A                 POP EDX
0041657F       64:8F05 0000000＞POP DWORD PTR FS:[0]
00416586       58                 POP EAX
00416587       6A 03              PUSH 3
00416589       53                 PUSH EBX
0041658A       33DB               XOR EBX,EBX
0041658C       68 3E030000        PUSH 33E
00416591       8B0C24             MOV ECX,DWORD PTR SS:[ESP]
00416594       0FBAE3 00          BT EBX,0

往下走繼續(xù)解密

004166EA       83C6 04            ADD ESI,4
004166ED     ^ E9 75FFFFFF        JMP petgui.00416667                          ;JMP1
004166F2       5E                 POP ESI
004166F3       83C4 18            ADD ESP,18
004166F6       8B16               MOV EDX,DWORD PTR DS:[ESI]
004166F8       03D5               ADD EDX,EBP
004166FA       8D43 47            LEA EAX,DWORD PTR DS:[EBX+47]
004166FD       8B4C24 04          MOV ECX,DWORD PTR SS:[ESP+4]
00416701       833A 00            CMP DWORD PTR DS:[EDX],0
00416704       74 12              JE SHORT petgui.00416718
00416706       3B1A               CMP EBX,DWORD PTR DS:[EDX]
00416708       8318 00            SBB DWORD PTR DS:[EAX],0
0041670B       390A               CMP DWORD PTR DS:[EDX],ECX
0041670D       8318 00            SBB DWORD PTR DS:[EAX],0
00416710       83C2 04            ADD EDX,4
00416713       C108 03            ROR DWORD PTR DS:[EAX],3
00416716     ^ EB E9              JMP SHORT petgui.00416701                         ;JMP2
00416718       C706 00000000      MOV DWORD PTR DS:[ESI],0
0041671E       5F                 POP EDI
0041671F       83C9 FF            OR ECX,FFFFFFFF
00416722       33C0               XOR EAX,EAX
00416724       F2:AE              REPNE SCAS BYTE PTR ES:[EDI]
00416726       8BCF               MOV ECX,EDI
00416728       83C6 04            ADD ESI,4
0041672B     ^ E9 E3FEFFFF        JMP petgui.00416613                        ;注意最后這個(gè)JMP

00416613       833E 00            CMP DWORD PTR DS:[ESI],0
00416616       0F84 0E020000      JE petgui.0041682A                          ;直接到0041682A下斷F9

0041682A       59                 POP ECX                                     ; petgui.004E30D7
0041682B       5E                 POP ESI
0041682C       FD                 STD
0041682D       33C0               XOR EAX,EAX
0041682F       B9 57030000        MOV ECX,357
00416834       E8 04C80C00        CALL petgui.004E303D                       ;F7進(jìn)去就和ESP最后跑的地方一樣了

004E303D       5F                 POP EDI                                     ; petgui.00416839
004E303E       F3:AA              REP STOS BYTE PTR ES:[EDI]
004E3040       61                 POPAD
004E3041       66:9D              POPFW
004E3043       83C4 08            ADD ESP,8
004E3046 ＞- E9 8CA0F2FF        JMP petgui.0040D0D7                    ;跳到OEP

這兩種方法DUMP后用ImportREC修復(fù)即可~~

///////////////////////////////////////////////////////////////////////////////////

手脫P(yáng)Etite 2.x [Level 1/9] -> Ian Luck記錄

使用Peid查殼顯示為：

PEtite 2.x [Level 1/9] -> Ian Luck

進(jìn)入主題，載入目標(biāo)程序于OD中進(jìn)行脫殼

【方法一：使用ESP定律】
00592046 e> B8 00205900         mov eax,easysetu.00592000
0059204B     68 68365400         push easysetu.00543668
00592050     64:FF35 00000000    push dword ptr fs:[0]
00592057     64:8925 00000000    mov dword ptr fs:[0],esp
0059205E     66:9C               pushfw
00592060     60                  pushad
00592061     50                  push eax //F8單步到此，使用ESP定律

來到這里------------->

00592041     66:9D               popfw
00592043     83C4 08             add esp,8
00592046 e>- E9 0D96FAFF         jmp easysetu.0053B658 //跳向程序的OEP

0053B658     55                  push ebp //程序的OEP,DUMP下來
0053B659     8BEC                mov ebp,esp
0053B65B     83C4 F4             add esp,-0C
0053B65E     B8 C8B25300         mov eax,easysetu.0053B2C8
0053B663     E8 D8BBECFF         call easysetu.00407240
【方法二：內(nèi)存鏡像法】
打開內(nèi)存鏡像----------->（也可在兩個(gè)CODE區(qū)段下斷，Shitf+F9后也來到下面代碼：比較靈活，很多區(qū)段可選擇）

下面分別在
項(xiàng)目 28

地址=0054B000
大小=00012000 (73728.)
Owner=easysetu 00400000
區(qū)段=.000000
類型=Imag 01001002
訪問=R
初始訪問=RWE

項(xiàng)目 24

地址=00544000
大小=00002000 (8192.)
Owner=easysetu 00400000
區(qū)段=
包含=code
類型=Imag 01001002
訪問=R
初始訪問=RWE //這里其實(shí)是第二個(gè)code區(qū)段

F2下斷，Shitf+F9共兩次后來到這里

0040724E     8905 D8445400       mov dword ptr ds:[5444D8],eax  
00407254     8942 04             mov dword ptr ds:[edx+4],eax
00407257     C742 08 00000000    mov dword ptr ds:[edx+8],0
0040725E     C742 0C 00000000    mov dword ptr ds:[edx+C],0
00407265     E8 8AFFFFFF         call easysetu.004071F4
0040726A     5A                  pop edx
0040726B     58                  pop eax
0040726C     E8 4FC9FFFF         call easysetu.00403BC0
00407271     C3                  retn //返回到0053B668

0053B658     55                  push ebp   //OEP，在此新建EIP，脫殼之
0053B659     8BEC                mov ebp,esp
0053B65B     83C4 F4             add esp,-0C
0053B65E     B8 C8B25300         mov eax,easysetu.0053B2C8
0053B663     E8 D8BBECFF         call easysetu.00407240
0053B668     A1 80345400         mov eax,dword ptr ds:[543480]//熟悉幾種語言入口特征后往上找

接下來是修復(fù)，程序，使用IMporREC修復(fù)，很多無效指針，使用跟蹤級(jí)別一反匯編即可修復(fù)，至此程序完成脫殼。
使用Peid再次查殼顯示為：
Borland Delphi 4.0 - 5.0