eXeL@B —› Software, tools —› Unpack in 2 seconds
Created: 05 December 2008 15:04 · Private message · #1

How to Unpack Various EXE Packers using OllyDBG
In fucking alphabetic order even!
By mMh
(The techniques referenced are at the bottom, dammit!)

----------------------------------------------------------------------
-- ASPack 2.12:
Load the exe, you will have to Shift+F9 several times. Upwards of 50 times is normal. Use Ctrl+G ESP BP technique. You'll land on a JNZ. Trace into jump, it is pushing the oep. Trace into the ret. This is the OEP. Dump then fix IAT. Fix dump. Done.

----------------------------------------------------------------------
-- EZIP 1.0:
You start out on a JMP, trace into it. Ctrl+F9 (exec til ret). Scroll down and you should find a large loop. Past that, there is a JMP EAX. Trace into this JMP, this is the OEP. Dump, fix IAT, fix dump.

----------------------------------------------------------------------
-- Neolite 2.0:
Scroll down until you see JMP EAX. Put BP here. Step into JMP. You're at the OEP. Dump and rebuild just as you would with UPX.

----------------------------------------------------------------------
-- PE-PaCK 1.0:
You start on a JE with JMP right below it. Trace into the JMP. Now you're on a PUSHAD. Use the Dump window Ctrl+G esp bp. You stop on a JMP EAX. Trace into the JMP and you're at the OEP. Dump, rebuild IAT, fix dump. Done.

----------------------------------------------------------------------
-- Petite 2.2:
Trace until you go over the PUSHAD. Click in dump window. Ctrl+G. Type ESP. Select first two bytes in dump, set breakpoint on memory access -> word. Back in CPU window, hit F9. Shift+F9 until you reach POPAD/POPFW. There should be a JMP soon after the POP. Trace into the JMP, this is the OEP. Dump process with LordPE. Open process with ImpREC. Set correct OEP/IAT autotrace. Hit show invalid. Right click and do a level 1. Fix the dump.
----------------------------------------------------------------------
-- UPX:
Scroll down until you reach something that looks like this:

004142C7 > 61            POPAD
004142C8 .-E9 BE6CFFFF   JMP wrap.0040AF8B
004142CD   00            DB 00
004142CE   00            DB 00

Set a breakpoint on the JMP and run. Step into the JMP. You're at the OEP. Dump with LordPE. Open process with ImpREC. Set OEP with the one you just found. Hit IAT AutoSearch. Hit Get Imports. Delete the bad thunks. Fix the dump. Done.

----------------------------------------------------------------------
-- OEP Finding Techniques

#1 is just scroll down till u see

0040E23F .-E9 A479FFFF   JMP upxs306.00405BE8
0040E244   5CE24000      DD upxs306.0040E25C
0040E248   60E24000      DD upxs306.0040E260
0040E24C   C8734000      DD upxs306.004073C8

JMP and some shit with a bunch of 0's.

#2 F7 on the PUSHAD, go to the dump, CTRL + G, go to ESP. Set a hardware Breakpoint on WORD; that will take u straight to the jump.

#3 F7 onto the PUSHAD, ctrl + T, COMMAND is one of the following "POPAD", then CTRL + F11.

Source: www.reteam.org/board/showthread.php?t=406
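An added example (not from the post or from reteam.org) doing the arithmetic behind technique #1 in Python: it locates the POPAD; JMP rel32 tail of a UPX-style stub in a raw byte image and resolves the jump target, and it cross-checks the OllyDbg listing lines quoted above. STUB_BYTES is a constructed image of the few stub bytes shown in the post; offline analysis of a dumped image, no debugger needed.

```python
import re
import struct

# Constructed byte image of the UPX stub tail shown in the post:
#   004142C7  61            POPAD
#   004142C8  E9 BE6CFFFF   JMP wrap.0040AF8B
#   004142CD  00            DB 00
STUB_BASE = 0x004142C7
STUB_BYTES = bytes.fromhex("61" "E9BE6CFFFF" "00" "00")


def find_upx_tail_jumps(image: bytes, image_base: int) -> list:
    """Return (jmp_va, oep_va) for every POPAD; JMP rel32 pair in image.

    Technique #1 in the post: the stub restores registers with POPAD (0x61)
    and immediately jumps (0xE9 rel32) to the original entry point. The
    target is relative to the end of the 5-byte JMP, so the bytes alone
    are enough to compute the OEP without stepping into the jump."""
    hits = []
    for m in re.finditer(rb"\x61\xE9(.{4})", image, re.DOTALL):
        rel32 = struct.unpack("<i", m.group(1))[0]   # signed displacement
        jmp_va = image_base + m.start() + 1          # address of the E9
        next_va = jmp_va + 5                         # JMP rel32 is 5 bytes
        hits.append((jmp_va, (next_va + rel32) & 0xFFFFFFFF))
    return hits


# Matches an OllyDbg listing line such as
#   "004142C8 .-E9 BE6CFFFF JMP wrap.0040AF8B"
LISTING_RE = re.compile(
    r"^(?P<va>[0-9A-Fa-f]{8})\s+\S*?E9\s+(?P<rel>[0-9A-Fa-f]{8})"
    r"\s+JMP\s+\S+\.(?P<target>[0-9A-Fa-f]{8})"
)


def oep_from_listing(line: str):
    """Recompute the JMP target from the listed bytes and return
    (computed, shown) so the two can be compared; None if not a JMP line."""
    m = LISTING_RE.match(line.strip())
    if not m:
        return None
    va = int(m["va"], 16)
    rel32 = struct.unpack("<i", bytes.fromhex(m["rel"]))[0]
    computed = (va + 5 + rel32) & 0xFFFFFFFF
    return computed, int(m["target"], 16)


if __name__ == "__main__":
    for jmp_va, oep_va in find_upx_tail_jumps(STUB_BYTES, STUB_BASE):
        print(f"tail JMP at {jmp_va:08X} -> OEP {oep_va:08X}")
```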