eXeL@B —› Software, tools —› PeSpin 1.3
Created: 02 August 2005 12:31 · Private message · #1

cyberbob released this recently, now with nanomites. pespin.w.interia.pl/pespin13.rar

Here is an article on unpacking it:

1. Open the program in Olly.
2. Right-click and Go to -> Expression: WaitForDebugEvent
3. You are here:
   Code:
   7C57FA26 > 55            PUSH EBP
   7C57FA27   8BEC          MOV EBP,ESP          *****SET BP HERE****
   7C57FA29   81EC 9C000000 SUB ESP,9C
   7C57FA2F   53            PUSH EBX
   7C57FA30   56            PUSH ESI
   7C57FA31   57            PUSH EDI
4. Set a BP on the second instruction; it will detect you if you set it on the first one.
5. When you break the first time, look at your registers:
   Code:
   EAX 004142D8 PESpin.004142D8
   ECX 0012FFE0
   EDX 00130608
   EBX 00415696 PESpin.00415696
   ESP 0012FF90 ASCII "Tó"
   EBP 0000F354
   ESI 00415642 PESpin.00415642
   EDI 00415686 PESpin.00415686   ****FOLLOW IN DUMP******
   EIP 7C57FA27 KERNEL32.7C57FA27
6. Select the EDI register and right-click -> Follow in Dump.
7. You will be here in your dump window:
   Code:
   00415686 4C 00 00 00 50 00 00 00 38 01 00 00 BC 05 00 00 L...P...8..¼..
   00415696 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
   004156A6 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
   004156B6 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
   004156C6 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
8. Keep an eye on this area.
9. Press Run to continue program execution.
10. When you break again, your dump window will look something like this:
    Code:
    00415686 4C 00 00 00 50 00 00 00 50 01 00 00 C8 03 00 00 L...P...P..È..
    00415696 03 00 00 00 50 01 00 00 C8 03 00 00 64 00 00 00 ...P..È..d...
    004156A6 60 00 00 00 5C 00 00 00 00 00 40 00 00 00 00 00 `...\.....@.....
    004156B6 00 00 00 00 00 E0 FD 7F D4 20 41 00 00 00 00 00 .....àý.Ô A.....
    004156C6 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ...............
11. Look at this:
    Code:
    004156B6 00 00 00 00 00 E0 FD 7F D4 20 41 00 00 00 00 00 .....àý.Ô A.....
12. D4 20 41 00 => 4120D4... That's interesting: that is the EP for this program.
    (Don't be confused, that is not our OEP.)
13. Press Run a few more times until the address disappears. Your dump window will look like this now:
    Code:
    00415686 4C 00 00 00 50 00 00 00 38 01 00 00 E8 04 00 00 L...P...8..è..
    00415696 01 00 00 00 38 01 00 00 E8 04 00 00 03 00 00 80 ...8..è....€
    004156A6 00 00 00 00 00 00 00 00 3C 19 F9 77 03 00 00 00 ........<ùw...
    004156B6 00 00 00 00 09 00 00 00 00 00 00 00 DC 9C DA B9 ............ܜڹ
14. Press Run one more time and your dump window will now look like this:
    Code:
    00415686 4C 00 00 00 50 00 00 00 38 01 00 00 E8 04 00 00 L...P...8..è..
    00415696 01 00 00 00 38 01 00 00 E8 04 00 00 04 00 00 80 ...8..è....€
    004156A6 00 00 00 00 00 00 00 00 F2 5A 41 00 00 00 00 00 ........òZA.....
    004156B6 01 00 57 7C 30 53 96 FF 00 00 00 40 B8 03 00 00 .W|0S–ÿ...@¸..
15. Look at this line:
    Code:
    004156A6 00 00 00 00 00 00 00 00 F2 5A 41 00 00 00 00 00
16. F2 5A 41 00 => 415AF2
17. An interesting, and valid, address. If you keep pressing Run you will break continuously on this location.
18. Keeping a log of all the addresses, you get this list:
    Code:
    415AF2 412524 4126D0 414DE9 414D62 414905 412A86 401016 41638B
    4098F8 40993E 409992 4099BA 4099C7 4099CD 4099D7 4099DD 4099E7
    4099F1 409C72 409C7D 409CAC 409CE6 409D16 409DB5
19. To verify that some of these may be your nanomites: the instruction PESpin uses to raise an exception and return control to the parent is lea eax,eax, which is 8DC0 in hexadecimal.
20. Run PESpin and open LordPE. You will see 2 instances of PESpin running. Choose the one with the ImageSize of FFFFFFFF.
21. Right-click in LordPE and choose "Correct ImageSize". Then "Dump Full".
22. Open the dumped file with a hex editor and go to the locations on the list. Starting at 4098F8 you will see the 8DC0 bytes.
23. So we find that many of the locations in the list are indeed our nanomite locations.
24. Back in Olly, set HW BP -> on access -> Word on location 004156AE.
25. Restart PESpin and Run until you break.
26. The first times you break are not important. Keep pressing Run until you break in Kernel32.
27. You will be here:
    Code:
    7C57FAF7 8B4D C0 MOV ECX,DWORD PTR SS:[EBP-40]
    7C57FAFA 894B 1C MOV DWORD PTR DS:[EBX+1C],ECX
    7C57FAFD 8B4D C4 MOV ECX,DWORD PTR SS:[EBP-3C]
    7C57FB00 894B 20 MOV DWORD PTR DS:[EBX+20],ECX
    7C57FB03 8B4D CC MOV ECX,DWORD PTR SS:[EBP-34]
    7C57FB06 894B 28 MOV DWORD PTR DS:[EBX+28],ECX
28. Execute till Return, and step into the RETN.
29. You will be here:
    Code:
    00415C6F 0BC0          OR EAX,EAX
    00415C71 0F84 16060000 JE PESpin.0041628D
    00415C77 8B85 42634000 MOV EAX,DWORD PTR SS:[EBP+406342]
    00415C7D 35 C19B54D3   XOR EAX,D3549BC1
    00415C82 3D C29B54D3   CMP EAX,D3549BC2
    00415C87 0F84 D4050000 JE PESpin.00416261
    00415C8D 3D C09B54D3   CMP EAX,D3549BC0
    00415C92 74 50         JE SHORT PESpin.00415CE4
    00415C94 3D C49B54D3   CMP EAX,D3549BC4
    00415C99 0F84 EE050000 JE PESpin.0041628D
    00415C9F 3D C39B54D3   CMP EAX,D3549BC3
    00415CA4 0F84 33050000 JE PESpin.004161DD
    00415CAA 3D C59B54D3   CMP EAX,D3549BC5
    00415CAF 0F84 69050000 JE PESpin.0041621E
    00415CB5 B8 127DB87E   MOV EAX,7EB87D12
30. Which I think is related to the nanomite hashes that Softworm wrote about in his tutorial.
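The memory the post watches at EDI is the buffer WaitForDebugEvent fills in; reading it as a Win32 DEBUG_EVENT (32-bit layout) explains why the EP 4120D4 shows up at step 12 and why the HW breakpoint at step 24 goes on 004156AE. The script below is an added example, not part of the post: it decodes the two dump snapshots transcribed from steps 10 and 14 (the DEBUG_EVENT starts at 00415696, i.e. EDI+0x10, an assumption read off the dump) and also checks a buffer for the 8DC0 marker from step 19.

```python
import struct

# DEBUG_EVENT.dwDebugEventCode values (Win32 constants).
EVENT_NAMES = {1: "EXCEPTION_DEBUG_EVENT", 2: "CREATE_THREAD_DEBUG_EVENT",
               3: "CREATE_PROCESS_DEBUG_EVENT", 4: "EXIT_THREAD_DEBUG_EVENT",
               5: "EXIT_PROCESS_DEBUG_EVENT", 6: "LOAD_DLL_DEBUG_EVENT",
               7: "UNLOAD_DLL_DEBUG_EVENT", 8: "OUTPUT_DEBUG_STRING_EVENT",
               9: "RIP_EVENT"}

DUMP_BASE = 0x415686    # address of the first dump line shown in the post (EDI)
EVENT_ADDR = 0x415696   # where dwDebugEventCode appears in the dump (assumed EDI+0x10)

# Dump snapshots transcribed from steps 10 and 14 of the post (hex bytes only).
SNAP_STEP10 = bytes.fromhex(
    "4C000000 50000000 50010000 C8030000"
    "03000000 50010000 C8030000 64000000"
    "60000000 5C000000 00004000 00000000"
    "00000000 00E0FD7F D4204100 00000000"
    "01000000 00000000 00000000 00000000")
SNAP_STEP14 = bytes.fromhex(
    "4C000000 50000000 38010000 E8040000"
    "01000000 38010000 E8040000 04000080"
    "00000000 00000000 F25A4100 00000000"
    "0100577C 305396FF 00000040 B8030000")

def parse_debug_event(dump, base=DUMP_BASE, event_addr=EVENT_ADDR):
    """Decode the DEBUG_EVENT header and the union member that matters here."""
    off = event_addr - base
    code, pid, tid = struct.unpack_from("<III", dump, off)
    info = {"event": EVENT_NAMES.get(code, hex(code)), "pid": pid, "tid": tid}
    u = off + 12                      # start of the union (CREATE_PROCESS / EXCEPTION info)
    if code == 3:
        # CREATE_PROCESS_DEBUG_INFO: hFile, hProcess, hThread, lpBaseOfImage,
        # dwDebugInfoFileOffset, nDebugInfoSize, lpThreadLocalBase, lpStartAddress
        f = struct.unpack_from("<8I", dump, u)
        info.update(base_of_image=f[3], teb=f[6], start_address=f[7])
    elif code == 1:
        # EXCEPTION_RECORD: ExceptionCode, ExceptionFlags, ExceptionRecord,
        # ExceptionAddress, NumberParameters (ExceptionInformation[] follows)
        exc_code, _flags, _prev, exc_addr, _n = struct.unpack_from("<5I", dump, u)
        info.update(exception_code=exc_code, exception_address=exc_addr,
                    exception_address_field=base + u + 12)  # the word the HW BP watches
    return info

def has_exception_marker(image, offset):
    """True if the bytes at offset are 8D C0 (lea eax,eax), the marker from step 19."""
    return image[offset:offset + 2] == b"\x8d\xc0"

if __name__ == "__main__":
    for snap in (SNAP_STEP10, SNAP_STEP14):
        print({k: hex(v) if isinstance(v, int) else v for k, v in parse_debug_event(snap).items()})
```

The step-10 snapshot decodes as CREATE_PROCESS_DEBUG_EVENT with lpStartAddress 0x4120D4, and the step-14 one as an exception at 0x415AF2 whose ExceptionAddress field sits at 0x4156AE.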
Created: 02 August 2005 14:25 · Private message · #2