PeCompact
amois
Program Type: Packer
Tools: SoftICE, IceDump, PEditor
"...Makes programs harder to reverse engineer." That is what they claim. Is it true?
DHTML Menu Builder v3.2 (http://software.xfx.net)
SoftIce Loader --> dmb.exe --> [map32 dmb]
Owner Obj Name Obj# Address Size Type
DMB pec1 0001 016F:00401000 001FE000 CODE RW
DMB .rsrc 0002 0177:005FF000 00021000 IDATA RW
DMB .pec 0003 016F:00620000 00004000 CODE RW
DMB .rxrc 0004 0177:00624000 00001000 IDATA RW
Check the first section (pec1): it is still packed. --> [d 401000]
0030:00401000 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
...
0030:005FEFF0 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
0030:005FF000 00 00 00 00 89 CC E2 3B-20 00 02 00 01 00 04 00
Try to stop the program once it has unpacked this section, with a memory breakpoint on the last bytes of pec1. --> [bpm 5FEFF0]
0030:005FEFE0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00
0030:005FEFF0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00
0030:005FF000 00 00 00 00 89 CC E2 3B-20 00 02 00 01 00 04 00
Normally, unpacking should be finished when this breaks. But the memory is still 00 00 00: the program has not started unpacking this region yet.
In any case, the real code must be written starting at 401000, so break on that address instead. --> [bc*] --> [bpm 401000]
0030:00401000 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00
0030:00401010 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00
Still no valid code here; let it run again. --> [F5]
0030:00401000 00 AC 10 66 00 00 00 00-00 00 00 00 00 00 00 00
0030:00401010 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00
Yes, the program has started writing the real code. We are now at 621669, right after the STOSD that triggered the breakpoint. This is the unpacking loop:
016F:006215E4 MOV EBX,[ECX]
016F:006215E6 ADD ECX,04
016F:006215E9 OR EBX,EBX
016F:006215EB JZ 0062166E <-- Is Unpacking complete ?
016F:006215F1 MOV EAX,EBX
016F:006215F3 TEST EBX,80000000
016F:006215F9 JZ 00621613
016F:006215FB AND EBX,0000FFFF
016F:00621601 MOV DWORD PTR [EBP+0040973D],00000001
016F:0062160B MOV [EBP+00409735],EBX
016F:00621611 JMP 00621627
016F:00621627 PUSH ECX
016F:00621628 PUSH EDX
016F:00621629 CMP BYTE PTR [EBP+0040977B],C3
016F:00621630 JZ 00621655
016F:00621655 PUSH EBX
016F:00621656 PUSH DWORD PTR [EBP+00409767]
016F:0062165C CALL [EBP+0040974D]
016F:00621662 POP EDX
016F:00621663 POP ECX
016F:00621664 OR EAX,EAX
016F:00621666 JZ 00621670
016F:00621668 STOSD
016F:00621669 JMP 006215E4 <-- Not yet
016F:0062166E CLC <-- Yes, complete
016F:0062166F RET
Put a breakpoint on 62166E, the exit of the loop, and trace from there. --> [bpx 62166E] --> [F10]
016F:0062166E CLC
016F:0062166F RET
016F:00621590 JB 0062159D
016F:00621592 ADD ESI,14
016F:00621595 CMP DWORD PTR [ESI+0C],00
016F:00621599 JNZ 0062158B
016F:0062159B CLC
016F:0062159C RET
016F:006214D6 JAE 00621543
016F:00621543 CMP BYTE PTR [EBP+00409F7B],C3
016F:0062154A JZ 0062156E
016F:0062156E POPAD
016F:0062156F POPFD
016F:00621570 PUSH EAX
016F:00621571 PUSH 004079E4
016F:00621576 RET 0004
016F:004079E4 PUSH 004332A0 <-- OEP
So the OEP is 4079E4. --> DUMP (dump the process with IceDump; the dumped file's entry point then has to be set to RVA 79E4, e.g. with PEditor).
There is an easier way to find the OEP. When the program is loaded by the SoftICE Loader, just look two rows above the current instruction:
SoftIce Loader --> dmb.exe
016F:00620000 JMP 00620008
016F:00620002 PUSH 000079E4 <-- OEP = 400000 + 79E4 = 4079E4
016F:00620007 RET
016F:00620008 PUSHFD <-- we are here
016F:00620009 PUSHAD
016F:0062000A CALL 00620011
Yes, they are right. It is really hard to reverse.
PeCompact v1.67 (latest version) (www.collakesoftware.com)
SoftIce Loader --> pecompact.exe
016F:00425770 JMP 00425778
016F:00425772 PUSH 00025000 <-- OEP = 400000 + 25000 = 425000
016F:00425777 RET
016F:00425778 PUSHFD <-- we are here
016F:00425779 PUSHAD
016F:0042577A CALL 00425781
Notepad.exe (compressed with PeCompact v1.67)
SoftIce Loader --> notepad.exe
0167:0040AC61 PUSH ES
0167:0040AC62 PUSH 000010CC <-- OEP = 400000 + 10CC = 4010CC
0167:0040AC67 RET
0167:0040AC68 PUSHFD <-- we are here
0167:0040AC69 PUSHAD
0167:0040AC6A CALL 0040AC71
Note the first row of this listing: the SoftICE window starts one byte late, at 40AC61, so the 06 displacement byte of the JMP at 40AC60 (EB 06, jumping to 40AC68) is shown as PUSH ES. The stub is the same as in the other two programs.
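All three listings start with the same launcher: JMP +6, PUSH imm32 (the OEP RVA), RET, then PUSHFD/PUSHAD, so the "look two rows up" trick can be done by a script instead of in SoftICE. The Python below is an added example written for this page, not code from amois or from PeCompact's authors. It parses the PE header, locates the entry point through the section table, checks the entry bytes for the EB 06 / 68 imm32 / C3 / 9C 60 pattern and computes ImageBase + imm32. The sample PE it builds is constructed (its section layout borrows the pec1/.pec names from the dmb.exe map above, but it is not a loadable program), and the stub pattern is taken only from the three listings here, so other PeCompact versions may use a different launcher.

```python
import struct

# PeCompact 1.x entry stub as seen in the three listings above:
#   EB 06            JMP  +6        skip the two "launcher" instructions
#   68 xx xx xx xx   PUSH imm32     imm32 = RVA of the original entry point
#   C3               RET
#   9C               PUSHFD         <- execution actually lands here
#   60               PUSHAD
STUB_HEAD = b"\xEB\x06\x68"
STUB_TAIL = b"\xC3\x9C\x60"


def pe_sections(data, pe_off):
    """Yield (name, virtual_size, virtual_address, raw_size, raw_ptr) per section header."""
    num_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 0x14)[0]
    table = pe_off + 0x18 + opt_size
    for i in range(num_sections):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        yield name.rstrip(b"\0").decode("ascii", "replace"), vsize, vaddr, rawsize, rawptr


def section_for_rva(data, pe_off, rva):
    """Return the section tuple containing rva, or None if it maps to no section."""
    for sec in pe_sections(data, pe_off):
        _, vsize, vaddr, rawsize, _ = sec
        if vaddr <= rva < vaddr + max(vsize, rawsize):
            return sec
    return None


def find_pecompact_oep(data):
    """Inspect the entry point of a PE32 image for the PeCompact launcher stub.

    Returns dict(entry_va, oep_rva, oep_va, oep_section), or None when the stub is absent.
    """
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    if struct.unpack_from("<H", data, pe_off + 0x18)[0] != 0x10B:
        raise ValueError("only PE32 images are handled")
    entry_rva = struct.unpack_from("<I", data, pe_off + 0x28)[0]
    image_base = struct.unpack_from("<I", data, pe_off + 0x34)[0]
    entry_sec = section_for_rva(data, pe_off, entry_rva)
    if entry_sec is None:
        raise ValueError("entry point RVA %#x is outside every section" % entry_rva)
    entry_off = entry_sec[4] + (entry_rva - entry_sec[2])
    # Match on the real entry point. A disassembler window that starts one byte
    # late shows the 06 displacement byte as "PUSH ES" (the notepad.exe listing).
    stub = data[entry_off:entry_off + 10]
    if len(stub) < 10 or stub[:3] != STUB_HEAD or stub[7:] != STUB_TAIL:
        return None
    oep_rva = struct.unpack_from("<I", stub, 3)[0]
    oep_sec = section_for_rva(data, pe_off, oep_rva)
    if oep_sec is None:
        return None  # pushed value is not an RVA inside the image: false match
    return {"entry_va": image_base + entry_rva, "oep_rva": oep_rva,
            "oep_va": image_base + oep_rva, "oep_section": oep_sec[0]}


def build_sample_pe(image_base, entry_rva, oep_rva, stub=None):
    """Constructed, minimal PE32 for testing: a large first section 'pec1' and a
    stub section '.pec' (names borrowed from the dmb.exe map). Not a loadable
    program; only the fields the parser reads are filled in."""
    if stub is None:
        stub = STUB_HEAD + struct.pack("<I", oep_rva) + STUB_TAIL
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                             # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x0102)  # i386, 2 sections
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0x00, 0x10B)                            # PE32 magic
    struct.pack_into("<I", opt, 0x10, entry_rva)                        # AddressOfEntryPoint
    struct.pack_into("<I", opt, 0x1C, image_base)                       # ImageBase
    sec_fmt = "<8sIIIIIIHHI"
    pec1 = struct.pack(sec_fmt, b"pec1", entry_rva - 0x1000, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0xE0000020)
    pec = struct.pack(sec_fmt, b".pec", 0x4000, entry_rva, 0x200, 0x400, 0, 0, 0, 0, 0xE0000020)
    headers = (bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + pec1 + pec).ljust(0x200, b"\0")
    return headers + bytes(0x200) + stub.ljust(0x200, b"\0")


if __name__ == "__main__":
    # The three cases from this page, rebuilt as constructed samples.
    for label, base, entry, oep in (("dmb.exe", 0x400000, 0x220000, 0x79E4),
                                    ("pecompact.exe", 0x400000, 0x25770, 0x25000),
                                    ("notepad.exe", 0x400000, 0xAC60, 0x10CC)):
        r = find_pecompact_oep(build_sample_pe(base, entry, oep))
        print("%-14s entry %08X -> OEP %08X" % (label, r["entry_va"], r["oep_va"]))
```

The pushed value is only accepted as the OEP when it maps into a section of the image; a different stub, or a push of something that is not an RVA, returns None rather than a bogus address. On a real dump you would then set the file's entry point to the returned RVA.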
If you earn money with software, please buy the software you use.