Exetools

Exetools (https://forum.exetools.com/index.php)
-   General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)
-   -   PESPIN unpack (https://forum.exetools.com/showthread.php?t=5812)

taos 11-04-2004 15:00
PESPIN unpack
 
Hi!!!
I'm trying to unpack this progg
http://www.planetsquires.com/files/firefly_109.zip
It has 2 exe's, 1 packed with Armadillo (firefly.exe) that makes the "enter key" procedure and if you're in trial mode or enter the right key then launch the another EXE file (ffengine.exe) packed with PESPIN. If you run the second EXE directly it shows a msgbox "must be started using firefly.exe".
I think that it uses getcommandline with a specific string.
I'm trying to unpack the ffengine.EXE packed with PESPIN 0.3-0.4 (PeId info) and forget the first EXE and I'm using 2 methods:
a)Despinner 0.3: When open the packed EXE I get a GPF (XP SP2).
b)PESpin v0.3 Stolen Code Finder Olly script: I don't understand how it works.

anyone knows any tut about MANUAL unpacking PESPIN 0.3-0.4?

Regards

hosiminh 11-04-2004 16:29
Damn i am writting this second time 'coz my comp didn't respond :eek:

Well , let's go :

In Ollydbg select
Debugging option > SFX > Trace real entry bytewise

Pass all exceptions with Shift+F9

Example of OEP with Stolen bytes:
004010CD 0000 ADD BYTE PTR DS:[EAX],AL
004010CF 0000 ADD BYTE PTR DS:[EAX],AL
004010D1 0000 ADD BYTE PTR DS:[EAX],AL
004010D3 0000 ADD BYTE PTR DS:[EAX],AL
004010D5 0000 ADD BYTE PTR DS:[EAX],AL
004010D7 0000 ADD BYTE PTR DS:[EAX],AL
004010D9 0000 ADD BYTE PTR DS:[EAX],AL
004010DB 0000 ADD BYTE PTR DS:[EAX],AL
004010DD 0000 ADD BYTE PTR DS:[EAX],AL
004010DF 75 13 JNZ SHORT NOTEPAD.004010F4 ; Real entry point of SFX code


Ollydbg stops at 004010DF . Those ADD BYTE PTR DS:[EAX],AL are Stolen bytes


I think you can get Original bytes like with Aspr (Trace Esp==Ebp) and fix the OEP of dumped file.

But if there is no Stolen bytes , Ollydbg stops at the OEP :)


IAT fixing:

In Imprec you will have to manually input infos about RVA , Size , 'coz Imprec itseft won't find anything .
Do a Binary Search in Ollydbg for FF25 , right click FOLLOW IN DUMP-MEMORY ADDRESS on any of them and in the dump we have the iat table. Now you only have to find the beginning and finish of the IAT in order to get it's Size ;)

Example of those FF25 :
00404E72 - FF25 14654000 JMP NEAR DWORD PTR DS:[406514] ; COMDLG32.CommDlgExtendedError
00404E78 - FF25 10654000 JMP NEAR DWORD PTR DS:[406510] ; COMDLG32.GetSaveFileNameA
00404E7E - FF25 0C654000 JMP NEAR DWORD PTR DS:[40650C] ; COMDLG32.PageSetupDlgA




I think your target has Stolen bytes ;)

taos 11-04-2004 19:06
thank you for your post.
I will try with your info.


All times are GMT +8. The time now is 02:53.

Powered by vBulletin® Version 3.8.8
Copyright ©2000 - 2026, vBulletin Solutions, Inc.
Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX