Exetools  
#1
11-04-2004, 15:00
taos
PESPIN unpack

Hi!!!
I'm trying to unpack this program:
http://www.planetsquires.com/files/firefly_109.zip
It has 2 EXEs, one packed with Armadillo (firefly.exe) that handles the "enter key" procedure and, if you're in trial mode or enter the right key, then launches the other EXE file (ffengine.exe), packed with PESPIN. If you run the second EXE directly it shows a msgbox "must be started using firefly.exe".
I think that it uses GetCommandLine with a specific string.
I'm trying to unpack the ffengine.EXE packed with PESPIN 0.3-0.4 (PEiD info) and forget the first EXE, and I'm using 2 methods:
a) Despinner 0.3: When opening the packed EXE I get a GPF (XP SP2).
b) PESpin v0.3 Stolen Code Finder Olly script: I don't understand how it works.

Does anyone know any tutorial about MANUAL unpacking of PESPIN 0.3-0.4?

Regards
#2
11-04-2004, 16:29
hosiminh
Damn, I am writing this a second time 'coz my comp didn't respond.

Well, let's go:

In Ollydbg select
Debugging option > SFX > Trace real entry bytewise

Pass all exceptions with Shift+F9

Example of OEP with Stolen bytes:
004010CD 0000 ADD BYTE PTR DS:[EAX],AL
004010CF 0000 ADD BYTE PTR DS:[EAX],AL
004010D1 0000 ADD BYTE PTR DS:[EAX],AL
004010D3 0000 ADD BYTE PTR DS:[EAX],AL
004010D5 0000 ADD BYTE PTR DS:[EAX],AL
004010D7 0000 ADD BYTE PTR DS:[EAX],AL
004010D9 0000 ADD BYTE PTR DS:[EAX],AL
004010DB 0000 ADD BYTE PTR DS:[EAX],AL
004010DD 0000 ADD BYTE PTR DS:[EAX],AL
004010DF 75 13 JNZ SHORT NOTEPAD.004010F4 ; Real entry point of SFX code


OllyDbg stops at 004010DF. Those ADD BYTE PTR DS:[EAX],AL are stolen bytes.

I think you can get the original bytes like with ASPr (trace Esp==Ebp) and fix the OEP of the dumped file.

But if there are no stolen bytes, OllyDbg stops at the OEP.


IAT fixing:

In ImpREC you will have to manually input the info about RVA and Size, 'coz ImpREC itself won't find anything.
Do a Binary Search in OllyDbg for FF25, right click FOLLOW IN DUMP - MEMORY ADDRESS on any of them, and in the dump we have the IAT table. Now you only have to find the beginning and end of the IAT in order to get its size.

Example of those FF25:
00404E72 - FF25 14654000 JMP NEAR DWORD PTR DS:[406514] ; COMDLG32.CommDlgExtendedError
00404E78 - FF25 10654000 JMP NEAR DWORD PTR DS:[406510] ; COMDLG32.GetSaveFileNameA
00404E7E - FF25 0C654000 JMP NEAR DWORD PTR DS:[40650C] ; COMDLG32.PageSetupDlgA

I think your target has stolen bytes.

Last edited by hosiminh; 11-04-2004 at 16:36.
#3
11-04-2004, 19:06
taos
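The IAT-bounds step hosiminh describes (search the code section for FF25 thunks, follow one into the dump, then find the first and last slot to get the RVA and Size that ImpREC wants typed in by hand) can be done with a small script instead of by eye. The following Python is an added example, not code from the thread or from any of the tools mentioned; it goes a little beyond the post by rejecting FF25 byte pairs whose operand is not a DWORD-aligned address inside the image and by refusing to report a table when the hit slots are not contiguous. The sample bytes are constructed inline from the three thunks quoted above, with an assumed image base of 0x00400000, an assumed SizeOfImage of 0x10000, and the thunks placed at 0x00404E72 as in the post.

```python
import struct
from typing import List, Tuple

# Constructed sample (not bytes from the thread's target): the three JMP thunks
# quoted in the post, laid out as they would sit in memory starting at
# 0x00404E70, padded with unrelated bytes.  The trailing FF25 has an operand
# outside the image and must be rejected as a false positive.
IMAGE_BASE = 0x00400000          # assumed image base of the dumped file
IMAGE_SIZE = 0x00010000          # assumed SizeOfImage
SAMPLE_VA = 0x00404E70           # VA of SAMPLE[0]
SAMPLE = bytes.fromhex(
    "9090"                       # two NOPs of padding
    "FF2514654000"               # 00404E72  JMP DWORD PTR [406514] ; CommDlgExtendedError
    "FF2510654000"               # 00404E78  JMP DWORD PTR [406510] ; GetSaveFileNameA
    "FF250C654000"               # 00404E7E  JMP DWORD PTR [40650C] ; PageSetupDlgA
    "C3FF25FFFFFF7F"             # RET, then an FF25 whose operand is outside the image
)


def find_jmp_thunks(code: bytes, code_va: int,
                    image_base: int, image_size: int) -> List[Tuple[int, int]]:
    """Return (thunk_va, iat_slot_va) for every FF 25 <abs32> whose operand is a
    DWORD-aligned address inside the image.  A stray FF 25 inside data or an
    immediate is skipped because its operand fails the range/alignment check."""
    found = []
    i = 0
    while i + 6 <= len(code):
        if code[i] == 0xFF and code[i + 1] == 0x25:
            slot = struct.unpack_from("<I", code, i + 2)[0]
            if slot % 4 == 0 and image_base <= slot < image_base + image_size:
                found.append((code_va + i, slot))
                i += 6              # step over the whole 6-byte instruction
                continue
        i += 1
    return found


def iat_bounds(slots: List[int], image_base: int, max_gap: int = 0x40) -> Tuple[int, int]:
    """Turn the IAT slot addresses hit by the thunks into ImpREC's (RVA, Size).
    The table runs from the lowest slot through the end of the highest one.  A
    gap larger than max_gap between neighbouring slots means the hits do not
    belong to one table (e.g. a false-positive FF25), so refuse rather than guess."""
    if not slots:
        raise ValueError("no thunks found")
    ordered = sorted(set(slots))
    for lo, hi in zip(ordered, ordered[1:]):
        if hi - lo > max_gap:
            raise ValueError(f"gap of {hi - lo:#x} between {lo:#x} and {hi:#x}")
    start, end = ordered[0], ordered[-1] + 4
    return start - image_base, end - start


def imprec_params(code: bytes, code_va: int,
                  image_base: int, image_size: int) -> Tuple[int, int]:
    """Scan a code section and return (IAT RVA, IAT Size) ready to type into ImpREC."""
    thunks = find_jmp_thunks(code, code_va, image_base, image_size)
    return iat_bounds([slot for _, slot in thunks], image_base)


if __name__ == "__main__":
    for thunk_va, slot in find_jmp_thunks(SAMPLE, SAMPLE_VA, IMAGE_BASE, IMAGE_SIZE):
        print(f"{thunk_va:08X}  JMP DWORD PTR [{slot:08X}]")
    rva, size = imprec_params(SAMPLE, SAMPLE_VA, IMAGE_BASE, IMAGE_SIZE)
    print(f"ImpREC: IAT RVA={rva:08X}  Size={size:08X}")
```

Run it against a code section read out of the dumped file (or copied from OllyDbg's dump window) with the section's real VA, image base and SizeOfImage. The result for the sample is RVA 0x650C and Size 0xC, i.e. the three slots 0x40650C-0x406514; a real target has far more thunks and the same min/max logic applies. The 0x40 gap limit is an assumption: an IAT with several DLL blocks separated by null terminators stays under it, while a hit that lands in a different section does not, and the script then stops instead of reporting a table that spans half the image.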
Thank you for your post.
I will try with your info.