
A General Method for Manually Unpacking PEtite with OllyDBG

chenmy | #10 | Posted: 2007-05-16
There is also the skin file: http://www.medsoview.com/han/外观.rar
(it is actually a DLL file)
I am Chinese, and Chinese is what I love most!
cao_cong | #11 | Posted: 2007-05-17
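The attachment contains the unpacked main program plus all the skins. I can only do this job once; there is too much stuff and it is too tiring. My brain has gone numb from all the unpacking.

Attachment: xmplay34.rar (1017 K), downloaded 14 times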
chenmy | #12 | Posted: 2007-05-18
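QUOTE (cao_cong @ 2007-05-17 15:45)
The attachment contains the unpacked main program plus all the skins. I can only do this job once; there is too much stuff and it is too tiring. My brain has gone numb from all the unpacking.

Thank you so much, cao_cong!
(I will never dare ask you to unpack skin files again.)

The files cao_cong unpacked are small in size and do not produce errors!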
tracky | #13 | Posted: 2007-06-01
QUOTE

unpetite 0.2b

Unpacker for Petite 2.1 and 2.2 coded by mirz .

What's new in version 0.2b:

- I corrected verification of signature ( now it should work fine )
    ; ? = 2 bytes
    ;[PEtite v2.1=B8????6A?68????64FF35????648925????669C6050]
    ;[PEtite v2.2=B8????68????64FF35????648925????669C6050]
- I corrected reconstruction of import symbols ( Now it rebuilds such functions as LeaveCriticalSection etc. )
- unpack dll
- new dialog box
- manifest.xml is from MSDN library.

I tested it on several programs packed by me.

How unpetite 0.2b works:
(files *.exe)
1. run program
2. It stops on access violation
3. then it searches for the jump to OEP
4. rebuild import symbols
5. dump and save file as unpacked.exe

(files *.dll)
1. ntdll.KiUserException is patched
2. loading of dll
3. It stops on access violation
4. then it searches for the jump to OEP and reconstructs ntdll.KiUserException
5. rebuild import symbols
6. dump and save file as unpacked.dll

Send all notes, problems and errors to the e-mail address mirz@o2.pl .
Don't forget that the program can still have some errors :)

Some programs which were used for tests:

- xmplay (thx bart)
- Cruehead Crackme1
- hexedit Geoffrey Prewett
- Lit 1.21 Marek Szykuła
- RegCleaner4.3 by Juoni Vuorio
- CloneCD 5.2.6.1
- Winamp 5.08d
- WinIso v5.3
- WinRar 3.42
╭∩╮(︶︿︶)╭∩╮
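
The two entry-point signatures quoted in the readme above can be used to check statically whether a file carries a PEtite 2.1 or 2.2 stub before any unpacking is attempted. This is an added example, not code from unpetite or from any poster in this thread; it assumes each `?` stands for one wildcard byte and a PE32 header layout, and the function names and the sample file are constructed for illustration.

```python
import re
import struct

# Signatures exactly as quoted in the unpetite 0.2b readme above.
# Assumption: each '?' is one wildcard byte; everything else is a hex pair.
SIGNATURES = {
    "PEtite v2.1": "B8????6A?68????64FF35????648925????669C6050",
    "PEtite v2.2": "B8????68????64FF35????648925????669C6050",
}

def compile_signature(sig):
    """Translate the readme's notation into a bytes regex."""
    tokens = re.findall(r"\?|[0-9A-Fa-f]{2}", sig)
    body = b"".join(b"." if t == "?" else re.escape(bytes.fromhex(t)) for t in tokens)
    return re.compile(body, re.DOTALL)  # DOTALL so a wildcard also matches 0x0A

def entry_point_offset(pe):
    """Map AddressOfEntryPoint (an RVA) to a file offset via the section table."""
    nt = struct.unpack_from("<I", pe, 0x3C)[0] if pe[:2] == b"MZ" else -1
    if nt < 0 or pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec, opt_size = struct.unpack_from("<H12xH", pe, nt + 6)
    ep_rva, = struct.unpack_from("<I", pe, nt + 24 + 16)
    for k in range(nsec):
        vsize, va, rsize, raw = struct.unpack_from("<IIII", pe, nt + 24 + opt_size + 40 * k + 8)
        if va <= ep_rva < va + max(vsize, rsize):
            return raw + ep_rva - va
    raise ValueError("entry point is outside every section")

def identify(pe):
    """Return the matching signature name, or None if the entry stub differs."""
    ep = entry_point_offset(pe)
    for name, sig in SIGNATURES.items():
        if compile_signature(sig).match(pe, ep):
            return name
    return None

def sample_pe(stub):
    """Constructed test input: minimal PE32 headers, one section holding `stub`."""
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, 0x1000).ljust(0xE0, b"\0")
    sect = b".text\0\0\0" + struct.pack("<IIII", 0x200, 0x1000, 0x200, 0x200) + b"\0" * 16
    return (dos + coff + opt + sect).ljust(0x200, b"\0") + stub.ljust(0x200, b"\0")

if __name__ == "__main__":
    # Constructed stub shaped like the v2.2 pattern; operand bytes are arbitrary.
    stub = bytes.fromhex("B800104000 6811223344 64FF3500000000 64892500000000 669C6050")
    print(identify(sample_pe(stub)))
```

A match only says the bytes at the entry point look like the quoted pattern; a file whose stub has been modified will return None even if it is packed.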