Remove the pebundle three hundred-3.x-> Jeremy collake shell from Tang poetry 1.2 and extract mid data

[Author] jivi (Qiao Wei)
[Tools] peid 0.94, ollydbg (ollyice), exists, 010 Editor
[J platform] WINXP
[Software name] Tang poetry three hundred first 1.2
[Software Overview] You can see the name.

Two days ago, I went to PPStream to see "xiaomaotianguan". There was a constant piece of music in the past few episodes. It felt quite good and familiar. I thought about the background music of a software that I used a long time ago. This software is our target today: Three hundred Tang Poems (version 1.2, the background music of the new version has been changed ). At that time, I wanted to listen to this song, but I didn't know what the name was. So Baidu, one of them replied that it was a high-altitude stream. I tried it again and couldn't match the number. After searching for a long time, it was fruitless. Later, I thought about the background music of the software, which naturally exists in the software. Fortunately, this software is still relatively easy to use and can be decompressed, in the decompressed folder, we can see that there are a total of six files, one EXE and one Sr. pros Sr. EDT ts. s ts. four EDT files, plus a Help file, it seems that this background music (in mid format) is mostly embedded into the main program. In this case, only/

Okay. The extraction process starts below.
First, check the shell, because no matter whether it is a compressed shell or an encrypted shell, you cannot see the original mid data, and cannot directly extract it. Of course, we hope it is not shelled. But the fact is often unsatisfactory. The result of peid shell query is:
Pebundle 0.2-3.x-> Jeremy collake
Fortunately, this is not a shell. Use the ESP Law (if you do not understand the ESP law, search for it by yourself ).
Od loading (ignore all exceptions) comes here
004a6000> 9C pushfd
004a6001 60 pushad
004a6002 E8 02000000 call 004a6009
004a6007 33c0 XOR eax, eax
004a6009 8bc4 mov eax, ESP
004a600b 83c0 04 add eax, 4
004a600e 93 xchg eax, EBX
004a600f 8be3 mov ESP, EBX
004a6011 8b5b FC mov EBX, dword ptr [ebx-4]
004a6014 81eb 07304000 sub EBX, 00403007
004a601a 87dd xchg EBP, EBX
004a601c 80bd dd3b4000 0> CMP byte PTR [EBP + 403bdd], 0
004a6023 74 21 je short 004a6046
004a6025 8d85 d6384000 Lea eax, dword ptr [EBP + 4038d6]
004a602b 50 push eax
004a602c ff95 b2384000 call dword ptr [EBP + 4038b2]
004a6032 8d8d 2c3a4000 Lea ECx, dword ptr [EBP + 403a2c]
004a6038 51 push ECx
004a6039 50 push eax
004a603a ff95 a2384000 call dword ptr [EBP + 4038a2]
004a6040 8985 3c3a4000 mov dword ptr [EBP + 403a3c], eax
004a6046 8dbd 703e4000 Lea EDI, dword ptr [EBP + 403e70]
004a604c 33c0 XOR eax, eax

It starts with two typical pushfd pushad shell processing modes for protecting the site

Hardware
Enter HW 0012ffc0 in command (why do you need to follow this, and you will know the principle of ESP law) and press Enter.
F9 is disconnected from pushad. Continue to F9 here.
004a6376 C3 retn
004a6377 C8 000000 enter 0, 0
004a637b 57 push EDI
004a637c 56 push ESI
004a637d 8b75 08 mov ESI, dword ptr [EBP + 8]
004a6380 8b7d 0C mov EDI, dword ptr [EBP + C]
004a6383 8a06 mov Al, byte PTR [esi]
004a6385 3C 61 CMP Al, 61
004a6387 72 06 JB short 004a638f
004a6389 3C 7A CMP Al, 7A
004a638b 77 02 ja short 004a638f
004a638d 04 E0 add Al, 0e0
004a638f 8a27 mov ah, byte PTR [EDI]
004a6391 80fc 61 CMP ah, 61
004a6394 72 08 JB short 004a639e
004a6396 80fc 7A CMP ah, 7A
004a6399 77 03 ja short 004a639e
004a639b 80c4 E0 add ah, 0e0
004a639e 46 Inc ESI
004a639f 47 Inc EDI

Continue F9
00496001 60 pushad
00496002 E8 02000000 call 00496009
00496007 33c0 XOR eax, eax
00496009 8bc4 mov eax, ESP
0049600b 83c0 04 add eax, 4
0049600e 93 xchg eax, EBX
0049600f 8be3 mov ESP, EBX
00496011 8b5b FC mov EBX, dword ptr [ebx-4]
00496014 81eb 07304000 sub EBX, 00403007
0049601a 87dd xchg EBP, EBX
0049601c 80bd dd3b4000 0> CMP byte PTR [EBP + 403bdd], 0
00496023 74 21 je short 00496046
00496025 8d85 d6384000 Lea eax, dword ptr [EBP + 4038d6]
0049602b 50 push eax
0049602c ff95 b2384000 call dword ptr [EBP + 4038b2]
00496032 8d8d 2c3a4000 Lea ECx, dword ptr [EBP + 403a2c]
00496038 51 push ECx
00496039 50 push eax

Continue F9
00496376 C3 retn
00496377 C8 000000 enter 0, 0
0049637b 57 push EDI
0049637c 56 push ESI
0049637d 8b75 08 mov ESI, dword ptr [EBP + 8]
00496380 8b7d 0C mov EDI, dword ptr [EBP + C]
00496383 8a06 mov Al, byte PTR [esi]
00496385 3C 61 CMP Al, 61
00496387 72 06 JB short 0049638f
00496389 3C 7A CMP Al, 7A
0049638b 77 02 ja short 0049638f
0049638d 04 E0 add Al, 0e0
0049638f 8a27 mov ah, byte PTR [EDI]
00496391 80fc 61 CMP ah, 61
00496394 72 08 JB short 0049639e
00496396 80fc 7A CMP ah, 7A
00496399 77 03 ja short 0049639e
0049639b 80c4 E0 add ah, 0e0
0049639e 46 Inc ESI
0049639f 47 Inc EDI
004963a0 837d 10 01 cmp dword ptr [EBP + 10], 1

Continue F9
0042c009 60 pushad
0042c00a E8 02000000 call 0042c011
0042c00f 33c0 XOR eax, eax
0042c011 8bc4 mov eax, ESP
0042c013 83c0 04 add eax, 4
0042c016 93 xchg eax, EBX
0042c017 8be3 mov ESP, EBX
0042c019 8b5b FC mov EBX, dword ptr [ebx-4]
0042c01c 81eb 3f904000 sub EBX, 0040903f
0042c022 87dd xchg EBP, EBX
0042c024 8b85 e6904000 mov eax, dword ptr [EBP + 4090e6]
0042c02a 0185 33904000 add dword ptr [EBP + 409033], eax
0042c030 66: c785 3090400> mov word PTR [EBP + 409030], 9090
0042c039 0185 da904000 add dword ptr [EBP + 4090da], eax
0042c03f 0185 de904000 add dword ptr [EBP + 4090de], eax
0042c045 0185 e2904000 add dword ptr [EBP + 4090e2], eax
0042c04b BB 7b110000 mov EBX, 117b
0042c050 039d ea904000 add EBX, dword ptr [EBP + 4090ea]
0042c056 039d e6904000 add EBX, dword ptr [EBP + 4090e6]
0042c05c 53 push EBX
0042c05d 8bc3 mov eax, EBX
0042c05f 8bfb mov EDI, EBX
0042c061 2D ac904000 sub eax, 004090ac

Continue F9
0042d551 68 6b134000 push 0040136b
0042d556 C2 0400 retn 4
0042d559 8bb5 5b974000 mov ESI, dword ptr [EBP + 40975b]
0042d55f 0bf6 or ESI, ESI
0042d561 74 18 je short 0042d57b
0042d563 8b95 e6904000 mov edX, dword ptr [EBP + 4090e6]
0042d569 03f2 add ESI, EDX
0042d56b E8 0f000000 call 0042d57f
0042d570 72 0b JB short 0042d57d
0042d572 83c6 14 add ESI, 14
0042d575 837e 0C 00 cmp dword ptr [ESI + C], 0
0042d579 ^ 75 F0 jnz short 0042d56b
0042d57b F8 CLC
0042d57c C3 retn
0042d57d F9 STC
0042d57e C3 retn
0042d57f c785 31974000 0> mov dword ptr [EBP + 409731], 0
0042d589 8b0e mov ECx, dword ptr [esi]
0042d58b 8b7e 10 mov EDI, dword ptr [ESI + 10]
0042d58e 0bc9 or ECX, ECx
0042d590 75 02 jnz short 0042d594
0042d592 8bcf mov ECx, EDI

Continue F9
0040136c 8B dB 8b
0040136d EC Db EC
0040136e 6a dB 6a; char 'J'
0040136f FF dB FF
00401370 68 dB 68; char 'H'
00401371 B0 dB B0
00401372 40 dB 40; char '@'
00401373 40 dB 40; char '@'
00401374 00 dB 00
00401375 68 dB 68; char 'H'
00401376 A0 dB A0
00401377 1E dB 1e
00401378 40 dB 40; char '@'
00401379 00 dB 00
0040137a 64 dB 64; char 'd'
0040137b A1 dB A1
0040137c 00 dB 00
0040137d 00 dB 00
0040137e 00 dB 00
0040137f 00 dB 00
00401380 50 dB 50; char 'P'
00401381 64 dB 64; char 'd'
00401382 89 dB 89
00401383 25 dB 25; char '%'

Here, we start to look at the data window, which has already appeared clearly. It should be the next instruction of OEP, but since it is the next instruction of OEP, of course it should be code, but looking at the above pile of things, it is clearly data, and the obvious software author uses the instructions here.
Remove the spending command. Right-click the OD code window and choose "Remove the spending command" and click "obsidium ".
Prompt to remove a flower command, then look at the code window. This is the case.
0040136c 8bec mov EBP, ESP
0040136e 6a FF push-1
00401370 68 b0404000 push 004040b0
00401375 68 a01e4000 push 00401ea0
0040137a 64: A1 0000000> mov eax, dword ptr fs: [0]
00401380 50 push eax
00401381 64: 8925 00000> mov dword ptr fs: [0], ESP
00401388 83ec 58 sub ESP, 58
0040138b 53 push EBX
0040138c 56 push ESI
0040138d 57 push EDI
0040138e 8965 E8 mov dword ptr [ebp-18], ESP
00401391 ff15 30404000 call dword ptr [404030]; kernel32.getversion
00401397 33d2 XOR edX, EDX
00401399 8ad4 mov DL, ah
0040139b 8915 d4554000 mov dword ptr [4055d4], EDX
004013a1 8bc8 mov ECx, eax
004013a3 81e1 ff000000 and ECx, 0ff
004013a9 890d d0554000 mov dword ptr [4055d0], ECx
004013af c1e1 08 SHL ECx, 8
004013b2 03ca add ECx, EDX
004013b4 890d cc554000 mov dword ptr [4055cc], ECx

It seems that the second sentence of OEP is no doubt.
Then the OEP is actually 136b (disconnected at 0040136c. Check the address of the first line of the code above. Then, of course, the OEP is his last command minus the base address (00400000), that is, 136b).
After confirming the OEP, the next step is dump. Od has a plug-in to dump. Lordpe + importrec will not be used here.
Select plug-in-ollydump-dump debugged process and fill in 136b in the Modify column of the pop-up form (when you open the plug-in, it is your current disconnected location by default, that is, 136c, you need to modify) Click dump and enter a name to save it. In this example, aaa.exe is entered. This file is stored in the directory of the original program. peid=aaa.exe is used here. vc6.0 has changed. It seems that the shell has been taken off and runs properly. This step is complete.

After shelling, the next step is to extract data. Data Extraction, especially resource files, is indispensable. Use exescopeto open aaa.exe. Expand resource-> RC data-> 200, and then the hexadecimal and ansicc data appear on the right. Click File> export. Select a folder and select a text file. Here, select the desktop and the file name is AAA. RC. In addition to rcdata, the resource in this file is the icon, and the Mid is basically highly likely in the RC data. But be sure. With the hexadecimal editing tool, 010 Editor opens AAA. Rc. (Of course, it doesn't matter if you prefer ultraeditor. (I was going to check what rcdata reader is available on the Internet, but I did not find it for a long time, so I had to manually extract the mid file from the RC data.
Before extraction, you must understand the mid file format.

Each mid file starts with the following content. Their hexadecimal code is: "4D 54 68 64 00 00 00 06 ff nn dd ".
The first four ASCII characters, "mthd", are used to identify whether the mid file is used. The next four bytes indicate the number of bytes in the description part of the file header. The Mid File Header occupies 6 bytes, so here it must be "00 00 00 06". The following is the meaning of the remaining part (File Header ).
FF: the specified mid format 00 00 indicates that a single audio track 00 01 multiple audio tracks are synchronized 00 02 Multiple audio tracks are not synchronized
Nn indicates the number of mid tracks
Dd specifies the tick value of a quartile to control the rhythm.
The above is the mid file header. The data zone is followed by the file header.
Mid data is composed of several sub-data in the same format. These Sub-data records all information of a single track in the format of multiple audio tracks. Simply append the data to the back of the previous audio track, but do not forget to change the NN (number of tracks) in the file header ).

Audio tracks start with "4D 54 72 6B". It is actually an ASCII character "mtrk", followed by a four-byte integer, which indicates the number of bytes of the track, this does not include the first 4 bytes and the first 4 bytes.
Okay, I know the above knowledge. Other formats are useless for mid extraction. I will not introduce them here.
We can see from the above introduction. The mid file starts with "mthd. In this case, we just opened aaa.exe and searched for "MSPs". Note that the case sensitivity is correct. Found one. At 13f3a, we can see that the four bytes are exactly 00 00 06, And the next two bytes are taken according to the previous introduction. This refers to a single track, the next two bytes 00 01 indicate that there is only one orbit. The next two bytes 00 61 refer to the tick value (rhythm) of the four-note notes. The header file is complete and then enters the data area to see whether the first four bytes are mtrk. because it is a single track, only this mtrk will appear. we only need to extract the first part of the Mid and the data of this audio track. To extract audio track data, you have to continue reading the data just now. After mtrk is 00 00 17 80, we can see from the previous introduction that this value indicates the data volume of the audio track, that is, 1780 (hexadecimal) starting after the four bytes) bytes are the audio track data. So we can calculate the position of the end of the audio track data area (that is, the end of the MID, because the mid only has one audio track. The first position after these four bytes is 13f50, so 13f50 + 1780 = 156d0
Then the data of this mid file is naturally from 13f3a to 156d0. In the editor, select this area Ctrl + C. Click file-> Create and paste the file, and press Ctrl + S to save it as AAA. Mid. the AAA. Mid music has been opened. All work is done here