PEiD and unpacking a PECompact shell: zero-basics practice

Source: Internet
Author: User

Recently I sent everyone the PEiD packer-detection tool. Newcomers may not know what it is.

Let's take a look at how it is used.

PEiD is currently the most popular packer-detection tool. A "shell" (packer) is a layer of "armour" wrapped around a program. Packers divide into two kinds: compression packers and protective packers.

A protective packer stops the program from being opened directly in a decompiler and obfuscates it.
A compression packer shrinks the original file; the original program is only expanded in memory when it runs, so it also hides the original code from a static look.

There are many kinds of packers; common ones include UPX and ASPack.

A packer can of course be added, and it can also be removed ("unpacked"). Haha.

Enough talk. Next I use PEiD to show how to identify the packer, remove it, and restore the program to its original form.


Sometimes, when we try to decompile a program, we see the following prompt:

The tool reports "corrupted resources (may be a compressed or encrypted file)".

Programs like this are almost always packed.

The demo program here is PEiD itself (it happens to be packed, so I use it for the demonstration. Haha).

First, open the PEiD packer-detection tool:

Then drag the program (here, PEiD) onto it to scan it. The following result is displayed:

It does not tell you which compiler or language the program was written with; obviously the program is packed.
Look at the area marked by the red arrow: the packer type is shown directly as "PECompact 2.x -> Jeremy Collake".
That is, the program was packed with PECompact version 2.x.

This packer is a compression packer. How do we remove it? Simply use an unpacker for the matching packer type.

Here we use the PECompact 2.x unpacker.
The one I use is the PECompact 2.x-3.x unpacker; open the tool:


Browse to select the program to unpack. Here I use the PEiD demo: browse to the file, or drag it directly into the tool:

Then choose "Unpack":

We then find that a new file is created in the directory of the program we unpacked:

The file with "unpacked" in its name below is the original program recovered by unpacking. It runs normally:

Open PEiD, scan the unpacked program, and look at the result:

The scan result now reads "Microsoft Visual C++ 7.0".

OK, this shows that unpacking succeeded! Haha.

Also compare the size of the original program with the unpacked program: they differ a lot. That is typical of a compression packer.
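As an added example (not the page's own material and not PEiD's code), here is a small Python scanner that does what the two PEiD checks above do: it reads the PE headers, finds the entry point, matches PEiD-style entry-point signatures against the bytes there, and flags sections whose virtual size is much larger than their on-disk size, which is the compression packer's footprint that the size difference after unpacking reflects. The two signature strings are written from memory of the UPX and PECompact 2.x entry stubs and are an assumption to compare against your own userdb.txt; the three sample images are constructed inside the script, not real executables.

```python
import struct

# PEiD userdb style: hex bytes expected at the entry point, "??" is a wildcard.
# Both strings are written from memory of the familiar UPX and PECompact 2.x entry
# stubs; they are an assumption of this example, so check them against your userdb.txt.
SIGNATURES = {
    "UPX 0.89.6 - 1.02 / 1.05 - 2.90 -> Markus & Laszlo":
        "60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF",
    "PECompact 2.x -> Jeremy Collake":
        "B8 ?? ?? ?? ?? 50 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 33 C0 89 08 50 45 43 32",
}


def parse_pe(data):
    """Return (entry_rva, sections) from a PE32 file image; ValueError if it is not one."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]              # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe + 4
    nsec = struct.unpack_from("<H", data, coff + 2)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]   # SizeOfOptionalHeader
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint
    sections = []
    for i in range(nsec):
        off = opt + opt_size + 40 * i                          # 40-byte section headers
        name = data[off:off + 8].rstrip(b"\0").decode("latin-1")
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append({"name": name, "vsize": vsize, "vaddr": vaddr,
                         "rawsize": rawsize, "rawptr": rawptr})
    return entry_rva, sections


def rva_to_offset(rva, sections):
    """Map an RVA to a file offset through the section that contains it."""
    for s in sections:
        if s["vaddr"] <= rva < s["vaddr"] + max(s["vsize"], s["rawsize"]):
            return rva - s["vaddr"] + s["rawptr"], s
    raise ValueError("RVA 0x%X lies outside every section" % rva)


def matches(signature, blob):
    parts = signature.split()
    return len(blob) >= len(parts) and all(p == "??" or int(p, 16) == b for p, b in zip(parts, blob))


def scan(data):
    """PEiD-style check: which signature sits at the entry point, and which sections look packed."""
    entry_rva, sections = parse_pe(data)
    ep_off, ep_sec = rva_to_offset(entry_rva, sections)
    hits = [name for name, sig in SIGNATURES.items() if matches(sig, data[ep_off:ep_off + 64])]
    # A compression packer keeps little on disk and expands into a much larger region in memory,
    # so a section whose VirtualSize dwarfs its SizeOfRawData is the classic hint.
    packed = [s["name"] for s in sections if s["vsize"] > 4 * s["rawsize"]]
    return {"entry_section": ep_sec["name"], "signatures": hits, "packed_sections": packed}


def _align(n, a):
    return (n + a - 1) // a * a


def build_sample_pe(entry_stub, spec, entry_section):
    """Constructed test input: a minimal PE32 image with no real code. spec lists
    (name, VirtualSize, SizeOfRawData); entry_stub is placed at the start of entry_section."""
    FILE_ALIGN, SECT_ALIGN, OPT_SIZE = 0x200, 0x1000, 0xE0
    hdr_size = _align(0x40 + 4 + 20 + OPT_SIZE + 40 * len(spec), FILE_ALIGN)
    sec_hdrs, bodies, vaddr, rawptr, entry_rva = b"", b"", SECT_ALIGN, hdr_size, 0
    for name, vsize, rawsize in spec:
        body = bytearray(rawsize)
        if name == entry_section:
            body[:len(entry_stub)] = entry_stub
            entry_rva = vaddr
        sec_hdrs += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), vsize, vaddr,
                                rawsize, rawptr if rawsize else 0, 0, 0, 0, 0, 0x60000020)
        bodies += bytes(body)
        vaddr += _align(max(vsize, rawsize), SECT_ALIGN)
        rawptr += rawsize
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                        # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(spec), 0, 0, 0, OPT_SIZE, 0x102)
    opt = bytearray(OPT_SIZE)
    struct.pack_into("<H", opt, 0, 0x10B)                           # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)                      # AddressOfEntryPoint
    struct.pack_into("<III", opt, 28, 0x400000, SECT_ALIGN, FILE_ALIGN)
    struct.pack_into("<II", opt, 56, vaddr, hdr_size)               # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)                             # NumberOfRvaAndSizes
    return bytes((dos + b"PE\0\0" + coff + opt + sec_hdrs).ljust(hdr_size, b"\0") + bodies)


# Constructed samples, not real binaries: the entry bytes are concrete fillings of the two
# signatures above, plus a plain image with an arbitrary non-packer prologue for the "after" case.
SAMPLE_UPX = build_sample_pe(
    bytes.fromhex("60" "BE00904000" "8DBE0080FFFF" "57" "83CDFF"),
    [("UPX0", 0x8000, 0), ("UPX1", 0x2000, 0x400), (".rsrc", 0x400, 0x400)], "UPX1")
SAMPLE_PECOMPACT = build_sample_pe(
    bytes.fromhex("B800104000" "50" "64FF3500000000" "64892500000000" "33C0" "8908" "50454332"),
    [(".text", 0x9000, 0x600), (".rsrc", 0x400, 0x400)], ".text")
SAMPLE_PLAIN = build_sample_pe(
    bytes.fromhex("6A60" "6800204000" "E800000000"),
    [(".text", 0x5000, 0x5000), (".rdata", 0x1000, 0x1000), (".data", 0x800, 0x400), (".rsrc", 0x400, 0x400)], ".text")

if __name__ == "__main__":
    for label, image in (("UPX", SAMPLE_UPX), ("PECompact", SAMPLE_PECOMPACT), ("plain", SAMPLE_PLAIN)):
        print(label, len(image), "bytes:", scan(image))
```

Run it on a real file with `scan(open(path, "rb").read())`. The entry-point match is what PEiD's normal scan does; the VirtualSize versus SizeOfRawData check is the same thing the page observes by hand when it compares the file size before and after unpacking, and it keeps working when a packer's stub has been edited so that no signature matches.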

The tools used in this tutorial can be found in the software download section of my little site, "solitary film technology".

This tool is very easy to use. When I have some time I will record a manual unpacking video tutorial. This tutorial has no real technical depth, but I hope you like it; it is an encouragement. Haha.

If you do not understand the tool or need it, leave a message.
