Home > Cloud Computing > Cloud Security

Simple search method for PECompact OEP

Source: Internet
Author: User
Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more >

========================================================== ======

This method is used in PECompactV1.71, V1.76, and V1.82.

For more information, see the following example.

========================================================== ======

This is the compressed result of 98's calc.exe using PECompact1.82.

010153A0> EB 06 jmp short CALC.010153A8 <= The First Command

010153A2 68 e01_100 PUSH 119E0 <===== this is the RVA address of the program's original OEP

010153A7 C3 RETN

010153A8 9C PUSHFD

010153A9 60 PUSHAD

010153AA E8 02000000 CALL CALC.010153B1

========================================================== ======

========================================================== ======

This is the compressed result of 98's notepad.exe using PECompact1.82.

0040AB20> EB 06 jmp short NOTEPAD.0040AB28 <= The First Command

0040AB22 68 CC100000 PUSH 10CC <===== this is the RVA address of the program's original OEP

0040AB27 C3 RETN

0040AB28 9C PUSHFD

0040AB29 60 PUSHAD

0040AB2A E8 02000000 CALL NOTEPAD.0040AB31

========================================================== ======

========================================================== ======

This is the result of compressing lordpe.exe [rts] Using pecompact1.82.

004239A0> EB 06 jmp short X.004239A8 <= The First Command

004239A2 68 103E0000 PUSH 3E10 <===== this is the RVA address of the program's original OEP

004239A7 C3 RETN

004239A8 9C PUSHFD

004239A9 60 PUSHAD

004239AA E8 02000000 CALL X.004239B1

004239AF 33C0 xor eax, EAX

========================================================== ======

========================================================== ======

This is the result of PECompact1.82.

0043E760> EB 06 jmp short PECOMPAC.0043E768 <= The First Command

0043E762 68 00E00300 PUSH 3E000 <===== this is the RVA address of the program's original OEP

0043E767 C3 RETN

0043E768 9C PUSHFD

0043E769 60 PUSHAD

0043E76A E8 02000000 CALL PECOMPAC.0043E771

0043E76F 33C0 xor eax, EAX

========================================================== ======

========================================================== ======

This is the result of ODBG1.06.

004F8200> EB 06 jmp short X.004F8208 <= The First Command

004F8202 68 00100000 PUSH 1000 <===== this is the RVA address of the program's original OEP

004F8207 C3 RETN

004F8208 9C PUSHFD

004F8209 60 PUSHAD

004F820A E8 02000000 CALL X.004F8211

004F820F 33C0 xor eax, EAX

004F8211 8BC4 mov eax, ESP

========================================================== ======

Obviously, the entry to the original program is

VA = ImageBase + RVA

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;

The following is the case where TRW2000 is used to manually remove PECompact

(Standard TRW2000 V1.22. I 'd like to modify the version)

Load PECompact V1.82

<F8>

Based on the preceding command, 0043E762 68 00E00300 PUSH 3E000

Because ImageBas = 400000, OEP = 43E000

So

Bp if (EIP = 43E000)

G

Pedump c: xx.exe

G

Okay. Check whether C: xx.exe is normal.

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

Related Keywords:
simple search engine simple php search script simple search replace simple search code in php simple php mysql search form simple search engine in php another name for method
Related Article
How does personal cloud security guarantee data security?
Model-driven cloud security-automating cloud security with cl...
Cloud security to achieve effective prevention of the future ...
Focus on three major cloud security areas, you know?
Decrypting Cisco type 5 password hashes
Using redis to write webshell

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

What's Trending
Top 10 Tags
datastax versions naming convention zookeeper client class definition md5 microsoft sql server 2005 data structures exception handling error handling
Top 10 Keywords
microsoft download center down wordpress address url site address url wordpress address url windows installer 4 0 download 302 not found web address url definition site address url wordpress db2 integer mac os installation step by step pdf abbreviation for return

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

  • Sales Support

    1 on 1 presale consultation

    Chat Contact Sales

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

    Open a Ticket

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

    Learn More