Hi all,

I'd like to add a modest contribution to the excellent work of Pulsar & Christal on PEshield V0.25. This is a clarification of how this crypter processes the import table.

First of all, once the program is unpacked and decrypted, when you reach the start of the import-table processing you can see that the function names in the table are encrypted, e.g.:

0167:00406DB0 5A 65 6C 5B 69 7D 7B 6F-43 65 72 00 81 00 5A 6F  Zel[i}{oCer...Zo
0167:00406DC0 6F 43 79 7D 64 66 6D 41-6D 79 4A 00 94 00 4A 60  oCy}dfmAmyJ...J`
0167:00406DD0 75 47 7A 6D 6E 40 7D 7C-53 00 41 44 56 41 50 49  uGzmn@}|S.ADVAPI
0167:00406DE0 33 32 2E 64 6C 6C 00 00-00 00 00 00 00 00 00 00  32.dll..........

The DLL names are in clear text. At the end of the processing the import section is unusable!! There are 400000s (actually the image base) all over the place and 'ZZZZZZZZZ' over the rest :-(((

Here is the code for this processing, with the overwrites of the various parts of the import section. Note that this example was made from Notepad, PEshielded with no options.

EAX=0000658A EBX=6B69E809 ECX=00400000 EDX=00406000 ESI=0040D010 EDI=0040D484
EBP=0040E000 ESP=0076FF7C EIP=0040EAED o d I s z a p c
CS=015F DS=0167 SS=0167 ES=0167 FS=3E1F GS=0000
-------------------------------------------------------------------------PROT32-
015F:0040EACE 8BF0           MOV ESI,EAX
015F:0040EAD0 89857F120000   MOV [EBP+0000127F],EAX
015F:0040EAD6 8B8DA7120000   MOV ECX,[EBP+000012A7]
015F:0040EADC 8B9527120000   MOV EDX,[EBP+00001227]
015F:0040EAE2 8B420C         MOV EAX,[EDX+0C]
015F:0040EAE5 0BC0           OR EAX,EAX
015F:0040EAE7 0F84F3000000   JZ 0040EBE0
015F:0040EAED 894A0C         MOV [EDX+0C],ECX              <--------- Overwrite
015F:0040EAF0 03852B120000   ADD EAX,[EBP+0000122B]
015F:0040EAF6 52             PUSH EDX
015F:0040EAF7 51             PUSH ECX
015F:0040EAF8 50             PUSH EAX
015F:0040EAF9 50             PUSH EAX
015F:0040EAFA C6851D12000000 MOV BYTE PTR [EBP+0000121D],00
015F:0040EB01 8B18           MOV EBX,[EAX]
015F:0040EB03 81E3DFDFDF00   AND EBX,00DFDFDF
015F:0040EB09 81FB4D464300   CMP EBX,0043464D
015F:0040EB0F 7518           JNZ 0040EB29
015F:0040EB11 8B5805         MOV EBX,[EAX+05]
015F:0040EB14 81E3FFDFDFDF   AND EBX,DFDFDFFF
015F:0040EB1A 81FB2E444C4C   CMP EBX,4C4C442E
015F:0040EB20 7507           JNZ 0040EB29
015F:0040EB22 C6851D12000001 MOV BYTE PTR [EBP+0000121D],01
015F:0040EB29 8BD8           MOV EBX,EAX
015F:0040EB2B E8DDFBFFFF     CALL 0040E70D
015F:0040EB30 5B             POP EBX
015F:0040EB31 59             POP ECX
015F:0040EB32 5A             POP EDX
015F:0040EB33 0BC0           OR EAX,EAX
015F:0040EB35 7512           JNZ 0040EB49
015F:0040EB37 52             PUSH EDX
015F:0040EB38 51             PUSH ECX
015F:0040EB39 53             PUSH EBX
015F:0040EB3A E8D9FBFFFF     CALL 0040E718                 <------- call to LoadLibraryA
015F:0040EB3F 0BC0           OR EAX,EAX
015F:0040EB41 0F8442FCFFFF   JZ 0040E789
015F:0040EB47 59             POP ECX
015F:0040EB48 5A             POP EDX
015F:0040EB49 E8EF000000     CALL 0040EC3D                 <-------------- ZZZZZZZZZ over the DLL
015F:0040EB4E 8985AE0B0000   MOV [EBP+00000BAE],EAX
015F:0040EB54 8B32           MOV ESI,[EDX]
015F:0040EB56 890A           MOV [EDX],ECX                 <--------- Overwrite
015F:0040EB58 8B7A10         MOV EDI,[EDX+10]
015F:0040EB5B 894A10         MOV [EDX+10],ECX              <--------- Overwrite
015F:0040EB5E 0BF6           OR ESI,ESI
015F:0040EB60 7502           JNZ 0040EB64
015F:0040EB62 8BF7           MOV ESI,EDI
015F:0040EB64 03B52B120000   ADD ESI,[EBP+0000122B]
015F:0040EB6A 03BD2B120000   ADD EDI,[EBP+0000122B]
015F:0040EB70 8B06           MOV EAX,[ESI]
015F:0040EB72 0BC0           OR EAX,EAX
015F:0040EB74 7462           JZ 0040EBD8
015F:0040EB76 890E           MOV [ESI],ECX                 <--------- Overwrite
015F:0040EB78 7905           JNS 0040EB7F
015F:0040EB7A 0FB7C0         MOVZX EAX,AX
015F:0040EB7D EB26           JMP 0040EBA5
015F:0040EB7F 03852B120000   ADD EAX,[EBP+0000122B]
015F:0040EB85 66C7000000     MOV WORD PTR [EAX],0000
015F:0040EB8A 40             INC EAX
015F:0040EB8B 40             INC EAX
015F:0040EB8C 53             PUSH EBX
015F:0040EB8D 56             PUSH ESI
015F:0040EB8E 50             PUSH EAX
015F:0040EB8F 8B9D87120000   MOV EBX,[EBP+00001287]
015F:0040EB95 8BF0           MOV ESI,EAX
015F:0040EB97 E8A8030000     CALL 0040EF44                 <------------- decrypt function name
015F:0040EB9C 899D87120000   MOV [EBP+00001287],EBX
015F:0040EBA2 58             POP EAX
015F:0040EBA3 5E             POP ESI
015F:0040EBA4 5B             POP EBX
015F:0040EBA5 50             PUSH EAX
015F:0040EBA6 52             PUSH EDX
015F:0040EBA7 56             PUSH ESI
015F:0040EBA8 57             PUSH EDI
015F:0040EBA9 51             PUSH ECX
015F:0040EBAA 53             PUSH EBX
015F:0040EBAB 50             PUSH EAX
015F:0040EBAC 50             PUSH EAX
015F:0040EBAD 6878563412     PUSH 12345678
015F:0040EBB2 E86CFBFFFF     CALL 0040E723                 <----------- call to GetProcAddress
015F:0040EBB7 5B             POP EBX
015F:0040EBB8 0BC0           OR EAX,EAX
015F:0040EBBA 0F8412FCFFFF   JZ 0040E7D2
015F:0040EBC0 E878000000     CALL 0040EC3D                 <-------------- ZZZZZZZZZ
015F:0040EBC5 5B             POP EBX
015F:0040EBC6 59             POP ECX
015F:0040EBC7 5F             POP EDI
015F:0040EBC8 E887000000     CALL 0040EC54
015F:0040EBCD 5E             POP ESI
015F:0040EBCE 5A             POP EDX
015F:0040EBCF 5B             POP EBX
015F:0040EBD0 83C604         ADD ESI,04
015F:0040EBD3 83C704         ADD EDI,04
015F:0040EBD6 EB98           JMP 0040EB70
015F:0040EBD8 83C214         ADD EDX,14
015F:0040EBDB E902FFFFFF     JMP 0040EAE2
015F:0040EBE0 EB01           JMP 0040EBE3
015F:0040EBE2 EA8B8547120000 JMP 0000:1247858B
015F:0040EBE9 EB02           JMP 0040EBED
015F:0040EBEB EA0433859F1200 JMP 0012:9F853304
015F:0040EBF2 00EB           ADD BL,CH
015F:0040EBF4 02CD           ADD CL,CH
015F:0040EBF6 2003           AND [EBX],AL
015F:0040EBF8 85A7120000EB   TEST [EDI+EB000012],ESP
015F:0040EBFE 01E9           ADD ECX,EBP
015F:0040EC00 8944241C       MOV [ESP+1C],EAX
015F:0040EC04 EB03           JMP 0040EC09
015F:0040EC06 CD20           INT 20 VXDJmp 3DBD,0D04
--------------------------------------------------------------------------------

It is enough to replace the overwrites with NOPs, along with the 'ZZZZZZZ' overwrites, to get a clean table. Set a bpx at 0040EBE0, which is the end of the processing, and you can dump the table! Note that a little further on there is the JMP EAX with the correct EIP. A good dump at that point and your program is clean!

I hope this small addition will be of some use.

SV
s.-v@caramail.com
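An added example (Python; not code from SV's post or from PEshield) that turns the listing above into two checks a reverser would want before trusting a dump. `patch_overwrites` encodes the six marked sites (the four `MOV ...,ECX` stores and the two `CALL 0040EC3D`) with their opcode bytes and NOPs them only after verifying those bytes are present, so a different build or an already patched dump is refused instead of corrupted. `audit_import_table` walks the import directory the same way the loop does (stop when `Name` is 0 as at 0040EAE5, use `OriginalFirstThunk` and fall back to `FirstThunk` as at 0040EB5E, treat a thunk with the high bit set as an ordinal as at 0040EB78) and reports the traces the post describes: descriptor fields equal to the image base and names reduced to runs of 'Z'. Everything about the image layout is an assumption for the example: a flat 0x10000-byte dump where file offset equals RVA, the import directory at RVA 6000 (EDX in the register dump), `ADVAPI32.dll` at 6DDA (where the hex dump shows it), and two invented function names, since the real decrypted names are not recoverable from the post.

```python
import struct

IMAGE_BASE = 0x400000      # ECX in the register dump: the value written over the table
IMPORT_RVA = 0x6000        # EDX = 00406000 when the descriptor loop starts
DESC_FMT = "<IIIII"        # IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk, TimeDateStamp,
DESC_SIZE = struct.calcsize(DESC_FMT)   # ForwarderChain, Name, FirstThunk; 0x14 bytes (ADD EDX,14)
NOP = 0x90

# The six stores/calls marked in the post's listing (VA -> opcode bytes).
OVERWRITES = {
    0x0040EAED: bytes.fromhex("894A0C"),      # MOV [EDX+0C],ECX  -> Name := base
    0x0040EB49: bytes.fromhex("E8EF000000"),  # CALL 0040EC3D     -> 'Z's over the DLL name
    0x0040EB56: bytes.fromhex("890A"),        # MOV [EDX],ECX     -> OriginalFirstThunk := base
    0x0040EB5B: bytes.fromhex("894A10"),      # MOV [EDX+10],ECX  -> FirstThunk := base
    0x0040EB76: bytes.fromhex("890E"),        # MOV [ESI],ECX     -> thunk entry := base
    0x0040EBC0: bytes.fromhex("E878000000"),  # CALL 0040EC3D     -> 'Z's over the function name
}


def patch_overwrites(image, image_base=IMAGE_BASE):
    """NOP out all six overwrites in a flat dump (file offset == RVA; an assumption).
    Every site is verified against the expected bytes before anything is written,
    so a different build, or an already patched dump, leaves the image untouched."""
    sites = []
    for va, expected in sorted(OVERWRITES.items()):
        off = va - image_base
        found = bytes(image[off:off + len(expected)])
        if found != expected:
            raise ValueError(f"unexpected bytes at {va:08X}: {found.hex()}")
        sites.append((off, len(expected)))
    for off, n in sites:
        image[off:off + n] = bytes([NOP]) * n
    return [off + image_base for off, _ in sites]


def _cstr(image, rva):
    """NUL-terminated string at rva."""
    return bytes(image[rva:image.index(b"\0", rva)])


def audit_import_table(image, import_rva=IMPORT_RVA, image_base=IMAGE_BASE):
    """Walk the descriptors like the loop in the post (stop on Name == 0, use
    OriginalFirstThunk and fall back to FirstThunk, high bit of a thunk = ordinal)
    and report PEshield's traces: fields equal to the image base, names that are all 'Z'."""
    problems = []
    for i in range(0x1000 // DESC_SIZE):
        oft, _stamp, _fwd, name, ft = struct.unpack_from(DESC_FMT, image, import_rva + i * DESC_SIZE)
        if name == 0:
            break
        for field, value in (("OriginalFirstThunk", oft), ("Name", name), ("FirstThunk", ft)):
            if value == image_base:
                problems.append(f"descriptor {i}: {field} == image base")
        if name != image_base and set(_cstr(image, name)) == {ord("Z")}:
            problems.append(f"descriptor {i}: DLL name is all 'Z'")
        thunks = oft or ft
        if thunks == image_base:
            continue                          # nothing left to follow once the field is trashed
        for j in range(0x1000 // 4):
            entry = struct.unpack_from("<I", image, thunks + 4 * j)[0]
            if entry == 0:
                break
            if entry & 0x80000000:
                continue                      # ordinal import (MOVZX EAX,AX path): no name to check
            if set(_cstr(image, entry + 2)) == {ord("Z")}:   # +2 skips the hint word
                problems.append(f"descriptor {i}: function name {j} is all 'Z'")
    return problems


def build_sample_image(trash_fields=False, trash_names=False):
    """Constructed sample, not a real Notepad dump: a flat 0x10000-byte image with one
    ADVAPI32.dll descriptor, the opcode bytes of the six overwrite sites, and optionally
    the damage the loop does (fields := base, name characters := 'Z')."""
    img = bytearray(0x10000)
    oft_rva, ft_rva, name_rva = 0x6100, 0x6200, 0x6DDA   # 406DDA holds "ADVAPI32.dll" in the hex dump
    funcs = [(0x6300, b"RegOpenKeyExA"), (0x6320, b"RegCloseKey")]   # invented function names
    struct.pack_into(DESC_FMT, img, IMPORT_RVA, oft_rva, 0, 0, name_rva, ft_rva)
    img[name_rva:name_rva + 13] = b"ADVAPI32.dll\0"
    for j, (rva, fn) in enumerate(funcs):
        img[rva + 2:rva + 3 + len(fn)] = fn + b"\0"       # hint word stays 0
        struct.pack_into("<I", img, oft_rva + 4 * j, rva)
        struct.pack_into("<I", img, ft_rva + 4 * j, rva)
    for va, code in OVERWRITES.items():
        img[va - IMAGE_BASE:va - IMAGE_BASE + len(code)] = code
    if trash_fields:
        struct.pack_into(DESC_FMT, img, IMPORT_RVA, IMAGE_BASE, 0, 0, IMAGE_BASE, IMAGE_BASE)
        for j in range(len(funcs)):
            struct.pack_into("<I", img, oft_rva + 4 * j, IMAGE_BASE)
    if trash_names:
        img[name_rva:name_rva + 12] = b"Z" * 12
        for rva, fn in funcs:
            img[rva + 2:rva + 2 + len(fn)] = b"Z" * len(fn)
    return img


if __name__ == "__main__":
    print("clean:  ", audit_import_table(build_sample_image()))
    print("trashed:", audit_import_table(build_sample_image(True, True)))
    img = build_sample_image()
    print("patched:", [f"{va:08X}" for va in patch_overwrites(img)])
```

The "names only" case (`trash_names=True` with intact fields) is what a dump looks like if the four `MOV` stores were NOPped but the two `CALL 0040EC3D` were forgotten: the descriptors still point somewhere, so the audit has to follow the thunks to see that every string is 'Z'. Run against a real flat dump, `patch_overwrites` raising `ValueError` is the signal to stop and check addresses rather than patch blind.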