http://www.hackerschool.org/HS_Boards/zboard.php?id=HS_Translate&no=93
Sorry.. it's late, and on top of that it isn't even translated..
and it's not 100% complete either..
If I wait any longer you'll think I've gone AWOL, so I'm just posting it as is.. ㅠㅠ
Translation.. anyone willing to take it over.... ㅠㅠ Sorry ㅠ
==========================================
um... we can have a look at the first section.
And if the first section's characteristics are irregular.
Maybe..umm.. ugh there is a background going to open that first section,
so we need to have write access to it.
um... we cannot look at the first section Raw Size
and...um... is ugh.. the file is FAT.
the physical size of the first section is null,
because the null and the FAT to that section.
we can also have a look at the last section as a..
as an Entry Point.. sorry,
And ugh.. Entry Point starting in the last section.
It means that ugh.. something has happened to the program,
because usually the program stops at the first section.
It can also be a virus.
ugh.. we can also check the section names
and we can find something like **** section names
or um.. aspect sections.
So sometimes it gives you an idea of the record review.
We can also check the Import Table.
And if there is a very few important functions,
it might be because there is a background import table.
And those **** program import table so it might be packed.
we can also check for strings,
ugh.. usually packers um..
pack up the data section
where we find **** strings,
so if you find those strings as well
maybe it's a file ***.
Unless *** is a looking at the Raw Size and..
it in a file that has been packed
so..the physical size is going to be smaller than the **** size.
So, um...
we can see the Entry Point **** ***
and we can see that it's the last section **** address.
You can also see that the Raw Size is blue here
so this file must not have been packed.
And with this example,
if you look at the last section the Raw Size section here
you can see the characteristic and um..
the last section is executable.
Raw Size sections are usually not executable
so it might be a hint that the file has been packed.
So now the basic unpacking method
we have to find the original Entry Point first
and this is the *** of the *** program.
So a few ways to find the original Entry Point is to trace until you jump to the real program.
You can also use a static disassembly
***** jump to the first section or
um.. hint to jump to the first section.
Or you can use ********* smart hardware break points.
And you can also use an API function break point.
Because umm...ugh.. computer programs like C++ programs
are going to use start-up API functions ***
at the Entry Points
where you can adjust the break point of these functions
and... **** program
adjust so you can ****
if you are at the Entry Point.
Once you have found the Entry Point
we have to *** the process to authorized ********
there should have program.
And then you have to reconstruct the import table
so we have a few ways to do it.
You can trust the packer and find ***
the Import Access Table is being ****
and ugh.. *** information or um..
attach to packers represents originate functions.
or if you are lazy you can use a *** tool
that is called Import Reconstructor
to ugh.. reconstruct the Import table automatically.
So we are going to do a demonstration *********
So *** *** the program **** packed it **** Entry Points
I'm going to do it **** and hope that ********* effect.
"He's using my laptop for this step of course."
==================================
Parts where he spoke without the mic were also marked with **, since they couldn't be heard at all..
His pronunciation is close to French, so I'm not sure the dictation is accurate either.
Once again, sorry..ㅠㅠ
Hit : 2310 Date : 2011/08/26 02:04
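The packer-detection checks the speaker lists (entry point in the last section, an executable last section, a first section that must be writable, a raw size far below the virtual size, tell-tale section names, and a near-empty import table) as one added worked example. This is not code from the post or from the lecture: the two PE images it inspects are constructed in memory by build_pe() and are not loadable programs, the packer section-name list is a short sample rather than a signature set, the 4:1 raw-to-virtual ratio and the five-import threshold are thresholds chosen for the example, and only 32-bit PE32 images are handled. The strings check the lecture also mentions is left out.

```python
# Packer heuristics over a PE32 header (the transcript's checks). Constructed example: both images are in-memory, not loadable.
import struct

SCN_CODE, SCN_IDATA, SCN_EXEC, SCN_WRITE = 0x20, 0x40, 0x20000000, 0x80000000
PACKER_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b".aspack", b".adata"}  # short sample list

def parse_pe(data):
    """Entry-point RVA, import-directory RVA and section table of a PE32 image."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24                                   # optional header follows the COFF header
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    entry = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint
    nrva = struct.unpack_from("<I", data, opt + 92)[0]    # NumberOfRvaAndSizes
    import_rva = struct.unpack_from("<I", data, opt + 104)[0] if nrva > 1 else 0  # data directory 1
    sections = []
    for i in range(nsec):                                 # 40-byte IMAGE_SECTION_HEADER entries
        f = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": f[0].rstrip(b"\0"), "vsize": f[1], "va": f[2],
                         "rawsize": f[3], "rawptr": f[4], "flags": f[9]})
    return {"entry": entry, "import_rva": import_rva, "sections": sections}

def section_for_rva(sections, rva):
    return next((s for s in sections
                 if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"])), None)

def rva_to_offset(sections, rva):
    s = section_for_rva(sections, rva)                     # None when no raw data backs the RVA
    return None if s is None or rva - s["va"] >= s["rawsize"] else rva - s["va"] + s["rawptr"]

def count_imports(data, pe):
    """Walk the IMAGE_IMPORT_DESCRIPTOR list and each thunk array; count imported functions."""
    secs, total = pe["sections"], 0
    off = rva_to_offset(secs, pe["import_rva"]) if pe["import_rva"] else None
    while off is not None and off + 20 <= len(data):
        oft, _, _, name_rva, ft = struct.unpack_from("<5I", data, off)
        if name_rva == 0:                                  # null descriptor ends the list
            break
        thunk = rva_to_offset(secs, oft or ft)
        while thunk is not None and thunk + 4 <= len(data) and struct.unpack_from("<I", data, thunk)[0]:
            total, thunk = total + 1, thunk + 4
        off += 20
    return total

def packer_heuristics(data, min_imports=5):
    """Return the packing indicators found in a PE32 image (empty list when none)."""
    pe = parse_pe(data)
    secs, findings = pe["sections"], []
    first, last = secs[0], secs[-1]
    if len(secs) > 1 and section_for_rva(secs, pe["entry"]) is last:
        findings.append("entry point lies in the last section")
    if len(secs) > 1 and last["flags"] & SCN_EXEC:
        findings.append("last section is executable")
    if first["flags"] & SCN_WRITE and first["flags"] & SCN_EXEC:
        findings.append("first section is writable and executable")
    for s in secs:
        name = s["name"].decode("ascii", "replace")
        if s["vsize"] > 0 and (s["rawsize"] == 0 or s["vsize"] >= 4 * s["rawsize"]):
            findings.append("section %s: raw size %d far below virtual size %d"
                            % (name, s["rawsize"], s["vsize"]))
        if s["name"] in PACKER_SECTION_NAMES:
            findings.append("packer section name " + name)
    if count_imports(data, pe) < min_imports:
        findings.append("import table has fewer than %d functions" % min_imports)
    return findings

def build_pe(entry_rva, sections, import_rva=0, align=0x200):
    """Minimal PE32 image from (name, va, vsize, raw_bytes, flags) tuples; for the samples only."""
    first_raw = -(-(0x58 + 224 + 40 * len(sections)) // align) * align
    table, body = b"", b""
    for name, va, vsize, raw, flags in sections:
        raw += b"\0" * (-len(raw) % align)                 # pad raw data to the file alignment
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, va, len(raw),
                             first_raw + len(body) if raw else 0, 0, 0, 0, 0, flags)
        body += raw
    opt = (struct.pack("<H14xI72xI8xII", 0x10B, entry_rva, 16, import_rva, 40 if import_rva else 0)
           + b"\0" * 112)                                  # optional header: magic, entry, 16 data dirs
    hdr = (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0"
           + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102) + opt + table)
    return hdr + b"\0" * (first_raw - len(hdr)) + body

# Sample 1 (constructed): ordinary layout; one KERNEL32.dll descriptor importing 9 ordinals.
NORMAL_IMPORTS = (struct.pack("<5I", 0x3028, 0, 0, 0x3050, 0x3028) + b"\0" * 20
                  + struct.pack("<10I", *(0x80000000 | o for o in range(1, 10)), 0) + b"KERNEL32.dll\0")
NORMAL_PE = build_pe(0x1010, [
    (b".text", 0x1000, 0x800, b"\xC3" * 0x400, SCN_CODE | SCN_EXEC),
    (b".data", 0x2000, 0x200, b"A" * 0x200, SCN_IDATA | SCN_WRITE),
    (b".idata", 0x3000, 0x200, NORMAL_IMPORTS, SCN_IDATA)], import_rva=0x3000)

# Sample 2 (constructed): UPX-style layout; empty writable UPX0, stub plus 3-function import table in UPX1, entry at UPX1.
PACKED_IMPORTS = (struct.pack("<5I", 0x6068, 0, 0, 0x6078, 0x6068) + b"\0" * 20
                  + struct.pack("<4I", 0x80000001, 0x80000002, 0x80000003, 0) + b"KERNEL32.dll\0")
PACKED_PE = build_pe(0x6000, [
    (b"UPX0", 0x1000, 0x5000, b"", SCN_EXEC | SCN_WRITE),
    (b"UPX1", 0x6000, 0x400, b"\x90" * 0x40 + PACKED_IMPORTS, SCN_CODE | SCN_EXEC | SCN_WRITE)],
    import_rva=0x6040)
```

To run it on a real file, pass the file bytes to packer_heuristics(open(path, "rb").read()); the normal sample returns an empty list, the UPX-style one returns all six kinds of indicator. Each indicator on its own is only a hint, as the lecture says: a single executable last section or a small import table also occurs in legitimate binaries, so treat the list as input to a closer look in a disassembler rather than as a verdict.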