EXE Ripper – exe file encoded with Base64
Example of usage
3. Open the unpacked file with Exeinfo PE and run EXE PE Ripper.
6. Now download bde64.exe from :
http://aluigi.altervista.org/mytoolz.htm
( direct link : http://aluigi.altervista.org/mytoolz/bde64.zip )
8. Unpacked.exe is a real Windows PE executable file.
( in this case it is a Windows DLL library file )
A.S.L ( c ) 2019
www.exeinfo.xn.pl
Exeinfo PE – OPTION : set EP to 1000h
That's all.
Exeinfo PE – unprotect an exe file from the overlay ( XOR method )
Protected with – "SkD Undetectabler 2.exe"
1. Protect the exe
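The two carving jobs above (an executable stored as a Base64 blob, and an executable XOR-ed into the overlay) can be reproduced outside the tool. The example below is added here and is not code from Exeinfo PE or from the tools it mentions; it scans a container for Base64 runs that decode to an MZ/PE image, and brute-forces a single-byte XOR key over already-carved overlay bytes. The single-byte key, the minimal fake PE image and the text container are assumptions made for the example; the page does not describe the protector's stub format.

```python
from __future__ import annotations

import base64
import re
import struct


def looks_like_pe(blob: bytes) -> bool:
    """True if blob starts with an MZ header whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def pe_offsets(blob: bytes) -> list[int]:
    """Every offset in blob at which a plausible PE image begins (a stub may precede it)."""
    hits, i = [], blob.find(b"MZ")
    while i != -1:
        if looks_like_pe(blob[i:]):
            hits.append(i)
        i = blob.find(b"MZ", i + 1)
    return hits


# A run of Base64 alphabet characters (line breaks allowed, as in MIME-wrapped blobs), optional padding.
_B64_RUN = re.compile(rb"[A-Za-z0-9+/\r\n]{64,}={0,2}")


def find_base64_pe(data: bytes) -> list[tuple[int, bytes]]:
    """(offset_in_container, decoded_pe) for each Base64 run that decodes to a PE image.

    All four alignments are tried because the run may begin with alphabet characters
    that belong to the surrounding text rather than to the encoded executable.
    """
    found = []
    for m in _B64_RUN.finditer(data):
        raw = m.group(0)
        start = m.start() + (len(raw) - len(raw.lstrip(b"\r\n")))
        run = re.sub(rb"[\r\n]", b"", raw)
        for shift in range(4):
            chunk = run[shift:]
            chunk = chunk[: len(chunk) - len(chunk) % 4]
            try:
                decoded = base64.b64decode(chunk, validate=True)
            except ValueError:  # binascii.Error is a ValueError: not valid Base64 after all
                continue
            hits = pe_offsets(decoded)
            if hits:
                found.append((start + shift, decoded[hits[0]:]))
                break
    return found


def unxor_overlay(overlay: bytes) -> tuple[int, int, bytes] | None:
    """Brute-force a single-byte XOR key over carved overlay bytes.

    Returns (key, offset_in_overlay, decoded_pe) for the first key that reveals a PE image,
    or None. A one-byte key is an assumption: the page does not describe the stub's format.
    """
    for key in range(256):
        decoded = bytes(b ^ key for b in overlay)
        hits = pe_offsets(decoded)
        if hits:
            return key, hits[0], decoded[hits[0]:]
    return None


def build_fake_pe() -> bytes:
    """Constructed stand-in for an executable: MZ header, e_lfanew -> 'PE\\0\\0', then padding."""
    return b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0" + b"\0" * 100


def sample_container() -> bytes:
    """Constructed text file with the fake executable embedded as one Base64 line."""
    return b"--- notes ---\r\n" + base64.b64encode(build_fake_pe()) + b"\r\n--- end ---\r\n"


if __name__ == "__main__":
    for off, image in find_base64_pe(sample_container()):
        print(f"Base64-encoded PE at container offset {off}, {len(image)} bytes decoded")
    overlay = bytes(b ^ 0x5A for b in build_fake_pe())  # overlay "protected" with key 0x5A
    key, off, image = unxor_overlay(overlay)
    print(f"overlay XOR key 0x{key:02x}, PE begins at overlay offset {off}, {len(image)} bytes")
```

The PE check is deliberately weak (MZ plus a valid e_lfanew) so that it also accepts images whose DOS stub was stripped; run the carved bytes through the full header view afterwards before trusting them.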
Exeinfo PE v.0.0.1.9 C – added Resource analysis
- example file packed with Fearz packer 0.3 ( BIG resource size ) : hidden data to extract
- standard installers like InstallShield or Inno Setup ( small resources ) : data in the overlay
Exeinfo PE - ver.0.0.5.0
Program GUI main window info , mouse-click buttons
1. If you move the mouse over this item you get information from the exe header
( file alignment and section alignment )
2. EP Section – you can enter an offset and view the Entry Point offset + your offset
( disassembly or hexadecimal view , example : 20h offset )
3. [ Image is 32 bit executable ] – if you click here you see : File Characteristics
5. View file offset at : 0000
Right mouse button click : ( External tools runner for .NET files )
7. [ Overlay ] – if overlay data exists at the end of the file , you can peek at it in
hexadecimal view
8. [ Date ] – if you move the mouse over the item , you see the decoded date
But if you double-click with the left mouse button , you see the Date and Time :
10. [ www ] – internet website grabbed from the Diagnose and Lamer Info items
Example screen :
11. [ Digital signature ] – if the file has a digital signature you can see :
Click on the icon ; the result compares the size from the exe header with the size from the digital signature :
Click OK
You see the file properties and you can check the digital signature info.
12. [ I ] – Version Info / Manifest view
Left mouse button click : ( view Version Info from Resources , *if it exists )
13. [ Open File Dialog ]
Right mouse button click : ( run Multi File scan + change directory to the
opened file ! – important if you dropped the file via Drag & Drop )
This information describes only the basic functions of the main window ( ~ 50% )
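The items in the main window (alignments, EP section and file offset, 32/64-bit and DLL flags, overlay, decoded date, and the signature-size comparison) all come straight from the PE headers. The reader below is an added example, not Exeinfo PE's own code, that computes the same facts from a PE image held in memory; the minimal PE32 builder is a constructed fixture, and the Authenticode blob in it is just placeholder bytes declared in the security directory.

```python
import datetime
import struct

IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000
IMAGE_DIRECTORY_ENTRY_SECURITY = 4


def parse_pe(data: bytes) -> dict:
    """Read the header facts the main window shows from a PE image held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("e_lfanew does not point at a PE signature")
    (_machine, nsec, timestamp, _symtab, _nsyms,
     opt_size, characteristics) = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24                                            # optional header follows the 20-byte COFF header
    is64 = struct.unpack_from("<H", data, opt)[0] == 0x20B   # PE32+ magic; PE32 is 0x10B
    ep_rva = struct.unpack_from("<I", data, opt + 16)[0]
    sec_align, file_align = struct.unpack_from("<II", data, opt + 32)
    # Data directories start at +96 (PE32) / +112 (PE32+). The SECURITY entry holds a *file
    # offset* (not an RVA) and size of the Authenticode blob, which lives in the overlay.
    dirs = opt + (112 if is64 else 96)
    sig_off, sig_size = struct.unpack_from("<II", data, dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)

    sections, ep_section, ep_file_off = [], None, None
    for i in range(nsec):
        name, vsize, vaddr, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", data, opt + opt_size + 40 * i)
        name = name.rstrip(b"\0").decode("ascii", "replace")
        sections.append((name, vaddr, vsize, raw_ptr, raw_size))
        if vaddr <= ep_rva < vaddr + max(vsize, raw_size):
            ep_section, ep_file_off = name, raw_ptr + (ep_rva - vaddr)

    # Overlay: everything past the last byte any section header claims.
    sections_end = max((p + s for _, _, _, p, s in sections), default=0)
    sig_end = sig_off + sig_size if sig_size else None
    return {
        "bits": 64 if is64 else 32,
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
        "characteristics": characteristics,
        "file_alignment": file_align,
        "section_alignment": sec_align,
        "entry_point_rva": ep_rva,
        "entry_point_section": ep_section,
        "entry_point_file_offset": ep_file_off,
        "timestamp_utc": datetime.datetime.fromtimestamp(
            timestamp, datetime.timezone.utc).isoformat(),
        "overlay_offset": sections_end,
        "overlay_size": max(len(data) - sections_end, 0),
        "sections": sections,
        # The digital-signature check: where the header says the signature ends vs. the real file size.
        "bytes_after_signature": None if sig_end is None else len(data) - sig_end,
    }


def build_sample_pe(overlay: bytes = b"", dll: bool = False, sig_size: int = 0) -> bytes:
    """Constructed minimal PE32: one .text section at file offset 0x200, entry point at RVA 0x1010.

    sig_size > 0 declares the first sig_size overlay bytes as the Authenticode blob.
    """
    chars = IMAGE_FILE_EXECUTABLE_IMAGE | (IMAGE_FILE_DLL if dll else 0)
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 1546300800, 0, 0, 224, chars)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1010)               # AddressOfEntryPoint
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)       # SectionAlignment, FileAlignment
    struct.pack_into("<I", opt, 92, 16)                   # NumberOfRvaAndSizes
    if sig_size:
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, 0x400, sig_size)
    text = struct.pack("<8sIIII", b".text", 0x100, 0x1000, 0x200, 0x200) + b"\0" * 16
    headers = dos + coff + bytes(opt) + text
    return headers + b"\0" * (0x200 - len(headers)) + b"\xCC" * 0x200 + overlay


if __name__ == "__main__":
    report = parse_pe(build_sample_pe(overlay=b"\x30" * 0x100 + b"junk", sig_size=0x100))
    for key, value in report.items():
        print(f"{key:>24}: {value}")
```

A positive bytes_after_signature is what the tool's size comparison flags: data appended after the signed region does not invalidate the Authenticode signature, so a signed file can still carry an unsigned payload there. The overlay_offset is also the place to cut when a very large overlay has to be stripped before re-analysis.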
A.S.L ( c ) 2018
www.exeinfo.xn.pl
Exeinfo PE - ver.0.0.4.2
Many installers keep the PDB file name in the Exe Header ( Load Config ) area.
If no .pdb file name is found in this area you can use the new search :
" Tools Menu / Registry Call scanner … RSDS ".
See screenshot :
- Search Result – shows you all ".pdb" file names.
- Use this search if the Header GUI window shows no string result.
Info : added in ver.0.0.4.2 final
A.S.L ( c ) 2016
www.exeinfo.xn.pl
Exeinfo PE - ver.0.0.4.9
How to retrieve a jpg picture from a saved
file – pseudo jpg , really an html file
( www: http://photobucked.com )
If you save a jpg picture to disk and cannot view it ,
check the file with Exeinfo PE.
- Now click CTRL + Right Mouse Button to open the selected line – link
A.S.L ( c ) 2018
www.exeinfo.xn.pl
Exeinfo PE - ver.0.0.3.6
Usage example :
This example shows you how to open any "www" address ripped from an
executable or data file – with one mouse click.
3. Now press the CTRL key and click the Right Mouse Button on any line with a
www , http , https or ftp address.
*Ripper support – http ( ASCII & Unicode ) , ftp , https ( ASCII characters only )
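Both the www/http/ftp ripper described here and the RSDS ".pdb" search from ver.0.0.4.2 are signature scans over the raw file. The example below is added here and is not Exeinfo PE's code: it rips URLs in ASCII and in UTF-16LE (the "Unicode" of Windows binaries) and CodeView RSDS records by their fixed layout, and it handles https in both encodings, which goes beyond the ASCII-only https support the page lists. The blob it scans is constructed for the example; the hostnames and the PDB path in it are invented.

```python
from __future__ import annotations

import re
import struct
import uuid

# Printable ASCII run after a scheme; the same thing with each character followed by a NUL for UTF-16LE.
URL_ASCII = re.compile(rb"(?:(?:https?|ftp)://|www\.)[\x21-\x7E]+")
URL_WIDE = re.compile(
    rb"(?:h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00|f\x00t\x00p\x00:\x00/\x00/\x00|w\x00w\x00w\x00\.\x00)"
    rb"(?:[\x21-\x7E]\x00)+")
_TRAILING = b"\"'),;>]"   # punctuation that belongs to the surrounding string, not to the URL


def rip_urls(data: bytes) -> list[tuple[int, str, str]]:
    """(offset, encoding, url) for every http/https/ftp/www string, ASCII or UTF-16LE, by offset."""
    hits = [(m.start(), "ascii", m.group(0).rstrip(_TRAILING).decode("ascii"))
            for m in URL_ASCII.finditer(data)]
    hits += [(m.start(), "utf-16le", m.group(0).decode("utf-16-le").rstrip(_TRAILING.decode()))
             for m in URL_WIDE.finditer(data)]
    return sorted(hits)


def rip_pdb_paths(data: bytes) -> list[tuple[int, str, int, str]]:
    """(offset, guid, age, path) for every CodeView RSDS record found by signature scan.

    Layout: 'RSDS' + GUID (16 bytes, little-endian fields) + age (uint32) + NUL-terminated path.
    Scanning for the signature instead of walking the debug directory finds records that
    no header entry points at, which is the case the ver.0.0.4.2 search exists for.
    """
    found, i = [], data.find(b"RSDS")
    while i != -1:
        end = data.find(b"\0", i + 24)
        path = data[i + 24:end if end != -1 else len(data)]
        if len(data) >= i + 24 and path and all(0x20 <= b < 0x7F for b in path):
            guid = str(uuid.UUID(bytes_le=data[i + 4:i + 20]))
            age = struct.unpack_from("<I", data, i + 20)[0]
            found.append((i, guid, age, path.decode("ascii")))
        i = data.find(b"RSDS", i + 1)
    return found


def sample_blob() -> bytes:
    """Constructed fragment of a binary: one ASCII URL, one UTF-16LE URL and one RSDS record."""
    rsds = (b"RSDS" + uuid.UUID("12345678-1234-5678-1234-567812345678").bytes_le
            + struct.pack("<I", 3) + b"C:\\build\\release\\tool.pdb\0")
    return (b"\x00" * 8 + b"GET http://update.example.test/v2/manifest.json\0"
            + b"\x90" * 5 + "https://telemetry.example.test/ping".encode("utf-16-le") + b"\0\0"
            + rsds + b"\xff" * 4)


if __name__ == "__main__":
    blob = sample_blob()
    for off, enc, url in rip_urls(blob):
        print(f"{off:#08x} {enc:8} {url}")
    for off, guid, age, path in rip_pdb_paths(blob):
        print(f"{off:#08x} RSDS {guid} age={age} {path}")
```

The printable-ASCII plausibility test on the path is what keeps a stray "RSDS" inside compressed or encrypted data from producing a bogus hit; a real record always ends in a readable path.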
A.S.L ( c ) 2014
www.exeinfo.xn.pl
Exeinfo PE - 10 hints
1. Executable file detection , 4 types – ( EXE 32bit , EXE 64bit , DLL 32bit , DLL 64bit )
4. Mouse click on " Overlay : " – view overlay data ( start bytes only )
Exeinfo PE - ver.0.0.3.2
Ext_detector.dll v.0.5.0
Example :
How to use the Universal Ripper
For example , we RIP a packed DLL file ( aPLib algorithm ) from Test.exe protected with
Enigma Virtual Box v.5.80 .
4. You can open the Test_001~rip.M8Z file with Exeinfo PE.
Example :
A.S.L ( c ) 2012
www.exeinfo.xwp.pl
Exeinfo PE - hints
Exeinfo PE - ver.0.0.3.4
Example :
How to use the
internal Zlib Unpacker !
This example shows you how to unpack a .zlib file ripped via Exeinfo PE .
3. And you have the unpacked zlib file*** with the .UNP extension !
You must analyse this file and rename it to the correct extension , .bin or .exe .
*** – if the file is not a zlib archive you will see : Depacking Error
HINT : If you already have a zlib file , don't use the zlib ripper for unpacking !!!
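The rip-then-unpack flow above, including the "Depacking Error" case and the "rename to the correct extension" step (which is also the answer to the pseudo-jpg problem from ver.0.0.4.9), can be reproduced with the standard zlib module. This is an added example, not Exeinfo PE's own ripper or unpacker: it finds RFC 1950 zlib headers in a container, inflates each stream, reports the ones that fail, and picks an extension from the payload's magic bytes. The container it scans is constructed for the example, and the false header at its end is placed there deliberately.

```python
import zlib


def is_zlib_header(cmf: int, flg: int) -> bool:
    """RFC 1950 header check: deflate method (CM=8), window <= 32K, FCHECK makes CMF*256+FLG % 31 == 0."""
    return cmf & 0x0F == 8 and cmf >> 4 <= 7 and (cmf * 256 + flg) % 31 == 0


def inflate_at(data: bytes, offset: int):
    """Inflate the zlib stream starting at offset.

    Returns (payload, consumed_bytes), or None when the bytes only looked like a header
    (the tool's "Depacking Error"): corrupt deflate data, bad Adler-32, or a stream cut short.
    """
    d = zlib.decompressobj()
    try:
        payload = d.decompress(data[offset:])
    except zlib.error:
        return None
    if not d.eof:               # no end-of-stream marker reached: truncated
        return None
    return payload, len(data) - offset - len(d.unused_data)


_MAGIC = [(b"MZ", ".exe"), (b"\xff\xd8\xff", ".jpg"), (b"\x89PNG\r\n\x1a\n", ".png"),
          (b"PK\x03\x04", ".zip"), (b"%PDF", ".pdf"), (b"\x1f\x8b", ".gz")]


def sniff_extension(payload: bytes) -> str:
    """Pick a file extension from the content, not from the name it was saved under."""
    for magic, ext in _MAGIC:
        if payload.startswith(magic):
            return ext
    if payload.lstrip().lower().startswith((b"<!doctype", b"<html")):
        return ".html"       # the "pseudo jpg" case: an HTML page saved as picture.jpg
    return ".bin"


def carve_zlib(data: bytes):
    """Scan data for zlib streams; return (carved, failed).

    carved: (offset, suggested_extension, payload) per stream that inflates cleanly;
    failed: offsets of header-looking byte pairs that do not inflate.
    """
    carved, failed, i = [], [], 0
    while i < len(data) - 1:
        if is_zlib_header(data[i], data[i + 1]):
            result = inflate_at(data, i)
            if result:
                payload, consumed = result
                carved.append((i, sniff_extension(payload), payload))
                i += consumed       # do not re-scan the inside of a stream just consumed
                continue
            failed.append(i)
        i += 1
    return carved, failed


def sample_container() -> bytes:
    """Constructed container: junk, a zlib-packed fake MZ image, junk, a zlib-packed HTML page, a false header."""
    fake_exe = b"MZ" + b"\0" * 62 + b"PE\0\0" + b"\xCC" * 200
    html = b"<!DOCTYPE html><html><body>not a picture</body></html>"
    return (b"\0" * 7 + zlib.compress(fake_exe) + b"A" * 9 + zlib.compress(html)
            + b"\x78\x9c" + b"\xff" * 6)       # 78 9C passes the header check but is not deflate data


if __name__ == "__main__":
    carved, failed = carve_zlib(sample_container())
    for off, ext, payload in carved:
        print(f"stream at {off:#06x}: {len(payload)} bytes, looks like {ext}")
    print("depacking errors at:", [hex(o) for o in failed])
```

Two bytes that pass the header arithmetic occur by chance roughly once per 31 KiB of random data, so a ripper that reports every header-looking pair produces many false hits; the inflate step with the end-of-stream and Adler-32 checks is what separates real streams from those.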
A.S.L ( c ) 2014
www.exeinfo.xn.pl
Exeinfo PE - ver.0.0.3.5
Example :
This example shows you how to analyse exe files longer than
the Exeinfo PE buffer ( limit 96 MB ) .
3. If the detector does not crash , you get a better Diagnose
( works only if the file has a big overlay – does not work if the section sizes are big )
3. Now you can reanalyze the file
( *does not work on this exe file – big section size , added only as a method example )
Bye.
A.S.L ( c ) 2014
www.exeinfo.xn.pl
Exeinfo PE - ver.0.0.3.6
Usage example :
I. Method one :
II. Method two :
If you need to compare more than two files , you can use Multiple file
scanner mode ( F2 key on the main form ).
A.S.L ( c ) 2014
www.exeinfo.xn.pl
Exeinfo PE - ver.0.0.3.9
Example :
InstallShield v.15 – v.19
How to detect the version precisely.
- Protection iD v.0.6.6.7 – detects the wrong version : 4.0
4. Now open this ripped DLL file with Exeinfo PE
5. Click on the : VERSION INFO button
A.S.L ( c ) 2015
www.exeinfo.xn.pl