Protection: PETITE 2.1

PACKED PROGRAM

Tools: ProcDump, Wdasm, SoftIce
Target: Notepad

By Christal

Petite is a Win32 (Windows 95/98/2000/NT) executable (EXE/DLL/etc...) compressor. The compressed executables decompress themselves at run time, and can be used just like the original uncompressed versions. Petite also adds virus detection to the compressed executables - they will check themselves for infection every time they are executed.

Petite is not really a protection. Its only role is to produce a smaller executable, and as a compressor it is not as effective as others such as ASPack or NeoLite. As with most programs of this type, you will not obtain String Data References by disassembling the application. In the best case (Wdasm 8.5 and Wdasm 6.9) you will get a listing without the usual resources, and with Wdasm 8.93 you will not get everything.

Within the compressor family, it is the easiest to modify.

Here is the information WDASM gives:

Before compression:

Disassembly of File: NOTEPAD.exe
Code Offset = 00000400, Code Size = 00003A00
Data Offset = 00003E00, Data Size = 00000400

Number of Objects = 0006 (dec), Imagebase = 00400000h

Object01: .text    RVA: 00001000 Offset: 00000400 Size: 00003A00 Flags: 60000020
Object02: .bss     RVA: 00005000 Offset: 00000000 Size: 00000000 Flags: C0000080
Object03: .data    RVA: 00006000 Offset: 00003E00 Size: 00000400 Flags: C0000040
Object04: .idata   RVA: 00007000 Offset: 00004200 Size: 00000E00 Flags: 40000040
Object05: .rsrc    RVA: 00008000 Offset: 00005000 Size: 00003200 Flags: 40000040
Object06: .reloc   RVA: 0000C000 Offset: 00008200 Size: 00000A00 Flags: 42000040
Program Entry Point = 00401000 (NOTEPAD.exe File Offset:00004E00)

After compression :

Disassembly of File: Notepad.exe
Code Offset = 00001C00, Code Size = 00002A00
Data Offset = 00000000, Data Size = 00000000

Number of Objects = 0007 (dec), Imagebase = 00400000h

Object01: .text    RVA: 00001000 Offset: 00001C00 Size: 00002A00 Flags: E0000020
Object02: .bss     RVA: 00005000 Offset: 00000000 Size: 00000000 Flags: C0000080
Object03: .data    RVA: 00006000 Offset: 00000000 Size: 00000000 Flags: C0000040
Object04: .rsrc    RVA: 00008000 Offset: 00004600 Size: 00003200 Flags: 40000040
Object05: .reloc   RVA: 0000C000 Offset: 00000000 Size: 00000000 Flags: C2000040
Object06: .petite  RVA: 0000D000 Offset: 00000400 Size: 00001800 Flags: E2000060
Object07:          RVA: 0000F000 Offset: 00000000 Size: 00000000 Flags: C2000080
Program Entry Point = 0040D10B (Notepad.exe File Offset:0000050B)

Another new feature is the .petite section, which holds the entry point of the compressed program and its loader (EPL).
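As an added example that is not part of Christal's tutorial, the small Python script below parses the WDASM section listing quoted above and reports the packer indicators visible in it (entry point inside the non-standard .petite section, code sections marked writable). The regex, the Section record and the heuristic wording are mine; the section data is copied from the listing.

```python
# Added example, not part of Christal's tutorial: parse the WDASM section listing
# quoted above and apply simple packer heuristics to it (detection, not patching).
from __future__ import annotations
import re
from collections import namedtuple

# IMAGE_SCN_* section characteristics bits from the PE specification
SCN_CODE, SCN_WRITE = 0x20, 0x80000000
STANDARD_NAMES = {".text", ".bss", ".data", ".idata", ".rdata", ".edata", ".rsrc", ".reloc"}

# Section lines exactly as WDASM printed them for the compressed Notepad.exe (from the page)
WDASM_AFTER = """
Object01: .text    RVA: 00001000 Offset: 00001C00 Size: 00002A00 Flags: E0000020
Object02: .bss     RVA: 00005000 Offset: 00000000 Size: 00000000 Flags: C0000080
Object03: .data    RVA: 00006000 Offset: 00000000 Size: 00000000 Flags: C0000040
Object04: .rsrc    RVA: 00008000 Offset: 00004600 Size: 00003200 Flags: 40000040
Object05: .reloc   RVA: 0000C000 Offset: 00000000 Size: 00000000 Flags: C2000040
Object06: .petite  RVA: 0000D000 Offset: 00000400 Size: 00001800 Flags: E2000060
Object07:          RVA: 0000F000 Offset: 00000000 Size: 00000000 Flags: C2000080
"""
OBJ_RE = re.compile(r"Object\d+:\s*(\S*?)\s*RVA:\s*(\w+)\s+Offset:\s*(\w+)\s+Size:\s*(\w+)\s+Flags:\s*(\w+)")
Section = namedtuple("Section", "name rva raw_offset raw_size flags")

def parse_wdasm_sections(listing: str) -> list[Section]:
    """Turn WDASM 'ObjectNN:' lines into Section records (hex fields become ints)."""
    return [Section(m[1], *(int(x, 16) for x in m.groups()[1:])) for m in OBJ_RE.finditer(listing)]

def section_containing(sections: list[Section], rva: int) -> Section | None:
    """Find the section whose RVA range holds `rva` (entry point RVA = VA - imagebase)."""
    ordered = sorted(sections, key=lambda s: s.rva)
    for cur, nxt in zip(ordered, ordered[1:] + [None]):
        end = nxt.rva if nxt else cur.rva + cur.raw_size  # WDASM prints no virtual size
        if cur.rva <= rva < end:
            return cur
    return None

def packer_indicators(sections: list[Section], entry_va: int, imagebase: int = 0x400000) -> list[str]:
    """Heuristic reasons an image looks packed; an empty list means nothing stood out."""
    ep = section_containing(sections, entry_va - imagebase)
    if ep is None:
        return ["entry point lies outside every section"]
    reasons = []
    if ep.name not in STANDARD_NAMES:
        reasons.append(f"entry point in non-standard section {ep.name!r}")
    # Writable code is what an in-place unpacker needs (compare .text and .petite above)
    reasons += [f"code section {s.name!r} is writable"
                for s in sections if s.flags & SCN_CODE and s.flags & SCN_WRITE]
    return reasons
```

Run against the uncompressed listing (entry point 00401000 in a read/execute .text) the same function returns an empty list, which is the baseline a scanner compares against.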

To find the moment when the loader hands over to the original program (here, Notepad.exe), I started tracing with F10 as soon as SoftIce's Symbol Loader gave control back to me. Every time Notepad's window appeared, I set a breakpoint on the offending call (F9) and started again from the beginning.

Unlike other compressors, control is handed over like this:

0137:0040D1D3  55                  PUSH    EBP
0137:0040D1D4  8BEC                MOV     EBP,ESP
0137:0040D1D6  8807                MOV     [EDI],AL         > NotePad's launch
0137:0040D1D8  81ECD8BA0000        SUB     ESP,0000BAD8
0137:0040D1DE  8D8D887FFFFF        LEA     ECX,[EBP+FFFF7F88]

But be careful: this address is reached 5 times, with different values each time. On the fourth pass you will find the value 400000 (the image base), and on the fifth, AL adds the value of the original program's entry point: 1000.
400000 + 1000 = 401000 is the classic entry point of the majority of "normal" programs.

The PETITE 2.1 signature can therefore be 8B EC 88, but with the particularity of the multiple passes, which is a problem for ProcDump when producing a decompressed dump.
Starting from the principle that the entry point of most programs is almost always 401000, here is what I propose so that you can patch the original application:

1 - Finding the place

To avoid long and tedious searches, I often squat in a small corner of the application's icon. Since the modifications made are "discreet", the icon is only very slightly affected, and I doubt anyone would notice...
To find the bytes that make it up, just use a resource editor (such as Borland Resource Workshop) and double-click on the icon's name: you get its byte string, which you then only have to search for in a hex editor like Hiew to find its offset.

In this particular case, I am going to install my patch at 00408770:

0137:00408770 FF00                INC DWORD PTR [EAX]
0137:00408772 0003                ADD [EBX],AL
0137:00408774 800000              ADD BYTE PTR [EAX],00
0137:00408777 0300                ADD EAX,[EAX]
0137:00408779 0000                ADD [EAX],AL
0137:0040877B 0300                ADD EAX,[EAX]
0137:0040877D 0000                ADD [EAX],AL


2 - Redirect to this place:

0137:0040D1D3  E998B5FFFF          JMP     00408770        > by a jmp
0137:0040D1D8  81ECD8BA0000        SUB     ESP,0000BAD8
0137:0040D1DE  8D8D887FFFFF        LEA     ECX,[EBP+FFFF7F88]

3 - The patch:

0137:0040876A  0003                ADD     [EBX],AL        > code of the icon
0137:0040876C  FF00                INC     DWORD PTR [EAX] > code of the icon
0137:0040876E  0003                ADD     [EBX],AL        > code of the icon
0137:00408770  55                  PUSH    EBP             > restore the
0137:00408771  8BEC                MOV     EBP,ESP         > overwritten bytes
0137:00408773  81FF00004000        CMP     EDI,00400000    > edi = 400000 ?
0137:00408779  7512                JNZ     0040878D        > if not, continue
0137:0040877B  66C705381E40006A00  MOV     WORD PTR [00401E38],006A > yes -> modify
0137:00408784  8807                MOV     [EDI],AL        > restore
0137:00408786  E94D4A0000          JMP     0040D1D8        > return ...
0137:0040878B  03C0                ADD     EAX,EAX         > empty space
0137:0040878D  8807                MOV     [EDI],AL        > restore the
0137:0040878F  E9444A0000          JMP     0040D1D8        > overwritten bytes and return
0137:00408794  E000                LOOPNZ  00408796        > code of the icon
0137:00408796  0003                ADD     [EBX],AL        > code of the icon
0137:00408798  E000                LOOPNZ  0040879A        > code of the icon

Some explanations:

At 00408770 and 00408771, the patch restores the bytes overwritten by the JMP 00408770 at 0040D1D3.
At 00408773, the test checks whether EDI contains the value 400000 (remember, this is the image base, which is found in EDI on the last pass through 0040D1D3).
At 0040877B, if EDI = 400000, the patch modifies the bytes at the address you targeted, the application now being decompressed.
At 00408784 you restore the bytes overwritten by the jump and hand control over to Notepad, ESI now being equal to 401000.
At 0040878D you restore the bytes overwritten by the JMP 00408770 at 0040D1D3.
At 0040878F you return to the PETITE loader, just like that...

As you have seen, this operation presents no particular difficulty, and PETITE is by far the easiest compressor to modify.
There may be one problem: if you modify the section characteristics of the compressed application, you will not be able to launch the program, since it treats such a change as a sign of viral infection. Your patch, on the other hand, will not cause it the slightest problem.

Have a nice day

Christal