Manually unpacking software packed with ASPack 2.12 [text]

Source: Internet
Author: User


ASPack 2.12 is in fact a fairly simple packer: its main job is compressing the program so that the file is smaller and easier to distribute. This post walks through unpacking an ASPack 2.12 executable by hand, using a real example. "By hand" does not mean without tools; we need two. The first is PEiD, a small utility for identifying which packer or compiler produced a file (it can be downloaded from the script home site).

The second is the dynamic debugger OllyDbg (OD), which is also freely available online. Our example is a small ASCII conversion tool that happens to be packed with ASPack, so it serves the purpose well.

The screenshot shows the program's interface. The packed file is 846 KB (866,816 bytes); quite small, is it not? We open it in PEiD to see what packed it.

PEiD clearly identifies an ASPack shell and reports its version. Now open the file in OllyDbg. When OllyDbg asks whether to continue analysis (the code looks compressed to it), click No so the analysis does not get in the way. Code like the following then appears.

Execution stops at the entry point on a PUSHAD instruction, which saves all eight general-purpose registers on the stack. That makes the so-called ESP trick easy: the packer stub will restore those registers with a matching POPAD just before it transfers control to the original entry point, so a breakpoint on the saved registers fires at exactly that moment. Press F7 once to step over the PUSHAD to the next instruction and look at the value of ESP in the registers window.

ESP is shown in red because it has just changed. Note its value, 0012FFA4 here (the exact value depends on the system; use whatever your registers window shows), and set a hardware breakpoint on that address from the command line window.

In the command line plugin, type hr followed by the address just noted, i.e. hr 0012FFA4 (hr sets a hardware breakpoint on access to that address), and press Enter. You can confirm it through the menu Debug -> Hardware breakpoints, which lists the breakpoint just set.

With the breakpoint in place, press F9 to run. The program stops at the breakpoint immediately after the stub's POPAD reads the saved registers back from 0012FFA4. Look at the surrounding code.

A little further on we are pleased to find a JNZ (jump if not zero), displayed in red with a downward arrow: red means the jump is taken, and its target lies below at address 006AF3BA. There the stub pushes an address and returns with RETN, which is how ASPack transfers control to the original entry point (OEP). Remove the hardware breakpoint at this point so it cannot fire again later: Debug -> Hardware breakpoints, select the breakpoint added with the hr command, and delete it. Then step with F7 until you reach the PUSH, and press F7 twice more (the PUSH and the RETN). That is it.

Anyone who has done a little debugging will recognise this as the real entry point. First look at the addresses: the jump covered a huge distance, from the stub at 006AF3BA down to 00422240, which tells us the unpacking stub has finished and is now handing over to the real program code. The code at 00422240 is also the typical prologue generated by Visual C++. With the cursor at 00422240, right-click and choose OllyDump -> Dump debugged process. The following dialog appears.

The options can be chosen freely; I leave them at their defaults. Click the Dump button, give the unpacked EXE a name, and the dump is complete. Then check whether the unpacking succeeded by opening the new file in PEiD. The result looks like this.

PEiD now reports the real compiler and its version instead of the packer. Run the unpacked program; if it runs, we are done.

If it does not run, the dump needs its import table repaired with an import-fixing tool; the usual one is ImportREC 1.6 (Import REConstructor), which can be downloaded online. Because the dumped program runs normally here, no repair is needed and I will not cover it, though note that a quick run only exercises the start-up code paths, so checking the imports with ImportREC is cheap insurance against a partly damaged import table. Now look at the size of the unpacked program: 3.17 MB (3,331,584 bytes). See how strong this packer's compression is. This is why ASPack is classified as a compression packer rather than an encryption or protection packer: making the program smaller is its main purpose.
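The two checks PEiD performs in this walkthrough (is the file packed, and by what) and the size observation just made can be reproduced without PEiD by reading the PE headers directly. The following Python script is an added example; it is not part of the original post and not code from PEiD, OllyDbg or ASPack. It uses only the standard library, and the sample it analyses is a constructed toy PE32 image (an assumption made for the example), not the ASCII conversion tool from the post. It reports the section holding the entry point, whether the first instruction there is PUSHAD (the instruction the ESP trick above relies on), and which sections have the high entropy that compressed code leaves behind.

```python
"""Packer triage without PEiD: parse a PE32 file, locate the entry point, the
section that holds it and the first opcode there, and measure each section's
entropy. ASPack appends its own sections (.aspack and .adata), moves the entry
point into a stub that begins with PUSHAD (0x60), and leaves the original code
section compressed, hence high-entropy. Added example, standard library only."""
import math
import random
import struct

PUSHAD = 0x60
PE32_MAGIC = 0x10B


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0 = constant, 8 = uniformly random)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in (data.count(b) for b in set(data)))


def parse_pe(image: bytes) -> dict:
    """Read the headers we need from raw PE32 file bytes (not a mapped image)."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    file_hdr = e_lfanew + 4                                  # IMAGE_FILE_HEADER
    nsections, opt_size = struct.unpack_from("<H12xH", image, file_hdr + 2)
    opt = file_hdr + 20                                      # IMAGE_OPTIONAL_HEADER
    if struct.unpack_from("<H", image, opt)[0] != PE32_MAGIC:
        raise ValueError("only PE32 is handled here")
    entry_rva = struct.unpack_from("<I", image, opt + 16)[0]
    image_base = struct.unpack_from("<I", image, opt + 28)[0]
    sections = []
    for i in range(nsections):                               # 40-byte section headers
        name, vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", image, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "raw_ptr": rptr, "raw_size": rsize,
                         "entropy": round(entropy(image[rptr:rptr + rsize]), 2)})
    return {"entry_rva": entry_rva, "image_base": image_base, "sections": sections}


def triage(image: bytes) -> dict:
    """Summarise the entry point and collect packer indicators; two or more = looks packed."""
    pe = parse_pe(image)
    ep = pe["entry_rva"]
    ep_sec = next((s for s in pe["sections"]
                   if s["va"] <= ep < s["va"] + max(s["vsize"], s["raw_size"])), None)
    if ep_sec is None:
        raise ValueError("entry point lies outside every section")
    opcode = image[ep_sec["raw_ptr"] + (ep - ep_sec["va"])]  # RVA -> file offset
    hints = []
    if opcode == PUSHAD:
        hints.append("entry point begins with PUSHAD (saved registers; ESP trick applies)")
    if ep_sec is not pe["sections"][0]:
        hints.append("entry point is not in the first section")
    if any(s["name"].lower() in (".aspack", ".adata") for s in pe["sections"]):
        hints.append("ASPack section names present")
    dense = [s["name"] for s in pe["sections"] if s["raw_size"] >= 256 and s["entropy"] > 7.0]
    if dense:
        hints.append("high-entropy (compressed) sections: " + ", ".join(dense))
    return {"entry_va": pe["image_base"] + ep,             # the address OllyDbg shows at the EP
            "entry_section": ep_sec["name"], "entry_opcode": opcode,
            "hints": hints, "looks_packed": len(hints) >= 2}


def build_sample_pe(packed: bool) -> bytes:
    """Constructed toy PE32 image for offline testing (assumption: not a real program).
    packed=True mimics ASPack's layout: a compressed .text plus an .aspack stub that
    holds the entry point; packed=False is a plain image whose entry point is a VC prologue."""
    rng = random.Random(1)

    def noise(n: int) -> bytes:                              # stands in for compressed data
        return bytes(rng.getrandbits(8) for _ in range(n))

    if packed:
        sections = [(b".text", 0x1000, noise(0x1000)),
                    (b".aspack", 0x2000, bytes([PUSHAD]) + noise(0x3FF))]
        entry_rva = 0x2000
    else:
        sections = [(b".text", 0x1000, b"\x55\x8b\xec\x90" * 0x400)]  # push ebp; mov ebp,esp; nop
        entry_rva = 0x1000
    raw_ptr, sec_hdrs, body = 0x200, b"", b""
    for name, va, data in sections:
        sec_hdrs += struct.pack("<8sIIII", name, len(data), va, len(data), raw_ptr) + b"\0" * 16
        body += data
        raw_ptr += len(data)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                   # e_lfanew = 0x40
    file_hdr = b"PE\0\0" + struct.pack("<HH12xHH", 0x14C, len(sections), 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 16, entry_rva)                           # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                            # ImageBase
    return (dos + file_hdr + bytes(opt) + sec_hdrs).ljust(0x200, b"\0") + body


if __name__ == "__main__":
    for label, flag in (("packed", True), ("clean", False)):
        print(label, triage(build_sample_pe(flag)))
```

Running the script prints the triage of the packed and the clean sample; to use it on a real file, pass the file's bytes to triage(). On real files the section names are only a hint, since a packer can rename them, but an entry point that begins with PUSHAD in a section far from the first one, next to a high-entropy code section, is exactly the situation in which the ESP trick above applies, and the high entropy also means static disassembly will show nothing useful until the program has been unpacked.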

That is enough rambling; these are just my notes. This is the most basic exercise in any unpacking course, the equivalent of the Hello World we write in C, but complete in itself. Keep at it and you too can become an expert. The road ahead is long; I will keep searching high and low.
