Manually unpacking Advanced Administrative Tools 4.0a

Author: Cloud Number 9
Email: cloudnumber9@sina.com
Copyright notice: This article may be freely reproduced and referenced, but not for commercial purposes. Please reproduce it in full.
Purpose: I had not cracked software for a long time. I happened to see some unpacking tutorials on xuanyuan,
and then found this software to practice on. I did not expect to run into a big problem that took me
a whole week. I first used the ProcDump script to unpack it and later found that it did not run;
then I read a lot of articles and spent many nights to solve the problem.
I think the spirit of a cracker is to share software, knowledge, happiness, and pride.
That is the sole purpose of writing this article.
Writing date: the first Dragon Boat Festival of the new century, 6 June 2000.

Target software: AATools 4.0a build 4.0.0.596
File size: 752,128 bytes
Software features: I did not pay much attention; it was just for unpacking practice.
Company: G-lock software, http://www.glocksoft.com
Unpacking date: 3 June 2000

Cracking environment: Windows Me (English version), MMX 200, 64 MB.
Tools used: TRW2000 V1.21, ProcDump 1.6.2, topo, UltraEdit 7.0, W32Dasm 8.9.
---------------------------------------------------------------------------

Use ProcDump to look at the PE header of AATools.exe:
Entry Point: 00222001
Size of Image: 00239000
Image Base: 00400000

Run TRW2000. The code at the packer's entry point is:
--------- AATOOLS!.data -----------------------
: 00622001 60             pushad
: 00622002 E801000000     call 00622008
: 00622007 90             nop

Stepping with F8, I can see that the program spends a lot of effort generating code dynamically in memory:
execution moves from .data into address space that belongs to no named section, and finally into CODE, where the following appears:
--------- AATOOLS!CODE+1754C0 -----------------------
: 005764C0 55             push ebp
: 005764C1 8BEC           mov ebp, esp
: 005764C3 83C4F4         add esp, FFFFFFF4
: 005764C6 53             push ebx
: 005764C7 B8705E5700     mov eax, 00575E70
: 005764CC E8CF0EE9FF     call 004073A0
: 005764D1 8B1D84A85700   mov ebx, dword ptr [0057A884]

After repeated tracing it is confirmed that at this point the program is completely unpacked: CS:5764C0 is the program's original entry point (OEP).
Because my TRW2000 is not registered, I dump it manually:
E CS:EIP EB FE 90
G
EB FE is a two-byte jump to itself, so the process now spins at the OEP and can be dumped in its unpacked state.
Then dump the process with ProcDump. The dumped file should be 2135 KB.
(With ProcDump's "rebuild new import table" option selected, the dumped file
is 2138 KB, the same size as the result of the script unpacking.)

The section table of the dump is:
Name     VirtualSize  VirtualOffset  RawSize   RawOffset
CODE     00176000     00001000       001755B8  00000600
DATA     00004000     00177000       00003B30  00175C00
BSS      00002000     0017B000       00000000  0017B000
.idata   00004000     0017D000       00000B04  00179800
.tls     00001000     00181000       00000000  00181000
.rdata   00001000     00182000       00000010  0017A400
.reloc   00019000     00183000       00000000  0017A600
.rsrc    00086000     0019C000       00085BD0  0017A600
.data    00016000     00222000       000158AC  00200200
.data    00001000     00238000       00000000  00215C00

In the dumped file, change the EB FE 90 written before dumping back to 55 8B EC, and set the Entry Point to 1764C0 (the RVA of 005764C0).
But the file still does not run.
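The two fixes above can be done in UltraEdit by hand, but the file offset of the OEP has to be computed from the section table first. The following Python script is an added example, not part of the original article or of any tool mentioned in it: it maps the OEP RVA to a file offset using the section table listed above, restores the three OEP bytes, rewrites AddressOfEntryPoint, and checks the expected dump size. The dump it operates on is a constructed stand-in (a zero-filled buffer with only an MZ/PE skeleton and the EB FE 90 bytes in place; the e_lfanew value 0x100 is assumed), since the real ProcDump output is not available offline.

```python
import struct

# Section table of the dumped AATools.exe exactly as the article lists it:
# (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)
SECTIONS = [
    ("CODE",   0x176000, 0x001000, 0x1755B8, 0x000600),
    ("DATA",   0x004000, 0x177000, 0x003B30, 0x175C00),
    ("BSS",    0x002000, 0x17B000, 0x000000, 0x17B000),
    (".idata", 0x004000, 0x17D000, 0x000B04, 0x179800),
    (".tls",   0x001000, 0x181000, 0x000000, 0x181000),
    (".rdata", 0x001000, 0x182000, 0x000010, 0x17A400),
    (".reloc", 0x019000, 0x183000, 0x000000, 0x17A600),
    (".rsrc",  0x086000, 0x19C000, 0x085BD0, 0x17A600),
    (".data",  0x016000, 0x222000, 0x0158AC, 0x200200),
    (".data",  0x001000, 0x238000, 0x000000, 0x215C00),
]

IMAGE_BASE = 0x00400000
OEP_VA = 0x005764C0                  # CS:5764C0 found with TRW2000
LOOP_STUB = b"\xEB\xFE\x90"          # jmp $ ; nop, written with E CS:EIP before dumping
OEP_BYTES = b"\x55\x8B\xEC"          # push ebp ; mov ebp,esp, the real first instructions


def rva_to_file_offset(rva):
    """Map an RVA to a file offset using the dump's section table."""
    for name, vsize, vaddr, rsize, roff in SECTIONS:
        if vaddr <= rva < vaddr + vsize:
            delta = rva - vaddr
            if delta >= rsize:
                raise ValueError("RVA %#x lies in the zero-filled tail of %s" % (rva, name))
            return roff + delta
    raise ValueError("RVA %#x is not inside any section" % rva)


def dump_size_kb():
    """Expected dump size in KB: the end of the last section's raw data."""
    end = max(roff + rsize for _, _, _, rsize, roff in SECTIONS)
    return end // 1024


def read_entry_point(image):
    """AddressOfEntryPoint: 0x10 bytes into the optional header, which starts
    0x18 bytes after the PE signature (4-byte signature + 20-byte file header)."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    return struct.unpack_from("<I", image, e_lfanew + 0x18 + 0x10)[0]


def fix_dump(image):
    """Restore the OEP bytes and point AddressOfEntryPoint at the OEP.
    Returns the OEP RVA that was written into the header."""
    oep_rva = OEP_VA - IMAGE_BASE
    off = rva_to_file_offset(oep_rva)
    if bytes(image[off:off + 3]) != LOOP_STUB:
        raise ValueError("expected EB FE 90 at file offset %#x" % off)
    image[off:off + 3] = OEP_BYTES
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if bytes(image[e_lfanew:e_lfanew + 4]) != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    struct.pack_into("<I", image, e_lfanew + 0x18 + 0x10, oep_rva)
    return oep_rva


def make_stand_in_dump():
    """Constructed stand-in for the ProcDump output (not a real PE): a buffer
    of the dump's size with only the fields this fix touches populated and the
    EB FE 90 loop sitting at the OEP. e_lfanew = 0x100 is an assumption."""
    image = bytearray(dump_size_kb() * 1024)
    image[0:2] = b"MZ"
    struct.pack_into("<I", image, 0x3C, 0x100)
    image[0x100:0x104] = b"PE\0\0"
    struct.pack_into("<I", image, 0x100 + 0x18 + 0x10, 0x222001)   # packer's entry point
    off = rva_to_file_offset(OEP_VA - IMAGE_BASE)
    image[off:off + 3] = LOOP_STUB
    return image


if __name__ == "__main__":
    dump = make_stand_in_dump()
    oep_rva = OEP_VA - IMAGE_BASE
    print("dump size: %d KB" % dump_size_kb())
    print("OEP RVA %#x is at file offset %#x" % (oep_rva, rva_to_file_offset(oep_rva)))
    fix_dump(dump)
    print("AddressOfEntryPoint is now %#x" % read_entry_point(dump))
```

With this section table the OEP RVA 1764C0 falls in CODE at file offset 175AC0, and the raw data ends at 215C00, which is exactly 2135 KB, matching the size ProcDump produces. The zero-filled-tail check matters on a dump like this one: several sections (BSS, .tls, .reloc, the second .data) have no raw data at all, so an RVA inside them has no file offset to patch.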

Tracing into the call at 005764CC with TRW2000, 004073A0 is:
: 004073A0 50             push eax
: 004073A1 6A00           push 00000000
: 004073A3 E8F8FEFFFF     call 004072A0
: 004073A8 BA00715700     mov edx, 00577100
: 004073AD 52             push edx
: 004073AE 8905DCB45700   mov dword ptr [0057B4DC], eax
: 004073B4 894204         mov dword ptr [edx+04], eax
: 004073B7 C7420800000000 mov dword ptr [edx+08], 00000000
: 004073BE C7420C00000000 mov dword ptr [edx+0C], 00000000
: 004073C5 E88AFFFFFF     call 00407354
: 004073CA 5A             pop edx
: 004073CB 58             pop eax
: 004073CC E827C8FFFF     call 00403BF8
: 004073D1 C3             ret

Nearby, the table of import pointers at 0057D1C0 contains:
: 0057D1C0 00 00 00 00 00 00 00 00 00 00 8C 54 3B 01
: 0057D1D0 98 54 3B 01 A4 54 3B 01 B0 54 3B 01 BC 54 3B 01

The call 004072A0 made from 004073A3 is a jump through one of these pointers:
: 004072A0 FF25E4D25700   jmp dword ptr [0057D2E4]

The data at CS:0057D2E4 is:
: 0057D2E0 14 57 3B 01 20 57 3B 01

So the pointer holds 013B5720, which lies outside the loaded image (00400000 to 00639000). The code at CS:013B5720 is:
: 013B5720 E9C91FBBBE     jmp KERNEL32!GetModuleHandleA
: 013B5725 1000

: 013B572C E99E1FBBBE     jmp KERNEL32!GetModuleFileNameA
: 013B5731 1000

Continuing the trace, a particular piece of code turns up:
: 004013D0 FF258CD25700   jmp dword ptr [0057D28C]

The data at CS:0057D28C is:
: 0057D28C C4 56 3B 01
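The import pointers in the dump therefore do not point at KERNEL32 but at 5-byte jump stubs in memory outside the image, which is gone once the file is dumped. The following Python script is an added example, not part of the original article: it follows one such thunk from `jmp dword ptr [slot]` through the slot to the stub, decodes the stub's `E9 rel32` and produces the real API address that belongs in the slot. Its memory snapshot is constructed from the bytes the article shows in TRW2000 and nothing else, so it also shows what happens at 0057D28C, where the stub bytes were not captured. The name map is an assumption: its addresses are simply what the two stubs above decode to, labelled with the export names TRW2000 printed; on a real job that map would come from walking KERNEL32's export table on the target machine.

```python
import struct

IMAGE_BASE = 0x00400000
SIZE_OF_IMAGE = 0x239000              # from the PE header shown by ProcDump
IMAGE_END = IMAGE_BASE + SIZE_OF_IMAGE

# Constructed sparse snapshot of process memory: only bytes the article shows
# in TRW2000 are present; reading anything else raises KeyError.
MEMORY = {}


def poke(addr, data):
    for i, b in enumerate(data):
        MEMORY[addr + i] = b


def peek(addr, n):
    return bytes(MEMORY[addr + i] for i in range(n))


# Thunks inside the unpacked program (jmp dword ptr [slot]).
poke(0x004072A0, bytes.fromhex("FF25E4D25700"))          # jmp [0057D2E4]
poke(0x004013D0, bytes.fromhex("FF258CD25700"))          # jmp [0057D28C]
# Import pointer slots as dumped from 0057D2E0 and 0057D28C.
poke(0x0057D2E0, bytes.fromhex("14573B01" "20573B01"))
poke(0x0057D28C, bytes.fromhex("C4563B01"))
# The packer's stubs the slots point to (5-byte E9 jumps).
poke(0x013B5720, bytes.fromhex("E9C91FBBBE"))            # jmp KERNEL32!GetModuleHandleA
poke(0x013B572C, bytes.fromhex("E99E1FBBBE"))            # jmp KERNEL32!GetModuleFileNameA
# Nothing is captured at 013B56C4, where the article's trace stops.

# Assumed name map (see lead-in): targets decoded from the two stubs above,
# labelled as TRW2000 labels them.
KNOWN_EXPORTS = {
    0xBFF676EE: "KERNEL32!GetModuleHandleA",
    0xBFF676CF: "KERNEL32!GetModuleFileNameA",
}


def points_outside_image(va):
    """True when a slot value cannot survive a dump of the image alone."""
    return not (IMAGE_BASE <= va < IMAGE_END)


def follow_jmp(addr):
    """Destination of a 5-byte E9 rel32 jump at addr (mod 2**32), or None if
    the bytes are not captured or are not a direct jump."""
    try:
        code = peek(addr, 5)
    except KeyError:
        return None
    if code[0] != 0xE9:
        return None
    rel = struct.unpack("<i", code[1:5])[0]
    return (addr + 5 + rel) & 0xFFFFFFFF


def resolve_thunk(thunk_va):
    """Follow jmp dword ptr [slot] -> slot -> stub -> real API.
    Returns (slot, slot_value, real_target_or_None, name_or_None)."""
    code = peek(thunk_va, 6)
    if code[:2] != b"\xFF\x25":
        raise ValueError("no jmp dword ptr [...] at %#x" % thunk_va)
    slot = struct.unpack("<I", code[2:6])[0]
    value = struct.unpack("<I", peek(slot, 4))[0]
    if value in KNOWN_EXPORTS:                  # already points at the API itself
        return slot, value, value, KNOWN_EXPORTS[value]
    target = follow_jmp(value)
    return slot, value, target, KNOWN_EXPORTS.get(target)


def repair_slot(thunk_va):
    """Value to write back into the import slot so the dump no longer depends
    on the packer's stub; None when the stub could not be resolved."""
    return resolve_thunk(thunk_va)[2]


if __name__ == "__main__":
    for thunk in (0x004072A0, 0x004013D0):
        slot, value, target, name = resolve_thunk(thunk)
        where = "outside image" if points_outside_image(value) else "inside image"
        shown = "%08X" % target if target is not None else "stub not captured"
        print("%08X: jmp [%08X] -> %08X (%s) -> %s %s" % (thunk, slot, value, where, shown, name))
```

For the first thunk the script follows 004072A0 to slot 0057D2E4, reads 013B5720, decodes the E9 there and lands on BFF676EE, the address TRW2000 labels GetModuleHandleA; that is the value the slot needs before the dump can run without the packer. For 004013D0 it reaches 013B56C4 and stops, because the article's trace ends before those bytes are shown, and the resolver reports that rather than guessing.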
