Getting started with shelling

Preface
I have been learning Crack for almost two months. During this period, I learned much more than I had learned in any past year (especially about computer programs and systems)

It was also the last month that I learned to shell out. I started to ask about the method of learning to shell out. Most of the answers were to read the book of snow boss, and no one answered it positively. as a result, I tried to find out my own ideas. I guess the old guys take it for granted. It is more appropriate for us to say nothing about our side dishes.
Here I will make an axe to the door. In fact, it is mainly to help some friends get to the door faster and not just show pictures and tigers. These are also the answers to the questions I originally asked, these are basic things. If not, please correct them.

I would like to thank Mr. Xue for providing such a good forum for your study and exchange. I also wrote a good book to guide cainiao like me, I would also like to thank many experts on the Internet for making their own shell notes. I would like to express my special thanks to the heXer boss for his careful guidance on this cainiao!

By the way, shelling requires special interest and patience. If you don't have patience, you will ......;)

After a bunch of nonsense, let's go to the topic below :)
In combination with the new KG of the doll Wom, it is generally a simple analysis method for a shell.

1. Find OEP
The general process of shelling is: Shell check-> Search for OEP-> Dump-> repair
There is nothing to say about shell check. FI and PEiD, unfortunately neither FI nor PEiD can recognize this shell :)

The general idea of searching for OEP is as follows:
Let's first look at whether the shell is an encrypted shell or a compressed shell. It is easier to compress the shell. Generally, there is no exception. After finding the corresponding popad, you can go to the portal. The way to jump to the portal is generally
1. jmp OEP
2. push OEP
Ret
3. call OEP
Of course there are others, such as je OEP, which are usually large jumps between segments. The OD Disassembly window contains the content of the same segment, so it is better to determine whether it is a jump between segments.
"Here I will talk about the common methods of F8 (Step Over) and F7 (Step in). Generally, f8. however, some calls are deformed Jmp, in this case, the F7 generation is required. A simple method to differentiate whether Jmp is deformed is to compare the target address of the call with the current address. If the two are very close, Jmp is changed, use F7 』
For the encrypted shell, my method is generally to load with OD, hook all exceptions (do not ignore any exceptions, sometimes due to excessive exceptions, You can properly ignore some exceptions), run, counting how many Shift + F9 programs are used, obviously, after the last exception, the program will jump from the shell to the OEP and start to execute. This is a key to finding OEP, for this shell, we can see that it is an encrypted shell. Shift + F9 runs after 16 times and comes back. Shift + F1 will arrive here after 15 times.
0042CBD3 ^ 73 DC jnb short kill_luj.0042CBB1
0042CBD5 CD 20 int 20
0042CBD7 64: 67: 8F06 0000 pop dword ptr fs: [0] <--- here
The general solution is to find a pop fs: a breakpoint at [0] or a breakpoint at [esp + 4]. It will be better if you learn how to process SEH.
0012FF58 0012FFE0 Pointer to next SEH record
0012FF5C 0042CBB7 SE handler <--- the Anti-Debug code is generally included here.
0012FF60 0042CB8A RETURN to kill_luj.0042CB8A from kill_luj.0042CB90
My first choice is to use F7 patiently after being disconnected at 0042CBD7, because there are too many calls due to deformation ..., the key is to jump back and find a proper position to jump out of the loop. If you are patient, you can go to OEP like this ;)
Of course, you can also use another good thing, Trace. In the Command, a tc eip <42b000 (42b000 is the starting position of the current segment, and the scroll bar can be dragged to the top of it, generally, the base address of the program compilation is 400000). OK. Wait a moment and we will stop here. (if it is ASPr, it may take several minutes)
00419F68 55 push ebp <---- stop here
00419F69 8BEC mov ebp, esp
00419F6B 83C4 F0 add esp,-10
Haha, OEP found it ;)
Of course, you can find the OEP using PEiD, and compare it. Is it the same? D. For OEP found using PEiD, you can directly G to OEP.

Now we can Dump it. Use LordPE to Dump it. Because there is Anti-Dump, we need to first Correct Imagesize and then Dump it.

Ii. IAT repair
Since the encryption shell is relocated to the input table, the current file cannot be used normally. Our goal is to restore it. First Use ImportREC and fill in the correct OEP, IAT AutoSearch, Get Import, invalid values: Show Invalid, right-click Trace Level1 (Disasm), and fail !! It seems that only you have recovered. Write down the IAT address 0001C128
Well, run it again. Go to Expression in the OD Dump window, to 0041C128, staring at it silently counting how many times Shift + F9 was pressed, and after 13th times it was found that 0041C128 had changed, in addition, just like at the end of the OEP, it can be seen that the IAT is also damaged by the Shell fix, so we will try again, Shift + F9 12 times later, skip the exception according to the method described above, here we can choose to use Memory breakpoint or Hardware breakpoint at 0041C128, such as Memory, On Write, On Access, Hardware, On Access, etc. I use Memory On Write, after decoding IAT several times in the shell (changed several times at 0041C128), we can go here
0042C7C7 60 pushad
0042C7C8 8327 00 and dword ptr ds: [edi], 0 <---- stop here
0042C7CB 8B85 5B314000 mov eax, dword ptr ss: [ebp + 40315B]
0042C7D1 40 inc eax
0042C7D2 0F84 A8000000 je kill_luj.0042C880
0042C7D8 80A5 04294000 FF and byte ptr ss: [ebp + 402904], 0FF
0042C7DF 0F84 9B000000 je kill_luj.0042C880 <---- this address jump will not be damaged
0042C7E5 80A5 05294000 FF and byte ptr ss: [ebp + 402905], 0FF
0042C7EC 0F84 8E000000 je kill_luj.0042C880
0042C7F2 8B85 5F314000 mov eax, dword ptr ss: [ebp + 40315F]
0042C7F8 8907 mov dword ptr ds: [edi], eax <----- see here, it is damaged ;)
Let's take a look at the eax value,
Eax 77F525CA ntdll. DeleteCriticalSection
Pretty good: D, IAT redirection has been found. Where can I fix IAT properly ?? After several more times, you will find that
0042C880 61 popad <--- the je in front jumps to this
0042C881 3107 xor dword ptr ds: [edi], eax <--- OK, this is the case.
0042C883 58 pop eax
Therefore, if je is changed to jmp, IAT will not be damaged, and you can use ImportREC to fix it at OEP.
What I am talking about here seems very easy. In fact, these things need to be followed up. Below are some key points I have found:

Decoding IAT 0042c3ef for the first time
Decodes Dll Name 0042c4ea-> decodes the correct Dll Name
Clear dll Name 0042c645-> Clear Dll Name
0042c6ac-> decode the correct First Thunk
0042c66d-> decode the correct First Thunk
Finally, the IAT 0042c693-> decoded the correct RVA pointing to the function name.
ReDirect 0042c7c8-> Import redirection, where 0 is required
0042c7f8-> Import redirection, which points to the shell
Normal 0042c881->