Krypton 0.5 main program unpacking

Source: Internet
Author: User

[Software overview]: This protector's anti-debugging is mediocre; it uses multiple threads (possibly the first packer to do so?). Its code processing is acceptable, but not strong. http://www.lockless.com. Note: it has not been updated for a long time and its stability and compatibility are poor, so it is not recommended for commercial software.
 
[Author's statement]: I am a cracking beginner doing this purely out of interest, with no other purpose. Please point out any mistakes!
 
[Debugging environment]: WinXP, OllyDbg 1.09, PEiD, LordPE, ImportREC v1.6
 
I am writing this article to record my own progress. Such a complicated and tedious task lets you thoroughly understand the world of protectors by debugging the software. At the same time, I admire the experts who write patch code; it is much easier than writing and debugging scripts. But I have no patience, so I have to train it. <If you have a better way to train patience, please PM me, thanks!>
 
This article mainly covers unpacking with every option checked except K-Protect on API. <My English is poor, so the option names may be translated inaccurately, O(∩_∩)O haha~> K-Protect on API is weak: it mainly uses the Flags value 0xff to decide whether to encrypt the IAT. You only need to find the jump that is taken when breaking on the IAT, and patch the redirection code.
 
How to quickly reach OEP:
 
Set an F2 breakpoint on VirtualAlloc; after it has broken three times, set an F2 breakpoint on the code segment and you reach the OEP directly <when the software is protected with only K-Protect on API>. If K-Execution is selected, the breakpoint instead lands inside that option's processing code.
 
K-Execution has five code-emulation processing methods in total <in fact only four; but by comparing with a program compiled from asm, the main program also rewrites FF25-type API calls into FF15, so the patch code handles that too>. Because only FF15 code is processed, it is incompatible with programs from other compilers; asm programs are supported by default. <Programs from other compilers can be packed successfully as long as the K-Execution option is not checked.>
 
First emulation method: flags 0x5, emulates: API
Second emulation method: flags 0x0, emulates: push [Addr]
Third emulation method: flags 0x1, emulates: a piece of code, up to 0xff bytes
Fourth emulation method: flags 0x2, emulates: mov [Addr], 0x?
Fifth emulation method: flags 0x3, emulates: cmp [Addr], 0x?
 
To restore the code, you must find the <offset value> and <code address type> of the Addr-processing code, and then patch by re-running the original program's decoding routine. The workload is fairly heavy; I studied it for several days. It seems that existing write-ups only explain the API processing; for the main program only fly has posted one, and there it ran simply by dumping at the OEP. <fly, come down and explain (*^__^*)>
 
OD loading:
 
Code:
004A4000> 54 push esp
004A4001 E8 00000000 call Krypton.004A4006
004A4006 5D pop ebp
004A4007 8BC5 mov eax, ebp
004A4009 81ED 71444000 sub ebp, Krypton.00404471
004A400F 2B85 64604000 sub eax, dword ptr ss:[ebp+0x406064]
 
// We mainly need to find the code type and emulation method used for the FF15-type fill-in, such as [0xBF0000], and the Addr of the jump to OEP, which is the best patch point; you can also patch at the OEP. The Addr-processing code is destroyed by the shell itself.
 
After VirtualAlloc has broken three times, the code has been decrypted. Now set a memory-access breakpoint on the code segment and it breaks directly inside the K-Execution processing. <Comments are included in the listing.>
 
Code:
004FEFFD 66:8138 FF15 cmp word ptr ds:[eax], 0x15FF ; is this an FF15? if not, skip it
004FF026 0F85 C7000000 jnz 004FF0F3 ; not found: Addr+1, Size-1
004FF054 8378 02 05 cmp dword ptr ds:[eax+0x2], 0x5 ; is [FF15+0x2] the Flags value 5 written by the shell? <remember this too>
004FF07D 75 74 jnz short 004FF0F3 ; not 5: skip
004FF0C9 8970 02 mov dword ptr ds:[eax+0x2], esi ; fill in ESI <what we want to record>
004FF11B 40 inc eax ; Addr+1
004FF13F 49 dec ecx ; Size-1
004FF161 85C9 test ecx, ecx ; is SIZE zero?
004FF18A 0F85 4EFEFFFF jnz 004FEFDE ; if not, keep filling
 
The main program handles five 0x15FF types in total; for other asm packed programs the API calls are not transformed. After each type is filled in, cmp [Addr], 0xff decides whether the encryption option was checked and the code needs processing. <The same is true of the IAT: there is a Magic Jump, but the shell has already redirected the API addresses, so patch code is needed to restore them.>
 
The patch code is not optimized and there was no time to do so; analysing the main program already produced too many notes.
 
The patch code is as follows:
 
Code:
00B60000 60 pushad
00B60001 9C pushfd
00B60002 BE 00104000 mov esi, 0x401000 ; code segment Addr
00B60007 BF 00404000 mov edi, 0x404000 ; code segment Size
00B6000C 66:813E FF15 cmp word ptr ds:[esi], 0x15FF
00B60011 0F85 5B020000 jnz 00B60272
00B60017 807E 02 76 cmp byte ptr ds:[esi+0x2], 0x76 ; type 0
00B6001B 74 48 je short 00B60065
00B6001D 807E 04 BF cmp byte ptr ds:[esi+0x4], 0xBF ; type 1
00B60021 0F84 B2000000 je 00B600D9
00B60027 807E 04 ED cmp byte ptr ds:[esi+0x4], 0xED ; type 2
00B6002B 0F84 69010000 je 00B6019A
00B60031 807E 04 F5 cmp byte ptr ds:[esi+0x4], 0xF5 ; type 3
00B60035 0F84 97010000 je 00B601D2
00B6003B 807E 02 7A cmp byte ptr ds:[esi+0x2], 0x7A ; type 5
00B6003F 0F84 CB010000 je 00B60210
00B60045 E9 28020000 jmp 00B60272
00B6004A 90 nop
00B6004B 90 nop
00B6004C 90 nop
00B6004D 90 nop
00B6004E 90 nop
00B6004F 90 nop
00B60050 90 nop
00B60051 90 nop
00B60052 90 nop
00B60053 90 nop
00B60054 90 nop
00B60055 90 nop
00B60056 90 nop
00B60057 90 nop
00B60058 90 nop
00B60059 90 nop
00B6005A 90 nop
00B6005B 90 nop
00B6005C 90 nop
00B6005D 90 nop
00B6005E 90 nop
00B6005F 90 nop
00B60060 90 nop
00B60061 90 nop
00B60062 90 nop
00B60063 90 nop
00B60064 90 nop
00B60065 BD B5860E00 mov ebp, 0xE86B5 ; offset for code-segment processing
00B6006A 90 nop
00B6006B 90 nop
00B6006C 90 nop
00B6006D 90 nop
00B6006E 90 nop
00B6006F 90 nop
00B60070 90 nop
00B60071 90 nop
00B60072 90 nop
00B60073 90 nop
00B60074 90 nop
00B60075 90 nop
00B60076 90 nop
00B60077 90 nop
00B60078 90 nop
00B60079 90 nop
00B6007A 90 nop
00B6007B 90 nop
00B6007C 90 nop
00B6007D 90 nop
00B6007E 90 nop
00B6007F 90 nop
00B60080 90 nop
00B60081 90 nop
00B60082 90 nop
00B60083 90 nop
00B60084 90 nop
00B60085 90 nop
00B60086 90 nop
00B60087 90 nop
00B60088 90 nop
00B60089 90 nop
00B6008A 90 nop
00B6008B 90 nop
00B6008C 90 nop
00B6008D 90 nop
00B6008E 90 nop
00B6008F 90 nop
00B60090 90 nop
00B60091 90 nop
00B60092 90 nop
00B60093 90 nop
00B60094 90 nop
00B60095 90 nop
00B60096 90 nop
00B60097 90 nop
00B60098 90 nop
00B60099 90 nop
00B6009A 90 nop
00B6009B 90 nop
00B6009C 90 nop
00B6009D 90 nop
00B6009E 90 nop
00B6009F 8D85 09C54100 lea eax, dword ptr ss: [ebp + 0x41C509]
00B600A5 BB C0C44100 mov ebx, 0x41C4C0
00B600AA 03DD add ebx, ebp
00B600AC 8B10 mov edx, dword ptr ds: [eax]
00B600AE 3313 xor edx, dword ptr ds: [ebx]
00B600B0 2BD6 sub edx, esi
00B600B2 85D2 test edx, edx
00B600B4 75 16 jnz short 00B600CC
00B600B6 8B50 04 mov edx, dword ptr ds: [eax + 0x4]
00B600B9 3313 xor edx, dword ptr ds: [ebx]
00B600BB 8916 mov dword ptr ds: [esi], edx
00B600BD 66: 8B50 08 mov dx, word ptr ds: [eax + 0x8]
00B600C1 3313 xor edx, dword ptr ds: [ebx]
00B600C3 66: 8956 04 mov word ptr ds: [esi + 0x4], dx
00B600C7 E9 40FFFFFF jmp 00B6000C
00B600CC 83C0 0A add eax, 0xA
00B600CF EB DB jmp short 00B600AC
00B600D1 E9 9C010000 jmp 00B60272
00B600D6 90 nop
00B600D7 90 nop
00B600D8 90 nop
00B600D9 56 push esi
00B600DA 57 push edi
00B600DB 56 push esi
00B600DC BD D9947D00 mov ebp, 0x7D94D9 ; offset for code-segment processing
00B600E1 8B4E 02 mov ecx, dword ptr ds:[esi+0x2]
00B600E4 81E9 0000BF00 sub ecx, 0xBF0000
00B600EA 03E9 add ebp, ecx
00B600EC 56 push esi
00B600ED 8B46 F7 mov eax, dword ptr ds: [esi-0x9]
00B600F0 A3 00054500 mov dword ptr ds: [0x450500], eax
00B600F5 8B46 FC mov eax, dword ptr ds: [esi-0x4]
00B600F8 A3 08054500 mov dword ptr ds: [0x450508], eax
00B600FD 90 nop
00B600FE 90 nop
00B600FF 90 nop
00B60100 90 nop
00B60101 8BB5 1F6E4100 mov esi, dword ptr ss: [ebp + 0x416E1F]
00B60107 36:3135 08054500 xor dword ptr ss:[0x450508], esi
00B6010E 66:36:3135 00054500 xor word ptr ss:[0x450500], si
00B60116 36:8B0D 00054500 mov ecx, dword ptr ss:[0x450500]
00B6011D 36:8B1D 08054500 mov ebx, dword ptr ss:[0x450508]
00B60124 8DBD 48724100 lea edi, dword ptr ss: [ebp + 0x417248]
00B6012A 58 pop eax
00B6012B 83C0 06 add eax, 0x6
00B6012E 8BF0 mov esi, eax
00B60130 F3:A4 rep movs byte ptr es:[edi], byte ptr ds:[esi]
00B60132 8BCF mov ecx, edi
00B60134 36:8B1D 00054500 mov ebx, dword ptr ss:[0x450500]
00B6013B 81E3 0000FFFF and ebx, 0xFFFF0000
00B60141 36:8B0D 08054500 mov ecx, dword ptr ss:[0x450508]
00B60148 8BF0 mov esi, eax
00B6014A 4E dec esi
00B6014B 46 inc esi
00B6014C C606 90 mov byte ptr ds: [esi], 0x90
00B6014F E0 FA loopdne short 00B6014B
00B60151 36:8B1D 00054500 mov ebx, dword ptr ss:[0x450500]
00B60158 36:8B0D 08054500 mov ecx, dword ptr ss:[0x450508]
00B6015F 8DBD 48724100 lea edi, dword ptr ss: [ebp + 0x417248]
00B60165 57 push edi
00B60166 51 push ecx
00B60167 33C0 xor eax, eax
00B60169 66: 8BC3 mov ax, bx
00B6016C F6D9 neg cl
00B6016E 000F add byte ptr ds: [edi], cl
00B60170 300F xor byte ptr ds: [edi], cl
00B60172 D207 rol byte ptr ds: [edi], cl
00B60174 F6D9 neg cl
00B60176 2807 sub byte ptr ds: [edi], al
00B60178 0027 add byte ptr ds: [edi], ah
00B6017A 3007 xor byte ptr ds: [edi], al
00B6017C D207 rol byte ptr ds: [edi], cl
00B6017E 3027 xor byte ptr ds: [edi], ah
00B60180 47 inc edi
00B60181 E0 E9 loopdne short 00B6016C
00B60183 59 pop ecx
00B60184 5E pop esi
00B60185 5F pop edi
00B60186 83E9 06 sub ecx, 0x6
00B60189 F3:A4 rep movs byte ptr es:[edi], byte ptr ds:[esi]
00B6018B 5F pop edi
00B6018C 5E pop esi
00B6018D 3BF7 cmp esi, edi
00B6018F 0F82 77FEFFFF jb 00B6000C
00B60195 E9 D8000000 jmp 00B60272
00B6019A BD 7348AB00 mov ebp, 0xAB4873 ; offset for code-segment processing
00B6019F 8B4E 02 mov ecx, dword ptr ds:[esi+0x2]
00B601A2 81E9 0000ED00 sub ecx, 0xED0000
00B601A8 03E9 add ebp, ecx
00B601AA 8D85 CDB74100 lea eax, dword ptr ss: [ebp + 0x41B7CD]
00B601B0 8B18 mov ebx, dword ptr ds: [eax]
00B601B2 8B40 04 mov eax, dword ptr ds: [eax + 0x4]
00B601B5 33D8 xor ebx, eax
00B601B7 03C3 add eax, ebx
00B601B9 C746 FE C7050000 mov dword ptr ds:[esi-0x2], 0x5C7
00B601C0 891E mov dword ptr ds: [esi], ebx
00B601C2 8946 04 mov dword ptr ds: [esi + 0x4], eax
00B601C5 3BF7 cmp esi, edi
00B601C7 0F82 3FFEFFFF jb 00B6000C
00B601CD E9 A0000000 jmp 00B60272
00B601D2 56 push esi
00B601D3 BD 2748B300 mov ebp, 0xB34827 ; offset for code-segment processing
00B601D8 8B4E 02 mov ecx, dword ptr ds:[esi+0x2]
00B601DB 81E9 0000F500 sub ecx, 0xF50000
00B601E1 03E9 add ebp, ecx
00B601E3 8D85 F7B74100 lea eax, dword ptr ss: [ebp + 0x41B7F7]
00B601E9 8B18 mov ebx, dword ptr ds: [eax]
00B601EB 8B40 04 mov eax, dword ptr ds: [eax + 0x4]
00B601EE 33D8 xor ebx, eax
00B601F0 03C3 add eax, ebx
00B601F2 25 0000FFFF and eax, 0xFFFF0000
00B601F7 C1E8 18 shr eax, 0x18
00B601FA 5E pop esi
00B601FB 66: C706 833D mov word ptr ds: [esi], 0x3D83
00B60200 895E 02 mov dword ptr ds: [esi + 0x2], ebx
00B60203 8946 08 mov dword ptr ds: [esi + 0x8], eax
00B60206 3BF7 cmp esi, edi
00B60208 ^ 0F82 FEFDFFFF jb 00B6000C
00B6020E EB 62 jmp short 00B60272
00B60210 56 push esi
00B60211 57 push edi
00B60212 BD B5860E00 mov ebp, 0xE86B5 ; offset for code-segment processing
00B60217 8B16 mov edx, dword ptr ds:[esi]
00B60219 56 push esi
00B6021A 8D85 7D614200 lea eax, dword ptr ss:[ebp+0x42617D]
00B60220 BB 4D614200 mov ebx, 0x42614D
00B60225 03DD add ebx, ebp
00B60227 8B10 mov edx, dword ptr ds: [eax]
00B60229 3313 xor edx, dword ptr ds: [ebx]
00B6022B 2BD6 sub edx, esi
00B6022D 85D2 test edx, edx
00B6022F 75 4F jnz short 00B60280
00B60231 8B50 04 mov edx, dword ptr ds: [eax + 0x4]
00B60234 3313 xor edx, dword ptr ds: [ebx]
00B60236 84D2 test dl, dl
00B60238 75 32 jnz short 00B6026C
00B6023A BF 01000000 mov edi, 0x1
00B6023F C1EA 10 shr edx, 0x10
00B60242 8BCA mov ecx, edx
00B60244 66: 8B50 08 mov dx, word ptr ds: [eax + 0x8]
00B60248 3313 xor edx, dword ptr ds: [ebx]
00B6024A 81E2 FFFF0000 and edx, 0xFFFF
00B60250 C1E2 10 shl edx, 0x10
00B60253 09CA or edx, ecx
00B60255 59 pop ecx
00B60256 66: C701 FF25 mov word ptr ds: [ecx], 0x25FF
00B6025B 90 nop
00B6025C 90 nop
00B6025D 8951 02 mov dword ptr ds: [ecx + 0x2], edx
00B60260 5F pop edi
00B60261 5E pop esi
00B60262 3BF7 cmp esi, edi
00B60264 ^ 0F82 A7FDFFFF jb 00B60011
00B6026A EB 11 jmp short 00B6027D
00B6026C 33FF xor edi, edi
00B6026E 90 nop
00B6026F 90 nop
00B60270 EB CD jmp short 00B6023F
00B60272 83C6 01 add esi, 0x1
00B60275 3BF7 cmp esi, edi
00B60277 0F82 8FFDFFFF jb 00B6000C
00B6027D 9D popfd
00B6027E 61 popad
00B6027F C3 retn
00B60280 83C0 0A add eax, 0xA
00B60283 EB A2 jmp short 00B60227
 
After the patch code has run, dump at the OEP and repair the import table with ImportREC. <The import table can also be rebuilt without ImportREC; see the analysis for details.>
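The following is an added example, not code from the original post: a Python re-implementation of two of the restorations the patch code above performs, run over a constructed code section. It shows how the five stub types listed earlier are told apart by the patch's dispatch chain, and how the push [Addr] (flags 0) and mov [Addr], imm (flags 2) entries are decoded. The tag bytes, the table arithmetic and the 2-byte offset of the restored mov are taken from the listing; the XOR key, the table contents and the sample section are constructed and stand in for values that are not on the page.

```python
import struct

# Constructed values: KEY stands in for the dword the patch reads from
# [ebp+0x41C4C0]; the real Krypton key and table contents are not on the page.
KEY = 0x1234ABCD
CODE_BASE = 0x401000      # "mov esi, 0x401000 ; code segment Addr" in the listing
MOV_TAG_BASE = 0xED0000   # "sub ecx, 0xED0000": operand minus this is the table offset
PUSH_TAG = 0x76           # "cmp byte ptr [esi+0x2], 0x76" -> push [Addr] type (flags 0)
API_TAG = 0x7A            # "cmp byte ptr [esi+0x2], 0x7A" -> API type (flags 5)
TAG_AT_4 = {              # "cmp byte ptr [esi+0x4], 0xBF / 0xED / 0xF5"
    0xBF: "code-sim (flags 1)",
    0xED: "mov [Addr],imm (flags 2)",
    0xF5: "cmp [Addr],imm (flags 3)",
}


def classify(code, base):
    """Walk the section one byte at a time (the patch does `add esi, 1`) and list
    every FF15 stub with the type the patch's dispatch chain assigns to it."""
    sites = []
    for i in range(len(code) - 5):
        if code[i] != 0xFF or code[i + 1] != 0x15:
            continue
        operand = struct.unpack_from("<I", code, i + 2)[0]
        if code[i + 2] == PUSH_TAG:
            kind = "push [Addr] (flags 0)"
        elif code[i + 4] in TAG_AT_4:
            kind = TAG_AT_4[code[i + 4]]
        elif code[i + 2] == API_TAG:
            kind = "API (flags 5)"
        else:
            kind = "plain call [Addr]"
        sites.append((base + i, operand, kind))
    return sites


def restore_push(site, table, key):
    """Type 0: 10-byte entries (site^key, bytes0-3^key, bytes4-5^key). The patch walks
    them (`add eax, 0xA`) until (entry ^ key) - site == 0, then writes 6 bytes back."""
    for off in range(0, len(table) - 9, 10):
        s, d1, d2 = struct.unpack_from("<IIH", table, off)
        if s ^ key == site:
            return struct.pack("<IH", d1 ^ key, (d2 ^ key) & 0xFFFF)
    return None  # the patch loops forever here; we report a missing entry instead


def restore_mov(entry):
    """Type 2: ebx=[entry], eax=[entry+4]; ebx^=eax gives Addr, eax+=ebx gives imm.
    The patch writes C7 05 at esi-2, Addr at esi, imm at esi+4: mov dword ptr [Addr], imm."""
    a, b = struct.unpack("<II", entry)
    addr = a ^ b
    imm = (b + addr) & 0xFFFFFFFF
    return b"\xC7\x05" + struct.pack("<II", addr, imm)


def restore_section(code, base, push_table, mov_table, key):
    """Apply both restorations to a copy of the section; returns (bytes, list of fixes)."""
    out = bytearray(code)
    fixes = []
    for site, operand, kind in classify(code, base):
        i = site - base
        if kind.startswith("push"):
            fixed = restore_push(site, push_table, key)
            if fixed is not None:
                out[i:i + 6] = fixed
                fixes.append((site, kind, fixed.hex()))
        elif kind.startswith("mov"):
            off = operand - MOV_TAG_BASE
            fixed = restore_mov(mov_table[off:off + 8])
            out[i - 2:i + 8] = fixed      # the mov starts 2 bytes before the FF15
            fixes.append((site - 2, kind, fixed.hex()))
    return bytes(out), fixes


def build_sample():
    """Constructed section and tables: a push stub at +0x10 and a mov stub at +0x22."""
    code = bytearray(b"\x90" * 0x40)
    code[0x10:0x16] = bytes.fromhex("FF15 76000000")            # operand low byte 0x76
    code[0x20:0x2A] = bytes.fromhex("CCCC FF15 0000ED00 CCCC")  # 0xED tag, table offset 0
    # push-table entry for site 0x401010; original bytes FF 35 78 56 34 12 = push [0x12345678]
    d1, d2 = struct.unpack("<IH", bytes.fromhex("FF35 78563412"))
    site = CODE_BASE + 0x10
    push_table = struct.pack("<IIH", site ^ KEY, d1 ^ KEY, (d2 ^ KEY) & 0xFFFF)
    # mov-table entry encoding mov dword ptr [0x450500], 1: pick b = imm - Addr, a = Addr ^ b
    addr, imm = 0x450500, 1
    b = (imm - addr) & 0xFFFFFFFF
    mov_table = struct.pack("<II", addr ^ b, b)
    return bytes(code), push_table, mov_table


if __name__ == "__main__":
    code, push_table, mov_table = build_sample()
    for site, operand, kind in classify(code, CODE_BASE):
        print(f"{site:08X} operand={operand:08X} {kind}")
    _, fixes = restore_section(code, CODE_BASE, push_table, mov_table, KEY)
    for start, kind, hexbytes in fixes:
        print(f"restored {kind} at {start:08X}: {hexbytes}")
```

The byte-by-byte walk is deliberately the same as the patch's, so a stray FF 15 inside data or an immediate would be examined too; the tag checks are what keep those from being rewritten, which is why the listing tests the operand bytes before touching anything.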
 
Thanks to:
 
Loveboom, fly, CCDebuger...
 
[ATTACH] Krypton main program (unpacked) [/ATTACH]
