Locate and extract the signature processed by the eXPressor1.71 shelling software IAT FF15

I recently learned how to shell and found a shelling program eXPressor 1.71 to play !!!! Find eXPressor. v1.4.5 first. I think there may be a single list of programs written by the author. Soon I came to oep to see that its features should be written by vc 6.0 code: 0042C9FE 55 push ebp; kernel32.7C8170770042C9FF 8BEC mov ebp, esp0042CA01 6A FF push-0x10042CA03 68 68594500 push eXPresso.004559680042CA08 68 F0164300 push pushed 64: A1 00000000 mov eax, dword ptr fs: [0] 0042CA13 50 push eax0042CA14 64: 8925 0000000> mov dword ptr fs: [0], esp0042CA1B 83EC 58 sub esp, 0x580042CA1E 53 push ebx0042CA1F 56 push esi0042CA20 57 p Ush edi0042CA21 8965 E8 mov dword ptr ss: [ebp-0x18], esp0042CA24 FF15 5C134500 call dword ptr ds: [0x45135C]; kernel32.GetVersion so from this GetStartupInfoA function to find eXPressor 1.71 oep, at the F2 breakpoint under this function, F9 was disconnected and Ctrl + F9 was taken down in a single step: 0049CB37 FF15 18534C00 call dword ptr ds: [0x4C5318]; kernel32.GetStartupInfoA0049CB3D C745 fc fefffff> mov dword ptr ss: [ebp-0x4],-0x20049CB44 BF 94000000 mov edi, 0x94 look up and you can find that this code is a bit vc 7.0- 8.0 features should be eXPressor 1.71 oep code: 0049CB23 6A 60 push 0x600049CB25 68 681_f00 push Pull E8 95120000 call eXPresso.0049DDC40049CB2F 8365 FC 00 and dword ptr ss: [ebp-0x4], 0x00049CB33 8D45 90 lea eax, dword ptr ss: [ebp-0x70] 0049CB36 50 push pull FF15 18534C00 call dword ptr ds: [0x4C5318]; 0xc745 fc fefffff> mov dword ptr ss: [ebp-0x4],-0x20049CB4 4 BF 94000000 mov edi, pushed 57 edi0049CB4A 6A 00 push 0x00049CB4C 8B1D EC514C00 mov ebx, dword ptr ds: [0x4C51EC] 0049CB52 FFD3 call limit 50 push limit FF15 B0514C00 call dword ptr ds: [0x4C51B0]; ntdll. 2017ff15 18534C00 call dword ptr ds: [0x4C5318]; then, in this location, let's take a look at IAT processing and find the iAT start and end addresses 004C4FFC 201710000004c5000 77DC9BBF ADVAPI32.R EgEnumValueA this is the starting position 00442548 74CA096A oledlg. oleuibusya0044254c 00000000004000050 00000000 this should be the end address. Let's take a look at the code for calling FF 15 Functions: 00400000b FF15 A8534C00 call dword ptr ds: [0x4C53A8]; Listen 8BF0 mov esi, eax00401173 85F6 test esi, esi00401175 74 2D je rj57 push edi00401178 53 push ebx00401179 E8 94EE7400 call 00B50012 see call 00B50012? I have processed FF 15 like this. I want to find the basic information, so I Are you looking for features to process IAT and FF 15. first look for IAT processing. I think everyone knows that the shelling software encrypts some function addresses and replaces the original IAT. so as long as you find the code for filling in the encrypted data, you can proceed !!!!!!!!!!!!!!!!!! 004C5000 77DC9BBF ADVAPI32.RegEnumValueA004C5004 77DA7852 ADVAPI32.RegOpenKeyExA004C5008 00B30C00 reload: I wrote a hardware breakpoint under 004C5008 and ran it. code: 00C117B2/EB 01 jmp X00C117B500C117B4 | 8841 42 mov byte ptr ds: [ecx + 0x42], al00C117B7 837D 10 00 cmp dword ptr ss: [ebp + 0x10], 0x000C117BB ^ 75 EE jnz running 8BC6 mov eax, esi00C117BF 5E pop esi00C117C0 5D pop stopping C3 retn canceling hardware writing breakpoint running F2 under 00C117C1 C3 retn Once again, when the hardware is written to 8841, the Code 00C617B2/EB 01 jmp X00C617B500C617B4 | 42 mov byte ptr ds: [ecx + 0x42]. al00C617B7 837D 10 00 cmp dword ptr ss: [ebp + 0x10], 0x000C617BB ^ 75 EE jnz X00C617AB00C617BD 8BC6 mov eax, esi00C617BF 5E pop esi00C617C0 5D pop ebp00C617C1 C3 retnF8: Code: 00C652B0 59 pop ecx; 59 pop ecx00C652B2 85C0 test eax, limit 75 17 jnz limit 652B6 6A 04 push 0x400C652B8 8D85 4 CFDFFFF lea eax, dword ptr ss: [ebp-0x2B4] 00C652BE 50 push eax00C652BF FFB5 CCFDFFFF push dword ptr ss: [ebp-0x234] 00C652C5 E8 CFC4FFFF call 00C61799 careful analysis of this Code can know that the first pop ecx pops into the API address, the second pop ecx is the encrypted data, 00C652B4 75 17 jnz X00C652CD jump implementation writes the number of encrypted data to IAT. 59 59 85 C0 75 17 6A 04 8D 85 4C fd ff 50 FF B5 cc fd ff extract the signature, C3 E8 ?? ?? ?? ?? 00 00. Extract the returned signature after IAT processing !!!! Then I can write a script to handle IAT. Many cool guys implement the PATH code. 1. the next breakpoint is generated in the IAT processing code segment to determine whether the IAT processing is complete. if the processing is OK, it will jump to FF 15 !! 2. my signature locates the first pop ecx and stores the ecx value in the mid. 3. the value of ECX after the second pop ecx execution is encrypted data, so we need to write the data we just saved back 4. to skip to implementation, you need to set eax to 0 to complete IAT processing code: var addr1var addrvar addr2var addr3var addr4var addr5mov addr4, 004C4FFC var midbcbphwcall ///////////////////////////////////// //////////////////////////////////////// //////////////////////////////////////// ////// bpwm 401000,1 estobpmcGMEMI eip, MEMORYBASE cmp $ RESULT, 0je exitmov addr1, $ RESULT Find addr1, # region # cmp $ RESULT, 0je exitmov addr, $ RESULTbphws addr, "x" estofind eip, # C3E8 ???????? 0000 # cmp $ RESULT, 0je exitmov addr2, $ RESULTbp addr2 // This loop is fixed IATloop: estocmp eip, addr2 je IATENDstomov mid, ecxstomov ecx, midmov eax, 0jmp loopIATEND: bc addr2 // After the FF 15 function is processed, exit: ret is called. Next, let's look for the key of the FF 15 function and extract the signature, let's take a look at this code: 004020. B FF15 A8534C00 call dword ptr ds: [0x4C53A8]; 4158bf0 mov esi, eax00401173 85F6 test esi, esi00401175 74 2D je limit 57 push edi00401178 53 push ebx00401179 E8 94EE7400 call 00B50012 shelling program write FF 15 function calls in the form of call 00B50012. reload it. In the number of windows, Cetl + G is sent to 00401179 00401179 20171000000000040117d 0000000000401181 0000000000401185 0000000000401189 20171000000000040119d 201710000004011a1 0000000000401191. Write the hardware at the 0000000000401195 address !!!! F9 running, disconnected code: 00B017B2/EB 01 jmp X00B017B500B017B4 | 8841 42 mov byte ptr ds: [ecx + 0x42], al00B017B7 837D 10 00 cmp dword ptr ss: [ebp + 0x10], 0x000B017BB ^ 75 EE jnz X00B017AB00B017BD 8BC6 mov eax, esi00B017BF 5E pop esi00B017C0 5D pop ebp00B017C1 C3 retn cancel breakpoint, and 00B017C1 F2 breakpoint disappears after running and writes to the next memory on 00401179 will be broken in code: 00B0323D C600 E8 mov byte ptr ds: [eax], 0xE800B03240 8B45 D4 mov eax, dword ptr ss: [ebp-0x2C] 00B03243 40 inc eax00B03244 8945 D0 mov dword ptr ss: [ebp-0x30], %50 push eax00B03248 E8 03000000 call %01eb add ebx, %0b8b 04240FB6 or ecx, dword ptr ds: [ebx + 0xB60F2404] 00B03255 0001 add byte ptr ds: [ecx], al00B03257 04 24 add al, 0x2400B03259 C3 retnF7 the Code comes after a few steps: 00C9325B 58 pop eax; 4158b45 D4 mov eax, dword ptr ss: [ebp-0x2C] -------> 00C9325F 83C0 05 add eax, 0x5 00C93262 8B4D F0 mov ecx, dword ptr ss: [ebp-0x10]; the EBP-10 is stored in the encrypted address ///////////////////////////////// ////// follow the EBP Stack window, the EBP-18> 7C80BD09 memory-18 stores the API address $-1C> 00BF0000 $-18> 7C80BD09 kernel32.SizeofResource $-14> 00000012 $-10> 00BF0012 $-C> 00000000 $ -8> 00b000054 $-4> 00000000 $ ==>> 0012FFC0 ///////////////////////// /// // code: 00C93265 2BC8 sub ecx, eax 00C93267 8B45 D0 mov eax, dword ptr ss: [ebp-0x30] 00C9326A 8908 mov dword ptr ds: [eax], ecx <------------------ 00C9326C EB 01 jmp X00C9326F after analyzing the preceding section, the CALL [xxxxxxxx] becomes the CAll xxxxxxxx00C9326C. After the address is reached, you can go to 00401179 and you will find that the CAll xx no write operation is performed on 00401179 again. therefore, I chose to restore FF 15 in 00C9326C EB 01 jmp X00C9326F. This should be an ideal time. Then I should write the script code: IATEND: bc addr2 // processing FF 15 function tuned dizzy forgot to extract the pattern to 00C9325B extracted/58 8B 45 D4 83 C0 05 8B 4D F0 2B C8 8B 45 D0 89 08 find addr1, # signature # cmp $ RESULT, 0je exitmov addr, $ RESULTbphws addr, "x" // you can set a breakpoint at the OEP. Its function is to determine whether FF15 has been processed and bphws 0049CB23 has been completed, "x" loop1: estocmp eip, 0049CB23je exitstosub eax, 1mov addr3, Region: add addr4, 4cmp [addr4], 0je loop2cmp addr4, 004da-4cje loop1mov addr5, [ebp-18] cmp [addr4], addr5jnz loop2mov [addr3], # FF15 # mov [addr3 + 2], addr4mov addr4, 004C4FFC jmp loop1 exit: ret hehao analysis is complete, the script is OK, go to OD, test the script, LordPEC shell, ImportREC, fix it



EXPressor1.71 Script: http://www.bkjia.com/uploadfile/2012/1119/20121119122719629.rar