Manual FSG unpacking in practice: 52pojie (吾爱破解) cracking training, lesson 1, assignment 3

Author: Fly2015

This was my first encounter with the FSG packer. The program being unpacked is again assignment 3 from lesson 1 of the 52pojie cracking training. The packer kept me busy for a while, but in the end it was dealt with.

1. Identify the packer

First run a packer check on the program (the lesson 1 assignment 3 .exe):


Unfortunately the detector (DIE) is not much help here, but that does not matter.


2. Unpacking

Load the packed program into OllyDbg (OD) for analysis. The following is the assembly at the packer's entry point:


At first this kind of packer stub was unfamiliar to me, but since I know OllyDbg well, and by combining that with the routine the stub uses to resolve API addresses, the key point in the stub's assembly was quickly found:


Set a breakpoint with F2 at address 004001D1, then press F9 to run to it. At this point the address 0041DDAC is the real OEP of the packed program.


Single-step with F7 into 0041DDAC. Unfortunately the familiar entry-point assembly does not appear, but there is no need to worry: OllyDbg has simply not disassembled these bytes correctly yet, and we have to make it analyse the data ourselves:


Select the incorrectly displayed data at address 0041DDAC, then right-click, choose Analysis and then Analyse code, and the code is displayed correctly.


After manually analysing the code, the data at 0041DDAC turns into the familiar entry-point assembly. Don't hurry, though: this is only the first step.


Naturally, the next step would be to dump the program with the OllyDump plug-in, but for this packer that is not the straightforward route; a complete unpack needs LordPE for the dump and ImportREC for the imports. Because the IAT of an FSG-packed program is not contiguous, the dumping tool cannot work out on its own which memory dwords are function addresses, so we have to identify manually which entries are function addresses and which are not, and only then fix the dump with the tool.


With the packed program paused at address 0041DDAC, use LordPE to dump its in-memory PE image manually (full dump).


Note that the dumped program does not run at this point; the dump's IAT has to be repaired correctly before it can run.

From the debugging above we know that the true OEP RVA is 1DDAC (0041DDAC minus the image base 00400000). Now use ImportREC to repair the dump's IAT.
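The VA-to-RVA arithmetic above, and the header field it ends up in, are easy to get wrong by hand, so here is an added example (not code from the original post or from LordPE) that performs the same step on a dump: it converts the OEP seen in OllyDbg to an RVA and writes it into AddressOfEntryPoint of a PE32 image. The image base 00400000 and OEP 0041DDAC are taken from the text; the minimal PE header it builds and the stub entry RVA of 0x100 are constructed placeholders, since the post does not record the real stub entry.

```python
import struct

# Values taken from the debugging session in the text: the crackme is loaded
# at 00400000 and its real OEP is 0041DDAC.
IMAGE_BASE = 0x00400000
OEP_VA = 0x0041DDAC


def va_to_rva(va, image_base):
    """Convert a virtual address seen in OllyDbg into the RVA that LordPE and
    ImportREC expect (0041DDAC - 00400000 = 1DDAC)."""
    if va < image_base:
        raise ValueError("VA 0x%08X is below image base 0x%08X" % (va, image_base))
    return va - image_base


def _optional_header_offset(pe):
    """Locate the PE32 optional header and sanity-check the signatures."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                      # skip signature and IMAGE_FILE_HEADER
    (magic,) = struct.unpack_from("<H", pe, opt)
    if magic != 0x10B:                           # PE32 only; PE32+ lays ImageBase out differently
        raise ValueError("not a PE32 optional header")
    return opt


def read_entry_point(pe):
    """AddressOfEntryPoint (an RVA) of a PE32 image."""
    opt = _optional_header_offset(pe)
    (aoep,) = struct.unpack_from("<I", pe, opt + 16)
    return aoep


def read_image_base(pe):
    """ImageBase of a PE32 image."""
    opt = _optional_header_offset(pe)
    (base,) = struct.unpack_from("<I", pe, opt + 28)
    return base


def patch_entry_point(pe, oep_va):
    """Return a copy of the dump whose AddressOfEntryPoint points at the real
    OEP instead of the packer stub, together with the RVA that was written."""
    out = bytearray(pe)
    opt = _optional_header_offset(out)
    rva = va_to_rva(oep_va, read_image_base(out))
    struct.pack_into("<I", out, opt + 16, rva)
    return bytes(out), rva


def build_sample_dump(stub_entry_rva=0x100, image_base=IMAGE_BASE):
    """Constructed minimal PE32 header standing in for the LordPE dump: DOS
    header, PE signature, IMAGE_FILE_HEADER and a zero-filled optional header
    whose entry point still points into the packer stub (placeholder RVA)."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)         # e_lfanew
    file_header = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)         # PE32 magic
    struct.pack_into("<I", opt, 16, stub_entry_rva)
    struct.pack_into("<I", opt, 28, image_base)
    return bytes(dos) + b"PE\0\0" + file_header + bytes(opt)


if __name__ == "__main__":
    dump = build_sample_dump()
    fixed, rva = patch_entry_point(dump, OEP_VA)
    print("entry point %08X -> %08X" % (read_entry_point(dump), read_entry_point(fixed)))
```

The same field is what LordPE's "PE Editor" shows as EntryPoint; patching it is all that the OEP part of the repair amounts to, the imports are a separate problem.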


1. The usual way to repair the IAT:

Type 1DDAC into the OEP field of ImportREC, click IAT AutoSearch, then Get Imports, then Fix Dump.


Run the dump after the IAT repair:

Clearly the IAT repair has not succeeded; if it had, the unpacked program would not show the unfriendly message box below.


2. Repairing the IAT manually:

Sorry, ImportREC's automatic mode is of no use here. Looking at the memory in OllyDbg shows that ImportREC has not completely repaired the dump's IAT.

In ImportREC, IAT AutoSearch finds an incomplete import table: it reports the start RVA of the import table as 000320BC and a size of 0x200, which would put the end at 000320BC + 200 = 000322BC. Observation in OllyDbg shows that both of these parameters are wrong.


Back in OllyDbg, in the hex dump window, press Ctrl+G and go to address 00410000, then set the display mode to Long and then Address, so that every dword is shown as an address.


OllyDbg data window in address display mode:


After scrolling through the data by hand, the start RVA of the import table turns out to be 32000, not 320BC, and its end RVA is 32554, so the size of the import table should be 32554 - 32000 = 554 (hexadecimal).

Import table start RVA: 32000.


Import table end RVA: 32554, so the size of the import table should be 32554 - 32000 = 554.


After the above analysis, fill these parameters into ImportREC and then click Get Imports directly. Do not click IAT AutoSearch, or the values you typed are overwritten and the work is wasted.


Click Show Invalid: the import table obtained contains invalid function addresses. OllyDbg showed the same thing, the function addresses are not contiguous and some entries hold 0x7FFFFFFF, which is not a valid function address.


Because 0x7FFFFFFF is not a valid function address, these entries have to be removed. Select them, right-click, and choose Cut thunk(s).


Now the remaining valid IAT entries can be used to fix the dump: click Fix Dump.


Run the program whose IAT has now been repaired:
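The manual part of section 2 (scrolling through the dump in address view, finding where the pointers start and stop, computing Size = end - start, and spotting the 0x7FFFFFFF entries to cut) is exactly the sort of thing worth scripting, so here is an added example that is not code from the original post or from ImportREC. It walks a memory region dword by dword like OllyDbg's Long > Address view, classifies each dword, derives the OEP, RVA and Size values to type into ImportREC, and lists the thunks to cut. The image base, OEP and the 0x7FFFFFFF filler value come from the text; the kernel32/user32 address ranges and the memory fragment are constructed for the example and do not come from the real crackme.

```python
import struct

IMAGE_BASE = 0x00400000         # from the debugging session in the text
OEP_VA = 0x0041DDAC             # real OEP found in OllyDbg
INVALID_MARKER = 0x7FFFFFFF     # the bogus value the text found inside the IAT

# Assumed address ranges of the system DLLs the crackme imports from. These are
# constructed for the example; on a real machine take them from OllyDbg's
# Executable modules window (Alt+E).
MODULE_RANGES = {
    "kernel32.dll": (0x7C800000, 0x7C900000),
    "user32.dll":   (0x7E410000, 0x7E4A0000),
}


def classify(value):
    """Decide what a dword in the dump is: a per-DLL terminator, the filler
    value, a pointer into a known module, or ordinary data."""
    if value == 0:
        return "terminator"
    if value == INVALID_MARKER:
        return "invalid"
    for name, (lo, hi) in MODULE_RANGES.items():
        if lo <= value < hi:
            return name
    return "not_a_pointer"


def scan_iat(blob, base_rva):
    """Walk a memory region dword by dword, like OllyDbg's Long > Address view,
    and tag each entry with its RVA and classification."""
    entries = []
    for off in range(0, len(blob) - 3, 4):
        (value,) = struct.unpack_from("<I", blob, off)
        entries.append((base_rva + off, value, classify(value)))
    return entries


def iat_bounds(entries):
    """Start RVA of the first entry that resolves into a module, end RVA one
    past the last such entry, and size = end - start (the RVA and Size that
    ImportREC needs)."""
    pointers = [rva for rva, _, kind in entries if kind in MODULE_RANGES]
    if not pointers:
        raise ValueError("no module pointers found in region")
    start, end = pointers[0], pointers[-1] + 4
    return start, end, end - start


def thunks_to_cut(entries, start, end):
    """RVAs inside the IAT holding the filler value; these are what Show
    Invalid lists and what Cut thunk(s) removes."""
    return [rva for rva, _, kind in entries if start <= rva < end and kind == "invalid"]


def importrec_fields(oep_va, entries):
    """The three values typed into ImportREC before pressing Get Imports."""
    start, _, size = iat_bounds(entries)
    return {"OEP": oep_va - IMAGE_BASE, "RVA": start, "Size": size}


SAMPLE_BASE_RVA = 0x31FF0


def build_sample_region():
    """Constructed dump fragment (not the real crackme's memory): padding, two
    DLL runs separated by a 0 terminator, two 0x7FFFFFFF fillers, then a DLL
    name string that must not be mistaken for the tail of the IAT."""
    dwords = [
        0, 0, 0, 0,                       # 31FF0..31FFC: padding before the table
        0x7C801D7B, 0x7C80AC28,           # 32000, 32004: kernel32 pointers (start)
        INVALID_MARKER,                   # 32008: filler, to be cut
        0x7C809AE4,                       # 3200C
        0,                                # 32010: end of the kernel32 block
        0x7E42A5AE,                       # 32014: user32 pointer
        INVALID_MARKER,                   # 32018: filler, to be cut
        0x7E4185B6,                       # 3201C: last pointer, so end = 32020
        0,                                # 32020: end of the user32 block
    ]
    return b"".join(struct.pack("<I", d) for d in dwords) + b"kernel32.dll"


if __name__ == "__main__":
    entries = scan_iat(build_sample_region(), SAMPLE_BASE_RVA)
    for rva, value, kind in entries:
        print("%08X  %08X  %s" % (rva, value, kind))
    start, end, size = iat_bounds(entries)
    print("ImportREC fields:", {k: "%X" % v for k, v in importrec_fields(OEP_VA, entries).items()})
    print("cut thunks at:", ["%X" % r for r in thunks_to_cut(entries, start, end)])
```

On a real dump you would feed the script the bytes of the section that holds the IAT (read from the LordPE dump at the section's raw offset) and the section's RVA instead of the constructed fragment; the classification step is deliberately strict so that DLL name strings and other data following the table never extend the computed Size.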


FSG unpacking analysis document and the unpacked program: http://download.csdn.net/detail/qq1084283172/8883891








Copyright notice: this article is the blogger's original work; do not reproduce it without the blogger's permission.
