Teach You Encryption and Decryption Technology Step by Step: Compression and Unpacking (4) (1)
Source: Internet
Author: User
Keywords: decryption, crack
Section 5: Advanced Shell Topics

1. Understanding the Import Table

Author: [YAtEs] [Jamesluton@hotmail.com]
Translator: HYING[CCG]
Title: PE Import Table Explained

There are a lot of articles about the PE file format, but I intend to write one about the import table, because it is useful for cracking. I think the best way to explain it is with an example that you can follow step by step, so that by the end you understand it fully. I chose a small program I had just downloaded. It is compiled with TASM and has a relatively small import table, so it should make a good example. Okay, let's get started.

First we have to find the import table. Its address is stored at offset 80 in the PE header, so we open our EXE file in a hex editor. We first have to find where the PE header starts, which is simple because it always begins with PE,0,0; we find it at offset 100. In an ordinary Win32 program the offset of the PE header is stored at file offset 0x3c, where we usually see 00 01 00 00. Because data is stored low byte first and high byte last, flipping it gives the actual value 00000100, as we said before.

Next we find the import table entry in the PE header: 100+80=180, and at offset 180 we see 0030 0000. Flipped, that is 00003000, which means the import table is at 3000 in memory. We have to convert this to a file offset. In general the import table is at the start of a section, so we can use a PE editor to look at the virtual offsets, find 3000, and read off the raw offset. Very simple. Opening it we see:

  Section   Virtual Size   Virtual Offset   Raw Size   Raw Offset
  code      00001000       00001000         00000200   00000600
  data      00001000       00002000         00000200   00000800
  idata     00001000       00003000         00000      00000a00
  .reloc    00001000       00004000         00000200   00000c00

There it is. The virtual offset of the idata section is 3000 and its raw offset is A00. 3000-A00=2600; we have to remember 2600 so that we can convert other offsets later. If no section has the virtual offset of the import table, look for the closest section.
When we go to offset A00 we see what are called the IMAGE_IMPORT_DESCRIPTORs (IID). Each one uses 5 fields to describe one called DLL, and the list ends with a NULL entry.

*********************************************
The IMAGE_IMPORT_DESCRIPTOR (IID) structure contains the following 5 fields: OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk

OriginalFirstThunk
  This field points to an array of 32-bit RVA offsets that ends with 00. Each address in this array describes one imported function, and the array is in the same order as the import table.

TimeDateStamp
  A 32-bit time stamp that has special uses.

ForwarderChain
  A 32-bit index into the list of imported functions.

Name
  The 32-bit RVA of the DLL file name (a 00-terminated ASCII string).

FirstThunk
  This field points to an array of 32-bit RVA offsets that ends with 00. Each address in this array describes one imported function, and its order in the import table is variable.

Okay, do you understand? Let's see how many IIDs we have. They start at offset A00:

  {OriginalFirstThunk}  {TimeDateStamp}  {ForwarderChain}  {Name}      {FirstThunk}
  3c30 0000             0000 0000        0000 0000         8c30 0000   6430 0000
  5c30 0000             0000 0000        0000 0000         9930 0000   8430 0000
  0000 0000             0000 0000        0000 0000         0000 0000   0000 0000

Each third of this dump is one record. We know that each IID holds the call information for one DLL, and we have 2 IIDs, so we can assume that this program calls 2 DLLs. I'd even bet you can guess what we are going to find.

The fourth field of each IID is the Name, which tells us the name of the DLL being called. The Name field of the first IID is 8c30 0000, which flips to the address 0000308C. Subtract 2600 to get the raw offset: 308C-2600=A8C. Go to file offset A8C and what do we see? Aha! The DLL being called is KERNEL32.dll. Next we are going to find the functions called in KERNEL32.dll.
Back to the first IID. The FirstThunk field holds the markers for the called function names. OriginalFirstThunk is only a backup of FirstThunk, and some programs do not even have one, so we usually look at FirstThunk, which is initialized when the program is run.

The FirstThunk field for KERNEL32.dll is 6430 0000, which flips to the address 00003064; minus 2600 that is A64. At offset A64 is our IMAGE_THUNK_DATA. It stores a list of addresses and ends with a run of 00, as follows:

  A430 0000/B230 0000/C030 0000/CE30 0000/DE30 0000/EA30 0000/F630 0000/0000 0000

Usually in a complete program. We now have 7 function calls; let's look at two of them:

  DE30 0000 flipped is 30DE; minus 2600 it is ADE. The string at offset ADE is ReadFile.
  EA30 0000 flipped is 30EA; minus 2600 it is AEA. The string at offset AEA is WriteFile.

You may notice that there are 2 bytes of 00 in front of each function name; they are used as a hint. It's easy, and you can try the rest on your own.

Back at A00, look at the call to the second DLL:

  {OriginalFirstThunk}  {TimeDateStamp}  {ForwarderChain}  {Name}      {FirstThunk}
  5c30 0000             0000 0000        0000 0000         9930 0000   8430 0000

First find its DLL file name. 9930 flips to 3099; 3099-2600=A99, and at offset A99 we find USER32.dll. Then look at the FirstThunk field: 8430 flips to 3084; 3084-2600=A84. The address stored at offset A84 is 08310000, which flips to 3108; 3108-2600=B08, and the string at offset B08 is MessageBoxA. See? Now you can try it on your own EXE files.

Summary: the address of the import table is stored at offset +80 from the start of the PE header. The import table holds the function name and FirstThunk of each function called from each DLL, usually along with the forwarder chain and time stamp. When the program is run, the system calls GetProcAddress with the function name as a parameter to obtain the real entry address of the function, and writes it into the import table in memory. When you unpack a program you may notice that it has an already initialized FirstThunk.
For example, on my Win98 the entry address of the function GetProcAddress is AE6DF7BF; on 98, all KERNEL32.dll function call addresses look like XXXXF7BF. If you see this in the import table, you can use the OriginalFirstThunk to rebuild it, or rebuild the PE program.
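The manual walk above (offset 3C, PE header +80, RVA minus 2600, IID list, thunk array, hint plus name) can be done in code. The following is an added example, not code from the original article or its author: the function names are this example's own, the input is a buffer constructed at the article's offsets that holds only the three imports the article names, and the PE32 header layout is assumed.

```python
import struct

def u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0]

def cstr(buf, off):
    return buf[off:buf.index(b"\0", off)].decode("ascii")

def rva_to_offset(buf, pe, rva):  # section-table lookup: the article's "minus 2600"
    nsec, opt_size = struct.unpack_from("<H12xH", buf, pe + 6)
    for i in range(nsec):
        vsize, va, rsize, raw = struct.unpack_from("<4I", buf, pe + 32 + opt_size + 40 * i)
        if va <= rva < va + max(vsize, rsize):
            return rva - va + raw
    raise ValueError("RVA %#x is not inside any section" % rva)

def parse_imports(buf):
    pe = u32(buf, 0x3C)                                   # offset of the PE header
    if buf[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    imports, iid = {}, rva_to_offset(buf, pe, u32(buf, pe + 0x80))  # PE32 import RVA
    while True:
        _oft, _stamp, _fwd, name, first_thunk = struct.unpack_from("<5I", buf, iid)
        if name == 0 and first_thunk == 0:                # all-zero IID ends the list
            return imports
        funcs, thunk = [], rva_to_offset(buf, pe, first_thunk)
        while u32(buf, thunk):                            # thunk array ends with 0
            entry = u32(buf, thunk)
            # High bit set: import by ordinal. Otherwise RVA of a 2-byte hint + name.
            funcs.append("#%d" % (entry & 0xFFFF) if entry & 0x80000000
                         else cstr(buf, rva_to_offset(buf, pe, entry) + 2))
            thunk += 4
        imports[cstr(buf, rva_to_offset(buf, pe, name))] = funcs
        iid += 20

def build_sample():  # constructed buffer at the article's offsets, three named imports
    b = bytearray(0xC00)
    struct.pack_into("<I", b, 0x3C, 0x100)
    b[0x100:0x104] = b"PE\0\0"
    struct.pack_into("<H12xH", b, 0x106, 4, 0xE0)         # 4 sections, optional hdr size
    struct.pack_into("<I", b, 0x180, 0x3000)
    for i, (va, raw) in enumerate([(0x1000, 0x600), (0x2000, 0x800), (0x3000, 0xA00), (0x4000, 0xC00)]):
        struct.pack_into("<4I", b, 0x200 + 40 * i, 0x1000, va, 0x200, raw)
    struct.pack_into("<10I", b, 0xA00, 0x303C, 0, 0, 0x308C, 0x3064, 0x305C, 0, 0, 0x3099, 0x3084)
    struct.pack_into("<2I", b, 0xA64, 0x30DE, 0x30EA)
    struct.pack_into("<I", b, 0xA84, 0x3108)
    for off, s in [(0xA8C, b"KERNEL32.dll"), (0xA99, b"USER32.dll"), (0xAE0, b"ReadFile"),
                   (0xAEC, b"WriteFile"), (0xB0A, b"MessageBoxA")]:
        b[off:off + len(s)] = s
    return bytes(b)
```

Calling parse_imports(build_sample()) returns the DLL names mapped to their function names. A truncated or malformed file makes struct.unpack_from or rva_to_offset raise an exception instead of reading past the buffer.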