.NET shell software CliSecure debugging notes (II)

Source: Internet
Author: User
Tags: continue, decrypt

CLI kernel with memory (2)

I have some free time today, so I continue debugging the shell from last time. The shell is downloaded from http://www.secureteam.net. Last time I did not go through the shell's decryption process, only looked at where the virtual methods are located. Today's focus is the decryption process. After the shell is installed there is a GUI main program and a native DLL; the key to debugging is this native DLL.

This time, as before, I set the breakpoint where the shell hooks the JIT. How do I trigger this breakpoint? Just run a method that has not been JIT-compiled yet; the easiest way to repeat it is to open the About window. After running with F9, we break at the entry of the hook method:

Take a look at the call stack. The value 0x79e9776f points to the place in mscorwks.dll where the JIT is invoked, and the second value 0x790af170 points to the place where the JIT calls compileMethod; naturally, the call to compileMethod jumps to the hook's code.

The following code calls CEEInfo::getMethodModule to determine whether the module of the method currently being JIT-compiled is one that needs handling. If it is, the decryption process continues; if not, naturally there is nothing to decrypt.

012b2a4c |. 8B45 0C      mov eax,dword ptr ss:[ebp+c]
012b2a4f |. 8B48 04      mov ecx,dword ptr ds:[eax+4]
012b2a52 |. 8B51 04      mov edx,dword ptr ds:[ecx+4]
012b2a55 |. 8B45 0C      mov eax,dword ptr ss:[ebp+c]
012b2a58 |. 8B48 04      mov ecx,dword ptr ds:[eax+4]
012b2a5b |. 8B41 04      mov eax,dword ptr ds:[ecx+4]
012b2a5e |. 8B4D 0C      mov ecx,dword ptr ss:[ebp+c]
012b2a61 |. 8D4401 >     lea eax,dword ptr ds:[ecx+eax+>
012b2a65 |. 8B4D 0C      mov ecx,dword ptr ss:[ebp+c]
012b2a68 |. 8B5411 >     mov edx,dword ptr ds:[ecx+edx+>
012b2a6c |. 50           push eax
012b2a6d |. 8B42 30      mov eax,dword ptr ds:[edx+30]
012b2a70 |. FFD0         call eax                         ; CEEInfo::getMethodModule
012b2a72 |. 8945 F0      mov dword ptr ss:[ebp-10],eax
012b2a75 |. 8D4D F0      lea ecx,dword ptr ss:[ebp-10]
012b2a78 |. 51           push ecx
012b2a79 |. 8D55 F8      lea edx,dword ptr ss:[ebp-8]
012b2a7c |. 52           push edx
012b2a7d |. 8B8D 7CFFF>  mov ecx,dword ptr ss:[ebp-84]
012b2a83 |. E8 88FEFFF>  call clisec_1.012b2910
012b2a88 |. 8D45 98      lea eax,dword ptr ss:[ebp-68]
012b2a8b |. 50           push eax
012b2a8c |. 8B8D 7CFFF>  mov ecx,dword ptr ss:[ebp-84]
012b2a92 |. E8 89FAFFF>  call clisec_1.012b2520
012b2a97 |. 50           push eax
012b2a98 |. 8D4D F8      lea ecx,dword ptr ss:[ebp-8]
012b2a9b |. E8 80F7FFF>  call clisec_1.012b2220
012b2aa0 |. 0FB6C8       movzx ecx,al
012b2aa3 |. 85C9         test ecx,ecx
012b2aa5 |. 0F84 35020>  je clisec_1.012b2ce0            ; in the normal case (method needs decrypting) this jump is not taken

Immediately after that, the code fetches the method name:

012b2aab |. 8D55 B4      lea edx,dword ptr ss:[ebp-4c]
012b2aae |. 52           push edx
012b2aaf |. 8B45 10      mov eax,dword ptr ss:[ebp+10]
012b2ab2 |. 8B08         mov ecx,dword ptr ds:[eax]
012b2ab4 |. 51           push ecx
012b2ab5 |. 8B55 0C      mov edx,dword ptr ss:[ebp+c]
012b2ab8 |. 8B42 04      mov eax,dword ptr ds:[edx+4]
012b2abb |. 8B48 04      mov ecx,dword ptr ds:[eax+4]
012b2abe |. 8B55 0C      mov edx,dword ptr ss:[ebp+c]
012b2ac1 |. 8B42 04      mov eax,dword ptr ds:[edx+4]
012b2ac4 |. 8B50 04      mov edx,dword ptr ds:[eax+4]
012b2ac7 |. 8B45 0C      mov eax,dword ptr ss:[ebp+c]
012b2aca |. 8D5410 >     lea edx,dword ptr ds:[eax+edx+>
012b2ace |. 8B45 0C      mov eax,dword ptr ss:[ebp+c]
012b2ad1 |. 8B4C08 >     mov ecx,dword ptr ds:[eax+ecx+>
012b2ad5 |. 52           push edx
012b2ad6 |. 8B11         mov edx,dword ptr ds:[ecx]
012b2ad8 |. FFD2         call edx                         ; text:7a0a2503 CEEInfo::getMethodName
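As an added example (not code from this post or from CliSecure), the control flow the two listings above walk through, rebuilt in C on a constructed model: the compileMethod vtable slot is redirected, the hook asks getMethodModule which module the method belongs to, passes foreign modules straight through, and otherwise fetches getMethodName and restores the IL before handing it to the saved original. The XOR "decryption", the module names and jit_slot_is_hooked (an analyst's check that the slot still points at the JIT's own code) are all assumptions for illustration, not the protector's real scheme.

```c
#include <stdint.h>
#include <string.h>

/* Constructed stand-ins for the CLR objects the listing goes through: a
 * method with its module/name/IL, and a JIT whose vtable slot 0 is
 * compileMethod, the pointer the protector replaces. */
typedef struct { const char *name; } Module;
typedef struct { Module *module; const char *name; uint8_t *il; size_t len; } Method;
typedef struct Jit Jit;
typedef int (*compile_fn)(Jit *, Method *);
struct Jit { compile_fn *vtable; };

static Module protected_module = { "protected.dll" };  /* constructed names */
static Module other_module = { "mscorlib" };

/* Stand-in for the real compileMethod: accepts IL only if it starts with a
 * valid opcode for our sample (0x02 = ldarg.0). Returns 0 = ok, -1 = garbage. */
static int original_compile(Jit *jit, Method *m) { (void)jit; return m->il[0] == 0x02 ? 0 : -1; }
static Module *get_method_module(Method *m) { return m->module; }  /* CEEInfo::getMethodModule */
static const char *get_method_name(Method *m) { return m->name; }  /* CEEInfo::getMethodName */

static compile_fn saved_compile;  /* original slot, kept by the hook */

/* Same control flow as 012b2a4c..012b2ad8: get the module, skip methods that
 * are not ours, otherwise fetch the name and decrypt the IL in place (here a
 * constructed XOR keyed by the name length) before calling the real JIT. */
static int hooked_compile(Jit *jit, Method *m) {
    if (get_method_module(m) == &protected_module) {
        uint8_t key = (uint8_t)strlen(get_method_name(m));
        for (size_t i = 0; i < m->len; i++) m->il[i] ^= key;
    }
    return saved_compile(jit, m);
}
static void install_hook(Jit *jit) {
    saved_compile = jit->vtable[0];
    jit->vtable[0] = hooked_compile;
}
/* Analyst's check: 1 if compileMethod no longer points at the JIT's own code. */
static int jit_slot_is_hooked(const Jit *jit) { return jit->vtable[0] != original_compile; }

/* Scenario: a plain method in another module and an encrypted one in the
 * protected module; returns 1 if both compile and the redirected slot is detected. */
static int demo(void) {
    compile_fn slots[1] = { original_compile };
    Jit jit = { slots };
    uint8_t plain[] = { 0x02, 0x2a }, enc[] = { 0x02 ^ 3, 0x2a ^ 3 };  /* ldarg.0 ; ret */
    Method a = { &other_module, "Bar", plain, 2 }, b = { &protected_module, "Foo", enc, 2 };
    int before = jit_slot_is_hooked(&jit);
    install_hook(&jit);
    int ra = jit.vtable[0](&jit, &a), rb = jit.vtable[0](&jit, &b);
    return before == 0 && jit_slot_is_hooked(&jit) && ra == 0 && rb == 0;
}
```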
