This is a summary of the steps I worked out while learning to unpack VMProtect. Following them, roughly 70%-80% of targets, including VMProtect 1.6-2.0, can be unpacked. Don't ask me if you can't get it off; I have only just started learning myself and am still asking others.
To unpack VMProtect you first need a strong OD (a hardened OllyDbg build). Which version? Try a few yourself; plenty are available online. The only requirement is that it can load the VMProtect-packed program you want to unpack without being shut down by it.
Second, the StrongOD.dll plug-in, currently used by Sea Breeze and Moon Shadow. Copy the downloaded plug-in into the plugin folder of your OD installation. If you don't understand StrongOD's options, you can simply tick them all.
Next, work out which programming language the target was written in. PEiD or fastbench can identify it; if they can't, you can judge from the strings OD shows after loading. For example, a VB program's strings will include MSVB (the VB runtime), a VC program's the VC runtime's; these are the Windows link libraries the program needs to run.
With these preparations done, load the file in OD. Once it is loaded, press Ctrl+G in the disassembly window and enter VirtualProtect (note that the V and P are capitalized; don't ask me why we search for this). Generally you land on the following:
7C801AE3 E8 75FFFFFF call kernel32.VirtualProtectEx
Set a breakpoint here with F2, then press F9 to run until it is hit. Now watch the stack window. When the program breaks at this breakpoint, the stack usually shows:
0012F66C 00401000 | Address = TradeCen.00401000
0012F670 000280D1 | Size = 280D1 (164049 .)
0012F674 00000004 | NewProtect = PAGE_READWRITE
0012F678 0012FF98 \ pOldProtect = 0012FF98
Note how Address and NewProtect change on each further F9. Keep pressing F9 (to speed things up) until NewProtect changes to PAGE_READONLY; at that point the packer has finished restoring the program in memory.
0012F66C 0042A000 | Address = TradeCen.0042A000
0012F670 000069DE | Size = 69DE (27102 .)
0012F674 00000002 | NewProtect = PAGE_READONLY
0012F678 0012FF98 \ pOldProtect = 0012FF98
Now remove the breakpoint we just set. The next step is to find the OEP. From my own experience, the OEP is usually close to the Address shown above. For example, with the address 0042A000 above, I generally drop back to around 420000 and search for the program's feature segment from there. Of course, you can also jump straight to 401000 and start searching. The range is large, but the workload is not, because we search for an instruction sequence rather than reading the code.
Concretely: Ctrl+G to go to that address, then Ctrl+S to search for a command sequence. The sequence is the feature segment of the programming language identified earlier; pick two or three instructions from it that do not vary between programs. For example, the VC++ 6.0 feature segment is:
0046C07B U> 55 push ebp
0046C07C 8BEC mov ebp, esp
0046C07E 6A FF push -1
0046C080 68 18064C00 push UltraSna.004C0618
0046C085 68 F8364700 push UltraSna.004736F8
0046C08A 64:A1 00000000 mov eax, dword ptr fs:[0]
0046C090 50 push eax
0046C091 64:8925 00000000 mov dword ptr fs:[0], esp
0046C098 83EC 58 sub esp, 58
0046C09B 53 push ebx
0046C09C 56 push esi
0046C09D 57 push edi
Searching for just the first three instructions is enough. For each match, compare the instructions that follow with the feature segment; if they match too, that address is the OEP. If the OEP cannot be found near Address, fall back to the slow method of searching from 401000.
Once you have the OEP address, right-click it and choose "New origin here" (set EIP to this address). Now we can dump. It is generally better to dump with the OD dump plug-in (OllyDump): dumps made with LordPE either don't run or are still not fully unpacked. When dumping with OllyDump, untick the "Rebuild Import" (import-table rebuild) box in the dump window. This is also what earlier guides found.
That's the whole unpacking procedure. Test the program after dumping: if it runs, it was in the 70-80% range. If it doesn't, I am still learning too; let's discuss it together!
The OEP feature segments of the main programming languages are as follows:
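The Ctrl+S search above can be automated over a dumped code section: the scanner below, an added example and not a tool from the post, turns the OEP feature segments listed at the end of the post into wildcard byte patterns (address operands become "??") and reports every candidate address and the compiler it matches. The sample dump, its base address and the constant names are constructed for the example.

```python
"""Scan a code-section dump for compiler entry-point signatures.

The wildcard patterns are taken from the OEP feature segments quoted on
this page; the scanner itself is an added example, not a tool from the post.
"""
from typing import Dict, List, Optional, Tuple

# Each pattern is the start of the corresponding OEP listing; "??" marks an
# operand (absolute address or call displacement) that differs per binary.
SIGNATURES: Dict[str, str] = {
    "Borland C++": "EB 10 66 62 3A 43 2B 2B 48 4F 4F 4B 90 E9",  # jmp over 'fb:C++HOOK'
    "Delphi": "55 8B EC 83 C4 F0 B8 ?? ?? ?? ?? E8",
    "Visual C++ 6.0": "55 8B EC 6A FF 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? "
                      "64 A1 00 00 00 00 50 64 89 25 00 00 00 00",
    "Visual C++ 7.0": "6A 70 68 ?? ?? ?? ?? E8",
    "MASM": "6A 00 E8 ?? ?? ?? ?? A3 ?? ?? ?? ?? E8",
    "Visual Basic": "68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 00 00 00 00 00 00 00 00 30 00",
}

def compile_pattern(text: str) -> List[Optional[int]]:
    """'55 8B ??' -> [0x55, 0x8B, None]; None is a wildcard byte."""
    return [None if tok == "??" else int(tok, 16) for tok in text.split()]

def find_oep_candidates(buf: bytes, base: int) -> List[Tuple[int, str]]:
    """Return (virtual address, compiler) for every signature hit in buf,
    a dump of the code section that was mapped at virtual address `base`.
    Like the Ctrl+S search in the post, a hit only marks a candidate: the
    instructions after it still have to be compared with the full listing."""
    hits: List[Tuple[int, str]] = []
    for name, text in SIGNATURES.items():
        pat = compile_pattern(text)
        for off in range(len(buf) - len(pat) + 1):
            if all(p is None or p == buf[off + i] for i, p in enumerate(pat)):
                hits.append((base + off, name))
    return sorted(hits)

# Constructed sample dump: zero padding, then the VC++ 6.0 prologue bytes
# quoted above, then int3 padding. Pretend it was dumped from 0x401000.
VC6_PROLOGUE = bytes.fromhex(
    "558BEC6AFF" "6818064C00" "68F8364700" "64A100000000" "50"
    "64892500000000" "83EC58" "535657")
SAMPLE_BASE = 0x00401000
SAMPLE_DUMP = b"\x00" * 0x123 + VC6_PROLOGUE + b"\xCC" * 16

if __name__ == "__main__":
    for addr, compiler in find_oep_candidates(SAMPLE_DUMP, SAMPLE_BASE):
        print(f"{addr:08X}  {compiler}")  # 00401123  Visual C++ 6.0
```

Run it against a real dump by reading the code section into `buf` and passing the section's virtual address as `base`; several hits for one compiler mean the trailing instructions must be checked by hand as the post describes.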
Borland C ++
0040163C B>/EB 10 jmp short Borland_.0040164E
0040163E | 66: 623A bound di, dword ptr ds: [edx]
00401641 | 43 inc ebx
00401642 | 2B2B sub ebp, dword ptr ds: [ebx]
00401644 | 48 dec eax
00401645 | 4F dec edi
00401646 | 4F dec edi
00401647 | 4B dec ebx
00401648 | 90 nop
00401649-| E9 98E04E00 jmp SHELL32.008EF6E6
0040164E \ A1 8BE04E00 mov eax, dword ptr ds: [4EE08B]
00401653 C1E0 02 shl eax, 2
00401656 A3 8FE04E00 mov dword ptr ds: [4EE08F], eax
0040165B 52 push edx
0040165C 6A 00 push 0
0040165E E8 DFBC0E00 call <jmp.&KERNEL32.GetModuleHandleA>
****************************************
Delphi
00458650 D> 55 push ebp
00458651 8BEC mov ebp, esp
00458653 83C4 F0 add esp, -10
00458656 B8 70844500 mov eax, Delphi.00458470
0045865B E8 00D6FAFF call Delphi.00405C5B
00458660 A1 58A14500 mov eax, dword ptr ds: [45A158]
00458665 8B00 mov eax, dword ptr ds: [eax]
00458667 E8 E0E1FFFF call Delphi.0045684C
0045866C A1 58A14500 mov eax, dword ptr ds: [45A158]
00458671 8B00 mov eax, dword ptr ds: [eax]
00458673 BA B0864500 mov edx, Delphi.004586B0
00458678 E8 DFDDFFFF call Delphi.0045645C
0045867D 8B0D 48A24500 mov ecx, dword ptr ds: [45A248]; Delphi.0045BC00
00458683 A1 58A14500 mov eax, dword ptr ds: [45A158]
00458688 8B00 mov eax, dword ptr ds: [eax]
0045868A 8B15 EC7D4500 mov edx, dword ptr ds: [457DEC]; Delphi.00457E38
00458690 E8 CFE1FFFF call Delphi.00456864
00458695 A1 58A14500 mov eax, dword ptr ds: [45A158]
0045869A 8B00 mov eax, dword ptr ds: [eax]
0045869C E8 43E2FFFF call Delphi.004568E4
****************************************
Visual C ++ 6.0
0046C07B U> 55 push ebp
0046C07C 8BEC mov ebp, esp
0046C07E 6A FF push -1
0046C080 68 18064C00 push UltraSna.004C0618
0046C085 68 F8364700 push UltraSna.004736F8
0046C08A 64:A1 00000000 mov eax, dword ptr fs:[0]
0046C090 50 push eax
0046C091 64:8925 00000000 mov dword ptr fs:[0], esp
0046C098 83EC 58 sub esp, 58
0046C09B 53 push ebx
0046C09C 56 push esi
0046C09D 57 push edi
0046C09E 8965 E8 mov dword ptr ss: [ebp-18], esp
0046C0A1 FF15 74824A00 call dword ptr ds:[<&KERNEL32.GetVersion>]; kernel32.GetVersion
0046C0A7 33D2 xor edx, edx
0046C0A9 8AD4 mov dl, ah
0046C0AB 8915 403F4F00 mov dword ptr ds: [4F3F40], edx
0046C0B1 8BC8 mov ecx, eax
0046C0B3 81E1 FF000000 and ecx, 0FF
0046C0B9 890D 3C3F4F00 mov dword ptr ds: [4F3F3C], ecx
****************************************
Visual C ++ 7.0
0100739D> $ 6A 70 push 0x70
0100739F. 68 98180001 push notepad1_1001898
010073A4. E8 BF010000 call notepad1_1007568
010073A9. 33DB xor ebx, ebx
****************************************
Assembly
00401000 > 6A 00 push 0
00401002 E8 C50A0000 call <jmp.&KERNEL32.GetModuleHandleA>
00401007 A3 0C354000 mov dword ptr ds: [40350C], eax
0040100C E8 B50A0000 call <jmp.&KERNEL32.GetCommandLineA>
00401011 A3 10354000 mov dword ptr ds: [403510], eax
00401016 6A 0A push 0A
00401018 FF35 10354000 push dword ptr ds: [403510]
0040101E 6A 00 push 0
00401020 FF35 0C354000 push dword ptr ds: [40350C]
00401026 E8 06000000 call assembly.00401031
0040102B 50 push eax
0040102C E8 8F0A0000 call <jmp.&KERNEL32.ExitProcess>
00401031 55 push ebp
00401032 8BEC mov ebp, esp
00401034 83C4 B0 add esp, -50
00401037 C745 D0 30000000 mov dword ptr ss: [ebp-30], 30
0040103E C745 D4 0B000000 mov dword ptr ss: [ebp-2C], 0B
00401045 C745 D8 37114000 mov dword ptr ss: [ebp-28], assembly.00401137
****************************************
VB
0040116C V>/$ 68 147C4000 push VB.00407C14
00401171 |. E8 F0FFFFFF call <jmp.&MSVBVM60.#100>
00401176 |. 0000 add byte ptr ds: [eax], al
00401178 |. 0000 add byte ptr ds: [eax], al
0040117A |. 0000 add byte ptr ds: [eax], al
0040117C |. 3000 xor byte ptr ds: [eax], al
From: Penker's Blog