Another method for finding the Stolen code of Asp1.2X

Advanced WMA Workshop 2.04b simple SHELL CRACKING

The program shelling with asp1.24rc4 and using the time protection of Shell

Author: lordor
QQ: 88378557
Mail: lordor # 163.com
From: www.digitalnuke.com
Note: The method for finding the Stolen code of asp1.24RC4 is still being studied if this method is useful for more than 1.3.
Free reprint, please save

 

1. Search for pseudo OEP
Use od to load the program, set the memory to no hooks, and hide the od as follows:
AWMAWork.> PUSH AWMAWork.00632001 ==> stop here and check the register value.
--------------
ECX 0012FFB0
EDX 7FFE0304
EBX 7FFDF000
ESP 0012FFC4 ==> note this
EBP 0012FFF0 ==>
ESI 00000024
EDI 1, 00000000
EIP 00401000 AWMAWork. <ModuleEntryPoint>
--------------

After 26 seh, the feature code here is as follows:
00CB39EC xor dword ptr ds: [EAX], EAX ==> stop here
00CB39EE pop dword ptr fs: [0]
00CB39F5 POP EAX
00CB39F6 cmp dword ptr ds: [CB7EB0], 0
00CB39FD je short 00CB3A13
00CB39FF PUSH 0C
00CB3A01 mov ecx, 0CB7EB0
00CB3A06 lea eax, dword ptr ss: [EBP-8]
00CB3A09 mov edx, 4
00CB3A0E CALL 00CB0B40
00CB3A13 push dword ptr ss: [EBP-4]
00CB3A16 push dword ptr ss: [EBP-8]
00CB3A19 mov eax, dword ptr ss: [EBP-C]
00CB3A1C cmp dword ptr ds: [EAX], 0
00CB3A1F je short 00CB3A23
00CB3A21 push dword ptr ds: [EAX]
00CB3A23 push dword ptr ss: [EBP-10]
00CB3A26 push dword ptr ss: [EBP-14]
00CB3A29 RETN ==> here, shift + F9 runs here

 

Open the "Memory Map" Window
In the "code" section of AWMAWorkshop, "Set break-on access" (Press F2). After the shell code is executed, after decompression, the content of the Code segment will stop.
After setting, press F9 and it will be here
0047DB94 PUSH AWMAWork.0047DCEC; JMP to MSVCR70. _ effect_handler3
0047DB99 mov eax, dword ptr fs: [0]
0047DB9F PUSH EAX
0047DBA0 mov eax, dword ptr ss: [ESP + 10]
0047DBA4 mov dword ptr ss: [ESP + 10], EBP
0047DBA8 lea ebp, dword ptr ss: [ESP + 10]
0047 dbac sub esp, EAX ==> here, a local address is assigned to the stack, and eax is the number of pushed immediately.
0047 dbae push ebx ***
0047 dbaf push esi ***
0047DBB0 push edi ***
0047DBB1 mov eax, dword ptr ss: [EBP-8]
0047DBB4 mov dword ptr ss: [EBP-18], ESP
0047DBB7 push eax ***
0047DBB8 mov eax, dword ptr ss: [EBP-4]
0047 dbbb mov dword ptr ss: [EBP-4],-1
0047DBC2 mov dword ptr ss: [EBP-8], EAX
0047DBC5 lea eax, dword ptr ss: [EBP-10]
0047DBC8 mov dword ptr fs: [0], EAX
0047 dbce retn ==> stop here
0047 dbcf mov ecx, dword ptr ss: [EBP-10]
0047DBD2 mov dword ptr fs: [0], ECX
0047DBD9 POP ECX
0047 DBDA POP EDI
0047 DBDB POP ESI
Dbdc pop ebx 0047
0047 DBDD LEAVE
0047 DBDE PUSH ECX

We can see that this is the first call code of VC7. Let's take a look at the register value and pay attention to the several statements (here there are only four sentences) pushed on ***. It will be used later:
------------
ECX 0012FFB0
EDX 7FFE0304
EBX 7FFDF000
ESP 0012FF30 ==> note the following:
EBP 0012FFC0
ESI 00000000
EDI 1, 00000000
EIP 0047 DBCE AWMAWork.0047DBCE

------------
F8.
0047D8C5 RETN 10
0047D8C8 add byte ptr ds: [EAX], AL
0047D8CA add byte ptr ds: [EAX], AL
0047D8CC add byte ptr ds: [EAX], AL
0047D8CE NOP => flower command, nop drop
0047D8CF CALL AWMAWork.0047DB94
0047D8D4 xor ebx, EBX ==> here, we can see that the previous call (0047DB94) has been running in the shell.
0047D8D6 PUSH EBX
0047D8D7 mov edi, dword ptr ds: [4820FC]
0047D8DD CALL EDI
0047D8DF cmp word ptr ds: [EAX], 5A4D
0047D8E4 jnz short AWMAWork.0047D905
0047D8E6 mov ecx, dword ptr ds: [EAX + 3C]
0047D8E9 add ecx, EAX

2. Search for stolen code and DUMP the program

We can see that 0047D8C8 add byte ptr ds: [EAX]. AL is the real OEP, and two sentences of code have been extracted from it,
Maybe you will ask, how do I know?
The methods for retrieving extracted Code are as follows:
1. TC tracking
2. The method of restoring stolen code introduced by tDasm
3. I still don't understand the cdi method introduced by the FLY dude.
4. blowfish introduces the stack creation method, which is very good.

My method is based on the blowfish method plus: refer to the entry code generated by similar compilers.

Okay. Let's open a VC7 program and check the code at the entry.
Service. <> PUSH 74
0040270F PUSH Service.00403BF8
00402714 CALL Service.0040290C
00402719 xor ebx, EBX ==> the following statements are the same:
0040271B mov dword ptr ss: [EBP-20], EBX
0040271E push ebx;/pModule => NULL
0040271F mov edi, dword ptr ds: [<& KERNEL32.GetModu>; | kernel32.GetModuleHandleA
00402725 call edi; GetModuleHandleA
00402727 cmp word ptr ds: [EAX], 5A4D
0040272C jnz short Service.0040274D
0040272E mov ecx, dword ptr ds: [EAX + 3C]
00402731 add ecx, EAX
00402733 cmp dword ptr ds: [ECX], 4550
00402739 jnz short Service.0040274D

So the key is to try to add the extracted two sentences of code. First, we can infer the form of the two sentences:
Push immediate count
Push address

So how can we get the immediate number and address?

Check the STACK content to confirm.

First, let's take a look at the ESP ==0012ffc4, EBP = 0012FFF0,
Let's take a look at the STACK content after the pseudo OEP:
0012FF34 00000000 ==> current esp
0012FF38 00000000
0012FF3C 7FFDF000
0012FF40 00CA0000
0012FF44 00C80000
0012FF48 0000000C
0012FF4C 00CD1F70
0012FF50 0012FF60
0012FF54 00CCDD95 RETURN to 00CCDD95 from 00CCDDA0
0012FF58 00CCDDF3 RETURN to 00CCDDF3 from 00 CCDDFD
0012FF5C 00CCDDD6 RETURN to 00CCDDD6 from 00CCDDE8
0012FF60 00400000 AWMAWork.00400000
0012FF64 C0F1DD1F
0012FF68 0012FFA4
0012FF6C 00CA0000
0012FF70 00C80000
0012FF74 00CB4138
0012FF78 00CD1DA0
0012FF7C 00CCDD50
0012FF80 00400000 AWMAWork.00400000
0012FF84 00632880 AWMAWork.00632880
0012FF88 00CCDE87 RETURN to 00CCDE87 from 00CCDE93
0012FF8C 5FCEDFF7
0012FF90 00000369
0012FF94 0080FD60
0012FF98 FDC7616E
0012FF9C 0012FFF0
0012FFA0 0012FFB0
0012FFA4 00000000
0012FFA8 0012FF34
0012 FFAC 0012FFE0
0012FFB0 0012FFE0 Pointer to next SEH record
0012FFB4 0047 dcec se handler
0012FFB8 0049E9C0 AWMAWork.0049E9C0
0012 FFBC FFFFFFFF
0012FFC0 0012FFF0 ==> note the following:
0012FFC4 77E5EB69 RETURN to kernel32.77E5EB69

 

Among them (0012FFB8 0049E9C0 AWMAWork.0049E9C0) 0049E9C0 is the push of the second sentence,
Now let's determine the immediate number.
0012FFC0-0012FF34 = 8c. Is this an immediate number? No