Armadillo V3.60 Standard Edition unpacking, based on the standard unpacking method

Source: Internet
Author: User

There is no unpacking article for Armadillo 3.6 yet, so last night, having some free time, I packed notepad with Armadillo V3.60 Professional Edition (on XP) using the Standard protection, to see whether the 3.6 shell is any different. After unpacking it, the Standard Edition shell feels much like the 3.4 shell, so the main approach follows the methods of earlier authors; I will point out the differences as I go. The COPYMEM2 method, however, does seem to have changed and is still being researched.
[Debugging environment]: WinXP, Ollydbg 1.10b, PEiD, LordPE, ImportREC
Note: I am debugging with my own current version, which is the GB version. If you run into anything different while debugging, please say so; debugging occasionally produces some inexplicable errors.
[Unpacking process]:

First use the IsDebug 1.4 plug-in to hide OllyDbg's debugger flag, and set OD to ignore all exceptions.
0103A000> 60 PUSHAD
====> After loading the program in OD, it stops here!
This time I do not use the BP GetModuleHandleA method, because on my machine it never returns a valid value; instead I use BP VirtualProtect. It takes a few more key presses, but it is a reliable method.
On the OD command line, type BP VirtualProtect and press Enter (case sensitive). It is normal for there to be no visible response.
Now let's find the OEP. Press F9; when an exception occurs, press Shift+F9 twice, and then it breaks. Press F9 five times. A dialog box appears saying that an error occurred at some address and asking whether to bypass it. Click OK, then press Shift+F9 to pass it (this is actually the Armadillo nag box for unregistered programs; in 3.4 the exception occurred five times but did not stop there. Pay attention to the stack here and you can see the base-address information, because the IAT will be encrypted later). Then press F9 again, 33 times in total, and the program runs. So to catch the OEP we press once less, 37 times, so that the program does not run, and we can then single-step to the OEP. OK, let's try again. As before, press F9 37 times in total, cancel the breakpoint, then press Ctrl+F9 to execute until return. You arrive at the following:
00AD3462 5E pop esi; kernel32.VirtualProtect
00AD3463 5F POP EDI
00AD3464 5B POP EBX
00AD3465 C9 LEAVE
00AD3466 C3 RETN
Press F8 once and you land in the following code:
00AD264D A1 6C5AAE00 mov eax, dword ptr ds: [AE5A6C]
00AD2652 8A80 82370000 mov al, byte ptr ds: [EAX + 3782]
00AD2658 8885 E8D1FFFF mov byte ptr ss: [EBP-2E18], AL
00AD265E 0FB685 E8D1FFFF movzx eax, byte ptr ss: [EBP-2E18]
00AD2665 85C0 test eax, EAX
00AD2667 74 6C je short 00AD26D5
00AD2669 8D85 3CD4FFFF lea eax, dword ptr ss: [EBP-2BC4]
00AD266F 50 PUSH EAX
00AD2670 6A 01 PUSH 1
00AD2672 FFB5 E0FEFFFF push dword ptr ss: [EBP-120]
00AD2678 8B85 1CEBFFFF mov eax, dword ptr ss: [EBP-14E4]
00AD267E 0385 B8FDFFFF add eax, dword ptr ss: [EBP-248]
00AD2684 50 PUSH EAX
00AD2685 FF15 3481AD00 call dword ptr ds: [AD8134]; kernel32.VirtualProtect
00AD268B C785 40D4FFFF 9> mov dword ptr ss: [EBP-2BC0], 94
00AD2695 8D85 40D4FFFF lea eax, dword ptr ss: [EBP-2BC0]
00AD269B 50 PUSH EAX
00AD269C FF15 C080AD00 call dword ptr ds: [AD80C0]; kernel32.GetVersionExA
00AD26A2 83BD 50D4FFFF 0> cmp dword ptr ss: [EBP-2BB0], 2
00AD26A9 75 2A jnz short 00AD26D5
00AD26AB 8D85 3CD4FFFF lea eax, dword ptr ss: [EBP-2BC4]
00AD26B1 50 PUSH EAX
00AD26B2 8B85 3CD4FFFF mov eax, dword ptr ss: [EBP-2BC4]
00AD26B8 80CC 01 or ah, 1
00AD26BB 50 PUSH EAX
00AD26BC FFB5 E0FEFFFF push dword ptr ss: [EBP-120]
00AD26C2 8B85 1CEBFFFF mov eax, dword ptr ss: [EBP-14E4]
00AD26C8 0385 B8FDFFFF add eax, dword ptr ss: [EBP-248]
00AD26CE 50 PUSH EAX
00AD26CF FF15 3481AD00 call dword ptr ds: [AD8134]; kernel32.VirtualProtect
00AD26D5 EB 03 jmp short 00AD26DA
00AD26D7 D6 SALC
00AD26D8 D6 SALC
00AD26D9 8DA1 EC4FAE00 lea esp, dword ptr ds: [ECX + AE4FEC]
00AD26DF 8985 38D4FFFF mov dword ptr ss: [EBP-2BC8], EAX
00AD26E5 83BD 38D4FFFF 0> cmp dword ptr ss: [EBP-2BC8], 0
00AD26EC 74 36 je short 00AD2724
00AD26EE 8B85 38D4FFFF mov eax, dword ptr ss: [EBP-2BC8]
00AD26F4 8338 00 cmp dword ptr ds: [EAX], 0
00AD26F7 74 2B je short 00AD2724
00AD26F9 8B85 38D4FFFF mov eax, dword ptr ss: [EBP-2BC8]
00AD26FF 8B00 mov eax, dword ptr ds: [EAX]
00AD2701 8B00 mov eax, dword ptr ds: [EAX]
00AD2703 2B05 5C5AAE00 sub eax, dword ptr ds: [AE5A5C]
00AD2709 8B8D 38D4FFFF mov ecx, dword ptr ss: [EBP-2BC8]
00AD270F 8B09 mov ecx, dword ptr ds: [ECX]
00AD2711 8901 &
