Basic knowledge of cainiao shelling (I)

Shelling Technology

I. Basic Knowledge
Definition of shell: some computer software also has a program dedicated to protecting the software from unauthorized modification or decompilation. They generally run programs before they get control and then complete their tasks to protect the software. Because this program and the shell of nature have many similarities in functionality, based on naming rules, we call such a program "shell, it is nothing more than protecting and hiding things in the shell. From a technical point of view, the shell is a piece of code executed before the original program. The code of the original program may be compressed and encrypted during shelling ....... When the files after shelling are executed, shell-the code runs before the original program. It restores the compressed and encrypted code to the original program code, and then returns the execution right to the original code. The software shells are classified into encryption shells, compression shells, camouflage shells, and multi-layer shells to hide the real OEP of the Program (entry point to Prevent Cracking ).
1.1.1 shell Loading Process
1. Save the entry function
The shell program first initializes the values of all registers. After the shell is executed, it restores the content of each register and jumps to OEP to execute the program! Usually, the shelling program uses pushad/pushfd to store the site and uses popad/popfd to restore the site. For example, I added an UPX shell to the delphi7.0 program! His portal is the site that is saved using Pushad!
004629D0> 60 pushad // use pushad to save the site
004629D1 BE 00F04300 mov esi, 0043F000
004629D6 8DBE 0020 FCFF lea edi, dword ptr [esi + FFFC2000]
004629DC C787 9CC00400 7> mov dword ptr [edi + 4C09C], 46CD167B
004629E6 57 push edi
004629E7 83CD FF or ebp, FFFFFFFF
004629EA EB 0E jmp short 004629FA
At the end of the UPX shell:
00462B5F 8D87 1F020000 lea eax, dword ptr [edi + 21F]
00462B65 8020 7F and byte ptr [eax], 7F
00462B68 8060 28 7F and byte ptr [eax + 28], 7F
00462B6C 58 pop eax
00462B6D 50 push eax
00462B6E 54 push esp
00462B6F 50 push eax
00462B70 53 push ebx
00462B71 57 push edi
00462B72 FFD5 call ebp
00462B74 58 pop eax
00462B75 61 popad // use popad to restore all registers!
2. Obtain the functions required by the shell.
Generally, only the GetMoudleHandleA, GetProcAddress, and LoadLibrary API functions are available in the input table of the shell! Some even have Kernel32.dll and GetProcAddress. If the shell program needs to load other functions, it can call LoadLibrary to map the DLL to the address space of the calling process, the hinstance value returned by the function is used to identify the file image mapped to the virtual memory address. View MSDN and find the LoadLibrary function prototype:
HINSTANCE LoadLibrary (LPCTSTR lpLibFileName // address of filename of executable module );
When the DLL file has been mapped to the address space of the calling process, you can use GetMoudleHandleA to call the function. The handle of the DLL module that can be activated by calling this function. The function prototype of GetMoudleHandleA is:
HMODULE GetModuleHandle (
Lptstr lpModuleName );
After the Dll module is loaded, you can call the GetProcAddress function to obtain the address of the input function. The prototype of the GetProcAddress function is:
FARPROC GetProcAddress (HMODULE hModule, // handle to DLL module LPCSTR lpProcName // name of function );
After these three functions are called, you can obtain the desired function API. The other APIs used in the shell are basically called using the combination of these three functions! However, for some high-strength encryption shells, the authors may not need to connect to the most basic GetProcAddress, but write a function similar to the GetProcAddress function to replace it, this greatly improves the concealment of function usage!
For example, if I use the UPX shell added by Delphi7.0, let's see if his shell uses the functions we mentioned above:

The UPX shell uses functions such as LoadLibrary and GetProcAddresss, which are similar to the functions we mentioned above!
3. decrypt the data of each section of the shelling Software
The shell will protect the data and code of the blocks of the shelled program, and encrypt the blocks of the shelled program. When the program is executed, the shell will decrypt the encrypted data, so that the encrypted program can run normally! The shell decrypts the block in the order of the encrypted block, and stores the decrypted block data in the appropriate memory location according to the block definition!
4. initialize IAT
When the program shelling, the shelling program constructs an input table by itself, and points the pointer to the input table in the PE header to the input table constructed by itself. Therefore, the PE Loader fills in the input table created by itself, so the original IAT is implemented through the PE Loader, but now only the shell can be used to fill in the PE input table, the shell only needs to scan the structure of the new input table from start to end, re-obtain the address for all the functions introduced by each DLL, and fill in the IAT!
5. Jump to OEP
After the shell is executed, it will jump to the Entry Point of the original program, that is, Entry Point, also known as OEP! When the encryption strength is not a very large shell, there will be a large cross-segment at the end of the shell and jump to OEP, similar to the "Demarcation Line" between a shell and the program entry point "! For example:
00462B74 58 pop eax
00462B75 61 popad
00462B76 8D4424 80 lea eax, dword ptr [esp-80]
00462B7A 6A 00 push 0
00462B7C 39C4 cmp esp, eax
00462B7E ^ 75 FA jnz short 00462B7A
00462B80 83EC 80 sub esp,-80
00462B83 ^ E9 109 FFEFF jmp 0044CA98 // large cross-segment. At this time, the EIP is 00462B83, And the redirection is 0044CA98. This indicates that this is a large cross-segment and a demarcation point!
Some encryption shells will move the entry point of the program to the shell section and clear the Code. This is what we call the "Stolen Code". In this way, the shell and the program will be part of each other, increased the difficulty of shelling. (Of course, we can make up the cleared OEP! Then shell it! Some shells may use virtual machines to exit the portal to the VM, which must be manually repaired !)

Summary:
4. shell loading process: first, save the field = to get the functions required by the shell program (remember these functions) = decrypt data = initialize IAT = jump to OEP = For shelling and repair




Provide an attachment for direct viewing

Http://www.bkjia.com/uploadfile/2012/1202/20121202071728354.zip