Crack notes 1 commonly used shelling methods

---------------------------------------------------------------------------------
Black Eagle Red Guest Base Animation tutorial
Black Eagle Red Guest base www.3800cc.com
Professional red-passenger safety technology training base
Take more than one minute to learn. Make your life more exciting.
Note: The 10-yuan animation is released free of charge. 20.50.100.200 Yuan Animation is only provided to the VIP members of the site as auxiliary materials.
---------------------------------------------------------------------------------
I. INTRODUCTION

Shell for program authors want to compress the program resources, registration protection purposes, the shell is divided into two types of compression shell and encryption shell
UPX Aspcak telock pelite nspack ...
Armadillo Asprotect acprotect EPE SVKP ...
As the name implies, the compression shell is only to reduce the program volume to the resource compression, the encryption shell is the program input table and so on encryption protection. Of course, the protection of the encryption shell is much stronger!

Ii. common methods of shelling

Pre-knowledge

1.PUSHAD (press stack) represents the entry point of the program,
2.POPAD (out of the stack) represents the exit point of the program, and Pushad want to correspond, generally find this oep is nearby
3.OEP: The entry point of the program, the software shell is hidden OEP (or with a fake oep/foep), as long as we find the program real OEP, you can immediately shelled.

Method One: Single Step tracking method
1. Load with OD, point "do not parse code!" ”
2. Step down to track F8 to achieve a downward jump. That means jumping up doesn't make it come true! (via F4)
3. When the program jumps back (including loops), we press F4 at the next line of code (or right-click Code, select Breakpoint--run to selected)
4. The Green line indicates that the jump is not realized, regardless, the red line indicates that the jump has been realized!
5. If just loading the program, there is a call in the vicinity, we F7 to follow in, or the program is easy to run, so it will soon be able to go to the program Oep
6. At the time of tracking, if run to a call program to run, in this call F7 into
7. There are generally very large jumps (large spans), such as jmp XXXXXX or JE XXXXXX, or a retn that generally will soon go to the oep of the program.

BTW: In some cases can not be traced down, we could find a large jump in the vicinity, right-and "follow", and then F2 down, shift+f9 run stop in the "follow" position, then cancel the breakpoint, continue to F8 single-step tracking. It is generally easy to reach the oep!

Method Two: ESP law
ESP theorem shelling (esp in the Register of OD, we just at the command line of ESP hardware access breakpoint, will come to the OEP of the program!) ）
1. Start with the point F8, and notice that the ESP has no emergent (red) in the upper right-hand corner of the OD register. (This is just a general case, rather the ESP value we choose is the first ESP value after the key sentence)
2. Under command line: DD XXXXXXXX (refers to the ESP address in the current code, or HR XXXXXXXX), press ENTER!
3. Select the broken address, breakpoint---> Hardware--->word breakpoint.
4. Click F9 to run the program, directly to the jump, press F8, to arrive at the program Oep.

Method Three: Memory Mirroring method
1: Open the software with OD!
2: Click on the Options--Debugging options--exception, the inside of the Ignore all √ on! CTRL+F2 overloaded under the program!
3: Press ALT+M, open the memory mirror, find the first of the program. rsrc. Press F2 to break the breakpoint, then press SHIFT+F9 to run to the breakpoint, then press Alt+m to open the memory mirror image, Locate the first. rsrc. Code (that is, 00401000) on the top of the program, and press F2 to place a breakpoint! Then press SHIFT+F9 (or press F9 without exception) to reach the program directly oep!

Method Four: One step to reach Oep
1. Start pressing Ctrl+f, enter: Popad (only for a few shells, including the upx,aspack Shell), then press F2,F9 to run here
2. Come to the big jump, click F8, arrive at oep!

Method Five: The last anomaly method
1: Open the software with OD
2: Click on the Options--Debugging options--exception, the inside of the √ all removed! CTRL+F2 Overloaded under Program
3: The beginning of the program is a jump, here we press SHIFT+F9, until the program runs, note the number of times from the beginning to press SHIFT+F9 to the program run m!
4:CTRL+F2 Reload program, press SHIFT+F9 (this time the number of times to run the program m-1 Times)
5: In the lower right corner of OD we see an "se handle", when we press CTRL+G, enter the address before the SE handle!
6: Press F2 to break the breakpoint! Then press SHIFT+F9 to come to the breakpoint!
7: Remove the breakpoint, press F8 slowly go down!
8: oep! of the Arrival program

Method Six: Simulation tracking method
1: First try to run, follow up the program, see if there is no seh, such as dark piles
2:alt+m Open memory image, find (contains =sfx,imports,relocations)

Memory mirroring, Item 30
Address =0054b000
Size = 00002000 (8192.)
Owner=check 00400000
Section =.aspack
Contains =sfx,imports,relocations
Type =imag 01001002
Visit =r
Initial Access =rwe

3: The address is 0054b000, as we enter TC eip<0054b000 in the command line, enter, is tracking ing.

BTW: When you use this method, you need to understand how he is going to be able to use it.

Method Seven: "SFX" method
1: Set OD, ignore all exceptions, that is, check the Exception tab
2: Switch to the SFX tab, select "Byte mode to track actual ingress (very slow)", OK.
3: Reload the program if it jumps out "compress code?" "Select" No ", OD directly arrives Oep)

BTW: This method should not be abused well, exercise ability is wonderful.

Crack notes 1 commonly used shelling methods