Cracking learning notes-single-step tracking practices UPX shelling

Source: Internet
Author: User

Author: gray fox
First Article: gray fox s Blog (Www. HuiHu32.cN)

I have long wanted to learn how to crack it, but the compilation was too bad in the past. I couldn't even remember a few commands. I learned how many times I had to waste it a few times and then I lost it, but it was always so uncomfortable.

Later, I went to the dark group and found that New4, the boss, had a book titled "proficient in hacking-free". In fact, this guy is not very interested in killing-free, because he doesn't play black games at ordinary times, even if you need some tools, you can either write them by yourself or ask your friends for one. No kill can help you. But one day, I suddenly found a guy in the dormitory (claiming to be a non-zero solution, but the old man has always called it a non-pig solution) who bought this book. Haha, I bought it anyway. Let's take a look at it first.

After reading the above, I felt that the boss wrote a good job. It was easy to understand, because the idiot-level cainiao, like me, who used to fear cracking, can understand the previous chapters, I will read it carefully.

In fact, I mainly read the previous articles about shell removal. I did not take it seriously because it was useless ), after returning, I made a detailed video to the boss. After five failures, I finally got the first one: The UPX compression shell & single-step tracking method. Haha, I used to make a problem even when I added a shell.

After the supervisor is shelled, it does not respond. The PEID prompts that the shell has been removed successfully. Note that the book tells you how to restore it manually. But now the book is not in the palm of your hand, you can click it first to write out the Shell Process of cmd.exe in the book. You can also remember it later.

First, use upxshell3.4to shell cmd.exe. The version is UPX 2.92b. Then we use PEID to query the shell result as follows: UPX 0.89.6-1.02/1.05-1.24-> Markus & Laszlo. We can see that it is the shell of UPX, let's take it off.

Use olldbg(in the following simple name: odpscmd cmd.exe. A dark window pops up at the beginning, but it is obviously not completely running. We don't care about it. It directly seems that the OD interface is stopped here:
4AD76100> 60 pushad
We start the single step by pressing F8. When we get here:
4AD76110/EB 10 jmp short 2.16.4ad76122
There is a downward arrow in the row "HEX data" in the second column of OD, pointing to the place to jump to. This function is very useful, because it is forward jump, we don't care, continue F8, another jump was encountered without two steps:
4AD76129 ^ 72 ED jb short 2.16.4ad76118
Note that the arrow points to the top of the page, indicating that you want to jump back (for short, back-to-jump). Of course, you cannot promise it. We will select the next line:
4AD7612B B8 01000000 mov eax, 1
Then press F4. continue f8. then press f8. then press f8. if you jump back (see the arrow pointing), select the last line and then follow F4, we also use F8 to follow the previous hop. Note that not only jmp will jump back, but loop will also jump back. We also need to use F4.
Let's continue with the F8 + F4 keys and come here:
4AD76246 ^ EB E1 jmp short 2.16.4ad76229
4AD76248 FF96 FCC80A00 call dword ptr ds: [esi + AC8FC]
The boss said that both sentences should be skipped with F4. Based on my poor assembly knowledge, I guess that the address to be called for this call is also in front, so I will jump back. Select the next line:
4AD7624E 8BAE F0C80A00 mov ebp, dword ptr ds: [esi + AC8F0]
After pressing step F4, continue to step F8. After that, you will see a series of push operations. It seems that the operation is not far from success. Then you will come to this line in less than a few steps:
4AD7627D 61 popad
The boss said that this is the exit sign of The UPX shell. Haha, the success is just in sight. Continue F8 + F4 and take about five steps. Then we will come here:
4AD7628B-E9 C6EDF8FF jmp 2.16.4ad05056
It can be seen that this is also a jump, but it is not a normal jump, take a closer look at its data, other jumps are an up or down arrow, however, this is a "-" number, which points to the real entry point. When we come here, we press F8, seek again, and jump far and far. Here we are:
4AD05056 6A 28 push 28
Save it.
In this case, we can use PEID to check the shell and check the results: Microsoft Visual C ++. Oh, that's great!
Run "aaa.exe", "cmdname", "cmdname", and "cmdname". A normal Command Prompt window pops up and runs completely normally. Haha, it's a great sense of accomplishment.
However, there is another small problem. I found that the files after shelling are always nearly twice as large as the files before shelling. It's so horrible. Is there a lot of useless information in it? Please explain which one you understand.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.