Zero customerDream
This packer is very simple; I just have to find the IAT myself. The software is TrashReg, and it isn't much good. Why can't I understand it ..
A PEiD deep scan identifies the packer as Crypto-Lock v2.02 (Eng) -> Ryan Thian.
Load it in OllyDbg (OD) ..
00412DEC> 60 pushad
00412DED BE B4264000 mov esi, TrashReg.004026B4
00412DF2 8DBE EBAFFFFF lea edi, dword ptr ds: [esi + FFFFAFEB]
00412DF8 57 push edi
00412DF9 83CD FF or ebp, FFFFFFFF
00412DFC EB 10 jmp short TrashReg.00412E0E
00412DFE 90 nop
00412DFF 90 nop
00412E00 90 nop
00412E01 90 nop
00412E02 90 nop
00412E03 90 nop
00412E04 8A06 mov al, byte ptr ds: [esi]
00412E06 46 inc esi
00412E07 8807 mov byte ptr ds: [edi], al
I used the memory breakpoint method. First set a memory breakpoint on the resource section and press Shift+F9; the debugger breaks there.
Then set a memory breakpoint on the CODE section and press Shift+F9 again; it lands directly on the OEP.
00437000 55 push ebp
00437001 8BEC mov ebp, esp
00437003 6A FF push -1
00437005 68 7D1C4000 push TrashReg.00401C7D
0043700A 68 7D1C4000 push TrashReg.00401C7D
0043700F 64: A1 00000000 mov eax, dword ptr fs: [0]
00437015 50 push eax
00437016 64: 8925 0000000> mov dword ptr fs: [0], esp
0043701D 83C4 10 add esp, 10
00437020 B8 00000000 mov eax, 0
00437025 8BE5 mov esp, ebp
00437027 5D pop ebp
00437028 50 push eax
00437029 51 push ecx
0043702A 74 05 je short TrashReg.00437031
0043702C 83C8 07 or eax, 7
0043702F EB 02 jmp short TrashReg.00437033
00437031 31C0 xor eax, eax
Dump with LordPE, then open ImportREC, enter 37000 as the OEP and click IAT AutoSearch.
Don't be discouraged: if it could be fixed that easily, the packer would be too simple.
Back in OD, follow 00437031 in the dump window to find the pointer, then keep scrolling up: the RVA is 1000.
Enter that in ImportREC and click Get Imports directly.
A large number of invalid functions appear.
Do not cut the thunks; just delete the invalid ones and fix the dump directly.
The program runs normally.
Checking the packer again now reports Microsoft Visual C++.
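As an added example (not code from the original post or from ImportREC), here is a small Python model of the three ImportREC steps used above: IAT AutoSearch, Get Imports, and deleting the invalid thunks, run over a constructed dump fragment. The DLL load ranges and the sample bytes are made up; the image base 00400000 matches the 0041xxxx/0043xxxx addresses in the listings.

```python
import struct

IMAGE_BASE = 0x00400000   # TrashReg loads at 00400000, as the listing addresses show

# Constructed, hypothetical DLL load ranges; a real tool reads these from the debugger's module list.
MODULE_RANGES = {
    "kernel32.dll": (0x7C800000, 0x7C900000),
    "user32.dll":   (0x7E410000, 0x7E4A0000),
}

def rva(va):
    """VA seen in OllyDbg -> RVA typed into ImportREC (00437000 -> 0x37000)."""
    return va - IMAGE_BASE

def resolve(ptr):
    """Module a thunk points into, or None when it resolves nowhere (an 'invalid' thunk)."""
    for name, (lo, hi) in MODULE_RANGES.items():
        if lo <= ptr < hi:
            return name
    return None

def dwords(section):
    n = len(section) // 4
    return struct.unpack("<%dI" % n, section[:n * 4])

def iat_autosearch(section, section_rva):
    """Crude AutoSearch: the span from the first to the last dword that resolves to a DLL.
    Returns (iat_rva, size) or None. Like the real heuristic it can over-reach, which is
    why Get Imports afterwards reports invalid entries inside the range."""
    idx = [i for i, d in enumerate(dwords(section)) if resolve(d)]
    if not idx:
        return None
    return section_rva + 4 * idx[0], 4 * (idx[-1] - idx[0] + 1)

def get_imports(section, section_rva, iat_rva, size):
    """Walk the IAT range thunk by thunk; zero dwords separate DLL groups."""
    first = (iat_rva - section_rva) // 4
    entries = []
    for i, d in enumerate(dwords(section)[first:first + size // 4]):
        if d == 0:
            continue   # separator between DLL groups, not a thunk
        entries.append({"rva": iat_rva + 4 * i, "ptr": d, "module": resolve(d)})
    return entries

def delete_invalid(entries):
    """The fix used above: do not cut the thunks, just delete the ones that resolve nowhere."""
    return [e for e in entries if e["module"] is not None]

# Constructed sample of a dumped section starting at RVA 1000: two kernel32 thunks, a zero
# separator, one user32 thunk, two packer-redirected garbage values, one more user32 thunk.
SAMPLE = struct.pack("<8I", 0x7C801234, 0x7C80ABCD, 0, 0x7E412000,
                     0x00412E0E, 0xDEADBEEF, 0x7E413000, 0)
```

The two garbage values (one pointing into the packer stub at 0041xxxx) are what show up as the "invalid functions"; deleting them leaves a clean table to write back into the dump.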