I used to think that a tool only needs to work, but for a security newbie like me that is not enough: you have to understand it, fool it, modify it, and improve it!
The previous article covered how to unpack the PEiD 0.94 shell:
[Debugging principles] Reversing PEiD: unpacking
This article starts reverse-analysing how PEiD works, beginning with the simplest case: how it decides that a program was compiled with the VC compiler.
Reversing tools: OllyDbg, IDA, WinHex
Analysis target: PEiD v0.94 (Uppeid, the fully unpacked copy)
Test program: TraceMe.exe
Opening TraceMe.exe in PEiD shows it was written in Microsoft Visual C++ 6.0, so open PEiD in OllyDbg directly and search for the string "Microsoft Visual C"; the string is found:
Double-click to go to the place where this string is referenced.
Find where the jump comes from, scroll up, and locate the start of the function.
The same can be done with IDA.
Set a breakpoint there, then load our test program TraceMe.exe in PEiD; after F9 the program breaks.
Single-stepping through, the analysis of the algorithm is written into the comments of the following code:
00438C26  |.                  push ebx
00438C27  |.                  push ebp
00438C28  |.                  push esi
00438C29  |.                  push edi                                 ; an array is filled here
00438C2A  |.  B0              mov al,0x72                              ; 'r'
00438C2C  |.  884424 2F       mov byte ptr ss:[esp+0x2f],al
00438C30  |.  884424          mov byte ptr ss:[esp+0x31],al
00438C34  |.  884424          mov byte ptr ss:[esp+0x34],al
00438C38  |.  884424          mov byte ptr ss:[esp+0x39],al
00438C3C  |.  884424 3D       mov byte ptr ss:[esp+0x3d],al
00438C40  |.  B0              mov al,0x63
00438C42  |.  884424          mov byte ptr ss:[esp+0x40],al            ; 'c'
00438C46  |.  884424          mov byte ptr ss:[esp+0x41],al
00438C4A  |.  B0              mov al,0x73
00438C4C  |.  884424          mov byte ptr ss:[esp+0x43],al            ; 's'
00438C50  |.  884424          mov byte ptr ss:[esp+0x44],al
00438C54  |.  B0 6C           mov al,0x6c
00438C56  |.  884424          mov byte ptr ss:[esp+0x47],al            ; 'l'
00438C5A  |.  884424          mov byte ptr ss:[esp+0x48],al
00438C5E  |.  8BB424 A00400>  mov esi,dword ptr ss:[esp+0x4a0]
00438C65  |.  8B46 0C         mov eax,dword ptr ds:[esi+0xc]           ; "PE" header
00438C68  |.  8B56            mov edx,dword ptr ds:[esi+0x18]          ; .text (first section header)
00438C6B  |.  B1 6D           mov cl,0x6d
00438C6D  |.  884C24          mov byte ptr ss:[esp+0x36],cl            ; 'm'
00438C71  |.  884C24 3E       mov byte ptr ss:[esp+0x3e],cl
00438C75  |.  B3              mov bl,0x41                              ; 'A'
00438C77  |.  C64424 2C 7B    mov byte ptr ss:[esp+0x2c],0x7b          ; '{'
00438C7C  |.  C64424 2D 4F    mov byte ptr ss:[esp+0x2d],0x4f
00438C81  |.  C64424 2E       mov byte ptr ss:[esp+0x2e],0x75
00438C86  |.  C64424          mov byte ptr ss:[esp+0x30],0x50
00438C8B  |.  C64424 6F       mov byte ptr ss:[esp+0x32],0x6f
00438C90  |.  C64424          mov byte ptr ss:[esp+0x33],0x67
00438C95  |.  C64424          mov byte ptr ss:[esp+0x35],0x61
00438C9A  |.  C64424 37       mov byte ptr ss:[esp+0x37],0x44
00438C9F  |.  C64424          mov byte ptr ss:[esp+0x38],0x69
00438CA4  |.  C64424 3A 7D    mov byte ptr ss:[esp+0x3a],0x7d
00438CA9  |.  C64424 3B 5C    mov byte ptr ss:[esp+0x3b],0x5c
00438CAE  |.  885C24 3C       mov byte ptr ss:[esp+0x3c],bl
00438CB2  |.  885C24 3F       mov byte ptr ss:[esp+0x3f],bl
00438CB6  |.  C64424          mov byte ptr ss:[esp+0x42],0x65
00438CBB  |.  C64424 2E       mov byte ptr ss:[esp+0x45],0x2e
00438CC0  |.  C64424          mov byte ptr ss:[esp+0x46],0x64          ; [esp+0x2c..0x48] now spells "{OurProgramDir}\ArmAccess.dll"
00438CC5  |.  C64424 4D       mov byte ptr ss:[esp+0x18],0x4d
00438CCA  |.  C64424          mov byte ptr ss:[esp+0x19],0x53
00438CCF  |.  C64424 1A       mov byte ptr ss:[esp+0x1a],0x43
00438CD4  |.  C64424 1B       mov byte ptr ss:[esp+0x1b],0x46          ; [esp+0x18..0x1b] = "MSCF"
00438CD9  |.  0FB740          movzx eax,word ptr ds:[eax+0x6]          ; offset 6 after "PE" = number of sections
00438CDD  |.  8D0C80          lea ecx,dword ptr ds:[eax+eax*4]         ; number of sections * 5 (= 0x14 here)
00438CE0  |.  8B6CCA E8       mov ebp,dword ptr ds:[edx+ecx*8-0x18]    ; section table + sections*40 - 0x18 = 0x1000 (raw size of the last section)
00438CE4  |.  8D44CA D8       lea eax,dword ptr ds:[edx+ecx*8-0x28]    ; address of the last section header (".rsrc")
00438CE8  |.  8B78            mov edi,dword ptr ds:[eax+0x14]          ; file offset of the last section (.rsrc)
00438CEB  |.  8B46            mov eax,dword ptr ds:[esi+0x4]           ; end offset of the last section
00438CEE  |.  03FD            add edi,ebp
00438CF0  |.  8BAC24 9C0400>  mov ebp,dword ptr ss:[esp+0x49c]         ; a value from the array
00438CF7  |.  8D8F 00390000   lea ecx,dword ptr ds:[edi+0x3900]
00438CFD  |.  3BC1            cmp eax,ecx
00438CFF  |.  1A              jnb Uppeid.00438D1B
00438D01  |.  8B55            mov edx,[arg.7]                          ; get the program's RVA
00438D04  |.  85D2            test edx,edx                             ; is it 0?
00438D06  |.                  je Uppeid.00438D1B
00438D08  |.  8B4E            mov ecx,dword ptr ds:[esi+0x18]          ; .text section header
00438D0B  |.  8B79            mov edi,dword ptr ds:[ecx+0x14]          ; file offset of the .text section
00438D0E  |.  0379            add edi,dword ptr ds:[ecx+0x10]          ; file offset + raw size = end offset of .text
00438D11  |.  3BD7            cmp edx,edi
00438D13  |.  0F82 E4020000   jb Uppeid.00438FFD                       ; jump taken (checks that the OEP lies inside .text, a VC characteristic)
In the listing above, my comment at 00438D01 says it obtains the program's RVA:
00438D01 |. 8B55 20 mov edx,[arg.7] ; get the program's RVA
This was not analyzed directly at first; it turned out that the address of arg.7 is 00471018 every time the program is loaded.
Right-click > Follow in the data window, note the address, reload the program and set a memory-access breakpoint at 00471018; after F9 and loading TraceMe.exe, it breaks at the following place:
Following directly in the data window gave no clue, so go back up the code to the first place that assigns to EAX here:
Follow in the data window:
Anyone familiar with the PE structure will recognise that the A0 13 00 00 there (little-endian 0x000013A0) sits at offset 16 of IMAGE_OPTIONAL_HEADER inside IMAGE_NT_HEADERS, which is AddressOfEntryPoint, so this should be the program's RVA (OEP).
But this is only one part of the VC analysis; what is checked before it? Let's look at the stack at the moment of the VC decision.
Right-click > Follow leads back to the code that assigned the RVA. The preceding code fragment takes the program's offset, adds the base address to reach this function, and then makes the judgement; the following fragment essentially stores indices into a function-pointer array in an array and then calls the corresponding functions to confirm the program type.
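To make the algorithm in the listing concrete, here is an added Python replay of the checks from 00438CD9 to 00438D13, run against a constructed minimal PE (example code written for this article, not PEiD's own code). It assumes that [esi+4] holds the file size and that [esi+0x18] points at the first section header.

```python
import struct

SECTION_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER layout, 40 bytes


def build_sample_pe(entry_rva, overlay=0):
    """Constructed minimal PE (sample data, not a real binary): 2 sections, .text
    raw at 0x1000 (VC6-style 0x1000 file alignment), .rsrc last, optional overlay."""
    e_lfanew = 0x80
    hdr = bytearray(0x1000)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    # IMAGE_FILE_HEADER: i386, NumberOfSections=2, SizeOfOptionalHeader=0xE0
    struct.pack_into("<HHIIIHH", hdr, e_lfanew + 4, 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    opt = e_lfanew + 24
    struct.pack_into("<H", hdr, opt, 0x10B)            # PE32 magic
    struct.pack_into("<I", hdr, opt + 16, entry_rva)   # AddressOfEntryPoint (offset 16)
    sec = opt + 0xE0                                   # first IMAGE_SECTION_HEADER
    struct.pack_into(SECTION_FMT, hdr, sec, b".text", 0x4000, 0x1000, 0x4000, 0x1000,
                     0, 0, 0, 0, 0x60000020)
    struct.pack_into(SECTION_FMT, hdr, sec + 40, b".rsrc", 0x1000, 0x6000, 0x1000, 0x5000,
                     0, 0, 0, 0, 0x40000040)
    return bytes(hdr) + bytes(0x5000) + bytes(overlay)  # headers + .text + .rsrc (+ overlay)


def peid_vc_check(data):
    """Replay of the checks at 00438CD9..00438D13; returns (is_vc_candidate, reason)."""
    def u16(off): return struct.unpack_from("<H", data, off)[0]
    def u32(off): return struct.unpack_from("<I", data, off)[0]
    pe = u32(0x3C)                                   # [esi+0xc]: the "PE" header
    nsec = u16(pe + 6)                               # movzx eax,[eax+6]: NumberOfSections
    sec_table = pe + 24 + u16(pe + 20)               # [esi+0x18]: first section header
    last = sec_table + nsec * 40 - 0x28              # lea eax,[edx+ecx*8-0x28]
    last_end = u32(last + 0x14) + u32(last + 0x10)   # PointerToRawData + SizeOfRawData
    # cmp eax,ecx / jnb with ecx = last_end + 0x3900: [esi+4] assumed to be the file size
    if len(data) >= last_end + 0x3900:
        return False, "more than 0x3900 bytes beyond the last section"
    entry_rva = u32(pe + 24 + 16)                    # arg.7: AddressOfEntryPoint
    if entry_rva == 0:                               # test edx,edx / je
        return False, "AddressOfEntryPoint is zero"
    text_end = u32(sec_table + 0x14) + u32(sec_table + 0x10)  # .text raw end offset
    # note: exactly as in the listing, an RVA is compared against a raw file offset
    if entry_rva < text_end:                         # cmp edx,edi / jb -> VC path
        return True, "entry point lies below the end of .text"
    return False, "entry point lies outside .text"
```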
Last night my computer froze while I was analyzing how TraceMe gets loaded, and I got so annoyed that I didn't analyze any further; any experts who are interested can analyze that pointer array.
That's the analysis of one point; the approach for the rest is much the same. Experts, please don't flame me!
Debugging principles - Reversing PEiD - Determining VC