Demo of manual shell Removal

Text/figure wast
We usually need to shell the Chinese software and decryption software, because most of the software has shelling. "Shell" is a program dedicated to protecting the software from unauthorized modification or decompilation. They generally run programs before they get control and then complete their tasks to protect the software. The shell software cannot see its real hexadecimal code when tracking, so it can protect the software.
The main purpose of shelling the software is to achieve the goal of compressing the EXE file. Although the hard disk capacity is already large, however, the program "Weight Loss" is still a good way to save space, there is also convenient network transmission; the second is the purpose of encryption, some copyright information needs to be protected and cannot be changed at will, such as the author's name and software name. Most programs are shelled to prevent reverse tracing, prevent programs from being tracked and debugged, and prevent program algorithms from being statically analyzed by others.
/Shelling technology.
Common shelling Software and Its Features
Some software is used for encryption. They can compress executable files and encrypt information to implement two "shell" functions. Such software is called shelling software. The stuff added to the software is the "shell" we have discussed. But one thing you need to understand is that the shelling software is different from the general Winzip, Winrar and other compression software, and the files after the shelling can be directly run, that is, after shelling, it is still an executable file, which is decompressed in the memory. software such as Winzip can only decompress the file to the hard disk, but restore the compressed file to the original file. The following software is a common shelling software:
1. UPX: UPX has the shelling and shelling functions. The well-known streamer 4.5 Is the shell that it is used for. The shelling method is as follows: Let the software (such as xx.exe.pdf and upx.exe) located in the same directory and run the "run" in the Windows Start Menu ", type "upx-d xx.exe.
2. Telock: Telock features include Softice protection, re-coverage, Reloc segment, ITA relocation, etc. 4.7 of the traffic is the shell of Telock. In general, we can directly remove: Teunlock.exe with a tool and do not need to recreate the resource table.
3. PECompact compression: it has no built-in shelling. This compression is highly secure and Unpecompact can be used to remove its shell. Unpecompact is a silly software, which is similar to AspackDie. After running it, select the software to be shelled.
4. ASPack: ASPack can compress Windows 32Bit EXE files and DLL files. It can compress executable files to about 50% of the original file size. ASPack does not have built-in decompression functions, that is, ASPack cannot be used to shell software compressed by ASPack. Simple shelling can be performed by Aspackdie or CASPR.
5. Petite: efficient and protective compression without built-in decompression. You can use the PTCLIENT software for simple shell removal.
How to Shell
We can use the software to know what the encryption software is like. Commonly used software: Blast Wave 2000 v0.2.exe(d.boyimpact 20000000fi.exeand typ.exe, FileInfo, which are used to detect software shelling or program entry points. Usually, you can quickly and accurately find the shelling method. For example, FI.exe is verified by using a feature code inherent in the program after shelling. However, some shelling methods use the SMC (Self Modifying Code) technology to change the program after shelling, so that the common shell checking software cannot find out. However, this is not commonly used, and it is difficult to implement the technology.
Simple Description of SMC technology: in general, it is to find a "Blank Space" that is not used by the original program, and these "Blank Space" cannot be overwritten after the program is mapped into the memory. Then add your own code to the "Open Space". This code is called a patch. When the program is decompressed in the memory, before the program jumps to the real entry point, let the program jump to the patch code to execute the patch, and then return to the original entry to continue working normally. The QQ patch by Zou Dan, a master, uses this technology.
Common Software for manual shell Removal
For shelling, we can adopt automatic shelling and manual shelling. Automatic shelling is to use the corresponding shelling program to shell the encrypted program. Generally, the shell of a certain compression tool will have the corresponding shell removal tool. Therefore, as long as a newer shell removal tool is found, the general shell can be easily removed. You must first know which shelling software is used for encryption, and then use the File detection tool. Manual shelling means that you do not use the automatic shelling tool, but use the dynamic debugging tool SOFTICE or TRW2000 For shelling. Manual shelling is difficult. The following software is generally used:
1. SoftICE: Soft-ICE is currently recognized as the best tracking and debugging tool. Using Soft-ICE, you can easily track software errors or monitor software errors for debugging, it has versions on DOS, Windows3.1, Windows 95/98/NT/2000/XP platforms. It is a tool used to debug, track, and debug software. It becomes the most terrible cracking tool in the hands of Cracker.
2. TRW 2000: Trw2000 is a debugging software compiled by the Chinese. It is fully compatible with various commands of Soft-ICE. Many software can detect the existence of Soft-ICE, TRW2000 detection is much worse, so it has become the favorite of decryption experts. TRW2000 is specially optimized for software cracking. It tracks debugging programs in Windows and has stronger tracking functions. It can set various breakpoints and more breakpoint types; it can remove the encrypted shell like some shelling tools and automatically generate EXE files, so it has stronger cracking capabilities. : Http://www.pediy.com/tools/debuggers/trw2000/trw1.2x/ptrw1.22.zip. 1.
1
3. ProcDump: Procdump is a shell removal tool used to handle software shelling. It can peel off many shells and restore the file's original face, so it is much easier to modify the file content. Because it also allows users to write their own script files, it can take off the shell of the new shell software. It is also an excellent PE format modification tool and an essential tool for shelling (2 ). : Http://www.pediy.com/tools/unpack/procdump/pdump32.zip.

2
4. Shock Wave 2000: you can easily find any encryption shell entry point, including ASProtect and phantom encryption shells (3 ). Shock Wave 2000: http://www.pediy.com/tools/unpack/bw/bw2k02.zip.

3
5. language2000: You can monitor what software is used for the target software and what software is used to add the shell. As long as you load and run the program with Language2000, you can clearly understand it, (4 ).

4
Language2000: http://www.fpxxp.com/1/ha_?age2k451144_yy.zip.
Basic concepts of manual shelling
Base Address: the starting address of the EXE or DLL program loaded into the memory. It is an important concept in Win32. In Windows NT, the default value is 10000 h. For DLL, the default value is 400000 h. In Windows 95, cmdh cannot be used to load 32-bit execution files because the address is in the linear address area shared by all processes, therefore, Microsoft changes the default base address of the Win32 executable file to 400000 h.
RVA: relative virtual address, which is the offset of an item relative to the file image address. For example, the loader loads a PE file into the virtual address space. In memory starting from 10000h, if the starting address of a table in the PE is 10464 h in the image, the RVA of this table is 464 h. Virtual Address (RVA) = offset address + base address (ImageBase ).
Entry Point: the Entry Point. After the program restores the original program, it starts to jump to the execution of the restored program. At this time, the address is the value of the Entry Point.
General steps for manual shelling
1. Determine the shell Type
Generally, after obtaining the software, you can use tools such as FileInfo, gtw, and TYP32 to detect the file type, and then take measures to find out the shell.
2. determine the Entry Point
For beginners, it is difficult to locate the entry point after the program is shelled, but after skill, it is very convenient to search for the entry point. Most PE shelling programs add one or more segments to the encrypted program. So it is possible to see a cross-segment JMP. For example, if UPX uses a cross-segment JMP, ASPACK uses a cross-segment JMP twice. This kind of judgment is generally to track the analysis program and find the entry point. If you use TRW2000, you can also try the command PNEWSEC, which can interrupt TRW2000 to the entry point (PNEWSEC: run until a new Section of the PE program memory is entered ). In addition, the shock wave 2000 of D. boy can be used to easily find the entry point of any encrypted shell.
3. Copy the restored files in the memory.
After finding the entry point, you can use the full dump function of Procdump to capture the entire file in the memory. If you use TRW2000, you can also use the command Makepe. Meaning: Extract an instruction name PE-format EXE file from the memory. The current EIP will become a new program entry, and the Import table of the generated file has been regenerated, the generated PE file can run on any platform or microcomputer.
4. Fixed the file just dumped.
If you use the full dump function of Procdump to shell files, you must use PE editing tools such as Procdump or PEditor to modify the Entry Point ).
Complete example of manual shelling
Let's take the legendary black eyes as an example to illustrate how to manually shell. Legend black eye is the latest legendary game account stealing tool. It accurately captures the region, user name, password, IP address, and logon time of the legend game logon, stores the data in the specified file, and sends the data to the specified email address, it automatically runs on the background after each boot. The software uses ASPACK 2.001 shelling.
1. Find the shelling entry point. Run bw2000.exe, click Track in BW2000, and then run ASPack2.12 compressed notepad. At this time, we can see the shell adding Entry Point 00366fe in BW2000;
2. Execute the program to the entry point. Run trw2000. click "browser.exe" to find the legendary master program mireye.exe, and press Ctrl + N to enter trw2000. In TRW2000, run the command g 000000fe (execute to the offset address 000000fe ). You will see the following code:
017F: 0020.e3 50 push eax; real portal offset, EAX = 00055C14H
017F: 000000e4 010000e0374400 add eax, [EBP + 004437E0]; offset plus base address 00400000 H
017F: 0