[Debugging environment]: WinXP, OllyDbg 1.10C, WinHex, LordPE, UPXAngela, ImportREC
---------------------------------
[Unpacking Process]:
In fact, this article is just an OllyDbg version of the UPX DLL unpacking described in "Encryption and Decryption", 2nd edition.
With OllyDbg 1.10C and UPXAngela, unpacking a UPX-packed DLL is very convenient.
---------------------------------
1. Get the relocation table RVA and the OEP
Code :--------------------------------------------------------------------------------
003B8100 807C24 08 01 cmp byte ptr ss: [esp + 8], 1 // OllyDbg stops here; [esp+8] is fdwReason, compared with DLL_PROCESS_ATTACH (1)
003B8105 0F85 7D010000 jnz EdrLib.003B8288
--------------------------------------------------------------------------------
No tracing is needed. Press Ctrl+S to search for the following command sequence from the current position:
Code :--------------------------------------------------------------------------------
xchg ah, al
rol eax, 10
xchg ah, al
add eax, esi
--------------------------------------------------------------------------------
The search lands at 003B826D. Set a breakpoint on mov al, byte ptr ds:[edi] at 003B825E, run with F9, and OllyDbg breaks there:
Code :--------------------------------------------------------------------------------
003B825E 8A07 mov al, byte ptr ds: [edi]
// EDI = 003B7318; minus the current base address 003B0000 = 00007318 ★ This is the RVA of the relocation table.
003B8260 47 inc edi
003B8261 09C0 or eax, eax
003B8263 74 22 je short EdrLib.003B8287
// Taken once the relocation data has been fully processed (a 0 byte terminates the stream)
003B8265 3C EF cmp al, 0EF
003B8267 77 11 ja short EdrLib.003B827A
003B8269 01C3 add ebx, eax
003B826B 8B03 mov eax, dword ptr ds: [ebx]
003B826D 86C4 xchg ah, al // find here
003B826F C1C0 10 rol eax, 10
003B8272 86C4 xchg ah, al
003B8274 01F0 add eax, esi
003B8276 8903 mov dword ptr ds: [ebx], eax
003B8278 EB E2 jmp short EdrLib.003B825C
003B827A 24 0F and al, 0F
003B827C C1E0 10 shl eax, 10
003B827F 66: 8B07 mov ax, word ptr ds: [edi]
003B8282 83C7 02 add edi, 2
003B8285 EB E2 jmp short EdrLib.003B8269
--------------------------------------------------------------------------------
Set a breakpoint at 003B8287, run with F9, and it breaks once relocation processing is complete.
When we break at 003B8287, EDI = 003B74EA is the end address of the relocation table.
Code :--------------------------------------------------------------------------------
003B8287 61 popad
// At this point EDI = 003B74EA ★
003B8288 E9 3C8FFFFF jmp EdrLib.003B11C9
// Jump to the OEP!
--------------------------------------------------------------------------------
Code :--------------------------------------------------------------------------------
003B11C9 55 push ebp // OEP★
003B11CA 8BEC mov ebp, esp
003B11CC 53 push ebx
003B11CD 8B5D 08 mov ebx, dword ptr ss: [ebp + 8]
003B11D0 56 push esi
003B11D1 8B75 0C mov esi, dword ptr ss: [ebp + C]
003B11D4 57 push edi
003B11D5 8B7D 10 mov edi, dword ptr ss: [ebp + 10]
003B11D8 85F6 test esi, esi
003B11DA 75 09 jnz short EdrLib.003B11E5
--------------------------------------------------------------------------------
Use LordPE to select OllyDbg's loaddll.exe process, select EdrLib.dll in the module list below, and do a full dump of it to obtain dumped.dll.
---------------------------------
II. Import table
Find any API call in the program, for example:
Code :--------------------------------------------------------------------------------
003B10FD FF15 20403B00 call dword ptr ds: [3B4020]; kernel32.GetVersion
--------------------------------------------------------------------------------
Follow 3B4020 in the dump window. Many function addresses are shown above and below it, so the start and end addresses of the IAT are obvious:
Code :--------------------------------------------------------------------------------
003B3FF0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
003B4000 1D 51 C4 77 1C 3A C4 77 3E E7 C4 77 CC D2 C4 77. Q. w... w>... w
003B40B0 CE 7C E5 77 05 74 E5 77 F9 81 E5 77 EB 41 E4 77 .. |. w. t. w... w. A. w
003B40C0 66 C8 E5 77 3E 18 F6 77 00 00 00 00 00 00 00 00 f... w> ........
--------------------------------------------------------------------------------
Start address = 003B4000
End address = 003B40C9
Run ImportREC. Note: uncheck the option "Use PE Header From Disk".
Select OllyDbg's loaddll.exe process, click "Pick DLL", select EdrLib.dll, fill in RVA = 00004000, Size = 000000C8, and click "Get Imports" to obtain the import table. Change OEP to 000011C9 (003B11C9 minus the base 003B0000) and click "Fix Dump"!
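Finding the IAT boundaries by eye in the dump window works for a small DLL; the same judgement can be written down as a scan for the longest run of DWORD-aligned values that point into loaded modules. The following is an added example for this write-up and is not ImportREC's own algorithm; the module ranges and the 0x40-byte dump region are constructed, and the pointer values merely resemble the ones in the listing above.

```python
"""Locate the IAT in a dumped memory region: the longest run of DWORD-aligned
values that point into loaded modules, bounded by non-pointer data.
Added example for this write-up, not ImportREC's algorithm. MODULES and
REGION below are constructed sample data."""
import struct


def find_iat(region: bytes, region_base: int, modules, min_ptrs: int = 4):
    """Return (start_va, end_va) of the longest run of pointers into `modules`
    ([(base, size), ...]). A single zero dword inside a run is kept (it is the
    terminator between one DLL's thunks and the next); two zeros in a row, or
    any non-pointer value, end the run. Raise if no run has `min_ptrs` pointers."""
    def is_ptr(v):
        return any(base <= v < base + size for base, size in modules)

    def dword(i):
        return struct.unpack_from("<I", region, 4 * i)[0]

    n = len(region) // 4
    best = None                              # (start index, end index exclusive, pointer count)
    i = 0
    while i < n:
        if not is_ptr(dword(i)):
            i += 1
            continue
        start, end, count = i, i + 1, 1
        i += 1
        while i < n:
            v = dword(i)
            if is_ptr(v):
                count += 1
                end = i + 1
            elif v == 0 and i + 1 < n and is_ptr(dword(i + 1)):
                pass                         # lone separator zero, keep scanning
            else:
                break
            i += 1
        if best is None or count > best[2]:
            best = (start, end, count)
    if best is None or best[2] < min_ptrs:
        raise ValueError("no IAT-like pointer run found")
    return region_base + 4 * best[0], region_base + 4 * best[1]


def importrec_params(start_va: int, end_va: int, image_base: int):
    """Convert the VA range to the RVA / Size fields ImportREC asks for."""
    return start_va - image_base, end_va - start_va


# Constructed: two fake system modules and a 0x40-byte dump starting at 003B3FF0.
MODULES = [(0x77C40000, 0x20000), (0x77E50000, 0x20000)]
REGION = (
    b"\x00" * 0x10                                            # padding before the IAT
    + struct.pack("<5I", 0x77C4511D, 0x77C43A1C, 0x77C4E73E, 0x77C4D2CC, 0x77C45A10)
    + struct.pack("<I", 0)                                    # end of first DLL's thunks
    + struct.pack("<3I", 0x77E57CCE, 0x77E57405, 0x77E581F9)
    + b"\x00" * 8 + b"AAAA"                                   # data after the IAT
)

if __name__ == "__main__":
    start, end = find_iat(REGION, 0x3B3FF0, MODULES)
    rva, size = importrec_params(start, end, 0x003B0000)
    print("IAT %08X-%08X -> RVA=%08X Size=%08X" % (start, end, rva, size))
```

On a real dump the module list would come from the debugger's memory map, and the scan is run over the section that contains the address the call instruction reads from (3B4020 in the example above).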
---------------------------------
III. Relocation table repair + PE correction
UPX destroys the relocation table. In step 1 we obtained the start and end addresses of the relocation table. Open dumped_.dll in WinHex, copy the hexadecimal bytes between those two offsets (in a LordPE full dump, file offsets match RVAs), and save them as fly.bin.
Run upxangela.exe, a tool written by Xue for repairing the relocation table of UPX-packed DLLs, open fly.bin, and it promptly reports that pediy.bin was created successfully!
Find a blank area in dumped_.dll, for example starting at 6000 in the UPX1 section; it is large enough. The data length of pediy.bin is 3B0.
Use WinHex to copy all bytes of pediy.bin and write them at offset 6000 of dumped_.dll.
Use LordPE to set the relocation table directory of dumped_.dll to RVA = 00006000 and Size = 000003B0, and save.
Use LordPE to change the ImageBase of dumped_.dll to 003B0000 (the dump was taken after the stub had already applied its fixups for that base, so the header must say so for the rebuilt relocations to be consistent), click OK, and the unpacking is complete.
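The stub loop listed in step 1 and the repair done with UPXAngela and LordPE in this step can be expressed in code: decode the compressed UPX fixup stream into fixup RVAs, emit a standard IMAGE_BASE_RELOCATION section from them, and write the two header fields LordPE edits. The following is an added example for this write-up and is not code from UPX, UPXAngela or LordPE. Two things the listing does not show are taken as assumptions: the initial value of EBX (passed as `start_rva`) and that ESI holds the module's load address (passed as `load_base`); `SAMPLE_STREAM` and `minimal_pe32_header()` are constructed test data.

```python
"""Rebuild a proper .reloc section from a UPX-style compressed fixup stream and
apply the two header edits made with LordPE in step III.
Added example for this write-up; not code from UPX, UPXAngela or LordPE.
Assumed (not on the page): the stub's initial EBX (start_rva) and that ESI
holds the module's load address (load_base)."""
from __future__ import annotations
import struct

IMAGE_REL_BASED_ABSOLUTE = 0
IMAGE_REL_BASED_HIGHLOW = 3
DIR_BASERELOC = 5                      # index into the optional-header data directory


def decode_upx_relocs(stream: bytes, start_rva: int) -> list[int]:
    """Mirror the stub loop at 003B825C..003B8287: a 0 byte ends the stream,
    a byte <= 0xEF is a delta of the running fixup offset, and a byte > 0xEF
    gives bits 16..19 of a 20-bit delta whose low 16 bits follow as a
    little-endian word (and al,0F / shl eax,10 / mov ax,[edi])."""
    rvas, cur, i = [], start_rva, 0
    while True:
        if i >= len(stream):
            raise ValueError("relocation stream is not 0-terminated")
        b = stream[i]
        i += 1
        if b == 0:
            return rvas
        if b > 0xEF:
            if i + 2 > len(stream):
                raise ValueError("truncated 3-byte delta")
            delta = ((b & 0x0F) << 16) | struct.unpack_from("<H", stream, i)[0]
            i += 2
        else:
            delta = b
        cur += delta
        rvas.append(cur)


def apply_stub_fixups(image: bytearray, rvas: list[int], load_base: int) -> None:
    """Per entry the stub reads the dword, byte-swaps it (xchg ah,al / rol eax,10 /
    xchg ah,al == bswap), adds ESI and stores it back; i.e. the packed value is big-endian."""
    for rva in rvas:
        stored = int.from_bytes(image[rva:rva + 4], "big")
        image[rva:rva + 4] = ((stored + load_base) & 0xFFFFFFFF).to_bytes(4, "little")


def build_reloc_section(rvas: list[int]) -> bytes:
    """Emit standard IMAGE_BASE_RELOCATION blocks: one per 4 KiB page, a
    (VirtualAddress, SizeOfBlock) header followed by WORD entries type<<12|offset,
    padded with an ABSOLUTE entry so each block stays DWORD-aligned."""
    by_page: dict[int, list[int]] = {}
    for rva in sorted(set(rvas)):
        by_page.setdefault(rva & ~0xFFF, []).append(rva & 0xFFF)
    out = bytearray()
    for page in sorted(by_page):
        entries = [(IMAGE_REL_BASED_HIGHLOW << 12) | off for off in by_page[page]]
        if len(entries) % 2:
            entries.append(IMAGE_REL_BASED_ABSOLUTE << 12)
        out += struct.pack("<II", page, 8 + 2 * len(entries))
        out += struct.pack("<%dH" % len(entries), *entries)
    return bytes(out)


def patch_pe_header(image: bytearray, reloc_rva: int, reloc_size: int, image_base: int) -> None:
    """The LordPE edits from step III on a PE32 header: the BASERELOC data-directory
    entry (optional header + 0x60 + 5*8) and OptionalHeader.ImageBase (+0x1C)."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                                     # after IMAGE_FILE_HEADER
    if struct.unpack_from("<H", image, opt)[0] != 0x10B:
        raise ValueError("only PE32 (magic 0x10B) is handled")
    struct.pack_into("<I", image, opt + 0x1C, image_base)
    struct.pack_into("<II", image, opt + 0x60 + DIR_BASERELOC * 8, reloc_rva, reloc_size)


def minimal_pe32_header() -> bytearray:
    """Constructed bare PE32 header (DOS header + NT headers, no sections) for the demo."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0xE0, 0x2102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 0x5C, 16)                       # NumberOfRvaAndSizes
    return dos + b"PE\0\0" + file_hdr + opt


# Constructed sample stream: deltas 4, 0x10, a 3-byte delta 0x01000 (F0 00 10), then 0.
SAMPLE_STREAM = b"\x04\x10\xF0\x00\x10\x00"

if __name__ == "__main__":
    fixups = decode_upx_relocs(SAMPLE_STREAM, 0x1000)
    print("fixup RVAs:", [hex(r) for r in fixups])
    section = build_reloc_section(fixups)
    hdr = minimal_pe32_header()
    patch_pe_header(hdr, 0x6000, len(section), 0x003B0000)
    print(".reloc size: %#x" % len(section))
```

The rebuilt section only needs the fixup locations, not their values: the dump already holds the dwords as the stub left them for base 003B0000, which is why the final LordPE step sets ImageBase to that value.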