Manual off Pecompact 2.20 shell-My love crack training First class elective assignment four

Source: Internet
Author: User

Fly2015

Pecompact Shell is not heard of the shell, the need to shelling the program is my love crack training of the first lesson of elective assignment four. Recently a bit addicted to shelling, of course, also suffered from shelling frustrated frustration, but the more fortunate to have this shell to engage.

The shell procedure is checked.

The tool die Display program adds the pecompact shell, and the original shell-less program is written in Microsoft Visual C/s + + , which is for finding the original program's True OEP is very helpful.



OD loaded into the shell of the program for analysis, the Packers program entry point assembly code.


F8 walked a few steps, pit Ah, the author of the shell set an exception in the code, for example, the instructions identified in the F8 will cause a single step to trigger the assignment to address 0 exception, even if the two instructions Nop out of the command in the back. F8 single-step tracking also triggers an exception.


In order to shelled the shell, it is necessary to avoid the problem of abnormal triggering instructions. Can't you handle it? There are ways to avoid abnormal problems, fortunately, the author of the shell is more kind.

Since the F8 single-step method can not be processed, it would like another way to shell procedures for shelling. ctrl+f2 again loaded the shell program for debugging analysis, and in functions virtualprotecta and virtualprotectexa set breakpoints (directly using the OD provided by API Set Breakpoints plugin in API set breakpoints on the function),.


F9 Run 4 times, at this time the state of the program in OD. Pit Ah, this shell of the iat table inadvertently was the leak,the initial address of theiat table VA is 432000 .


alt+f9 Let the program from the system pro-empty back to the user program's temporary NULL, stop in the user program's instruction code.


ctrl+f9 Executes the function at the Retn instruction,F8 steps back into the caller function of the previous layer.


ctrl+f9 executes the function again at the Retn instruction,F8 steps back into the caller function of the previous layer.

Very close to the shelling, the intuition tells the address 00455d8e in jmp eax eax saved value is the original program real OEP address.


At address 00455d8e F2 Breakpoint,f4/f9 run here, get Eax=0041ddac is the original program real OEP 's VA address.


F7 Single Step to address 0041DDAC , select some memory data,CTRL + A analysis of memory data, finally met the light.


OK, the original program OEP found, using the Load PE and recimport tools or Scylla Tools for the perfect shelling of the program,theIAT table repair is also relatively smooth.


Run a post-shelling procedure to prove successful shelling.


Manual de-pecompact 2.20 shell Document analysis and post-shelling procedure: http://download.csdn.net/detail/qq1084283172/8900459


Copyright NOTICE: This article for Bo Master original article, without Bo Master permission not reproduced.

Manual off Pecompact 2.20 shell-My love crack training First class elective assignment four

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.