[Article title] Getting Started with Manual Unpacking, Part 4: ASPack 2.11
[Author] weiyi75 [Dfcg]
[Author's e-mail]
[Author's homepage] Dfcg official site
[Tools] PEiD, OllyDbg
[Unpacking platform] Win2K/XP
[Software name] NOTEPAD
[Software overview] Win98 Notepad packed with ASPack 2.11
[Software size] 19.6 KB
[Packer] ASPack 2.11 -> Alexey Solodovnikov (as reported by PEiD)
[Unpacking notes] I am just a newbie, sharing my experience with you:
OK, let's look at the characteristics of the ASPack 2.11 packer.
First, prepare the necessary tools.
PEiD identifies the attached file as packed with ASPack 2.11.
For manual unpacking OllyDbg is recommended; the recommended working platforms are Win2000 and WinXP, not Win9x.
Load the program into OllyDbg to unpack it by hand. The packer stub contains many loops. When you hit a loop, keep the program moving forward and basically never let it jump back: work out where the loop exits and run to that point. Do not use PEiD to look up the entry point; trace to the OEP step by step to build up your manual OEP-finding skill.
Load the program in OD.
Confirm the entry-point alert (the entry point lies outside the code section). OD then asks whether the code is compressed and whether to continue analysis; choose No.
You stop here:
0040D001 60 pushad ; first, remember that the first instruction at the ASPack entry point is PUSHAD
0040D002 E9 3D040000 jmp NOTEPAD.0040D444 ; the stub layout differs from that of ASPack 1.08
0040D444 81DD 719D255> sbb ebp, 55259D71 ; we land here
0040D44A E8 14000000 call NOTEPAD.0040D463 ; a near call, F7 or F8 both work; it is really a disguised jmp that skips 0x14 bytes of junk
0040D44F 47 inc edi ; from here to 0040D467 OD shows the junk bytes the call skips over, decoded linearly
0040D450 DA7C6B E1 fidivr dword ptr ds:[ebx+ebp*2-1>
0040D454 43 inc ebx
0040D455 C547 33 lds eax, fword ptr ds:[edi+33]
0040D458 EC in al, dx
0040D459 46 inc esi
0040D45A 2C D9 sub al, 0D9
0040D45C 64:2C AF sub al, 0AF
0040D45F 3F aas
0040D460 53 push ebx
0040D461 F8 clc
0040D462 BF BA6755B6 mov edi, B65567BA
0040D467 5A pop edx
0040D463 BA 6755B65A mov edx, 5AB65567 ; the call lands here, and OD re-decodes from 0040D463
0040D468 81D2 19620C9> adc edx, 9A0C6219
0040D46E 59 pop ecx
0040D46F 80CE E3 or dh, 0E3
0040D472 81C2 A9B064F> add edx, F164B0A9
0040D478 E9 14000000 jmp NOTEPAD.0040D491
0040D491 51 push ecx ; NOTEPAD.0040D44F
0040D492 BD 69806869 mov ebp, 69688069
0040D497 0FBFEF movsx ebp, di
0040D49A 5E pop esi
0040D49B 66:8BFB mov di, bx
0040D49E E9 14000000 jmp NOTEPAD.0040D4B7
0040D4B7 81C6 3D82E11> add esi, 14E1823D
0040D4BD 80CE 31 or dh, 31
0040D4C0 0FBFF9 movsx edi, cx
0040D4C3 BD 114E421> mov ebp, (immediate unreadable in the listing)
0040D4C8 BB C3802D0F mov ebx, 0F2D80C3
0040D4CD 66:8BE8 mov bp, ax
0040D4D0 E9 14000000 jmp NOTEPAD.0040D4E9
0040D4E9 81F2 83CB7C9> xor edx, 9F7CCB83
0040D4EF B2 D5 mov dl, 0D5
0040D4F1 0FBFEA movsx ebp, dx
0040D4F4 8186 AF7D1EE> add dword ptr ds:[esi+EB1E7DAF], >
0040D4FE 81D5 99DD7E1> adc ebp, 127EDD99
0040D504 B2 C0 mov dl, 0C0
0040D506 0FBFE9 movsx ebp, cx
0040D509 43 inc ebx
0040D50A 81D9 8F5710F> sbb ecx, F910578F
0040D510 81EE 0200000> sub esi, 2
0040D516 81EE 0200000> sub esi, 2
0040D51C 0FBFFA movsx edi, dx
0040D51F B2 9B mov dl, 9B
0040D521 81FB D1812D0> cmp ebx, 0F2D81D1
0040D527 ^ 0F85 C4FFFFF> jnz NOTEPAD.0040D4F1 ; jumps back (a loop: ebx counts from 0F2D80C3 up to 0F2D81D1)
0040D52D 66:8BD5 mov dx, bp ; select this line and press F4 (run to selection)
0040D530 81D9 4192AA9> sbb ecx, 90AA9241
0040D536 ^ E9 00FFFFFF jmp NOTEPAD.0040D43B ; jumps back
0040D53B A9 55C3500F test eax, 0F50C355 ; F4 here does not work: the program runs away
Ctrl+F2 to restart.
There is no way to reach the next instruction, so there is nothing for it but to let 0040D536 ^ E9 00FFFFFF jmp NOTEPAD.0040D43B jump back
0040D43B ^ \E9 C7FBFFFF jmp NOTEPAD.0040D007 ; here it jumps back again
0040D440 0000 add byte ptr ds:[eax], al ; F4 here does not work either; just let it jump back
0040D001 N> 60 pushad
0040D002 E9 3D040000 jmp NOTEPAD.0040D444
0040D007 E8 24040000 call NOTEPAD.0040D430 ; it jumps here: isn't this the third instruction at the entry point?
0040D00C /EB 00 jmp short NOTEPAD.0040D00E ; jumps to the very next instruction
0040D00E \BB 30394400 mov ebx, 443930
0040D013 03DD add ebx, ebp
0040D015 2B9D D03F440> sub ebx, dword ptr ss:[ebp+443FD>
0040D01B 83BD FC49440> cmp dword ptr ss:[ebp+4449FC], 0
0040D022 899D FC49440> mov dword ptr ss:[ebp+4449FC], e>
0040D028 0F85 6603000> jnz NOTEPAD.0040D394 ; 0040D394 is the final block that ends in POPAD and the jump to the OEP (see below)
0040D02E C785 3339440> mov dword ptr ss:[ebp+443933], 0
0040D038 8D85 044A440> lea eax, dword ptr ss:[ebp+444A0>
0040D03E 50 push eax
0040D03F FF95 004B440> call dword ptr ss:[ebp+444B00] ; kernel32.GetModuleHandleA
0040D045 8985 004A440> mov dword ptr ss:[ebp+444A00], e>
0040D04B 8BF8 mov edi, eax
0040D04D 8D9D 114A440> lea ebx, dword ptr ss:[ebp+444A1>
0040D053 53 push ebx
0040D054 50 push eax
0040D055 FF95 FC4A440> call dword ptr ss:[ebp+444AFC] ; kernel32.GetProcAddress
0040D05B 8985 FC3F440> mov dword ptr ss:[ebp+443FFC], e>
0040D061 8D9D 1E4A440> lea ebx, dword ptr ss:[ebp+444A1>
0040D067 53 push ebx
0040D068 57 push edi
0040D069 FF95 FC4A440> call dword ptr ss:[ebp+444AFC] ; kernel32.GetProcAddress
0040D06F 8985 0040440> mov dword ptr ss:[ebp+444000], e>
0040D075 8D85 B539440> lea eax, dword ptr ss:[ebp+4439B>
0040D07B FFE0 jmp eax ; NOTEPAD.0040D085
0040D085 8B9D D83F440> mov ebx, dword ptr ss:[ebp+443FD>
0040D08B 0BDB or ebx, ebx
0040D08D 74 0A je short NOTEPAD.0040D099 ; forward jump
0040D08F 8B03 mov eax, dword ptr ds:[ebx]
0040D091 8785 DC3F440> xchg dword ptr ss:[ebp+443FDC], >
0040D097 8903 mov dword ptr ds:[ebx], eax
0040D099 8DB5 1940440> lea esi, dword ptr ss:[ebp+44401>
0040D09F 833E 00 cmp dword ptr ds:[esi], 0
0040D0A2 0F84 1F01000> je NOTEPAD.0040D1C7
............................................
0040D0F8 50 push eax
0040D0F9 53 push ebx
0040D0FA E8 DA060000 call NOTEPAD.0040D7D9 ; a forward call; F8 over it without worry
0040D0FF 80BD 1040440> cmp byte ptr ss:[ebp+444010], 0
0040D106 75 5E jnz short NOTEPAD.0040D166
0040D108 FE85 1040440> inc byte ptr ss:[ebp+444010]
0040D10E 8B3E mov edi, dword ptr ds:[esi]
0040D110 03BD FC49440> add edi, dword ptr ss:[ebp+4449F>
0040D116 FF37 push dword ptr ds:[edi]
0040D118 C607 C3 mov byte ptr ds:[edi], 0C3 ; overwrites the byte at edi with a RET (C3) and calls it; the original dword was pushed just before
0040D11B FFD7 call edi
............................................
0040D141 43 inc ebx
0040D142 49 dec ecx
0040D143 ^ EB EB jmp short NOTEPAD.0040D130 ; jumps back
0040D145 8B06 mov eax, dword ptr ds:[esi] ; F4 here
0040D147 EB 00 jmp short NOTEPAD.0040D149
0040D149 803E 00 cmp byte ptr ds:[esi], 0
0040D14C ^ 75 F3 jnz short NOTEPAD.0040D141 ; jumps back
0040D14E 24 00 and al, 0 ; F4 here
0040D150 C1C0 18 rol eax, 18
0040D153 2BC3 sub eax, ebx
0040D15A 83C6 04 add esi, 4
0040D15D 83E9 05 sub ecx, 5
0040D160 ^ EB CE jmp short NOTEPAD.0040D130 ; jumps back
0040D162 5B pop ebx ; F4 here ; NOTEPAD.00401000
0040D163 5E pop esi
0040D164 59 pop ecx
0040D165 58 pop eax
0040D166 8BC8 mov ecx, eax
0040D168 8B3E mov edi, dword ptr ds:[esi]
0040D196 83C6 08 add esi, 8
0040D199 833E 00 cmp dword ptr ds:[esi], 0
0040D19C ^ 0F85 26FFFFF> jnz NOTEPAD.0040D0C8 ; jumps back (the outer loop over the 8-byte table entries)
0040D1A2 68 00800000 push 8000 ; F4 here
0040D1A7 6A 00 push 0
0040D1A9 FFB5 F83F440> push dword ptr ss:[ebp+443FF8]
0040D1AF FF95 0040440> call dword ptr ss:[ebp+444000] ; the pointer resolved by the second GetProcAddress above; push 8000 / push 0 / push addr is the VirtualFree(addr, 0, MEM_RELEASE) argument pattern
0040D25E /74 11 je short NOTEPAD.0040D271 ; forward jump
0040D260 |03F2 add esi, edx
0040D271 8BB5 B139440> mov esi, dword ptr ss:[ebp+4439B>
0040D277 8B95 FC49440> mov edx, dword ptr ss:[ebp+4449F>
0040D27D 03F2 add esi, edx
0040D27F 8B46 0C mov eax, dword ptr ds:[esi+C] ; esi+C is the Name field of an IMAGE_IMPORT_DESCRIPTOR (20 bytes each, see add esi,14 below)
0040D282 85C0 test eax, eax
0040D284 0F84 0A01000> je NOTEPAD.0040D394 ; a zero name ends the import table
0040D28F FF95 004B440> call dword ptr ss:[ebp+444B00] ; kernel32.GetModuleHandleA
0040D295 85C0 test eax, eax
0040D297 75 07 jnz short NOTEPAD.0040D2A0
0040D299 53 push ebx
0040D29A FF95 044B440> call dword ptr ss:[ebp+444B04] ; if the DLL is not already loaded, the next pointer is called (from the pattern, LoadLibraryA; the listing does not label it)
............................................
0040D370 8907 mov dword ptr ds:[edi], eax ; writes the resolved address into the IAT slot at [edi]
0040D372 8385 F03F440> add dword ptr ss:[ebp+443FF0], 4
0040D379 ^ E9 32FFFFFF jmp NOTEPAD.0040D2B0 ; jumps back (per-import loop)
0040D37E 8906 mov dword ptr ds:[esi], eax ; F4 here ; NOTEPAD.004061CC
0040D380 8946 0C mov dword ptr ds:[esi+C], eax
0040D383 8946 10 mov dword ptr ds:[esi+10], eax
0040D386 83C6 14 add esi, 14 ; next import descriptor
0040D389 8B95 FC49440> mov edx, dword ptr ss:[ebp+4449F>
0040D38F ^ E9 EBFEFFFF jmp NOTEPAD.0040D27F ; jumps back (per-DLL loop)
0040D394 8B85 AD39440> mov eax, dword ptr ss:[ebp+4439A> ; F4 here
0040D39A 50 push eax
0040D39B 0385 FC49440> add eax, dword ptr ss:[ebp+4449F>
0040D3A1 59 pop ecx
0040D3A2 0BC9 or ecx, ecx
0040D3A4 8985 E63C440> mov dword ptr ss:[ebp+443CE6], e>
0040D3AA 61 popad ; after the POPAD the OEP is close
0040D3AB /75 08 jnz short NOTEPAD.0040D3B5
0040D3AD |B8 01000000 mov eax, 1 ; the retn 0C / eax=1 path is the DLL case (DllMain returning TRUE); an EXE takes the jnz
0040D3B2 |C2 0C00 retn 0C
0040D3B5 \68 CC104000 push NOTEPAD.004010CC ; pushes the OEP value 004010CC
0040D3BA C3 retn ; returns into it
004010CC 55 push ebp ; 004010CC lies in a different section and is reached right after the POPAD: this is the OEP. Dump here with OD's OllyDump plug-in.
004010CD 8BEC mov ebp, esp
004010CF 83EC 44 sub esp, 44
004010D2 56 push esi
004010D3 FF15 E463400> call dword ptr ds:[4063E4] ; kernel32.GetCommandLineA
004010D9 8BF0 mov esi, eax
004010DB 8A00 mov al, byte ptr ds:[eax]
004010DD 3C 22 cmp al, 22
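The two checks this article makes by eye, the entry-point alert at load time (entry outside the code section, first instruction PUSHAD) and the POPAD / PUSH OEP / RETN tail that reveals 004010CC, can be scripted against a dump. The following is an added example, not code from the article or from OllyDbg/OllyDump. It parses the PE headers of an in-memory image in which file offsets equal RVAs (what a debugger dump looks like); the sample image it constructs, its section names .text and .aspack, its sizes, and everything except the opcode bytes and addresses quoted from the listing are assumptions made for the example.

```python
# Added example (not from the article): automate the article's two manual checks on
# an ASPack-style dump: (1) is the entry point outside the first (code) section and
# does it start with PUSHAD, and (2) where does the POPAD ... PUSH imm32 / RETN tail
# land. The image is assumed to be a memory dump where file offset == RVA.
# Section names, sizes and layout below are constructed; only the opcode bytes and
# the addresses 0040D001 / 0040D3AA / 004010CC come from the article's listing.
import struct

PUSHAD, POPAD, PUSH_IMM32, RETN = 0x60, 0x61, 0x68, 0xC3


def parse_pe(img):
    """Return (entry_rva, image_base, sections) from an in-memory PE32 image."""
    e_lfanew = struct.unpack_from("<I", img, 0x3C)[0]
    if img[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PtrSymTab, NumSyms, SizeOfOptionalHeader, Characteristics
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", img, e_lfanew + 4)
    opt = e_lfanew + 24
    if struct.unpack_from("<H", img, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    entry_rva = struct.unpack_from("<I", img, opt + 16)[0]   # AddressOfEntryPoint
    image_base = struct.unpack_from("<I", img, opt + 28)[0]  # ImageBase
    sections = []
    for i in range(nsec):  # IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, va, raw_size, raw_ptr, flags = struct.unpack_from(
            "<8sIIII12xI", img, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va,
                         "vsize": vsize, "raw_size": raw_size, "raw_ptr": raw_ptr, "flags": flags})
    return entry_rva, image_base, sections


def section_for_rva(sections, rva):
    for s in sections:
        if s["va"] <= rva < s["va"] + s["vsize"]:
            return s
    return None


def check_entry(img):
    """What OllyDbg's entry-point alert is about: EP outside the first section, and here starting with PUSHAD."""
    ep, base, secs = parse_pe(img)
    sec = section_for_rva(secs, ep)
    return {"entry_va": base + ep,
            "entry_section": sec["name"] if sec else None,
            "outside_code_section": sec is not secs[0],
            "starts_with_pushad": img[ep] == PUSHAD}


def find_oep(img, window=64):
    """Scan the entry-point section for POPAD followed (within `window` bytes) by
    PUSH imm32 / RETN whose target lies in a different section; that imm32 is the OEP (VA)."""
    ep, base, secs = parse_pe(img)
    stub = section_for_rva(secs, ep)
    data = img[stub["va"]:stub["va"] + stub["vsize"]]
    for i, b in enumerate(data):
        if b != POPAD:
            continue
        tail = data[i + 1:i + 1 + window]
        for j in range(len(tail) - 5):
            if tail[j] == PUSH_IMM32 and tail[j + 5] == RETN:
                target = struct.unpack_from("<I", tail, j + 1)[0]
                dest = section_for_rva(secs, target - base)
                if dest is not None and dest is not stub:   # the "cross-section" test
                    return target
    return None


def build_sample_image():
    """Constructed dump (an assumption, not the real file): .text at RVA 0x1000 holds the
    OEP code, .aspack at RVA 0xD000 holds the packer stub; EP = 0xD001, base = 0x400000."""
    img = bytearray(0xE000)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                       # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x84, 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    opt = 0x98
    struct.pack_into("<H", img, opt, 0x10B)                       # PE32 magic
    struct.pack_into("<I", img, opt + 16, 0xD001)                 # AddressOfEntryPoint (stub)
    struct.pack_into("<I", img, opt + 28, 0x00400000)             # ImageBase
    struct.pack_into("<I", img, opt + 32, 0x1000)                 # SectionAlignment
    sect = opt + 0xE0
    for i, (name, va, size, flags) in enumerate([(b".text", 0x1000, 0xC000, 0x60000020),
                                                 (b".aspack", 0xD000, 0x1000, 0xE0000060)]):
        struct.pack_into("<8sIIII12xI", img, sect + 40 * i, name, size, va, size, va, flags)
    # bytes quoted from the article (listing addresses are VAs, so subtract the base)
    img[0xD001:0xD007] = bytes.fromhex("60E93D040000")                          # pushad; jmp 0040D444
    img[0xD3AA:0xD3BB] = bytes.fromhex("617508B801000000C20C0068CC104000C3")    # popad ... push 004010CC; retn
    img[0x10CC:0x10D9] = bytes.fromhex("558BEC83EC4456FF15E4634000")            # OEP prologue
    return bytes(img)


if __name__ == "__main__":
    sample = build_sample_image()
    print(check_entry(sample))
    print("OEP candidate: %08X" % find_oep(sample))
```

find_oep only accepts a pushed address that lands in a section other than the stub's own, which is the cross-section observation the article relies on at 004010CC; a PUSH/RETN pair whose target stays inside the stub section is ignored as just another disguised jmp like the ones earlier in the stub.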
When rebuilding the import table, the plug-in offers two methods. Method2 (search for DLL and API name strings in the dumped file) rebuilds quickly and the dumped program usually runs; Method1 (search for JMP [API] / CALL [API] references) is slower and the dump runs less often. This program, however, does not run after a Method2 rebuild; after a Method1 rebuild it runs straight away.
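What Method1 does is worth seeing in code: it finds every `call dword ptr [abs32]` / `jmp dword ptr [abs32]` site in the dumped code (FF 15 / FF 25) and takes the referenced dwords as IAT slots, so the IAT's start and size follow from the slots alone, without needing the DLL and API name strings Method2 looks for. The following is an added example, not the article's and not OllyDump's own code; only the prologue bytes at 004010CC and the GetCommandLineA slot at 004063E4 come from the listing, while the other slots, API names, image size and extra instructions are assumptions made for the example.

```python
# Added example (not from the article or OllyDump): a Method1-style scan for
# CALL [API] / JMP [API] sites in dumped code, used to recover IAT bounds.
import struct

IMAGE_BASE = 0x00400000
IMAGE_SIZE = 0x0000E000   # assumed size of the dumped image

# Constructed code: the article's OEP prologue, then two invented indirect sites,
# then a decoy FF 15 whose slot address does not point into the image.
CODE_VA = 0x004010CC
CODE = bytes.fromhex(
    "558BEC83EC4456"      # push ebp / mov ebp,esp / sub esp,44 / push esi   (from the listing)
    "FF15E4634000"        # call dword ptr [004063E4]  kernel32.GetCommandLineA (from the listing)
    "8BF08A003C22"        # mov esi,eax / mov al,[eax] / cmp al,22            (from the listing)
    "FF15E0634000"        # call dword ptr [004063E0]  (assumed slot)
    "FF25E8634000"        # jmp  dword ptr [004063E8]  (assumed slot, a tail jump through the IAT)
    "FF1500000000"        # decoy: "call [0]", filtered out because 0 is outside the image
    "C3"
)

# Constructed IAT as it would look in the dump: slot VA -> API. Only 004063E4 is
# from the article; the other two entries are assumptions.
DUMPED_IAT = {
    0x004063E0: "kernel32.GetModuleHandleA",
    0x004063E4: "kernel32.GetCommandLineA",
    0x004063E8: "kernel32.ExitProcess",
}


def find_iat_refs(code, code_va, image_base=IMAGE_BASE, image_size=IMAGE_SIZE):
    """Return [(site_va, slot_va, kind)] for each FF15 (call) / FF25 (jmp) [abs32]
    whose slot lies inside the image and is dword aligned (the rest are data noise)."""
    refs = []
    i = 0
    while i + 6 <= len(code):
        if code[i] == 0xFF and code[i + 1] in (0x15, 0x25):
            slot = struct.unpack_from("<I", code, i + 2)[0]
            if image_base <= slot < image_base + image_size and slot % 4 == 0:
                kind = "call" if code[i + 1] == 0x15 else "jmp"
                refs.append((code_va + i, slot, kind))
                i += 6
                continue
        i += 1
    return refs


def iat_bounds(refs):
    """Lowest referenced slot and the size covering every referenced slot: the
    start/size a rebuilder would report for the IAT (given here as a VA)."""
    slots = sorted({slot for _, slot, _ in refs})
    if not slots:
        return None
    return slots[0], slots[-1] + 4 - slots[0]


def resolve_sites(refs, iat):
    """Map each site to the API its slot holds in the dump; None if the slot is unknown."""
    return [(site, kind, iat.get(slot)) for site, slot, kind in refs]


if __name__ == "__main__":
    refs = find_iat_refs(CODE, CODE_VA)
    for site, kind, api in resolve_sites(refs, DUMPED_IAT):
        print("%08X %-4s -> %s" % (site, kind, api))
    print("IAT start %08X, size %d" % iat_bounds(refs))
```

The limitation of this approach is visible in the scan itself: a site only counts if it is encoded as FF 15 / FF 25 with an absolute slot address, so imports reached through a register (mov esi,[slot] ... call esi) or through a relocated pointer are never seen, and the recovered size is only as wide as the outermost referenced slots.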

