[Software name]: forgot's Unpack Me v0.1.5 bugfix
[]: http://bbs.pediy.com/showthread.php?s=&threadid=10806
[Unpacking statement]: A beginner's crack, for interest only and with no other purpose. Please point out any mistakes!
[Operating system]: win2k
[Unpacking tools]: OD and other conventional tools
-------------------------------------------
[Unpacking process]:
Step 1: Locate the child (debuggee) process:
Load the program in OD with all exceptions ignored. Set bp WriteProcessMemory, press F9, and it breaks at:
77E7ADB9 > 55            PUSH EBP                              // breaks here.
77E7ADBA   8BEC          MOV EBP,ESP
77E7ADBC   51            PUSH ECX
77E7ADBD   51            PUSH ECX
77E7ADBE   8B45 0C       MOV EAX,DWORD PTR SS:[EBP+C]
77E7ADC1   53            PUSH EBX
77E7ADC2   8945 F8       MOV DWORD PTR SS:[EBP-8],EAX
Look at the stack window:
00A185C0   00A1BEBF  /CALL to WriteProcessMemory from 00A1BEBA
00A185C4   00000028  |hProcess = 00000028 (window)
00A185C8   00A1D5BA  |Address = A1D5BA                    // Important! Note this down.
00A185CC   00A1CF28  |Buffer = 00A1CF28
00A185D0   0000029A  |BytesToWrite = 29A (666.)           // the size.
00A185D4   00000000  \pBytesWritten = NULL
OK, press F9 and let the program run. Once its window appears, open LordPE, select the process with the smaller image size (the child), and use partial dump to dump 0x29A bytes starting at A1D5BA; save it as A1D5BA.bin.
Step 2: Turn the two-process scheme into a single process:
Reload the program, set bp CreateProcessA, run it, and it breaks at:
77E73F8F > 55            PUSH EBP                              // breaks here.
77E73F90   8BEC          MOV EBP,ESP
77E73F92   FF75 2C       PUSH DWORD PTR SS:[EBP+2C]
77E73F95   FF75 28       PUSH DWORD PTR SS:[EBP+28]
77E73F98   FF75 24       PUSH DWORD PTR SS:[EBP+24]
77E73F9B   FF75 20       PUSH DWORD PTR SS:[EBP+20]
77E73F9E   FF75 1C       PUSH DWORD PTR SS:[EBP+1C]
Look at the stack window:
00A185AC   00A1AF45  /CALL to CreateProcessA from 00A1AF40
00A185B0   00A19CB2  |ModuleFileName = "C:\Documents and Settings\Administrator\Desktop\015 reply 1.exe"
00A185B4   00A1AF36  |CommandLine = "X"                   // the debug marker!
00A185B8   00000000  |pProcessSecurity = NULL
00A185BC   00000000  |pThreadSecurity = NULL
00A185C0   00000000  |InheritHandles = FALSE
00A185C4   00000003  |CreationFlags = DEBUG_PROCESS|DEBUG_ONLY_THIS_PROCESS
00A185C8   00000000  |pEnvironment = NULL
00A185CC   00000000  |CurrentDir = NULL
00A185D0   00A18938  |pStartupInfo = 00A18938
00A185D4   00A18928  \pProcessInfo = 00A18928
So the parent launches a copy of itself as a debuggee and passes "X" on the command line so the child knows which role it plays.
Reload the program, set bp GetCommandLineA, run it, and it breaks at:
77E6FB03 > A1 9406EC77  MOV EAX,DWORD PTR DS:[77EC0694]     // breaks here. Remove the breakpoint.
77E6FB08   C3            RETN                                 // return to the caller.
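The two stack listings above are what give the scheme away: the parent creates a second copy of itself with DEBUG_PROCESS | DEBUG_ONLY_THIS_PROCESS and a one-character command line, then writes a block into it with WriteProcessMemory. The following Python is an added example, not part of the original post: it parses OD-style stack annotations (constructed here from the listings in the write-up; the ModuleFileName path is a made-up placeholder), decodes the CreationFlags value with the real winbase.h constants, and reports the self-debugging indicators and the region the parent writes into the child.

```python
import re

# CreateProcess creation flags from winbase.h that matter for a self-debugging packer.
DEBUG_PROCESS = 0x00000001
DEBUG_ONLY_THIS_PROCESS = 0x00000002
CREATE_SUSPENDED = 0x00000004
CREATION_FLAG_NAMES = {
    DEBUG_PROCESS: "DEBUG_PROCESS",
    DEBUG_ONLY_THIS_PROCESS: "DEBUG_ONLY_THIS_PROCESS",
    CREATE_SUSPENDED: "CREATE_SUSPENDED",
}

# Constructed sample: OD stack window lines as printed for the two breakpoints
# (the file path is a placeholder, not the one from the write-up).
SAMPLE = r"""
00A185C0 00A1BEBF /CALL to WriteProcessMemory from 00A1BEBA
00A185C4 00000028 |hProcess = 00000028 (window)
00A185C8 00A1D5BA |Address = A1D5BA
00A185CC 00A1CF28 |Buffer = 00A1CF28
00A185D0 0000029A |BytesToWrite = 29A (666.)
00A185D4 00000000 \pBytesWritten = NULL
00A185AC 00A1AF45 /CALL to CreateProcessA from 00A1AF40
00A185B0 00A19CB2 |ModuleFileName = "C:\unpackme\placeholder.exe"
00A185B4 00A1AF36 |CommandLine = "X"
00A185B8 00000000 |pProcessSecurity = NULL
00A185BC 00000000 |pThreadSecurity = NULL
00A185C0 00000000 |InheritHandles = FALSE
00A185C4 00000003 |CreationFlags = DEBUG_PROCESS|DEBUG_ONLY_THIS_PROCESS
00A185C8 00000000 |pEnvironment = NULL
00A185CC 00000000 |CurrentDir = NULL
00A185D0 00A18938 |pStartupInfo = 00A18938
00A185D4 00A18928 \pProcessInfo = 00A18928
"""

# <stack addr> <raw dword> <'/' '|' or '\'> <annotation>
LINE_RE = re.compile(r"^([0-9A-Fa-f]{8})\s+([0-9A-Fa-f]{8})\s*([/|\\])\s*(.*)$")
CALL_RE = re.compile(r"CALL to (\w+) from ([0-9A-Fa-f]{8})")
ARG_RE = re.compile(r"^(\w+)\s*=\s*(.*)$")


def parse_stack(text):
    """Group stack lines into calls: [{'api', 'caller', 'args': {name: {'raw', 'text'}}}]."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        _, raw_value, marker, note = m.groups()
        call = CALL_RE.search(note)
        if marker == "/" and call:
            calls.append({"api": call.group(1), "caller": int(call.group(2), 16), "args": {}})
            continue
        arg = ARG_RE.match(note)
        if calls and arg:
            # raw = the dword on the stack; text = OD's decoded annotation of it
            calls[-1]["args"][arg.group(1)] = {"raw": int(raw_value, 16),
                                               "text": arg.group(2).strip()}
    return calls


def decode_creation_flags(flags):
    """Names of the known CreateProcess flags set in `flags`, lowest bit first."""
    return [name for bit, name in sorted(CREATION_FLAG_NAMES.items()) if flags & bit]


def assess(calls):
    """Return (findings, regions): self-debugging indicators and regions written by WPM."""
    findings, regions = [], []
    for c in calls:
        a = c["args"]
        if c["api"] == "CreateProcessA":
            flags = a.get("CreationFlags", {}).get("raw", 0)
            if flags & (DEBUG_PROCESS | DEBUG_ONLY_THIS_PROCESS):
                findings.append("child created under its own debugger: "
                                + "|".join(decode_creation_flags(flags)))
            cmd = a.get("CommandLine", {}).get("text", "")
            if cmd:
                findings.append("child command-line marker: " + cmd)
        elif c["api"] == "WriteProcessMemory":
            addr, size = a["Address"]["raw"], a["BytesToWrite"]["raw"]
            regions.append((addr, size))
            findings.append("parent writes 0x%X bytes into child at 0x%08X" % (size, addr))
    return findings, regions


if __name__ == "__main__":
    for f in assess(parse_stack(SAMPLE))[0]:
        print(f)
```

The `regions` list is exactly what the partial dump in Step 1 needs (start A1D5BA, length 0x29A), and the DEBUG_* bits plus the marker string are the two things to look for when a sample spawns a copy of itself.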
77E6FB09 > 55            PUSH EBP
77E6FB0A   8BEC          MOV EBP,ESP
77E6FB0C   56            PUSH ESI
77E6FB0D   64:A1 18000000 MOV EAX,DWORD PTR FS:[18]
After returning:
00A1909F   68 9F6F56B6   PUSH B6566F9F
00A190A4   50            PUSH EAX
00A190A5   E8 5D000000   CALL 00A19107
00A190AA   EB FF         JMP SHORT 00A190AB
00A190AC   71 78         JNO SHORT 00A19126
00A190AE   C2 5000       RETN 50
00A190B1 ^ EB D3         JMP SHORT 00A19086
00A190B3   5B            POP EBX
00A190B4   F3:           PREFIX REP:                          ; Superfluous prefix
00A190B5   68 895C2448   PUSH 48245C89
00A190BA   5C            POP ESP
00A190BB   24 58         AND AL,58
00A190BD   FF8D 5C24585B DEC DWORD PTR SS:[EBP+5B58245C]
Search for the binary string 80 3E 58 (CMP BYTE PTR [ESI],58, i.e. a compare against 'X') and you land at:
00A19330 ^ EB FA         JMP SHORT 00A1932C
00A19332 ^ EB 83         JMP SHORT 00A192B7
00A19334   C017 EB       RCL BYTE PTR DS:[EDI],0EB             ; Shift constant out of range 1..31
00A19337   FF70 ED       PUSH DWORD PTR DS:[EAX-13]
00A1933A ^ 71 EB         JNO SHORT 00A19327
00A1933C ^ EB FA         JMP SHORT 00A19338
00A1933E ^ EB 80         JMP SHORT 00A192C0                    // Stop here. This is junk (flower) code.
00A19340   3E:58         POP EAX                               ; Superfluous prefix
00A19342   0F84 CB3F0000 JE 00A1D313
00A19348   68 9F6F56B6   PUSH B6566F9F
00A1934D   50            PUSH EAX
00A1934E   E8 5D000000   CALL 00A193B0
00A19353   EB FF         JMP SHORT 00A19354
00A19355   71 78         JNO SHORT 00A193CF
After NOPing that jump, the bytes decode in a straight line:
00A1933E   90            NOP