General shelling steps and example of encrypted Shell

Today, I am mainly going to have a deep understanding of the assembly language. If I want to decompile the language, this is not enough. Of course, this is not a day or two that can be successful. Continue to work hard.

 

I. How to distinguish the encryption shell:

The shells are divided into encryption shells and compression shells. The purpose of the compression shells is to reduce the volume of software and facilitate the dissemination on the Internet,

The purpose of the encryption shell is to prevent the software from being shelled and cracked. Therefore, all the encryption shells have anti-tracking code.

, There will be many seh traps that cause exceptions during OD debugging, that is, it is easy to track the process

As a result, the program runs and you cannot trace and analyze the program. However, it is easier to compress the shell and compare the shell.

Simple. Generally, no exceptions occur.

 

Ii. knowledge points of unencrypted shell:

In the encrypted shell, there are many call variants. If there is a call deformation, it must be replaced by F7. A simple way to determine whether JMP is deformed is to compare the target address of the call with the current address, if the two are very close, the JMP is changed and F7 is used. For the call distance is very long, you can rest assured that the F8 step is used. There are a lot of F7 in the encryption shell, and the F8 single-step tracking can be done in the compression shell.

Unencrypted shell, loaded with OD, hooks all exceptions (do not ignore any exceptions, except ignore memory access exceptions in Kernel32. counting how many SHIFT + F9 programs are used, obviously, after the last exception, the program will jump from the shell to the OEP and start to execute. This is a key to finding OEP, if the program exits directly after shift + F9, it is obvious that the encryption shell detection debugger, the easiest way to deal with it is to use the OD plug-in to hide the OD.

One-step exceptions prevent us from tracking programs step by step. Although these exceptions interfere with our debugging, they also provide us with a path that shift + F9 skips all exceptions, then locate the last exception, and then its recovery exception under the breakpoint, tracking the shelling entry point.

 

 

3. General shelling steps for the encrypted shell:

Description: This method is generally used to encrypt the shell. This is a common method to remove the encrypted shell.

Step 1: Open the program with OD, click the option-debug option-exception, and remove all the √! CTRL + F2 reload the program.

Step 2: Press SHIFT + F9 until the program runs, and write down the number of times from start SHIFT + F9 to program run n.

Step 3: Reload the program, and then press SHIFT + F9. This time, the number of times is the n-1 times of the last time the program was run.

Step 4: observe that there is an "se handle" in the bottom-right corner of OD. Press Ctrl + G and enter the address before the se handle! Come to this address.

Step 5: Click here to open a breakpoint! Then press SHIFT + F9 to go To the breakpoint!

Step 6: At this time, we have skipped all exceptions, removed the breakpoint, and pressed F8 to track down and quickly reach the OEP.

Repair ---- rebuilding PE with lordpe