Getting Started with Cracking (III): Common Unpacking Methods

Source: Internet
Author: User

Comments: Because the shell is added onto the program, the two are joined together: the shell wraps the program to protect it from modification, and the original program's data is usually compressed as well.

What is a Shell
First, the concept of a "shell". Everyone is familiar with shells in nature: plants use them to protect seeds and animals use them to protect their bodies. Similarly, some software carries a program dedicated to protecting it from unauthorized modification or decompilation. Such a program generally gains control before the real program runs and then carries out its protection task, just as the shells of animals and plants sit outside the body (and of course there is also the "seed shell" inside the shell). Because this program resembles a natural shell in function, it is called a "shell", by the same naming logic that gave us "computer virus" from the virus in nature. (In English such a program is usually called a packer; adding a shell is packing, and removing it is unpacking.)
Role of the Shell
1. After writing a program, we can shell it so that it cannot be modified, for example so that others cannot change the copyright information.
2. A compression shell reduces the program's size, which makes it easier to distribute.
3. Countering anti-virus scanners: a program can be shelled so that the scanner no longer recognizes it, or its code can be modified to evade detection.
Basic Knowledge of Unpacking
1. How is a shell loaded?
Because the shell is added onto the program, the two are joined together: the shell wraps the program to protect it from modification, and the original program's data is usually compressed as well.
When the file is loaded, the shell normally executes first and then jumps to the real OEP (the original program's entry point); only at that moment does the program that was shelled start to run.
Run sequence: load the shelled file ---> the shell code runs ---> jump to the program's entry point ---> the unshelled program runs.
2. Shell classification
Shells are generally divided into two types according to their purpose, compressing the program's resources or protecting its registration (licensing): compression shells and encryption shells.
Compression shell: only compresses the file, i.e. its sections and resources, in order to reduce file size.
Examples: ASPack, UPX, PECompact.
Encryption shell: the opposite of a compression shell. It usually encrypts the file rather than reducing its size, and uses all kinds of anti-tracing techniques to protect the program from debugging and unpacking.
Examples: ASProtect, Armadillo, EXECryptor.
However, as shelling technology has developed, the boundary between the two types has become increasingly blurred: much shelling software both compresses and protects, and many encryption shells are now nested, with one shell wrapped inside another.
3. OEP (program entry point)
OEP: Original Entry Point, the real entry point of the program before it was shelled.
4. Basic steps of unpacking
Identify the shell (PEiD, FI, PE-SCAN) ---> find the OEP (OllyDbg) ---> dump the process (LordPE, PeDumper, OllyDbg's dump plug-in, PETools) ---> rebuild the import table (Import REConstructor)
Common Unpacking Methods
1. Single-step tracing method
(1) Load the program in OllyDbg and click "Do not analyze code".
(2) Step through with F8. Jumps going downward are allowed to execute; jumps going upward (backward) are not, and we skip them with F4.
(3) When the program jumps backward (including loops), press F4 on the line just below the jump (or right-click that line and choose Breakpoint ---> Run to selection).
(4) A green arrow means the jump will not be taken, so ignore it; a red arrow means the jump will be taken.
(5) If there is a CALL right next to the entry point just after loading, step into it with F7; otherwise the program can easily run away. Done this way, we reach the OEP quickly.
(6) While tracing, if the program runs off when a CALL is executed, step into that CALL with F7.
(7) There is usually one big jump spanning far across the code, such as jmp XXXXXX or je XXXXXX; once it is taken, the program's OEP is usually reached very soon.
Note: When a shell cannot be traced all the way with this method, find a nearby large jump that is not taken, right-click ---> Follow, press F2 there to set a breakpoint, press Shift+F9 to run to the followed location, remove the breakpoint, and continue single-stepping with F8. This generally reaches the OEP easily.
2. ESP law
The ESP law (the ESP register in OllyDbg's register pane): we only need to set a hardware access breakpoint on the ESP value from the command line, and we arrive at the program's OEP!
(1) Press F8 once at the beginning and watch for the moment the ESP in the register pane at the top right is highlighted (turns red). (This is only the usual case; more precisely, the ESP value we want is the first ESP value after the key instruction.)
(2) In the command line enter: dd XXXXXXXX (the ESP value in the current code), or hr XXXXXXXX, and press Enter.
(3) Select that address in the dump window: Breakpoint ---> Hardware, on access ---> Word.
(4) Press F9 to run; the program stops right at the big jump. Press F8 to reach the program's OEP.
3. Memory mirror method
(1) Open the program in OllyDbg.
(2) Options ---> Debugging options ---> Exceptions: tick "ignore all". Press Ctrl+F2 to reload the program.
(3) Press Alt+M to open the memory map and find the program's first .rsrc section; set a breakpoint on it with F2 and press Shift+F9 to run to it. Then press Alt+M again, find the section just above .rsrc, the program's first CODE section (the one at 00401000), set a breakpoint on it with F2, and press Shift+F9 (or F9 if there is no exception) to land directly on the program's OEP.
4. Arriving at the OEP in one step
(1) Right after loading, press Ctrl+F and search for: popad (this only works for a few shells, including UPX and ASPack); press F2 to set a breakpoint on the hit and F9 to run to it.
(2) Step to the big jump that follows and press F8 to arrive at the OEP.
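A static version of the "identify the shell" step from the basic steps above and of the "search for popad" trick in method 4, written as an added example for this page (it is not code from the article, from OllyDbg or from PEiD). It parses a PE32 header by hand, reports which section holds the entry point and how random that section's bytes are, matches the section names UPX and ASPack leave behind, and scans the entry section for the `popad; jmp` pair whose target is the OEP of a UPX-style stub. The section-name list, the 7.0 bits/byte entropy threshold and the two sample images (assembled inside the block, not real binaries) are constructed assumptions for the demo.

```python
import hashlib
import math
import struct
from collections import Counter

# Section names left by two packers the article names (assumed, deliberately short list).
PACKER_SECTION_NAMES = {b"UPX0": "UPX", b"UPX1": "UPX", b"UPX2": "UPX",
                        b".aspack": "ASPack", b".adata": "ASPack"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant data, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe(image: bytes) -> dict:
    """Read just enough of a PE32 file: AddressOfEntryPoint plus the section table."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections, size_of_optional = (struct.unpack_from("<H", image, coff + o)[0] for o in (2, 16))
    optional = coff + 20                                 # IMAGE_OPTIONAL_HEADER follows the COFF header
    entry_rva = struct.unpack_from("<I", image, optional + 16)[0]
    sections = []
    for i in range(num_sections):
        hdr = optional + size_of_optional + 40 * i       # 40-byte IMAGE_SECTION_HEADER entries
        vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", image, hdr + 8)
        raw = image[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": image[hdr:hdr + 8].rstrip(b"\0"), "vaddr": vaddr,
                         "vsize": vsize, "raw": raw, "entropy": shannon_entropy(raw)})
    return {"entry_rva": entry_rva, "sections": sections}


def section_for_rva(sections: list, rva: int):
    for s in sections:                                   # section whose virtual range covers rva
        if s["vaddr"] <= rva < s["vaddr"] + max(s["vsize"], len(s["raw"])):
            return s
    return None


def assess_packing(image: bytes) -> dict:
    """Static 'shell query': known section names, which section holds the entry, its entropy."""
    pe = parse_pe(image)
    ep_sec = section_for_rva(pe["sections"], pe["entry_rva"])
    packer, reasons = None, []
    for s in pe["sections"]:
        if s["name"] in PACKER_SECTION_NAMES:
            packer = PACKER_SECTION_NAMES[s["name"]]
            reasons.append(f"section {s['name'].decode()} is characteristic of {packer}")
    if ep_sec is None:
        reasons.append("entry point lies outside every section")
    elif ep_sec["entropy"] > 7.0:                        # compressed/encrypted bytes look random
        reasons.append(f"entry section {ep_sec['name'].decode()} has entropy {ep_sec['entropy']:.2f}")
    elif ep_sec is not pe["sections"][0]:
        reasons.append("entry point is not in the first section (stub placed after the payload)")
    return {"packer": packer, "entry_section": ep_sec["name"].decode() if ep_sec else None,
            "likely_packed": bool(reasons), "reasons": reasons}


def find_popad_jmp(image: bytes):
    """Static form of 'Ctrl+F popad': the last `popad; jmp rel32` (61 E9 xx xx xx xx) in the
    entry section; returns the jump target RVA (OEP candidate of a UPX-style stub) or None."""
    pe = parse_pe(image)
    sec = section_for_rva(pe["sections"], pe["entry_rva"])
    pos = sec["raw"].rfind(b"\x61\xe9") if sec else -1
    if pos == -1 or pos + 6 > len(sec["raw"]):
        return None
    rel = struct.unpack_from("<i", sec["raw"], pos + 2)[0]
    return (sec["vaddr"] + pos + 6 + rel) & 0xFFFFFFFF   # target = RVA after the jmp + rel32


def build_pe(sections: list, entry_rva: int) -> bytes:
    """Constructed minimal PE32 from (name, vaddr, vsize, raw) tuples: parseable, not loadable."""
    raw_base = (0x40 + 4 + 20 + 96 + 40 * len(sections) + 0x1FF) & ~0x1FF  # FileAlignment 0x200
    headers, body = b"", b""
    for name, vaddr, vsize, raw in sections:
        raw += b"\0" * (-len(raw) % 0x200)
        headers += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, vaddr, len(raw),
                               raw_base + len(body) if raw else 0, 0, 0, 0, 0, 0x60000020)
        body += raw
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)                # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 96, 0x0102)
    optional = struct.pack("<HBBIIIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva, 0x1000, 0).ljust(96, b"\0")
    return (dos + b"PE\0\0" + coff + optional + headers).ljust(raw_base, b"\0") + body


# Constructed samples. PACKED_SAMPLE mimics UPX's layout: an empty UPX0 (the program is unpacked
# there at run time) and UPX1 holding the compressed body plus a stub that ends in popad; jmp OEP.
OEP_RVA = 0x1230
STUB = b"\x60" + b"\x90" * 9 + b"\x61\xe9" + struct.pack("<i", OEP_RVA - 0x7000)  # jmp ends at RVA 0x7000
BODY = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))[:0x1000 - len(STUB)]
PACKED_SAMPLE = build_pe([(b"UPX0", 0x1000, 0x5000, b""), (b"UPX1", 0x6000, 0x1000, BODY + STUB),
                          (b".rsrc", 0x7000, 0x200, b"\0" * 0x200)], entry_rva=0x7000 - len(STUB))
CLEAN_SAMPLE = build_pe([(b".text", 0x1000, 0x1000, b"\x55\x8b\xec" + b"\x90" * 2000 + b"\xc3")],
                        entry_rva=0x1000)
```

On the constructed samples, assess_packing reports the packed image as UPX with its entry point in UPX1, find_popad_jmp recovers 0x1230 as the jump target, and the clean image is reported as not packed; the same functions can be pointed at a real file read with open(path, "rb").read(). A shell that encrypts rather than compresses, or whose stub never uses popad, defeats this static scan in exactly the way it defeats the Ctrl+F search, which is why the article lists several methods.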
5. Last exception method
(1) Open the program in OllyDbg.
(2) Options ---> Debugging options ---> Exceptions: remove all the ticks! Press Ctrl+F2 to reload the program.
(3) At the start the program is stopped at a jump. Press Shift+F9 repeatedly until the program runs, and write down the number of Shift+F9 presses from the start until it ran; call it m.
(4) Press Ctrl+F2 to reload the program, then press Shift+F9 m-1 times (one less than the count that made the program run).
(5) In the bottom-right corner of OllyDbg a "SE handler" is shown. Press Ctrl+G and enter the address shown in front of "SE handler".
(6) Press F2 to set a breakpoint there, then press Shift+F9 to run to that breakpoint.
(7) Remove the breakpoint and press F8.
(8) Arrive at the program's OEP.
6. Simulated tracing method
(1) First do a trial run and follow the program to see whether it has SEH traps or similar anti-debugging tricks.
(2) Press Alt+M to open the memory map and find the line containing "SFX, imports, relocations" (the section holding the import table and the relocations).
(3) If that address is 00xxxxxx, enter tc eip<00xxxxxx in the command line (trace until EIP falls below that address) and press Enter; OllyDbg shows that it is tracing.
7. SFX method
(1) Set OllyDbg to ignore all exceptions, i.e. tick everything on the Exceptions tab.
(2) Switch to the SFX tab and select "Trace real entry bytewise (very slow)". Click OK.
(3) Reload the program (if a dialog pops up asking "Compressed code?", choose "No"), and OllyDbg arrives at the OEP.
