[Article title] Manual unpacking lesson 19: ASProtect 1.1
[Author] weiyi75 [Dfcg]
[Author's mailbox] weiyi75@sohu.com
[Author's homepage] Dfcg official base camp
[Tools] PEiD, OllyDbg, LordPE, ImportREC 1.42
[Unpacking platform] Win2000/XP
[Software name] chap709.exe
[Local download] Chap709.rar
[Software overview] Win98 Notepad protected with ASProtect 1.1b Registered.
Software size: 58.2 KB
[Packer] ASProtect 1.1b Registered [SAC] -> Alexey Solodovnikov
[Unpacking notes] I am only a newbie; here is my approach, shared for discussion:
--------------------------------------------------------------------------------
[Unpacking process]
First, a PEiD scan: ASProtect 1.1b Registered [SAC] -> Alexey Solodovnikov. ASProtect 1.1b Registered is not seen much any more; its SEH handling differs from ASProtect 1.2X, but it is just as easy. All of its SEH exceptions are 13 deliberately placed illegal-instruction exceptions, which defeats finding the OEP by emulated tracing. The second brother did not have the patience to unpack it. Let's take a quick look at the program and start unpacking.
In OD's options, set it to ignore all exceptions except invalid or privileged instructions, then load the program. 1.1b does not detect OD, so there is no need to hide it.
0040D001 > 60               pushad                                    // shell entry point; press F9 to run
0040D002   E9 95050000      jmp chap709.0040D59C
0040D007   F710             not dword ptr ds:[eax]
0040D009   0F0F             ???                                       ; unknown command
0040D00B   0F9F6C90 FC      setg byte ptr ds:[eax+edx*4-4]
0040D010   57               push edi
0040D011   C5540F CA        lds edx, fword ptr ds:[edi+ecx-36]
0040D015   4B               dec ebx
0040D016   C5540F 12        lds edx, fword ptr ds:[edi+ecx+12]
0040D01A   EC               in al, dx
0040D01B   3AAC90 CD540F92  cmp ch, byte ptr ds:[eax+edx*4+920F54CD]
0040D022   CC               int3
........................................ .....................
First exception:
0092FF94   8DC0             lea eax, eax                              ; illegal use of register
0092FF96   EB 01            jmp short 0092FF99
0092FF98   68 648F0500      push 58F64
0092FF9D   0000             add byte ptr ds:[eax], al
0092FF9F   00EB             add bl, ch
0092FFA1   02E8             add ch, al
0092FFA3   0158 68          add dword ptr ds:[eax+68], ebx
0092FFA6   98               cwde
0092FFA7   E5 92            in eax, 92
0092FFA9   0068 D0          add byte ptr ds:[eax-30], ch
0092FFAC   FF92 00687CF5    call dword ptr ds:[edx+F57C6800]
0092FFB2   92               xchg eax, edx
0092FFB3   0068 14          add byte ptr ds:[eax+14], ch
........................................ ...........................
Keep pressing Shift+F9; 12 more times brings you to the 13th exception, which is also the last one:
0093053D   8DC0             lea eax, eax                              ; illegal use of register
0093053F   EB 01            jmp short 00930542
00930541   68 648F0500      push 58F64
00930546   0000             add byte ptr ds:[eax], al
00930548   00EB             add bl, ch
0093054A   02E8             add ch, al
0093054C   0158 33          add dword ptr ds:[eax+33], ebx
0093054F   C05A 59 59       rcr byte ptr ds:[edx+59], 59
00930553   64:8910          mov dword ptr fs:[eax], edx
00930556   68 78059300      push 930578
0093055B   8D45 F0          lea eax, dword ptr ss:[ebp-10]
0093055E   E8 2D2CFFFF      call 00923190
00930563   8D45 F8          lea eax, dword ptr ss:[ebp-8]
........................................ .....................
Press Alt+M to open the memory map.
Memory map, item 21:
Address = 00401000
Size = 00004000 (16384.)
Owner = chap709 00400000
Section =
Contains = code                 // set a memory access breakpoint on this section, then Shift+F9 to run
Type = Imag 01001002
Access = R
Initial access = RWE
004010CC   55               push ebp                                  // this is the OEP; dump with LordPE here
004010CD   8BEC             mov ebp, esp
004010CF   83EC 44          sub esp, 44
004010D2   56               push esi
004010D3   FF15 E4634000    call dword ptr ds:[4063E4]
004010D9   8BF0             mov esi, eax
004010DB   8A00             mov al, byte ptr ds:[eax]
004010DD   3C 22            cmp al, 22
004010DF   75 1B            jnz short chap709.004010FC                // look here to check whether the IAT is encrypted
004010E1   56               push esi
004010E2   FF15 F4644000    call dword ptr ds:[4064F4]
004010E8   8BF0             mov esi, eax
004010EA   8A00             mov al, byte ptr ds:[eax]
004010EC   84C0             test al, al
004010EE   74 04            je short chap709.004010F4
004010F0   3C 22            cmp al, 22
004010F2 ^ 75 ED            jnz short chap709.004010E1
004010F4   803E 22          cmp byte ptr ds:[esi], 22
004010F7   75 15            jnz short chap709.0040110E
004010F9   46               inc esi
004010FA   EB 12            jmp short chap709.0040110E
........................................ ...................
IAT repair
Run ImportREC, enter 10CC as the OEP, and use "IAT AutoSearch" then "Get Imports". 111 pointers come back invalid. Fix 98 of them with trace level 1 and the remaining 13 with level 3; after fixing, the dump runs normally.
Removing junk sections and rebuilding the PE
This step needs a little PE knowledge. It does not matter if you have none yet; learn it along the way and build up experience.
Back up the dumped program first: sometimes a program stops running because too much was trimmed away.
This section is only a small example of trimming the file.
Load the unprotected Win98 Notepad and the dumped program into two OD instances at the same time.
Win98 Notepad
[Local download] Notepad.rar
Press Alt+M in both and compare the memory maps side by side.
Memory map of the original program:
Address   Size      Owner    Section  Contains     Type   Access  Initial access
003E0000  00002000                                 Map    R
00400000  00001000  notepad           PE header    Imag   R       RWE
00401000  00004000  notepad  .text    code         Imag   R       RWE
00405000  00001000  notepad  .data                 Imag   R       RWE
00406000  00001000  notepad  .idata   imports      Imag   R       RWE
00407000  00005000  notepad  .rsrc    resources    Imag   R       RWE
0040C000  00001000  notepad  .reloc   relocations  Imag   R       RWE
What the sections contain:
.text   // the code section, the one we see most often when disassembling a program.
.data   // initialized data used by the program.
.idata  // the import table; today's protectors mostly work by damaging the import table.
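To make the "little PE knowledge" concrete, here is an added example (my own code, not part of the tutorial or any of the tools it uses) that parses a PE32 section table, rebuilds the Alt+M style listing above, maps an RVA such as the OEP 10CC to its file offset, and checks that the entry point of a dump really lies in a code section. The PE image it works on is constructed inline from the Notepad layout shown above (only headers, zero-filled bodies); the hex addresses 10CC and 4063E4 come from the tutorial, everything else (function names, the fake header values) is my assumption.

```python
import struct

# Section characteristic flags from the PE specification (winnt.h names).
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def build_sample_pe():
    """Constructed PE32 image (not a real file): its section table copies the
    Win98 Notepad layout from the tutorial's memory map; bodies are zero."""
    secs = [  # name, VirtualAddress, VirtualSize, PointerToRawData, Characteristics
        (b".text",  0x1000, 0x4000, 0x0400, 0x60000020),
        (b".data",  0x5000, 0x1000, 0x4400, 0xC0000040),
        (b".idata", 0x6000, 0x1000, 0x5400, 0x40000040),
        (b".rsrc",  0x7000, 0x5000, 0x6400, 0x40000040),
        (b".reloc", 0xC000, 0x1000, 0xB400, 0x42000040),
    ]
    img = bytearray(0xC400)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)              # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    struct.pack_into("<HHIIIHH", img, 0x84, 0x14C, len(secs), 0, 0, 0, 0xE0, 0x010F)
    opt = 0x98                                           # IMAGE_OPTIONAL_HEADER32
    struct.pack_into("<H", img, opt, 0x10B)              # Magic = PE32
    struct.pack_into("<I", img, opt + 16, 0x10CC)        # AddressOfEntryPoint (tutorial OEP)
    struct.pack_into("<I", img, opt + 28, 0x400000)      # ImageBase
    struct.pack_into("<II", img, opt + 32, 0x1000, 0x200)  # SectionAlignment, FileAlignment
    off = opt + 0xE0
    for name, va, vsize, raw, chars in secs:
        struct.pack_into("<8sIIIIIIHHI", img, off, name, vsize, va, vsize, raw, 0, 0, 0, 0, chars)
        off += 40
    return bytes(img)


def parse_pe(data):
    """Return (image_base, entry_rva, sections) from a PE32 file image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    sections = []
    for i in range(nsec):
        f = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": f[0].rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": f[1], "va": f[2], "rawsize": f[3],
                         "rawptr": f[4], "chars": f[9]})
    return image_base, entry_rva, sections


def _covers(s, rva):
    return s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"])


def rva_to_offset(sections, rva):
    """Map an RVA to its file offset, or None if no section covers it."""
    for s in sections:
        if _covers(s, rva):
            return s["rawptr"] + (rva - s["va"])
    return None


def access_string(chars):
    """R/W/E letters in the style of OllyDbg's Alt+M window."""
    return (("R" if chars & IMAGE_SCN_MEM_READ else "") +
            ("W" if chars & IMAGE_SCN_MEM_WRITE else "") +
            ("E" if chars & IMAGE_SCN_MEM_EXECUTE else ""))


def memory_map(image_base, sections):
    """Rows like the Alt+M listing: (address, size, name, contains, access)."""
    return [(image_base + s["va"], s["vsize"], s["name"],
             "code" if s["chars"] & IMAGE_SCN_CNT_CODE else "data",
             access_string(s["chars"])) for s in sections]


def oep_section(sections, entry_rva):
    """Name of the code section holding the entry point, or None when the OEP
    falls in a data section or outside every section (a dump to re-check)."""
    for s in sections:
        if _covers(s, entry_rva):
            return s["name"] if s["chars"] & IMAGE_SCN_CNT_CODE else None
    return None


if __name__ == "__main__":
    base, ep, secs = parse_pe(build_sample_pe())
    for addr, size, name, contains, acc in memory_map(base, secs):
        print(f"{addr:08X} {size:08X} {name:<8} {contains:<5} {acc}")
    print(f"OEP {base + ep:08X} lies in {oep_section(secs, ep)}, file offset {rva_to_offset(secs, ep):X}")
    # the call dword ptr [4063E4] at the OEP reads a slot inside .idata:
    print(f"IAT slot 004063E4 -> file offset {rva_to_offset(secs, 0x4063E4 - base):X}")
```

The same parser run over a LordPE dump shows at a glance which sections the packer added (the ones absent from the clean Notepad map) and whether the OEP you typed into ImportREC still lands inside .text after those sections are removed.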