Comments: [Remove text title] manual shelling entry 17th VGCrypt PE Encryptor V0.75 [remove text author] weiyi75 [Dfcg] [author mailbox] weiyi75@sohu.com [author homepage] Dfcg official base camp [use tools] Peid, ollydbg, ImportREC [shelling platform] Win2K/XP [software name] VGCrypt PE Enc [detachment title] manual shelling 17th articles VGCrypt PE Encryptor V0.75
[Author] weiyi75 [Dfcg]
[Author mailbox] weiyi75@sohu.com
[Author's homepage] official Dfcg base camp
[Tools] Peid, Ollydbg, ImportREC
[Shelling platform] Win2K/XP
[Software name] VGCrypt PE Encryptor V0.75
[Software Overview] This is a fairly simple PE encryptor I wrote up. I commented everything that is relavent to PE appendation or insertion, more so than I needed to even. the most interesting feature of this encryptor is that it attempts to find a location to insert itself between object virtual size and the next file alignment boundary, thus not changing the physical file size.
[Software size] 16 KB
[] Local download
Vgcrypt.rar
[Shelling] Virogen Crypt 0.75
[Protection method] Virogen Crypt resource protection case
[Shell removal statement] I am a little cainiao and may share with you a little bit :)
--------------------------------------------------------------------------------
[Shelling content]
Download this program and compress a Win98 notepad using the command line method of Vgcrypt Notepad.exe. The size of the original file is 52 kb after compression, and the program does not encrypt IAT, the Code segment is messed up, so that you cannot disassemble it. You can use the resource editing software to find and edit resources.
Shell notepad
Local download
Notepad.rar
First, check the Peid shell. It is Virogen Crypt 0.75, And the OD is loaded and run without any exception. It is determined as the compression shell.
0040584C> 9C PUSHFD // notepad shell portal.
0040584D 55 PUSH EBP
0040584E E8 EC000000 CALL 1.0040593F
00405853 87D5 xchg ebp, EDX
00405855 5D POP EBP
00405856 PUSHAD // use the ESP law after this sentence,
00405857 87D5 xchg ebp, EDX // here ESP = 12ffa0
00405859 80BD 15274000 0> cmp byte ptr ss: [EBP 402715], 1
00405860 74 39 je short 1.0040589B
00405862 C685 15274000 0> mov byte ptr ss: [EBP 402715], 1
00405869 E9 E4000000 JMP 1.00405952
0040586E-E9 79DAFF90 JMP 914032EC
00405873 D6 SALC
00405874 64: ce into; Additional prefix
00405876 E4 3C in al, 3C; I/O command
00405878 40 INC EAX
00405879 94 xchg eax, ESP
0040587A 65: ec in al, DX; I/O command
0040587C ^ 78 8D js short 1.0040580B
........................................ .....................
Dd 12ffa0
Hardware access-Dword breakpoint.
Run F9
Hardware interruption.
004058A8 9D POPFD // stack balance
004058A9 8B9A 09274000 mov ebx, dword ptr ds: [EDX 402709]
004058AF 898A 09274000 mov dword ptr ds: [EDX 402709], ECX
004058B5 FFE3 jmp ebx // jump to OEP 4010CC
004010CC 55 DB 55 // right-click to clear the analysis
004010CD 8B DB 8B
004010CE EC DB EC
004010CF 83 DB 83
004010D0 EC DB EC
004010D1 44 DB 44; CHAR 'D'
004010D2 56 DB 56; CHAR 'V'
004010D3 FF DB FF
004010D4 15 DB 15
004010D5. E4634000 DD
004010D9 8B DB 8B
004010DA F0 DB F0
004010DB 8A DB 8A
004010DC 00 DB 00
004010DD 3C DB 3C; CHAR '; KERNEL32.GetCommandLineA
004010D9 8BF0 mov esi, EAX
004010DB 8A00 mov al, byte ptr ds: [EAX]
004010DD 3C 22 cmp al, 22
004010DF 75 1B jnz short 1.004010FC
004010E1 56 PUSH ESI
004010E2 FF15 F4644000 call dword ptr ds: []; USER32.CharNextA
004010E8 8BF0 mov esi, EAX
004010EA 8A00 mov al, byte ptr ds: [EAX]
004010EC 84C0 test al, AL
004010EE 74 04 je short 1.004010F4
004010F0 3C 22 cmp al, 22
004010F2 ^ 75 ed jnz short 1.004010E1
004010F4 803E 22 cmp byte ptr ds: [ESI], 22
........................................ ........................................
Run ImportREC and select this process. Change OEP to ipv10cc, click IT AutoSearch, and click "Get Import". All functions are valid. FixDump, cannot run. Rebuild the Pe with Loadpe and run normally.
Continue OD to load its main program.
00408000> 9C PUSHFD // main program shell entry.
00408001 55 PUSH EBP
00408002 E8 EC000000 CALL Vgcrypt.004080F3
00408007 87D5 xchg ebp, EDX
00408009 5D POP EBP
0040800A 60 PUSHAD // use the ESP law after this sentence,
0040800B 87D5 xchg ebp, EDX // here ESP = 12ffa0
0040800D 80BD 15274000 0> cmp byte ptr ss: [EBP 402715], 1
00408014 74 39 je short Vgcrypt.0040804F
00408016 C685 15274000 0> mov byte ptr ss: [EBP 402715], 1