Comments: In fact, the shell itself does not matter; the problem is that there is a verification inside the VM. sm, show some mercy. I barely got it running normally and didn't have the energy to restore the VM.

Press F4 on the retn of VirtualFree, then F7 until [esp] is an address inside the exe image:
0040FA91 B8 BE180000 mov eax, 18BE
0040FA96 BA 00004000 mov edx, slv_unpa.00400000
0040FA9B 03C2 add eax, edx
0040FA9D FFE0 jmp eax

F4 on jmp eax, then F7 to reach the OEP:
004018BE 68 EA1AF500 push 0F51AEA
004018C3 E9 EF01B500 jmp 00F51AB7
004018C8 CC int3
004018C9 CC int3

This jumps into the VM, but that memory segment cannot be dumped. Ctrl+F2 to restart and see where it is allocated: bp VirtualAlloc, keep pressing Ctrl+F9 without stopping until eax = 00F50000, then stop:
0040FBB6 6A 40 push 40
0040FBB8 68 00100000 push 1000
0040FBBD 50 push eax
0040FBBE 6A 00 push 0
0040FBC0 FF13 call [ebx]; kernel32.VirtualAlloc
0040FBC2 8BD0 mov edx, eax
0040FBC4 8BFA mov edi, edx
0040FBC6 8B4E FC mov ecx, [esi-4]
0040FBC9 F3:A4 rep movsb

Step down; ecx = 000151E9. Copy unpackme.exe to 2.exe and add a section header: vaddr = 0x22000, vsize = 0x20000. On 2.exe, F4 at 0040FBC2 and change eax to 422000. Then follow the method above to reach the OEP and dump with LordPE (I never succeeded with OllyDump): dumped.exe.
Fixing the dump with ImpREC to generate 3.exe gives an invalid result. Click Debug to attach OD:
00422CCA 8910 mov [eax], edx // eax = 00140688
00422CCC E9 0D0E0000 jmp 00423ADE

Look upward, all are... ah no, they are all junk instructions, but only EB (short jmp), so NOP them out:
00422CA4 33C0 xor eax, eax
00422CAC AC lodsb
00422CB1 8B1487 mov edx, [edi+eax*4]
00422CB7 33C0 xor eax, eax
00422CBD AC lodsb
00422CC8 8B0487 mov eax, [edi+eax*4]
00422CCA 8910 mov [eax], edx
00422CCC E9 0D0E0000 jmp 00423ADE

This looks like a VM command. Something seems to have been lost. Where does the verification come from?
Idea 1: GetFileSize. sm probably didn't bother to use it. Useless, but a chance to try it.
Idea 2: A flag is set somewhere when the VirtualAlloc memory is released, and the VM segment is dumped too. Where can this be solved?
I think sm has always liked to insert something into the PE header. Let's look at the PE header. Load 1_2.exe, Alt+M on the PE header, F2; at the OEP it really does break on an access: [400110] = 1000
3.exe also breaks: [400110] = 18BE
So it is the entry point that was being verified, and presumably a constant operation follows, because 1000 is used as the entry for all kbys. There are two solutions: one is to write a piece of entry code that changes the entry to 1000; the other is to move it. Because write protection is inconvenient, I chose to move. At 401000, Ctrl+R finds both references; change them to 401005:
004011DA E8 21FEFFFF call 3.00401000
004011EC E8 0FFEFFFF call 3.00401000

Modify the code here:
00401000 E9 B9080000 jmp 4.004018BE
00401005 68 EA9C4200 push 4.00429CEA
0040100A E9 A82A0200 jmp 4.00423AB7

Save to file, then change the entry to 1000 in LordPE and save as 4.exe. The image is displayed; however, clicking "she" does not close it. Instead, the VM presumably calls 1000 to exit, and the result then jumps to 18BE and DialogParam. So write protection has to be chosen after all: use LordPE to add the import VirtualProtect, find a blank space below the OEP to write the code, and finally jump back to 18BE.
004018C8> B8 00004000 mov eax, 00400000
004018CD 0340 3C add eax, [eax+3C]
004018D0 8D78 28 lea edi, [eax+28]
004018D3 50 push eax
004018D4 54 push esp
004018D5 6A 04 push 4
004018D7 6A 04 push 4
004018D9 57 push edi
004018DA FF15 1E304400 call [44301E]; kernel32.VirtualProtect
004018E0 58 pop eax
004018E1 B8 00100000 mov eax, 1000
004018E6 AB stosd
004018E7 ^EB D5 jmp 004018BE

Change the entry to 18C8.
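The check above reads AddressOfEntryPoint through e_lfanew, which is exactly the field the stub at 004018C8 walks ([eax+3C], then +28) and overwrites with 1000. As an added example that is not part of the original post, this Python script performs the same two-offset walk on a constructed minimal header; it assumes image base 0x400000 and e_lfanew 0xE8 so that the field lands at 0x400110 as in the post.

```python
import struct

IMAGE_BASE = 0x400000
E_LFANEW = 0xE8          # assumed value; puts the entry field at 0x400110
ENTRY_FIELD_OFF = 0x28   # 'PE\0\0' (4) + file header (20) + optional header offset 0x10


def build_sample_image(entry_rva: int) -> bytearray:
    """Constructed minimal PE32 header image (not the crackme's real bytes)."""
    img = bytearray(0x200)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, E_LFANEW)              # e_lfanew
    img[E_LFANEW:E_LFANEW + 4] = b"PE\0\0"                  # PE signature
    struct.pack_into("<H", img, E_LFANEW + 0x18, 0x10B)      # optional header magic (PE32)
    struct.pack_into("<I", img, E_LFANEW + ENTRY_FIELD_OFF, entry_rva)
    return img


def entry_field_va(img: bytes, image_base: int = IMAGE_BASE) -> int:
    """Same walk as the stub: [base+3C] -> PE header, +28 -> AddressOfEntryPoint."""
    if img[0:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", img, 0x3C)[0]
    if img[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return image_base + e_lfanew + ENTRY_FIELD_OFF


def read_entry(img: bytes, image_base: int = IMAGE_BASE) -> int:
    """Value the VM's check compares, e.g. [400110] = 18BE in the post."""
    off = entry_field_va(img, image_base) - image_base
    return struct.unpack_from("<I", img, off)[0]


def patch_entry(img: bytearray, new_rva: int, image_base: int = IMAGE_BASE) -> int:
    """In-memory equivalent of `mov eax,1000 / stosd`; returns the old value."""
    off = entry_field_va(img, image_base) - image_base
    old = read_entry(img, image_base)
    struct.pack_into("<I", img, off, new_rva)
    return old


if __name__ == "__main__":
    image = build_sample_image(0x18BE)
    print(hex(entry_field_va(image)), hex(read_entry(image)))   # 0x400110 0x18be
    patch_entry(image, 0x1000)
    print(hex(read_entry(image)))                                # 0x1000
```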