Introduction to ESP Law)

I often see the ESP Law in the tutorial. Now I will tell you what the ESP law is. What is its principle?

!! (Too useful ◎)

BTW: After Reading 18 articles about manual shelling, reading this article may be more helpful to you!

2. Preparations before we begin to discuss the ESP law, I will explain some simple assembly knowledge to you.
1. call
This command is a basic assembly instruction for accessing subprograms. Maybe you said, I already know this! Don't worry, please continue watching.
What is the true meaning of call? We can understand this as follows: 1. The address of the next program is pushed to the stack; 2. The address of the subroutine from JMP to call. For example:

00401029. E8 DA240A00 call 004A3508
0040102E. 5A pop edx
After 00401029 is executed, the program will press 0040102E into the stack, and then JMP to 004A3508 address!

2. RET
The corresponding call is RET. We can understand RET as follows: 1. Stack the address pointed to in the current ESP; 2. Send JMP to this address.

This completes the process of calling a subroutine. The key here is: if we want to return the parent program, when we perform stack operations in the stack, we must ensure that before the RET command, ESP points to the address we press into the stack. This is also the famous "Stack balancing" principle!

3. Narrow ESP Law

The principle of ESP law is the "Stack balance" principle.

Let's take a look at the entrance to the program!

1. This is the value of each register when the entrance of the UPX shell is added!
Eax 00000000
ECX 0012ffb0
EdX 7ffe0304
EBX 7ffdf000
ESP 0012ffc4
EBP 0012fff0
ESI 77f51778 ntdll.77f51778
EDI 77f517e6 ntdll.77f517e6
EIP 0040ec90 note-UPX. <moduleentrypoint>
C 0 es 0023 32bit 0 (ffffffff)
P 1 CS 001b 32bit 0 (ffffffff)
A 0 SS 0023 32bit 0 (ffffffff)
Z 0 DS 0023 32bit 0 (ffffffff)
S 1 FS 0038 32bit 7ffde000 (FFF)
T 0 Gs 0000 null
D 0
O 0 lasterr error_mod_not_found (0000007e)

2. This is the value of the Register after the UPX shell JMP goes to OEP!
Eax 00000000
ECX 0012ffb0
EdX 7ffe0304
EBX 7ffdf000
ESP 0012ffc4
EBP 0012fff0
ESI 77f51778 ntdll.77f51778
EDI 77f517e6 ntdll.77f517e6
EIP 004010cc note-upx.004010CC.
C 0 es 0023 32bit 0 (ffffffff)
P 1 CS 001b 32bit 0 (ffffffff)
A 0 SS 0023 32bit 0 (ffffffff)
Z 1 Ds 0023 32bit 0 (ffffffff)
S 0 FS 0038 32bit 7ffde000 (FFF)
T 0 Gs 0000 null
D 0
O 0 lasterr error_mod_not_found (0000007e)

Haha ~ Is it the same except for the EIP!

Why?
Let's take a look at the first line of the UPX shell:

0040EC90 n> 60 pushad // ***** pay attention to this *****
0040EC91 BE 15B04000 mov esi, note-upx.0040B015

PUSHAD is to press all registers on the stack! At the end of the shell, let's take a look:

0040EE0F 61 popad // ***** Note *****
0040EE10-E9 B722FFFF jmp note-upx.004010CC // JMP to OEP

POP is to take all registers out of the stack!

When PUSHAD is used, ESP pushes the Register into the stack of 0012FFC0-0012FFA4! As follows:

0012FFA4 77F517E6 returned to ntdll.77F517E6 from ntdll.77F78C4E // EDI
0012FFA8 77F51778 returned to ntdll.77F51778 from ntdll.77F517B5 // ESI
0012 FFAC 0012FFF0 // EBP
0012FFB0 0012FFC4 // ESP
0012FFB4 7FFDF000 // EBX
0012ffb8 7ffe0304 // edX
0012 ffbc 0012ffb0 // ECx
0012ffc0 00000000 // eax

In this case, we will tell you the hardware access breakpoint for the ESP 0012ffa4. That is to say, when the program needs to access these stacks, so as to restore the original register value and prepare to jump to the search OEP, OD helps us to interrupt.

So we stopped at ee10!

Summary: Let's assume the shell is a subroutine. After the shell unzips the code and decompress it, what he must do is follow the stack Balancing Principle and let ESP execute it to OEP, make ESP = 0012FFC4.

4. General ESP Law

After reading the tutorial, many people will ask: is the ESP law 0012FFA4? Is the ESP law applicable only to compression shells!

My answer is: NO!

After reading the above, you will know that if you use 0012FFA8, you can also use the ESP law not only to compress the shell, but also to encrypt the shell !!!

First, let us know the truth-when the PE file starts running, that is, the first line of code that enters the shell. The register value is always the value above. If you don't believe it, try it yourself! When OEP is reached, most of the programs will start with a pressure stack! (Apart from the programs compiled by BC, BC usually uses the following statements to press the stack)

Now, based on the above ESP principle, we know that most shells run to OEP when ESP = 0012FFC4. That is to say, the first sentence of the program is to write 0012FFC0!

Finally, we get the general ESP law. If the hardware writes a breakpoint under 0012FFC0, we can stop at the second sentence of OEP !!

Let's take an example. Let's go to the first article on shelling!

After loading OD, come here:

0040D042 N> B8 00D04000 mov eax, Notepad.0040D000 // stop here
0040D047 68 4C584000 push Notepad.0040584C
0040D04C 64: FF35 00000000 push dword ptr fs: [0] // The First hardware interruption, F9
0040D053 64: 8925 00000000 mov dword ptr fs: [0], esp
0040D05A 66: 9C pushfw
0040D05C 60 pushad
0040D05D 50 push eax

Directly write a breakpoint to the hardware under 0012FFC0, and F9 runs. (Pay attention to hardware interruption)

The first hardware interruption at 0040D04C, F9 continues!

0040D135 A4 movs byte ptr es: [edi], byte ptr ds: [esi] // access exception, whether shift + F9 continues
0040D136 33C9 xor ecx, ecx
0040D138 83FB 00 cmp ebx, 0
0040D13B ^ 7E A4 jle short Notepad.0040D0E1

The second hardware interruption.

004058B5 64 db 64 // disconnected here
004058B6 89 db 89
004058B7 1D db 1D
004058B8 00 db 00
004058B9 00 db 00

Not here. F9 continues!

004010cc/. 55 push EBP
004010cd |. 8bec mov EBP, esp // disconnected here, haha, now! (If you find a flower command, use Ctrl + A to analyze it)
004010cf |. 83ec 44 sub ESP, 44
004010d2 |. 56 push ESI

Come on! This is not an addiction. Here is an example.

Shell removal advanced Article 2

If the above method cannot be broken, the program runs directly! Nothing. We are using another method!

Stop here after loading, and use the plug-in to hide od!

0040dbd6 n> ^ \ E9 25e4ffff JMP note_tel.0040c000 // stop here
0040 DBDB 0000 add byte ptr ds: [eax], al
0040 DBDD 0038 add byte ptr ds: [eax], bh
0040 DBDF A4 movs byte ptr es: [edi], byte ptr ds: [esi]
0040DBE0 54 push esp

Run F9 and skip the exception with SHIFT + F9:

0040D817 ^ \ 73 DC jnb short Note_tEl.0040D7F5 // here
0040D819 CD20 64678F06 vxdcall 68F6764
0040D81F 0000 add byte ptr ds: [eax], al
0040D821 58 pop eax

Write a breakpoint to the hardware under 0012FFC0! (Type HW 12FFC0 in the command line) SHIFT + F9 skip the exception and you will be taken to the second line of OEP: (use CTRL + A to analyze it)

004010CC/. 55 push ebp
004010CD |. 8BEC mov ebp, esp // disconnected here
004010CF |. 83EC 44 sub esp, 44
004010D2 |. 56 push esi
004010D3 |. FF15 E4634000 call dword ptr ds: [4063E4]
004010D9 |. 8BF0 mov esi, eax
004010DB |. 8A00 mov al, byte ptr ds: [eax]
004010DD |. 3C 22 cmp al, 22

In this way, we can easily solve the problem of finding OEP with two encrypted shells!

5. Summary

Now we can easily answer some questions.

1. What is the principle of ESP law?

Stack Balancing Principle.

2. What is the scope of application of ESP law?

Almost all compression shells, partially encrypted shells. As long as it is the shell of ESP = 0012FFC4 after JMP to OEP, we can use it theoretically. However, when a breakpoint is placed to avoid verification and when the OD is disconnected, this requires further summarization and accumulation. You are welcome to share your experience with us.

3. Can I only break the access breakpoint of 12FFA4?

Of course not. It is only an embodiment of the ESP law. We use the principle of the ESP law, not its specific value. It cannot be said that 12FFA4, or 12FFC0 is the ESP law, they are just an application of the ESP law!

4. What should we do with stolen code?

Haha, this is the best way to find stolen code! When we disconnected, it happened to be in the place where the shell was processing stolen code, and we went to OEP in F8!

6. Later


The principles of the above methods are summarized by myself and my own experience. If there is anything wrong, there is nothing to explain clearly. Also, haihan! However, if you think I am very good, you don't have to, because the ESP law is also taught by others, not my first one! I'm just a newbie who flies a little earlier than you. ^-^

After reading the above text, I hope it will help you find OEP, but don't forget one sentence: cainiao thinks it is difficult to find OEP, and experts think it is the most difficult to fix it! Now, I should write down the IAT repair principle in the next article! Let's work together!