Introduction to shells and shelling (unpacking)

I. Overview

By purpose, shells (packers) fall into two types: compression shells, which compress the program's resources, and encryption shells, which encrypt and protect them.
Compression shells: UPX, ASPack, tElock, PELite, NsPack...
Encryption shells: Armadillo, ASProtect, ACProtect, EPE, SVKP...
As the names suggest, a compression shell only compresses the program's resources to reduce its size, while an encryption shell encrypts the program and protects its import table. The protection offered by an encryption shell is of course much stronger!

II. Common shelling methods

Prerequisites

1. PUSHAD (push all registers onto the stack) marks the entry point of the packed program.
2. POPAD (pop all registers off the stack) marks the exit point of the shell. It pairs with PUSHAD, and the OEP is generally located close to it.
3. OEP: the original entry point of the program. A shelled program has its OEP hidden (or presents a false OEP, FOEP). As soon as we find the program's real OEP, we can unshell it right away.

Method 1: Single-step tracing
1. Load the program in OD and click "Do not analyze code!"
2. Single-step with F8 and only take jumps that go downward. Jumps back upward must not be taken! (Skip them with F4.)
3. When the program jumps back (including loops), press F4 on the instruction just below the jump (or right-click the instruction and select Breakpoint --> Run to selection).
4. A green line means the jump is not taken; ignore it. A red line means the jump is taken!
5. If there is a CALL right after the program is loaded, step into it with F7; otherwise the program can easily run away. This gets us to the program's OEP quickly.
6. If the program runs away at a CALL during tracing, step into that CALL with F7.
7. There is usually a large jump (one spanning a large distance), such as jmp XXXXXX or je XXXXXX, or a RETN; the program's OEP is reached soon after it.

Note: with some shells the trace cannot be followed all the way down. In that case find a nearby large jump that has not been taken, right-click --> "Follow", set a breakpoint there with F2, press Shift+F9 to stop at the "Follow" location, remove the breakpoint, and continue single-stepping with F8. This generally reaches the OEP easily!

Method 2: ESP law
The ESP law (ESP trick): ESP is shown in OD's register window; we only need to set a hardware access breakpoint on the ESP value from the command line, and we arrive at the program's OEP!
1. Press F8 once at the start and watch whether the ESP value in the register window (top right of OD) has changed (shown in red). (This is generally the first ESP value after the key instruction.)
2. On the command line enter: dd XXXXXXXX (the ESP address from the current code, or hr XXXXXXXX) and press Enter!
3. Select the address shown in the dump, then Breakpoint ---> Hardware, on access ---> Word.
4. Press F9 to run the program; it stops right at the jump. Press F8 to land on the program's OEP.

Method 3: Memory map method
1. Open the program in OD!
2. Click Options > Debugging options > Exceptions and ignore all exceptions! Reload the program with Ctrl+F2!
3. Press Alt+M to open the memory map, find the program's first .rsrc section, set a breakpoint on it with F2, then press Shift+F9 to run to the breakpoint. Press Alt+M again to open the memory map and find the program's CODE section listed above the first .rsrc section (i.e. the 00401000 region), and set a breakpoint on it with F2! Then press Shift+F9 (or F9 if there is no exception) to arrive directly at the program's OEP!


Method 4: Reaching the OEP in one step
1. Press Ctrl+F at the start and enter: popad (this only works for a few shells, such as UPX and ASPack). Set a breakpoint there with F2 and run to it with F9.
2. Step to the large jump and press F8 to reach the OEP!

Method 5: Last exception method
1. Open the program in OD.
2. Click Options > Debugging options > Exceptions and remove all the ticks! Reload the program with Ctrl+F2.
3. At the start the program sits at a jump. Press Shift+F9 repeatedly until the program runs, and write down the number of Shift+F9 presses from the start until it runs; call it m!
4. Reload the program with Ctrl+F2 and press Shift+F9 m-1 times (one press fewer than the number that made the program run).
5. In the lower right corner of OD we can see an "SE handler". Press Ctrl+G and enter the address listed for the SE handler!
6. Set a breakpoint with F2! Then press Shift+F9 to run to the breakpoint!
7. Remove the breakpoint and single-step downward slowly with F8!
8. Reach the program's OEP!

Method 6: Simulated tracing
1. Run the program once first and follow it to check whether there are any hidden SEH traps or the like.
2. Press Alt+M to open the memory map and find the section whose "Contains" column reads SFX, imports, relocations:

Memory map, item 30
Address = 0054B000
Size = 00002000 (8192.)
Owner = check 00400000
Section = .aspack
Contains = SFX, imports, relocations
Type = Imag 01001002
Access = R
Initial access = RWE

3. The address is 0054B000. Enter tc eip<0054B000 on the command line, press Enter, and let it trace...

Ice: to use this method, you need to understand the situation in which it applies.
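As an added illustration (not code from the original article), a small Python check for the static signs of a shell that the Overview and the memory map listing above point at: a packer section name such as .aspack, a section whose initial access is RWE, and an entry point that lies outside the first (CODE) section. The PE header bytes are constructed inline to mirror that listing (image base 00400000, .aspack at 0054B000) and contain no code; the packer section-name table is an assumed, partial list.

```python
import struct

SCN_MEM_EXECUTE, SCN_MEM_READ, SCN_MEM_WRITE = 0x20000000, 0x40000000, 0x80000000  # PE spec

# Section names left behind by packers named in the article (assumed list, not exhaustive)
PACKER_SECTIONS = {b"UPX0": "UPX", b"UPX1": "UPX", b".aspack": "ASPack",
                   b".adata": "ASPack", b".nsp0": "NsPack", b".nsp1": "NsPack"}

def parse_sections(data):
    """Walk the PE header and return (AddressOfEntryPoint, list of sections)."""
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    # COFF header: NumberOfSections, TimeDateStamp, PtrSymTab, NumSyms, SizeOfOptionalHeader
    n_sections, _, _, _, opt_size = struct.unpack_from("<HIIIH", data, e_lfanew + 6)
    opt = e_lfanew + 24                       # optional header follows the COFF header
    entry_rva, = struct.unpack_from("<I", data, opt + 16)
    sections = []
    for i in range(n_sections):
        off = opt + opt_size + 40 * i         # 40-byte IMAGE_SECTION_HEADER entries
        vsize, va, raw = struct.unpack_from("<III", data, off + 8)
        chars, = struct.unpack_from("<I", data, off + 36)
        sections.append({"name": data[off:off + 8].rstrip(b"\0"), "va": va,
                         "vsize": vsize, "raw": raw, "chars": chars})
    return entry_rva, sections

def packer_indicators(data):
    """Static signs that a binary is shelled; each one is a reason to expect a hidden OEP."""
    entry_rva, sections = parse_sections(data)
    findings = []
    for s in sections:
        name = s["name"].decode()
        if s["name"] in PACKER_SECTIONS:
            findings.append(f"{name}: section name used by {PACKER_SECTIONS[s['name']]}")
        if s["chars"] & SCN_MEM_WRITE and s["chars"] & SCN_MEM_EXECUTE:
            findings.append(f"{name}: writable and executable (initial access RWE)")
        if s is not sections[0] and s["va"] <= entry_rva < s["va"] + s["vsize"]:
            findings.append(f"entry point {entry_rva:#x} is in {name}, not the first section")
    return findings

def build_sample():
    """Constructed header only (no code), laid out like the ASPack image in the article."""
    def sec(name, va, vsize, raw, chars):
        return struct.pack("<8sIIIIIIHHI", name, vsize, va, raw, 0x400 if raw else 0, 0, 0, 0, 0, chars)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                    # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 20, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, 0x14B001)         # entry inside .aspack
    rwe = SCN_MEM_READ | SCN_MEM_WRITE | SCN_MEM_EXECUTE
    return (dos + coff + opt + sec(b"CODE", 0x1000, 0x100000, 0, rwe)
            + sec(b".rsrc", 0x101000, 0x10000, 0x10000, SCN_MEM_READ)
            + sec(b".aspack", 0x14B000, 0x2000, 0x2000, rwe))
```

Running packer_indicators(build_sample()) reports the RWE CODE section, the .aspack name, and the entry point sitting inside .aspack, which is exactly the layout the memory map method and the ESP law exploit to find the real OEP.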

Method 7: SFX method
1. Set OD to ignore all exceptions, i.e. tick everything on the Exceptions tab.
2. Switch to the SFX tab, select "Trace real entry bytewise (very slow)", and click OK.
3. Reload the program (if a dialog asks "Compressed code?", select "No"), and OD will stop at the OEP.

Ice: do not abuse this method, and practise it well.
Article from: Mzhacker.cn