Fly2015
I had never dealt with an FSG packer before; this was my first encounter with one. The unpacking target is again the lesson-3 exercise program from the cracking-training course on the "I Love Cracking" forum. This packer took a while to work through, but it was sorted out in the end.
1. Identifying the packer
First run the target (the lesson-3 training exe) through a packer identifier. The scan (shown as a screenshot in the original) identifies the file as FSG-packed.
2. Unpacking
Load the packed program in OllyDbg (OD). The entry-point disassembly is shown as a screenshot in the original.
The stub was unfamiliar at first, but with some OD experience, and knowing that an FSG stub has to resolve the program's API addresses itself before handing control to the original code, the key point in the stub was found quickly: the instruction at 004001D1 that transfers control to the original code.
Set a breakpoint (F2) at 004001D1 and run (F9) to it. The target of that instruction, 0041DDAC, is the real OEP of the packed program.
Single-step (F7) into 0041DDAC. The familiar entry-point code is not shown yet: OD has not disassembled the bytes the stub just unpacked, so the region has to be re-analysed by hand.
Select the undecoded bytes at 0041DDAC, right-click, Analysis → Analyse code, and the disassembly is displayed correctly.
After the manual analysis, the familiar entry-point code appears at 0041DDAC. That is only the first step, though.
The obvious next step would be to dump the process with the OllyDump plugin. For this packer that straightforward approach does not give a usable unpacked file; LordPE ("Load PE" in the original) combined with ImportREC ("Recimport" in the original) is needed instead. The reason is that the IAT built by the FSG stub is not contiguous: a dump tool cannot tell which dwords in that region are function addresses and which are not, so the valid entries have to be identified by hand before the dump is fixed.
With the program paused at 0041DDAC (the image is fully unpacked in memory at this point), use LordPE to dump the in-memory PE image to disk.
Note that the dumped file does not run as-is: its IAT must be repaired before it can execute.
From the debugging above, the RVA of the real OEP is 0001DDAC (VA 0041DDAC minus the image base 00400000). ImportREC is used to repair the dump's IAT.
1. The usual way to repair the IAT:
Enter 0001DDAC in ImportREC's OEP field, then click IAT AutoSearch → Get Imports → Fix Dump.
Running the unpacked program after this IAT repair (screenshot in the original):
Clearly the repair did not succeed: had the IAT been rebuilt correctly, running the unpacked program would not produce the error prompt shown.
2. Repairing the IAT manually:
ImportREC's automatic search was not good enough: inspecting the memory in OD shows that it did not completely rebuild the dump's IAT.
IAT AutoSearch reported an incomplete table: start RVA 000320BC and size 0x200, hence end RVA 000320BC+200=000322BC. Comparing this with the memory contents in OD shows that both the start and the size are wrong.
Back in OD, press Ctrl+G in the hex dump window and go to 00410000, then set the display mode to Long → Address so that each dword is shown as an address and resolved to an API name wherever it points into a loaded module.
OD dump window in address display mode (screenshot in the original):
Scrolling through the region shows that the import table actually starts at RVA 00032000, not 000320BC, and ends at RVA 00032554, so the size of the import table is 32554-32000 = 554 (hex).
Start RVA of the import table: 00032000 (screenshot in the original).
End RVA of the import table: 00032554 (screenshot in the original).
Enter these values into ImportREC (OEP 0001DDAC, RVA 00032000, Size 00000554) and click Get Imports directly; do not click IAT AutoSearch again, or the hand-entered values are overwritten and the work is wasted.
Click Show Invalid: the recovered table contains invalid function addresses. OD confirms that the table is not contiguous; some slots hold 0x7FFFFFFF, which is not a valid function address (it lies above the highest user-mode address on 32-bit Windows and inside no loaded module).
Because 0x7FFFFFFF cannot be a function address, these entries have to be removed: right-click the invalid entries and choose Cut thunk(s).
With only valid entries left in the IAT, click Fix Dump to patch the dumped program.
The unpacked program running after the valid IAT fix (screenshot in the original):
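To make the manual IAT work above concrete, the following is an added example (not code from the original post or from ImportREC) that does offline what IAT AutoSearch, Get Imports and Show Invalid do interactively: it walks a dumped region dword by dword, resolves each value against loaded-module address ranges, derives the start RVA and Size that go into ImportREC, and lists the slots that would need Cut thunk(s). The module ranges and the dump bytes are constructed for the example; the real binary's table (RVA 00032000, size 0x554) is not reproduced, but the same logic applies to a region read out of the dump file.

```python
# Added example, not from the original post: emulate ImportREC's IAT scan on a
# constructed dump region. Module ranges and thunk values below are assumptions.
import struct

IMAGE_BASE = 0x00400000  # from the post: OEP VA 0041DDAC <-> RVA 0001DDAC

# Constructed stand-in for the loaded modules OD's "Address" view resolves against.
MODULE_RANGES = {
    "kernel32.dll": (0x7C800000, 0x7C900000),
    "user32.dll": (0x7E410000, 0x7E4A1000),
}

# Constructed dump bytes starting at RVA 00031FF0: padding, then an FSG-style IAT
# with a bogus 0x7FFFFFFF slot in the middle and zero separators between modules.
REGION_RVA = 0x00031FF0
REGION = struct.pack(
    "<16I",
    0, 0, 0, 0,                                       # 31FF0..31FFC: padding
    0x7C801D7B, 0x7C80AE40, 0x7FFFFFFF, 0x7C809AE4,   # 32000..3200C: kernel32, one invalid slot
    0x00000000,                                       # 32010: module separator
    0x7E42F7D0, 0x7E418734,                           # 32014..32018: user32
    0x00000000,                                       # 3201C: terminator
    0x00401000, 0x00000042, 0, 0,                     # 32020..: unrelated data after the table
)


def va_to_rva(va, image_base=IMAGE_BASE):
    """The OEP ImportREC wants is an RVA, not the VA OD displays."""
    return va - image_base


def resolve_module(value):
    """Module whose address range contains value, or None (0x7FFFFFFF resolves to nothing)."""
    for name, (lo, hi) in MODULE_RANGES.items():
        if lo <= value < hi:
            return name
    return None


def scan_region(region, region_rva):
    """Read every dword as a thunk: list of (rva, value, module-or-None)."""
    entries = []
    for off in range(0, len(region) - 3, 4):
        (val,) = struct.unpack_from("<I", region, off)
        entries.append((region_rva + off, val, resolve_module(val)))
    return entries


def iat_bounds(entries):
    """Start RVA and exclusive end RVA of the span that holds resolvable addresses,
    i.e. what the post found by scrolling (32000..32554) instead of AutoSearch's guess."""
    valid = [rva for rva, _, mod in entries if mod is not None]
    return valid[0], valid[-1] + 4


def invalid_thunks(entries, start, end):
    """Non-zero slots inside the table that resolve to no module: the Cut thunk(s) candidates."""
    return [(rva, val) for rva, val, mod in entries
            if start <= rva < end and val != 0 and mod is None]


def group_by_module(entries, start, end):
    """ImportREC-style tree: module -> thunk RVAs, with invalid slots dropped."""
    tree = {}
    for rva, _, mod in entries:
        if start <= rva < end and mod is not None:
            tree.setdefault(mod, []).append(rva)
    return tree


def importrec_fields(oep_va, entries):
    """The three values typed into ImportREC before clicking Get Imports."""
    start, end = iat_bounds(entries)
    return {"OEP": f"{va_to_rva(oep_va):08X}",
            "RVA": f"{start:08X}",
            "Size": f"{end - start:08X}"}


if __name__ == "__main__":
    ents = scan_region(REGION, REGION_RVA)
    print(importrec_fields(0x0041DDAC, ents))
    start, end = iat_bounds(ents)
    for rva, val in invalid_thunks(ents, start, end):
        print(f"invalid thunk at RVA {rva:08X}: {val:08X}  (cut it)")
    print(group_by_module(ents, start, end))
```

Size is computed as end minus start with an exclusive end, matching the 32554-32000 arithmetic in the post; zero dwords are treated as module separators rather than invalid entries, which is why only the 0x7FFFFFFF slot is reported for cutting.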
FSG unpacking write-up and the unpacked program: http://download.csdn.net/detail/qq1084283172/8883891
Manually unpacking FSG in practice