Fly2015
This is the practice sample program for elective assignment 6 of the first I Love Cracking training class. I have to repeat the same sentence: I had not seen this packer before. It is a compression packer; compared with compression packers, encryption packers are more difficult, especially when it comes to repairing the IAT.
First, DIE and Exeinfo PE were used to identify the packer on the packed program.
Load the WinUpack-packed program into OllyDbg (OD) for dynamic debugging analysis. The snapshot shows the disassembly at the packed program's entry point.
There is no need to think about it: on seeing PUSHAD, go straight to the ESP-law unpacking method. Single-step with F8, then right-click the ESP register and set a hardware write breakpoint. Press F9 to run the program, and it naturally breaks at the hardware breakpoint that was set.
I was a bit stunned: at the address where the hardware breakpoint hits, 004739BC, the target of the JMP instruction, 0041DDAC, is the VA of the original program's real OEP. Step into it directly with F7, and a familiar sight appears.
Press Ctrl+A to have OD analyze the memory at address 0041DDAC, and everything immediately becomes much clearer.
OK, you can now use the OD plug-in OllyDump or Scylla_x86 to dump the program's memory and repair the IAT. It should be noted, however, that unpacking directly with LordPE combined with ImportREC runs into a bit of a problem, which I did not look into more closely. Running the unpacked program below proves that the unpacking succeeded.
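A header-level sanity check for the dumped file, as an added example that is not part of the original post: it confirms that the dump's entry point now resolves to the OEP found above (0041DDAC) and that the import data directory is populated. The function names, the image base 0x00400000 and the import directory values in the sample header are assumptions made for illustration.

```python
import struct

OEP_VA = 0x0041DDAC      # OEP identified in the walkthrough above
IMAGE_BASE = 0x00400000  # assumption: default EXE image base, not stated on the page

def build_pe32_header(entry_rva, import_rva, import_size, image_base=IMAGE_BASE):
    """Build a minimal PE32 header (constructed sample, not a real dump)."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)             # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)                              # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)             # Magic = PE32
    struct.pack_into("<I", opt, 16, entry_rva)        # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, image_base)       # ImageBase
    struct.pack_into("<I", opt, 92, 16)               # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 104, import_rva, import_size)  # DataDirectory[1]
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)

def check_dump(data, expected_oep_va):
    """Return a list of problems found in the header of a dumped PE32 image."""
    if len(data) < 64 or data[:2] != b"MZ":
        return ["not an MZ image"]
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if pe + 136 > len(data) or data[pe:pe + 4] != b"PE\0\0":
        return ["missing PE signature"]
    opt = pe + 24                                     # skip signature + COFF header
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        return ["not a PE32 optional header"]
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    ndirs = struct.unpack_from("<I", data, opt + 92)[0]
    problems = []
    if image_base + entry_rva != expected_oep_va:
        problems.append("entry point is %08X, expected OEP %08X"
                        % (image_base + entry_rva, expected_oep_va))
    imp_rva, imp_size = struct.unpack_from("<II", data, opt + 104) if ndirs > 1 else (0, 0)
    if imp_rva == 0 or imp_size == 0:
        problems.append("import data directory is empty")
    return problems

if __name__ == "__main__":
    # Constructed headers: one fixed dump, one whose entry is still in the stub.
    fixed = build_pe32_header(0x1DDAC, 0x20000, 0x50)
    stale = build_pe32_header(0x739BC, 0, 0)
    print(check_dump(fixed, OEP_VA))
    print(check_dump(stale, OEP_VA))
```

An empty result only means the header is consistent with the OEP; running the unpacked program, as the post does, remains the actual proof.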
Analysis document for manually removing the WinUpack packer, together with the unpacked program: http://download.csdn.net/detail/qq1084283172/8900675
Copyright notice: this is an original article by the blogger and may not be reproduced without the blogger's permission.
Manually unpacking WinUpack in practice: I Love Cracking training, first class, elective assignment 6