Manual unpacking, part 18: PC Shrinker 0.71

Source: Internet
Author: User

[Title] Manual unpacking, part 18: PC Shrinker 0.71
[Author] weiyi75 [Dfcg]
[Author's e-mail] weiyi75@sohu.com
[Author's homepage] Dfcg official base camp
[Tools] PEiD, OllyDbg, ImportREC
[Unpacking platform] Win2K/XP
[Software name] Pcshrink.exe
[Software overview] Phrozen Crew PE Shrinker is a Windows 9x/NT executable file compressor that lets compressed executables run exactly as before while occupying significantly less disk space.
[Software size] 15 KB
[Download] Local download: PC Shrinker 0.71.rar
[Packer] PC Shrinker 0.71 -> Virogen
[Protection] PC Shrinker compression shell
[Unpacking statement] I am a little newbie and may share with you a little bit :)
--------------------------------------------------------------------------------
[Unpacking walkthrough]
This program has a rich set of compression options, but the interface offers no encryption options; its anti-OllyDbg option has no effect, and the exception-hiding setting does not matter here.
Let's first look at a notepad packed with it.
Local download: NOTEPAD.rar
PEiD identifies it as PC Shrinker 0.71 -> Virogen. Loading it in OD and running it raises no exceptions at all, so we treat it as a plain compression packer.
0040AAFB > 9C PUSHFD // entry point of the packed notepad
0040AAFC   60 PUSHAD // the ESP trick again: note ESP after this instruction
0040AAFD   BD B7710000 mov ebp, 71B7 // ESP here is 12FFA0
0040AB02   01AD 543A4000 add dword ptr ss:[EBP+403A54], EBP
0040AB08   FFB5 503A4000 push dword ptr ss:[EBP+403A50]
0040AB0E   6A 40 push 40
0040AB10   FF95 883A4000 call dword ptr ss:[EBP+403A88]
0040AB16   50 push eax
0040AB17   50 push eax
0040AB18   2D 7D394000 sub eax, notepad.0040397D
0040AB1D   8985 7E394000 mov dword ptr ss:[EBP+40397E], EAX
0040AB23   5F pop edi
0040AB24   8DB5 7D394000 lea esi, dword ptr ss:[EBP+40397D]
0040AB2A   B9 FC000000 mov ecx, 0FC
0040AB2F   F3:A5 rep movs dword ptr es:[EDI], dword ptr ds:[ESI]
0040AB31   5F pop edi
0040AB32   FFE7 jmp edi
..........
Command line: dd 12ffa0, then set a hardware breakpoint on access, Dword, on that stack slot.
Press F9 to run.
The hardware breakpoint fires.
Note 1
★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★
0040AAFB > 9C PUSHFD // entry point of the packed notepad
0040AAFC   60 PUSHAD
The decompression itself is one long loop; without the breakpoint we would have to trace through it slowly.
00132DC6   61 POPAD // the stack is back in balance, perfectly tidy
00132DC7   9D POPFD // this is the exit, and where we break
★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★
00132DC6   61 POPAD
00132DC7   9D POPFD // the exit; the hardware breakpoint stops us here (see Note 1)
00132DC8   BA CC104000 mov edx, 4010CC
00132DCD   FFE2 jmp edx // EDX = 4010CC, the OEP of notepad that everyone knows
Note that the exit lies at 00132DCx, outside the 00400000 image: the entry stub allocated a buffer (the call [EBP+403A88] above), copied itself into it with the REP MOVSD (0xFC dwords, starting at EBP+40397D = 0040AB34, the first byte after the JMP EDI) and jumped into the copy. That is why a breakpoint on the stack slot, rather than on code inside the image, is what finds the exit.
004010CC   55 push ebp // here we can dump directly with LordPE
004010CD   8BEC mov ebp, esp
004010CF   83EC 44 sub esp, 44
004010D2   56 push esi // the import table is intact: the call below resolves to KERNEL32.GetCommandLineA
004010D3   FF15 E4634000 call dword ptr ds:[4063E4] ; KERNEL32.GetCommandLineA
004010D9   8BF0 mov esi, eax
004010DB   8A00 mov al, byte ptr ds:[EAX]
004010DD   3C 22 cmp al, 22
004010DF   75 1B jnz short NOTEPAD.004010FC
004010E1   56 push esi
004010E2   FF15 F4644000 call dword ptr ds:[4064F4] ; USER32.CharNextA
004010E8   8BF0 mov esi, eax
004010EA   8A00 mov al, byte ptr ds:[EAX]
004010EC   84C0 test al, al
004010EE   74 04 je short NOTEPAD.004010F4
004010F0   3C 22 cmp al, 22
004010F2 ^ 75 ED jnz short NOTEPAD.004010E1
..........
Run ImportREC and pick this process from the list. Set OEP to 10CC (the RVA of 004010CC), click IAT AutoSearch, then Get Imports: every function shows as valid. Fix Dump on the LordPE dump, and the fixed file runs normally. notepad is completely unpacked.
Unpacking the main program
Now load the main program itself in OD.
004066F8 > 9C PUSHFD // entry point of the packed main program
004066F9   60 PUSHAD // the ESP trick applies after this instruction
004066FA   BD B42D0000 mov ebp, 2DB4 // ESP here = 19FFA0
004066FF   01AD 543A4000 add dword ptr ss:[EBP+403A54], EBP
00406705   FFB5 503A4000 push dword ptr ss:[EBP+403A50]
0040670B   6A 40 push 40
0040670D   FF95 883A4000 call dword ptr ss:[EBP+403A88]
00406713   50 push eax
00406714   50 push eax
00406715   2D 7D394000 sub eax, pcshrink.0040397D
0040671A   8985 7E394000 mov dword ptr ss:[EBP+40397E], EAX
00406720   5F pop edi
00406721   8DB5 7D394000 lea esi, dword ptr ss:[EBP+40397D]
00406727   B9 FC000000 mov ecx, 0FC
0040672C   F3:A5 rep movs dword ptr es:[EDI], dword ptr ds:[ESI]
0040672E   5F pop edi
0040672F   FFE7 jmp edi
..........
The stub is byte for byte the same as notepad's; only the MOV EBP immediate differs (2DB4 instead of 71B7), so EBP+40397D again lands right after the JMP EDI, at 00406731.
Command line: dd 19ffa0, hardware breakpoint on access, Dword.
Press F9 to run.
The hardware breakpoint fires.
001A2DD6   61 POPAD
001A2DD7   9D POPFD // stack back in balance
001A2DD8   BA 00104000 mov edx, 401000
001A2DDD   FFE2 jmp edx // EDX = 401000 is the OEP of the main program
00401000   E8 DB E8 // OD may show the OEP as raw DB bytes because its earlier analysis is stale: right-click, Analysis, Remove analysis from module, and it disassembles normally (the first five bytes E8 05160000 are CALL 0040260A).
00401001   05 DB 05
00401002   16 DB 16
00401003   00 DB 00
00401004   00 DB 00
00401005   A3 DB A3
00401006   DF DB DF
00401007   37 DB 37 ; CHAR '7'
00401008   40 DB 40 ; CHAR '@'
00401009   00 DB 00
0040100A   E8 DB E8
0040100B   BF DB BF
0040100C   15 DB 15
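As an added example (not code from the original post or from PC Shrinker), the following Python script does in code two of the steps performed by hand above for both notepad and the main program: it checks the entry-point bytes for the PUSHFD/PUSHAD/MOV EBP stub the way a PEiD signature does, reads the stub's immediates to confirm that the REP MOVSD copy source (EBP+40397D) starts right after the JMP EDI, computes the ESP-trick breakpoint address from the ESP at entry, decodes the CALL at the OEP that OD shows as DB bytes, and rewrites AddressOfEntryPoint the way LordPE/ImportREC set the OEP on a dump. The PE image it works on is constructed inline from the opcode bytes in the listings; its single-section layout, file offsets, and the GlobalAlloc reading of the PUSH 40 are assumptions, not facts from the original.

```python
"""Recognise the PC Shrinker 0.71 entry stub and fix a dump's entry point.
Added example for this write-up, not code from the original post or from PC Shrinker.
The PE image is built inline from the listing's opcode bytes; layout and offsets are demo assumptions."""
import struct

IMAGE_BASE = 0x00400000
STUB_LEN = 57  # bytes from PUSHFD up to and including JMP EDI
# Bytes copied from the OllyDbg listing of the packed notepad (0040AAFB-0040AB33).
NOTEPAD_STUB = bytes.fromhex(
    "9C" "60"                  # PUSHFD; PUSHAD (ESP now points at the saved EDI)
    "BD B7710000"              # MOV EBP, 71B7 (delta added to the fixed addresses below)
    "01AD 543A4000"            # ADD [EBP+403A54], EBP
    "FFB5 503A4000"            # PUSH [EBP+403A50] (size)
    "6A 40"                    # PUSH 40 (flags; 0x40 = GMEM_ZEROINIT if this is GlobalAlloc, an assumption)
    "FF95 883A4000"            # CALL [EBP+403A88] (allocate the buffer the stub copies itself into)
    "50 50" "2D 7D394000"      # PUSH EAX; PUSH EAX; SUB EAX, 40397D
    "8985 7E394000"            # MOV [EBP+40397E], EAX (lands at copy source + 1)
    "5F" "8DB5 7D394000"       # POP EDI (EDI = buffer); LEA ESI, [EBP+40397D] (first byte after JMP EDI)
    "B9 FC000000"              # MOV ECX, 0FC (0xFC dwords = 1008 bytes)
    "F3A5" "5F" "FFE7"         # REP MOVSD; POP EDI; JMP EDI (execution leaves the image)
)
# Main program stub (004066F8): identical apart from MOV EBP, 2DB4.
MAIN_STUB = NOTEPAD_STUB[:3] + bytes.fromhex("B42D0000") + NOTEPAD_STUB[7:]


def pe_headers(image):
    """Return (optional header offset, AddressOfEntryPoint, [(va, size, raw_off)])."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    _, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, e_lfanew + 4)
    opt = e_lfanew + 24
    entry_rva = struct.unpack_from("<I", image, opt + 16)[0]
    sections = []
    for i in range(nsect):
        vsize, va, rawsize, raw = struct.unpack_from("<IIII", image, opt + opt_size + 40 * i + 8)
        sections.append((va, max(vsize, rawsize), raw))
    return opt, entry_rva, sections

def entry_bytes(image, count=STUB_LEN):
    """Bytes at the entry point (the first thing PEiD and OD look at); b"" if unmapped."""
    _, entry_rva, sections = pe_headers(image)
    for va, size, raw in sections:
        if va <= entry_rva < va + size:
            off = raw + (entry_rva - va)
            return bytes(image[off:off + count])
    return b""

def is_pcshrink_entry(code):
    """PEiD-style signature: PUSHFD; PUSHAD; MOV EBP,imm32; ADD [EBP+disp32],EBP."""
    return len(code) >= 9 and code[:3] == b"\x9c\x60\xbd" and code[7:9] == b"\x01\xad"

def decode_stub(code, entry_va):
    """Read the stub's immediates and check that the copy source follows JMP EDI."""
    ebp, sub_imm, store_disp, lea_disp, ndwords = (
        struct.unpack_from("<I", code, off)[0] for off in (3, 30, 36, 43, 48))
    copy_src = (ebp + lea_disp) & 0xFFFFFFFF
    return {"ebp": ebp, "copy_src": copy_src, "copy_len": ndwords * 4,
            "delta_slot": (ebp + store_disp) & 0xFFFFFFFF,
            "src_follows_jmp": copy_src == entry_va + STUB_LEN,
            "sub_matches_lea": sub_imm == lea_disp}

def esp_after_pushad(esp_at_entry):
    """Address for the hardware-access dword breakpoint: PUSHFD (4) + PUSHAD (8*4) below entry ESP."""
    return esp_at_entry - 36

def call_rel32_target(code, va):
    """Decode E8 rel32 by hand (OD shows the OEP bytes as DB until stale analysis is removed)."""
    if code[0] != 0xE8:
        raise ValueError("not CALL rel32")
    return (va + 5 + struct.unpack_from("<i", code, 1)[0]) & 0xFFFFFFFF

def set_entry_point(image, new_rva):
    """Rewrite AddressOfEntryPoint to the OEP's RVA, which is what LordPE/ImportREC do to the dump."""
    fixed = bytearray(image)
    struct.pack_into("<I", fixed, pe_headers(image)[0] + 16, new_rva)
    return bytes(fixed)

def build_sample_pe(entry_rva, code, sect_rva=0x1000, raw_off=0x200, raw_size=0xA000):
    """Constructed minimal PE32 (DOS stub, headers, one section) holding `code` at entry_rva."""
    img, e_lfanew = bytearray(raw_off + raw_size), 0x40
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    # COFF: i386, 1 section, no symbols, 0xE0-byte PE32 optional header, EXECUTABLE|32BIT
    struct.pack_into("<HHIIIHH", img, e_lfanew + 4, 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    opt = e_lfanew + 24
    struct.pack_into("<H", img, opt, 0x10B)             # PE32 magic
    struct.pack_into("<I", img, opt + 16, entry_rva)    # AddressOfEntryPoint
    struct.pack_into("<I", img, opt + 28, IMAGE_BASE)   # ImageBase
    struct.pack_into("<8sIIII", img, opt + 0xE0, b".text", raw_size, sect_rva, raw_size, raw_off)
    off = raw_off + (entry_rva - sect_rva)
    img[off:off + len(code)] = code
    return bytes(img)

if __name__ == "__main__":
    packed = build_sample_pe(0xAAFB, NOTEPAD_STUB)
    print(is_pcshrink_entry(entry_bytes(packed)), decode_stub(entry_bytes(packed), IMAGE_BASE + 0xAAFB))
    print(hex(esp_after_pushad(0x12FFC4)), hex(pe_headers(set_entry_point(packed, 0x10CC))[1]))
```

The `src_follows_jmp` result is the useful check on a new sample: if the copy source computed from MOV EBP and LEA ESI is not the byte right after the stub's JMP EDI, the file is not carrying the 0.71 stub shown in the listings, and the fixed byte offsets in `decode_stub` should not be trusted for it.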
