Fly2015
This program is the eighth exercise of the 52pojie (吾爱破解) unpacking practice series. The target is packed with MoleBox V2.6.5. I have dealt with this packer before, but this program turned out to be somewhat more involved.
First, deal with the packer.
Exeinfo PE detection result:
DIE detection result. DIE tells us that the program underneath the packer was written in Delphi. This is useful: it helps a great deal when we go looking for the real OEP.
Load the MoleBox V2.6.5-packed program in OD; the entry-point code is shown below. Seeing PUSHAD, the natural approach is the ESP trick. Press F8 once to step over PUSHAD to the next instruction at address 00469bd9, select the ESP register in the register pane, right-click -> HW break [ESP] (a hardware breakpoint on write to the address ESP points at), then F9 to run the program.
The program breaks at the hardware write breakpoint just set: the packer stub has written back to the stack slot saved by PUSHAD.
Single-step with F7 to address 0046997b3, where there is a call eax. EAX holds the real OEP of the packed program: VA 0045159C.
F7 into 0045159C and look at the code. Familiar? This is the typical entry-point code of a Delphi program. To be honest, I do not enjoy disassembling Delphi programs, because there is no ideal tool for it.
Now that the real OEP is known, can we simply dump the program and call the unpacking finished? Try it and see. Dump with the OD plugin OllyDump, or with LordPE plus ImportREC, or with Scylla_x86, then run the dumped program. The result:
The same broken interface appears when the dump is run. The real OEP of the packed program has been found, yet the program still misbehaves, so most likely the IAT of the dump was not repaired properly. During the IAT repair I had simply let ImportREC cut the entries it showed as invalid function addresses. Looking more closely, the cut entries are not export functions of any system DLL, but neither are they the usual -1 or 0 markers that terminate a DLL's block in the IAT of a packed program. Only after consulting the posts on 52pojie did I learn that the API addresses of some functions are encrypted.
Next, use OD to locate the IAT in the program's memory. Once the real OEP is known, follow the code near it: the original program's calls into system DLLs go through the IAT, so the slots that hold the import addresses can be found from those calls.
From the code above, follow the call into the system DLL at address 0040658C. Sure enough, the call goes through an IAT slot; the clearest example is address 004554DC, which holds the address of user32.PostQuitMessage.
In OD's memory data pane, Ctrl+G to address 004554DC, the slot holding the PostQuitMessage address.
Scroll the data pane up and down to find the start of the IAT at VA 0045512C and its end at 00455728; the size used for the IAT is 455724-45512c = 5f8.
The encrypted system API entries are also visible in the IAT. Clearly these values do not fall inside any system DLL, and OD resolves them to no API name.
The task now is to restore these encrypted system API addresses.
Ctrl+F2 to restart the packed program in OD and delete the earlier hardware write breakpoint. In the memory data pane, Ctrl+G to the IAT start VA 0045512C, locate the slots that hold encrypted API addresses (for example 00455170), select each one and right-click -> Breakpoint -> Hardware, on write -> Dword. Press F9 several times; the real address of the API that is later encrypted shows up in the slot when the packer stub writes it. Record each of these API addresses.
Below are the encrypted system API entries and the real addresses recorded this way.
Before the encrypted entries are restored, Scylla_x86's view of the IAT shows them as invalid function addresses.
One step closer to a finished unpack. Ctrl+F2 to restart the program in OD and delete all the breakpoints set earlier. Use the ESP trick again as before to reach the real OEP and run to 0045159C. In the memory data pane, Ctrl+G to the IAT start VA 0045512C, find the encrypted API slots, and overwrite each one by hand with the correct address recorded earlier.
After the encrypted API entries have been corrected by hand, Scylla_x86's view of the IAT:
Done. Dump with the OD plugin OllyDump, giving it the real OEP RVA 5159C, and the unpacked program is complete. Alternatively, dump with LordPE and repair the IAT with ImportREC, or use Scylla_x86 to dump first and then Fix Dump.
One thing to watch when using the tools: Scylla_x86 and ImportREC take the same data, but Scylla expects VAs while ImportREC expects RVAs.
Unpacking succeeded; run the program to verify:
Summary: the method above is a bit roundabout, but the idea is right and it solves the problem. There is room to study other, better unpacking methods.
52pojie unpacking exercise, round 8: http://www.52pojie.cn/thread-11306-1-1.html
52pojie unpacking exercise, round 8, unpacking analysis: http://www.52pojie.cn/thread-11306-2-1.html
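The IAT triage and repair described above, as an added example that is not part of the original post: a hypothetical helper (iat_fix.py) that flags slots which point outside every loaded system DLL the way Scylla/ImportREC mark "invalid" entries, writes the addresses recorded under the hardware write breakpoints back into those slots, and converts the VAs the post gives into the RVAs ImportREC wants. Only the IAT VAs, the OEP and the image base (0x400000, since OEP VA 0045159C has RVA 5159C) come from the post; the 8-dword table slice, the DLL load ranges and the recorded addresses are constructed for the demo.

```python
"""
Added example, not from the original post: triage a dumped IAT slice, patch
the encrypted slots with recorded API addresses, and convert VA to RVA.
"""
import struct

IMAGE_BASE = 0x400000      # from the post: OEP VA 0045159C <-> RVA 5159C
IAT_START_VA = 0x45512C    # from the post
OEP_VA = 0x45159C          # from the post

# Constructed load ranges standing in for the system DLLs.  Real values come
# from OD's Executable modules window and differ from machine to machine.
MODULES = {
    "kernel32.dll": (0x7C800000, 0x7C900000),
    "user32.dll":   (0x7E410000, 0x7E4A0000),
}

# Constructed 8-slot slice of the table (little-endian DWORDs).  Slots 2 and 5
# imitate the encrypted pointers from the post: they land in no DLL.
SAMPLE_IAT = struct.pack(
    "<8I",
    0x7C80B731,  # kernel32 export
    0x7E4196B2,  # user32 export
    0x00AB12E0,  # encrypted
    0x00000000,  # 0 marker ending a DLL block
    0x7E418C2B,  # user32 export
    0x00AB1350,  # encrypted
    0xFFFFFFFF,  # -1 marker
    0x7E4194BE,  # user32 export
)

# Constructed stand-in for the addresses recorded under the hw write breakpoints.
RECORDED = {IAT_START_VA + 8: 0x7C801D7B, IAT_START_VA + 20: 0x7E4187E0}


def va_to_rva(va, base=IMAGE_BASE):
    """Scylla takes VAs, ImportREC takes RVAs: RVA = VA - image base."""
    return va - base


def module_for(addr, modules=MODULES):
    """Name of the DLL whose load range contains addr, or None."""
    for name, (lo, hi) in modules.items():
        if lo <= addr < hi:
            return name
    return None


def classify_iat(iat_bytes, start_va, modules=MODULES):
    """Return [(slot VA, value, verdict)]; verdict is a DLL name, 'marker' or 'invalid'."""
    out = []
    for i, (val,) in enumerate(struct.iter_unpack("<I", iat_bytes)):
        va = start_va + 4 * i
        if val in (0, 0xFFFFFFFF):
            verdict = "marker"
        else:
            verdict = module_for(val, modules) or "invalid"
        out.append((va, val, verdict))
    return out


def apply_fixes(iat_bytes, start_va, fixes):
    """Overwrite slots {slot VA: real API address}; returns the patched table."""
    buf = bytearray(iat_bytes)
    for va, real in fixes.items():
        off = va - start_va
        if off < 0 or off + 4 > len(buf) or off % 4:
            raise ValueError(f"{va:08X} is not a slot in this table")
        struct.pack_into("<I", buf, off, real)
    return bytes(buf)


if __name__ == "__main__":
    for va, val, verdict in classify_iat(SAMPLE_IAT, IAT_START_VA):
        print(f"{va:08X}  {val:08X}  {verdict}")
    fixed = apply_fixes(SAMPLE_IAT, IAT_START_VA, RECORDED)
    print("after fix:", [v for _, _, v in classify_iat(fixed, IAT_START_VA)])
    print(f"Scylla OEP VA {OEP_VA:08X} -> ImportREC OEP RVA {va_to_rva(OEP_VA):X}")
    print(f"Scylla IAT VA {IAT_START_VA:08X} -> ImportREC IAT RVA {va_to_rva(IAT_START_VA):X}")
```

Run it against a real dump by replacing SAMPLE_IAT with the 0x5f8 bytes read from 0045512C and MODULES with the ranges shown in OD; any slot still classified "invalid" after apply_fixes is an encrypted entry whose real address has not yet been recorded.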
Copyright notice: this is an original article by the blog owner; do not reproduce without the owner's permission.
MoleBox V2.6.5 unpacking analysis