New Unpacking Series Tutorial: CI Crypt V0.1 Manual Unpacking

Source: Internet
Author: User
Tags: crypt

[Author's statement]: This is purely out of interest and for no other purpose. If there are errors, please point them out.
[Debugging environment]: WinXP, OllyDbg, PEiD, LordPE, ImportREC
_____________________________________________________________
[Unpacking Process]:


CI Crypt is an uncommon packer, and unpacking it is somewhat more involved than unpacking a plain compression packer. We suggest you first practise manual unpacking of UPX/ASPack and then come back to this one.
There are many ways to unpack it; the ESP trick (the "ESP law") also works. Follow the walkthrough first, then work out your own unpacking method.
_____________________________________________________________
I. EP

Use LordPE to view the PE information of the target file: ImageBase = 00570000, SizeOfImage = 00075000.
Set OllyDbg to ignore all exceptions, hide OllyDbg with the IsDebugPresent plug-in, and clear all previous breakpoints.

CODE
00571744 3C 20          cmp al, 20
// OllyDbg pauses here when the file is loaded: this is the packed file's entry point (EP)
00571746 F5             cmc
00571747 79 01          jns short 0057174A
00571749 F8             clc
0057174A F5             cmc
0057174B F9             stc
// cmp/cmc/clc/stc only shuffle flags: junk code, whichever way the jns goes, execution reaches 0057174A
0057174C 60             pushad
// pushad saves all registers; the matching popad later is what the ESP trick catches (hardware breakpoint on [esp] after this instruction)
0057174D C0C1 70        rol cl, 70
00571750 E9 1B000000    jmp 00571770


_______________________________________________________
II. Data Restoration

bp VirtualAlloc
Press Shift+F9 to run. When the breakpoint hits, remove it and press Alt+F9 to return to the caller. The stack at the breakpoint shows the call parameters:

CODE

0013FD6C 005713CC  /CALL to VirtualAlloc from UnPackMe.005713CA
0013FD70 00400000  |Address = 00400000
0013FD74 0006B000  |Size = 6B000 (438272.)
0013FD78 00003000  |AllocationType = MEM_COMMIT|MEM_RESERVE
0013FD7C 00000040  \Protect = PAGE_EXECUTE_READWRITE

The requested address is 00400000, and the requested size is 6B000 (438272 bytes), presumably the SizeOfImage of the original, unpacked program: the stub allocates a whole image's worth of readable, writable and executable memory at a fixed address.

Normally an EXE has ImageBase = 00400000, but LordPE reports ImageBase = 00570000 for the CI Crypt-packed file. In other words, CI Crypt moves the packed program to a different base, and at run time its stub has to restore the original image at 00400000.
Following the code makes the packer's restoration process easier to understand, and reading further through it teaches a good deal.

CODE

005713C0 51             push ecx                                    ; save ecx
005713C1 6A 40          push 40                                     ; PAGE_EXECUTE_READWRITE
005713C3 68 00300000    push 3000                                   ; MEM_COMMIT|MEM_RESERVE
005713C8 51             push ecx                                    ; dwSize = 6B000
005713C9 50             push eax                                    ; lpAddress = 00400000
005713CA FFD3           call near ebx                               ; kernel32.VirtualAlloc
005713CC 59             pop ecx
// Alt+F9 returns here
005713CD 85C0           test eax, eax
005713CF 75 13          jnz short 005713E4                          ; got the block at 00400000
005713D1 6A 40          push 40
005713D3 68 00100000    push 1000                                   ; MEM_COMMIT
005713D8 51             push ecx
005713D9 50             push eax                                    ; eax = 0 here: let the system pick the address
005713DA FFD3           call near ebx                               ; fallback VirtualAlloc
005713DC 85C0           test eax, eax
005713DE 0F84 4D020000  je 00571631                                 ; both allocations failed: give up
005713E4 8945 F4        mov dword ptr ss:[ebp-C], eax               ; save the allocated base
005713E7 89C7           mov edi, eax                                ; edi = destination (00400000)
005713E9 8B75 08        mov esi, dword ptr ss:[ebp+8]               ; esi = original PE image stored inside the stub
005713EC 56             push esi
005713ED 89F1           mov ecx, esi
005713EF 034E 3C        add ecx, dword ptr ds:[esi+3C]              ; ecx = e_lfanew -> IMAGE_NT_HEADERS
005713F2 8B49 54        mov ecx, dword ptr ds:[ecx+54]              ; ecx = OptionalHeader.SizeOfHeaders
005713F5 F3:A4          rep movs byte ptr es:[edi], byte ptr ds:[esi]
// ecx = 00000400 (decimal 1024)
// ds:[esi] = [00571B79] = 4D ('M', the start of the original "MZ" header)
// es:[edi] = [00400000] = 00
// copies the original PE header back to 00400000
005713F7 5E             pop esi
005713F8 0376 3C        add esi, dword ptr ds:[esi+3C]              ; esi = IMAGE_NT_HEADERS
005713FB 81C6 F8000000  add esi, 0F8                                ; + sizeof(IMAGE_NT_HEADERS32) = first IMAGE_SECTION_HEADER
00571401 8B45 08        mov eax, dword ptr ss:[ebp+8]
00571404 0340 3C        add eax, dword ptr ds:[eax+3C]
00571407 0FB640 06      movzx eax, byte ptr ds:[eax+6]              ; eax = FileHeader.NumberOfSections (only the low byte is read)
0057140B 8D7D C8        lea edi, dword ptr ss:[ebp-38]              ; local buffer for one section header
0057140E 57             push edi
0057140F 6A 0A          push 0A
00571411 59             pop ecx                                     ; ecx = 0A dwords = 28h bytes = sizeof(IMAGE_SECTION_HEADER)
00571412 F3:A5          rep movs dword ptr es:[edi], dword ptr ds:[esi]
// [esi] is the section table of the original (unpacked) file; this copies the first section header to the local buffer
00571414 5F             pop edi
00571415 8B57 14        mov edx, dword ptr ds:[edi+14]              ; edx = PointerToRawData of that section
00571418 85D2           test edx, edx
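The header walk the listing above performs, reconstructed as an added Python example (this is not the tutorial's code and not CI Crypt's own): it reads e_lfanew, SizeOfHeaders, NumberOfSections and the section table at the same offsets the stub hard-codes ([esi+3C], [ecx+54], [eax+6], add esi,0F8, push 0A, [edi+14]), copies the headers into a fresh image buffer, and then maps each section's raw data to its VirtualAddress. The sample PE is constructed inline and stands in for the original program (it is not the tutorial's UnPackMe). The section-copy step is an assumption about how the stub continues, since the source listing stops right after it reads PointerToRawData.

```python
"""Added example: walk an original PE header the way the CI Crypt stub does.

The offsets are the ones the stub's disassembly uses. The sample PE is
constructed here and stands in for the original program; it is not UnPackMe.
"""
import struct

ORIGINAL_BASE = 0x00400000    # base the stub requests from VirtualAlloc
PACKED_BASE = 0x00570000      # ImageBase of the packed file, per LordPE in the tutorial

# Header offsets the stub hard-codes (relative to the image / to IMAGE_NT_HEADERS).
E_LFANEW = 0x3C               # IMAGE_DOS_HEADER.e_lfanew           -> [esi+3C]
NT_NUMBER_OF_SECTIONS = 0x06  # FileHeader.NumberOfSections         -> movzx eax, byte [eax+6]
NT_IMAGE_BASE = 0x34          # OptionalHeader.ImageBase (0x18 + 0x1C)
NT_SIZE_OF_IMAGE = 0x50       # OptionalHeader.SizeOfImage (0x18 + 0x38)
NT_SIZE_OF_HEADERS = 0x54     # OptionalHeader.SizeOfHeaders        -> [ecx+54]
NT_FIRST_SECTION = 0xF8       # sizeof(IMAGE_NT_HEADERS32)          -> add esi, 0F8
SECTION_HEADER_SIZE = 0x28    # 0A dwords                           -> push 0A / rep movsd
SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER; PointerToRawData is at +0x14 -> [edi+14]


def u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0]


def parse_headers(pe):
    """Read the fields the stub reads, plus ImageBase/SizeOfImage for the sanity check."""
    nt = u32(pe, E_LFANEW)
    if pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    # The stub does movzx eax, byte ptr [eax+6]; NumberOfSections is really a WORD, so the
    # stub only agrees with the spec for fewer than 256 sections. Read the full WORD here.
    n_sections = struct.unpack_from("<H", pe, nt + NT_NUMBER_OF_SECTIONS)[0]
    sections = []
    for i in range(n_sections):
        off = nt + NT_FIRST_SECTION + i * SECTION_HEADER_SIZE
        name, vsize, va, raw_size, raw_ptr, _, _, _, _, chars = struct.unpack_from(SECTION_FMT, pe, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii"), "va": va, "vsize": vsize,
                         "raw_size": raw_size, "raw_ptr": raw_ptr, "chars": chars})
    return {"image_base": u32(pe, nt + NT_IMAGE_BASE), "size_of_image": u32(pe, nt + NT_SIZE_OF_IMAGE),
            "size_of_headers": u32(pe, nt + NT_SIZE_OF_HEADERS), "sections": sections}


def map_file_to_image(file_bytes):
    """Rebuild the in-memory image from the file image.

    Step 1 is the listing's rep movsb: copy SizeOfHeaders bytes to the base.
    Step 2 (each section's raw data to its VirtualAddress) is the ASSUMED continuation
    of the stub after it reads PointerToRawData; the source listing stops there.
    """
    info = parse_headers(file_bytes)
    image = bytearray(info["size_of_image"])
    hdr = min(info["size_of_headers"], len(file_bytes), len(image))
    image[:hdr] = file_bytes[:hdr]
    for s in info["sections"]:
        raw = file_bytes[s["raw_ptr"]:s["raw_ptr"] + s["raw_size"]]
        raw = raw[:max(0, len(image) - s["va"])]          # never write past SizeOfImage
        image[s["va"]:s["va"] + len(raw)] = raw
    return bytes(image)


def build_sample_pe():
    """Constructed minimal PE32 with two sections, used as the 'original program'."""
    nt, size_of_headers, size_of_image = 0x80, 0x400, 0x3000
    # (name, VirtualAddress, VirtualSize, SizeOfRawData, PointerToRawData, Characteristics, payload)
    sections = [
        (b".text", 0x1000, 0x10, 0x200, 0x400, 0x60000020, b"\x55\x8b\xec" + b"\x90" * 12 + b"\xc3"),
        (b".data", 0x2000, 0x08, 0x200, 0x600, 0xC0000040, b"CICRYPT!"),
    ]
    buf = bytearray(0x800)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, E_LFANEW, nt)
    buf[nt:nt + 4] = b"PE\0\0"
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    struct.pack_into("<HHIIIHH", buf, nt + 4, 0x14C, len(sections), 0, 0, 0, 0xE0, 0x0102)
    opt = nt + 0x18
    struct.pack_into("<H", buf, opt, 0x10B)                  # PE32 magic
    struct.pack_into("<I", buf, opt + 0x10, 0x1000)          # AddressOfEntryPoint
    struct.pack_into("<I", buf, opt + 0x1C, ORIGINAL_BASE)   # ImageBase
    struct.pack_into("<II", buf, opt + 0x20, 0x1000, 0x200)  # SectionAlignment, FileAlignment
    struct.pack_into("<II", buf, opt + 0x38, size_of_image, size_of_headers)
    struct.pack_into("<I", buf, opt + 0x5C, 16)              # NumberOfRvaAndSizes
    for i, (name, va, vsize, raw_size, raw_ptr, chars, payload) in enumerate(sections):
        off = nt + NT_FIRST_SECTION + i * SECTION_HEADER_SIZE
        struct.pack_into(SECTION_FMT, buf, off, name.ljust(8, b"\0"), vsize, va, raw_size, raw_ptr, 0, 0, 0, 0, chars)
        buf[raw_ptr:raw_ptr + len(payload)] = payload
    return bytes(buf)


if __name__ == "__main__":
    info = parse_headers(build_sample_pe())
    print("stored ImageBase %08X, packed file uses %08X" % (info["image_base"], PACKED_BASE))
    for s in info["sections"]:
        print("%-6s VA %08X  RawPtr %08X  RawSize %08X" % (s["name"], s["va"], s["raw_ptr"], s["raw_size"]))
    image = map_file_to_image(build_sample_pe())
    print("image size %X, .data at %08X: %r" % (len(image), ORIGINAL_BASE + 0x2000, image[0x2000:0x2008]))
```

Running the script prints the ImageBase stored in the original header (00400000) next to the packed file's 00570000, which is exactly the mismatch the tutorial points out; the reverse direction of `map_file_to_image` (memory layout back to file layout) is what a dumper has to do once the restored image is in memory.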
