Text and figures: espresso
Packing a program with a shell tool (a packer) is a necessary and very effective way to reduce the space it occupies. Because packing changes the code inside the program, it is also widely used for software self-protection. As a result, a large number of packers have appeared, with endless variations; they can be divided into compression shells, encryption shells, and encryption driver shells. If you want to translate packed software into Chinese, unpacking is the first step.
Let's first understand how a packed program runs. When a packed program is executed, the shell code runs first; it always runs before the original program. While it runs, it restores the compressed or encrypted code to the original program code, and only then does the original program run normally.
Today the purpose of packing a program is mainly threefold: making the program as small as possible, to save space and ease distribution; protecting copyright information and preventing unauthorized tampering or malicious cracking; and, on the attacker's side, packing trojan programs so that antivirus software does not detect them.
Anti-DDoS has previously published many articles on unpacking. The general unpacking workflow is: identify the shell type -> find the OEP address -> dump the program at the OEP -> fix the dumped program. This article also deals with an unknown shell. Checking it with the shell-detection tool PEiD reports an unknown shell, which means the entry-point signature of this shell is not in PEiD's detection range. Look at its EP section: the file has three sections, kafei1, kafei2 and kafei3, as shown in Figure 1. Its information shows that it is encrypted, as shown in Figure 2.
Figure 1
Figure 2
From this information we can see that after the program was packed, its EP section names were also deliberately modified, so that on the surface it looks like an "unknown shell". At this point we have the basic information.
To unpack a program, first find its OEP, then dump the program at the OEP and fix the IAT. The common tools are OD (OllyDbg), LordPE and ImportREC (unpacking tools are far from limited to these). You can also use PEiD's own plugins, automatic unpackers, or unpacking scripts. Next we introduce the unpacking process for this unknown shell.
Finding the OEP
First, find the OEP. Load the program into OD; the code at the entry point is as follows.
0040ED7D> 9C pushfd; Entry
0040ED7E 60 pushad
0040ED7F E8 33000000 call 0040EDB7
0040ED84 5D pop ebp
0040ED85 B8 23090150 mov eax, 50010923
0040ED8A 2D 1C090150 sub eax, 5003661c
0040ED8F 2BE8 sub ebp, eax
0040ED91 8DB5 CBFEFFFF lea esi, dword ptr [ebp-135]
0040ED97 8B06 mov eax, dword ptr [esi]
0040ED99 83F8 00 cmp eax, 0
0040ED9C 74 1D je short 0040EDBB
0040ED9E 8DB5 D7FEFFFF lea esi, dword ptr [ebp-129]
0040EDA4 8B06 mov eax, dword ptr [esi]
0040EDA6 83F8 01 cmp eax, 1
0040EDA9 C706 01000000 mov dword ptr [esi], 1
0040EDAF 0F84 9C020000 je 0040F051
0040EDB5 EB 04 jmp short 0040EDBB
0040EDB7 33ED xor ebp, ebp
0040EDB9 ^ EB C9 jmp short 0040ED84
0040EDBB 8BD5 mov edx, ebp
Out of habit, we first identify the characteristics of the entry point and judge the basic features of the shell (this requires accumulated experience with the entry-point signatures of common shells and programming languages). The same applies to this program: this is the very familiar Beidou shell entry signature, so we are secretly pleased. We immediately choose the ESP law (not repeated here; Anti-DDoS has covered it many times) to unpack. However, the ESP law, the memory-breakpoint method and searching for signature code all fail on this program: it simply runs, as shown in Figure 3. With no other option, we single-step from the entry point with F8 to see where the program runs away. After stepping with F8, we find that after the CALL at 0040EE5C the program runs (runs away). The code is as follows.
Figure 3
0040EE4D 50 push eax
0040EE4E 05 C0EE0000 add eax, 0EEC0
0040EE53 FFD0 call eax
0040EE55 58 pop eax
0040EE56 50 push eax
0040EE57 05 BA160000 add eax, 16BA
0040EE5C FFD0 call eax; the program runs away here
0040EE5E 83C4 04 add esp, 4
0040EE61 58 pop eax
0040EE62 5F pop edi
0040EE63 50 push eax
0040EE64 68 00000000 push 0
0040EE69 68 0F000000 push 0F
0040EE6E 05 5D180000 add eax, 185D
0040EE73 57 push edi
0040EE74 FFD0 call eax; the program runs away here
0040EE76 83C4 10 add esp, 10
0040EE79 61 popad
0040EE7A 60 pushad
0040EE7B EB 0D jmp short 0040EE8A
0040EE7D 81C3 11BA0C89 add ebx, 890CBA11
0040EE83 BB 00000000 mov ebx, 0
0040EE88 EB 0B jmp short 0040EE95
Why? Let's try again. This time, when we reach the CALL at EE5C, we use F7 to step into it and see what is there.
009C16BA 55 push ebp; unknown shell. <module entry point>
009C16BB 8BEC mov ebp, esp
009C16BD 83EC 54 sub esp, 54
009C16C0 53 push ebx
009C16C1 56 push esi
009C16C2 57 push edi
009C16C3 68 FC909C00 push 9C90FC; ASCII "xxsim_nsyt"
009C16C8 6A 01 push 1
009C16CA 6A 01 push 1
009C16CC 6A 00 push 0
009C16CE FF15 54809C00 call dword ptr [9C8054]; kernel32.CreateSemaphoreA
009C16D4 6A FF push -1
009C16D6 50 push eax
009C16D7 A3 E8A09C00 mov dword ptr [9CA0E8], eax
009C16DC FF15 50809C00 call dword ptr [9C8050]; kernel32.WaitForSingleObject
009C16E2 8B75 08 mov esi, dword ptr [ebp + 8]
009C16E5 8365 08 00 and dword ptr [ebp + 8], 0
009C16E9 8B46 44 mov eax, dword ptr [esi + 44]
009C16EC 8DBE 00040000 lea edi, dword ptr [esi + 400]
009C16F2 A3 ECA09C00 mov dword ptr [9CA0EC], eax
009C16F7 8B46 4C mov eax, dword ptr [esi + 4C]
009C16FA 8945 F8 mov dword ptr [ebp-8], eax
009C16FD 8D8E 00050000 lea ecx, dword ptr [esi + 500]
009C1703 0FBE07 movsx eax, byte ptr [edi]
009C1706 47 inc edi
009C1707 8D96 00060000 lea edx, dword ptr [esi + 600]
009C170D 85C0 test eax, eax
009C170F 897D F0 mov dword ptr [ebp-10], edi
009C1712 7E 10 jle short 009C1724
009C1714 8B5D 08 mov ebx, dword ptr [ebp + 8]
009C1717 03DF add ebx, edi
009C1719 8033 BD xor byte ptr [ebx], 0BD
009C171C FF45 08 inc dword ptr [ebp + 8]
009C171F 3945 08 cmp dword ptr [ebp + 8], eax
009C1722 ^ 7C F0 jl short 009C1714
009C1724 0FBE19 movsx ebx, byte ptr [ecx]
009C1727 41 inc ecx
009C1728 33C0 xor eax, eax
009C172A 85DB test ebx, ebx
009C172C 895D 08 mov dword ptr [ebp + 8], ebx
009C172F 894D EC mov dword ptr [ebp-14], ecx
009C1732 7E 0A jle short 009C173E
009C1734 803408 BD xor byte ptr [eax + ecx], 0BD
009C1738 40 inc eax
009C1739 3B45 08 cmp eax, dword ptr [ebp + 8]
009C173C ^ 7C F6 jl short 009C1734
009C173E 0FBE0A movsx ecx, byte ptr [edx]
009C1741 42 inc edx
009C1742 33C0 xor eax, eax
009C1744 85C9 test ecx, ecx
009C1746 7E 09 jle short 009C1751
009C1748 803410 BD xor byte ptr [eax + edx], 0BD
009C174C 40 inc eax
009C174D 3BC1 cmp eax, ecx
009C174F ^ 7C F7 jl short 009C1748
009C1751 8365 F4 00 and dword ptr [ebp-C], 0
009C1755 8365 08 00
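As an added illustration (not part of the original article), the following Python models what the three XOR loops at 009C1714, 009C1734 and 009C1748 do to the stub's data: each region at [esi+400], [esi+500] and [esi+600] starts with a signed length byte (movsx) and the bytes after it are XORed with 0BD. The image contents and the esi value are constructed for the demo; the negative-length case follows from the movsx/jle pair in the listing. Recognising this transform is what lets an analyst tell which regions the stub has already decoded when dumping the process.

```python
# Added example (not from the article): a Python model of the three decode loops in
# the shell stub at 009C1703..009C174F. The buffer, the esi value and its contents are
# constructed for the demo; only the key 0xBD and the offsets come from the listing.

KEY = 0xBD                              # immediate of "xor byte ptr [...], 0BD"
BLOCK_OFFSETS = (0x400, 0x500, 0x600)   # lea edi/ecx/edx, [esi + 400/500/600]

def decode_block(image: bytearray, start: int, key: int = KEY) -> int:
    """One loop: movsx reads a signed length byte at `start`; the `length` bytes that
    follow it are XORed in place. Returns the number of bytes rewritten."""
    length = image[start]
    if length >= 0x80:                  # movsx sign-extends: 0x80..0xFF become negative
        length -= 0x100
    if length <= 0:                     # test / jle: the loop body is skipped entirely
        return 0
    for i in range(length):             # inc / cmp / jl: exactly `length` iterations
        image[start + 1 + i] ^= key
    return length

def decode_stub_data(image: bytearray, esi: int) -> list:
    """The whole sequence; esi is the pointer the stub receives in [ebp+8]."""
    return [decode_block(image, esi + off) for off in BLOCK_OFFSETS]

def encode_block(payload: bytes, key: int = KEY) -> bytes:
    """Inverse transform (XOR is an involution), used only to build the test image."""
    return bytes([len(payload)]) + bytes(b ^ key for b in payload)

def build_sample_image(esi: int) -> bytearray:
    """Constructed image: two valid blocks plus one whose length byte is negative."""
    image = bytearray(esi + 0x700)
    blk1 = encode_block(b"xxsim_nsyt")   # the string pushed at 009C16C3, reused as sample data
    blk2 = encode_block(b"kafei")
    image[esi + 0x400:esi + 0x400 + len(blk1)] = blk1
    image[esi + 0x500:esi + 0x500 + len(blk2)] = blk2
    image[esi + 0x600] = 0xFF            # movsx reads -1: this block is left untouched
    image[esi + 0x601:esi + 0x604] = b"raw"
    return image

def demo(esi: int = 0x100) -> tuple:
    """Run the model; return per-block byte counts and the bytes each loop produced."""
    image = build_sample_image(esi)
    counts = decode_stub_data(image, esi)
    return (counts, bytes(image[esi + 0x401:esi + 0x40B]),
            bytes(image[esi + 0x501:esi + 0x506]), bytes(image[esi + 0x601:esi + 0x604]))
```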