Obsidium V1.2 shelling notepad

[Untext title] Obsidium V1.2 shelling notepad shelling

[Author] yeyu0808

[Tools] flyOD, Lordpe, PEID, ImportREC1.42

[Cracking platform] WinXp

[Software name] notepad

[Shelling method] Obsidium V1.2

[Shelling] I am a newbie, but I want to learn the technology ~!

[Shelling content] The shell of version Obs1.2 has been around for so long that no one is willing to release the shelling method. I am ugly here. This OBS

There is no major change in the upgrade. The shelling program is similar to the shelling method of Version 1.1, or the IAT and code connection after 4th Division of zero exceptions

There is not much change. the OEP and Version 1.1 are basically the same, but the memory access breakpoint is detected during IAT encryption and cannot be broken.

By encrypting IAT directly in Version 1.1, it sets a little obstacle for finding special functions. You can study it on your own ~!

The difficulty of using the Obsidium V1.2 shell notepad is greatly reduced. I am a cainiao and it is too difficult to solve it. I can only remove a notepad ~!

 

1. Search for OEP and Dump Processes

Old rule: Use the IsDebug 1.4 plug-in to remove the Ollydbg debugger flag. Ignore all other exceptions except the "integer is excluded from zero"
And use UnhandledExceptionFilter2.20. After F9, A Memory exception occurs, regardless of it, direct Shift + F9.

00407000>/EB 02 jmp short NOTEPAD.00407004 stop here after loading
003A120F F7F0 div eax 1 time
003A42E5 F7F0 div eax twice
003A4413 F7F0 div eax 3 times
003A42E5 F7F0 div eax 4 times, processing IAT location
003A2C8E F7F0 div eax 5 times
003A30B9 F7F0 div eax 6 times
003A2C8E F7F0 div eax 7 times
003A30B9 F7F0 div eax 8 times
0040891C F7F0 div eax 9 OEP hops

OK. When 5th 4th times of a2c8e exception, Ctrl + G: 003A2C8E (times of exception address)

When 003A2C8E is reached, Ctrl + f search Command: test word ptr ds: [esi], 20

003A49BF 66: F706 2000 test word ptr ds: [esi], 20 // locate here

Write down this: 003A64F0 address, and IAT decryption depends on it.

Stack at 9 times:
0012FF4C 0012FFE0 pointer to the next SEH record
0012FF50 00408951 SE handle

Go to the next disconnection of 00408951:
00408951 C8 000000 enter
00408955 EB 03 jmp short NOTEPAD.0040895A

Ctrl + f search command at the current location: mov dword ptr ds: [eax + 0B8], edx at 004089DF:
Search for the CONTEXT Structure and return it to the system in the middle.

004089DF 8990 B8000000 mov dword ptr ds: [eax + B8], edx;

NOTEPAD.00408C77
004089E5 EB 02 jmp short NOTEPAD.004089E9

At this time, edx = 00408C77, go to 00408C77, and F9:

00408C77 E8 bb1_00 call NOTEPAD.00408D37
// Encrypt the CALL and follow up.

00408D37 F8 clc
00408D38 73 01 jnb short NOTEPAD.00408D3B
00408D3A 59 pop ecx
00408D3B 60 pushad
00408D3C EB 02 jmp short NOTEPAD.00408D40
00408D3E FC cld
00408D3F D6 salc
00408D40 836C24 20 05 sub dword ptr ss: [esp + 20], 5
00408D45 EB 03 jmp short NOTEPAD.00408D4A
00408D47 CF iretd
00408D48 D4 1B aam 1B
00408D4A 8B4424 20 mov eax, dword ptr ss: [esp + 20]
00408D4E C600 CD mov byte ptr ds: [eax], 0CD
00408D51 C740 01 023B1DCD mov dword ptr ds: [eax + 1], CD1D3B02
00408D58 EB 01 jmp short NOTEPAD.00408D5B
00408D5A 65: B9 C0000000 mov ecx, 0C0
00408D60 F9 stc
00408D61 72 03 jb short NOTEPAD.00408D66
00408D63 9E sahf
00408D64 8480 BECD3A19 test byte ptr ds: [eax + 193 ACDBE], al
00408D6A 66