OEP processing of ACProtect in encrypted shell, acprotectoep

Source: Internet
Author: User


Handling the OEP of the ACProtect encryption packer

Attachment download: the packed sample and a PDF of this write-up


1. Packer:

ACProtect v1.41

Goal: analyze the code stolen from the OEP (the original entry point).

2. Analysis:

After loading the target in OllyDbg, EIP = 00412000:

00412000 > 60              pushad
00412001   E8 01000000     call vcmfc library 1.00412007
00412006 - 7E 83           jle Xvcmfc library 1.00411F8B
00412008   04 24           add al, 0x24
0041200A   06              push es
0041200B   C3              retn
0041200C   77 01           ja Xvcmfc library 1.0041200F
0041200E   43              inc ebx
0041200F   FC              cld
00412010   75 01           jnz Xvcmfc library 1.00412013

The entry point lies in the packer's own section (address 00412000, size 19000).

Following the usual approach for this packer, step over the pushad so that EIP is at 00412001, then set a hardware breakpoint on the stack pointer (hr esp). Run; the debugger breaks here:

0041254A   56              push esi
0041254B   8F05 A1294100   pop dword ptr ds:[0x4129A1]
00412551   60              pushad
00412552   78 03           js Xvcmfc library 1.00412557
00412554   79 01           jns Xvcmfc library 1.00412557
00412556   7B 40           jpo Xvcmfc library 1.00412598

 

Another pushad follows. Remove the hardware breakpoint set above, step over this pushad and set hr esp again. Run; the next break is here:

00427753   51              push ecx
00427754   8F05 89284100   pop dword ptr ds:[0x412889]        ; [889] = ecx
0042775A   60              pushad
0042775B   61              popad
0042775C   51              push ecx
0042775D   8F05 CD294100   pop dword ptr ds:[0x4129CD]        ; [9cd] = ecx
00427763   FF35 CD294100   push dword ptr ds:[0x4129CD]
00427769   8915 E1284100   mov dword ptr ds:[0x4128E1], edx
0042776F   FF35 E1284100   push dword ptr ds:[0x4128E1]
00427775   56              push esi
00427776   BE 11294100     mov esi, vcmfc library 1.00412911
0042777B   8BD6            mov edx, esi
0042777D   5E              pop esi
0042777E   52              push edx
0042777F   59              pop ecx                            ; ecx = edx = 412911
00427780   8F05 3D284100   pop dword ptr ds:[0x41283D]
00427786   8B15 3D284100   mov edx, dword ptr ds:[0x41283D]
0042778C   8929            mov dword ptr ds:[ecx], ebp        ; [412911] = ebp
0042778E   8F05 A12A4100   pop dword ptr ds:[0x412AA1]
00427794   56              push esi
00427795   BE A12A4100     mov esi, vcmfc library 1.00412AA1
0042779A   8B0E            mov ecx, dword ptr ds:[esi]
0042779C   5E              pop esi
0042779D   FF35 11294100   push dword ptr ds:[0x412911]       ; this is the first stolen instruction: push ebp
004277A3   8925 192B4100   mov dword ptr ds:[0x412B19], esp
004277A9   90              nop
004277AA   90              nop
004277AB   60              pushad
004277AC   E8 01000000     call vcmfc library 1.004277B2
004277B1 ^ 77 83           ja Xvcmfc library 1.00427736

Note the nop, nop, pushad sequence: it marks the end of one chunk of stolen code and the start of the next round of the packer's obfuscated code. The nops are random padding, so there may be one, two or more of them; the pushad is the reliable marker.

 

Copy all the instructions before the nops as raw bytes and save them:

00427753   51              push ecx
00427754   8F05 89284100   pop dword ptr ds:[0x412889]        ; [889] = ecx
0042775A   60              pushad
0042775B   61              popad
0042775C   51              push ecx
0042775D   8F05 CD294100   pop dword ptr ds:[0x4129CD]        ; [9cd] = ecx
00427763   FF35 CD294100   push dword ptr ds:[0x4129CD]
00427769   8915 E1284100   mov dword ptr ds:[0x4128E1], edx
0042776F   FF35 E1284100   push dword ptr ds:[0x4128E1]
00427775   56              push esi
00427776   BE 11294100     mov esi, vcmfc library 1.00412911
0042777B   8BD6            mov edx, esi
0042777D   5E              pop esi
0042777E   52              push edx
0042777F   59              pop ecx                            ; ecx = edx = 412911
00427780   8F05 3D284100   pop dword ptr ds:[0x41283D]
00427786   8B15 3D284100   mov edx, dword ptr ds:[0x41283D]
0042778C   8929            mov dword ptr ds:[ecx], ebp        ; [412911] = ebp
0042778E   8F05 A12A4100   pop dword ptr ds:[0x412AA1]
00427794   56              push esi
00427795   BE A12A4100     mov esi, vcmfc library 1.00412AA1
0042779A   8B0E            mov ecx, dword ptr ds:[esi]
0042779C   5E              pop esi
0042779D   FF35 11294100   push dword ptr ds:[0x412911]       ; this is the first stolen instruction: push ebp
004277A3   8925 192B4100   mov dword ptr ds:[0x412B19], esp

 

The binary data of this code is:

51 8F 05 89 28 41 00 60 61 51 8F 05 CD 29 41 00 FF 35 CD 29 41 00 89 15 E1 28 41 00 FF 35 E1 28 41 00 56 BE 11 29 41 00 8B D6 5E 52 59 8F 05 3D 28 41 00 8B 15 3D 28 41 00 89 29 8F 05 A1 2A 41 00 56 BE A1 2A 41 00 8B 0E 5E FF 35 11 29 41 00 89 25 19 2B 41 00

Repeat the above steps n times. How do you determine n? You will know once the trial-version nag window has popped up.

Save the bytes collected across all n rounds.

00429106 / EB 01           jmp Xvcmfc library 1.00429109
00429108 | E8 FF254B91     call 918DB70C
0042910D   42              inc edx

 

00429106 is a short jump; step into it with F7:

00429109 - FF25 4B914200   jmp dword ptr ds:[0x42914B]        ; vcmfc library 1.00405391
0042910F   60              pushad
00429110   E8 00000000     call vcmfc library 1.00429115
00429115   5E              pop esi
00429116   83EE 06         sub esi, 0x6

Where:

ds:[0042914B] = 00405391 (vcmfc library 1.00405391)

This is a far jump across sections. What does cross-section mean? The current instruction is at 00429109 and it jumps to 00405391;

the module map shows that execution goes from the .perplex section to the .text section. That is the famous cross-section jump.
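Added example (not from the original write-up or the packer): the cross-section test the text applies to the jump at 00429109, written out in Python. The .perplex base and size (00412000, 19000) and the 1000-byte section at 0042B000 are taken from the write-up; the .text bounds and the tiny memory map holding the pointer at 0042914B are constructed for this example.

```python
# Added example: classify a jump as intra-section or cross-section using a
# section table, and resolve the indirect "jmp dword ptr [addr]" form seen
# at 00429109. Section layout is constructed for illustration.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Section:
    name: str
    va: int      # virtual address of the section start
    size: int    # virtual size

    def contains(self, addr: int) -> bool:
        return self.va <= addr < self.va + self.size


# Hypothetical section table for the sample. .perplex values are from the
# write-up; .text is assumed to run from 0x401000 up to the .perplex base;
# the third section is the 1000-byte one ImportREC added at 0042B000.
SECTIONS: List[Section] = [
    Section(".text", 0x00401000, 0x00011000),     # assumed bounds
    Section(".perplex", 0x00412000, 0x00019000),  # packer section (from text)
    Section(".mackt", 0x0042B000, 0x00001000),    # ImportREC section (size from text)
]

# Constructed memory map: the pointer at 0042914B holds 00405391 (little-endian).
MEM: Dict[int, bytes] = {0x0042914B: bytes.fromhex("91534000")}


def section_of(addr: int, sections: List[Section] = SECTIONS) -> Optional[Section]:
    """Return the section containing addr, or None if it is outside the image."""
    for s in sections:
        if s.contains(addr):
            return s
    return None


def resolve_indirect_jmp(mem: Dict[int, bytes], ptr_va: int) -> int:
    """jmp dword ptr [ptr_va]: the real target is the 4-byte pointer in memory."""
    return int.from_bytes(mem[ptr_va], "little")


def is_cross_section(insn_va: int, target_va: int,
                     sections: List[Section] = SECTIONS) -> bool:
    """True when the instruction and its target lie in different sections."""
    src, dst = section_of(insn_va, sections), section_of(target_va, sections)
    return src is not None and dst is not None and src != dst


def classify_jump(insn_va: int, target_va: int) -> str:
    """Human-readable verdict in the terms the write-up uses."""
    src, dst = section_of(insn_va), section_of(target_va)
    if src is None or dst is None:
        return "target or source outside the image"
    if src == dst:
        return f"same section ({src.name})"
    return f"cross-section {src.name} -> {dst.name}: pseudo-OEP candidate"


if __name__ == "__main__":
    target = resolve_indirect_jmp(MEM, 0x0042914B)
    print(hex(target), classify_jump(0x00429109, target))
    print(classify_jump(0x00429106, 0x00429109))
```

The short jmp at 00429106 stays inside .perplex, while the indirect jmp at 00429109 lands in .text, which is exactly the distinction the write-up uses to recognise the transfer to the pseudo-OEP.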

 

Therefore, once execution enters the code section, the first instruction there is the so-called pseudo-OEP (screenshot omitted in this copy).

 

 

Next, dump the process.

Use ImportREC to rebuild the IAT of the dumped file.

The section ImportREC adds (.mackt) holds the rebuilt import table. It is 1000 bytes, and the import table does not need that much space, so the stolen code can be placed in this section.

Open the repaired dump_.exe in OllyDbg and find an empty area in the 0042B000 section.

I chose 0042BBA0: paste the bytes obtained above there and append a JMP 00405391 (to the pseudo-OEP). The tail of the pasted code looks like this:

0042BEBF   58              pop eax
0042BEC0   8908            mov dword ptr ds:[eax], ecx
0042BEC2   A1 A4604000     mov eax, dword ptr ds:[0x4060A4]
0042BEC7 - E9 C594FDFF     jmp dumped_.<ModuleEntryPoint>

 

Use LordPE to change the entry point to 0042BBA0. Done.
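As an added example (not from the original write-up or the packer), the Python below rebuilds the first 86-byte stolen-code block from the hex dump given earlier, checks that it covers exactly the listing's address range 00427753..004277A9, decodes the write-up's own JMP at 0042BEC7 (E9 C594FDFF) back to 00405391, and computes the JMP that would follow these bytes if this block alone were pasted at 0042BBA0. The addresses and bytes come from the write-up; placing only the first block at 0042BBA0 is this example's own assumption.

```python
# Added example: rebuild a stolen-code block from a hex dump and compute the
# E9 rel32 jump that hands control to the pseudo-OEP after it.
import struct

# Hex dump copied from the listing (00427753 .. 004277A3, 86 bytes).
STOLEN_HEX = """
51 8F 05 89 28 41 00 60 61 51 8F 05 CD 29 41 00 FF 35 CD 29 41 00 89 15 E1 28 41 00 FF 35 E1 28
41 00 56 BE 11 29 41 00 8B D6 5E 52 59 8F 05 3D 28 41 00 8B 15 3D 28 41 00 89 29 8F 05 A1 2A 41
00 56 BE A1 2A 41 00 8B 0E 5E FF 35 11 29 41 00 89 25 19 2B 41 00
"""

FIRST_VA = 0x00427753     # address of the first stolen instruction (from the listing)
NEXT_VA = 0x004277A9      # address of the first nop after the block (from the listing)
PSEUDO_OEP = 0x00405391   # jump target seen at 00429109
STUB_VA = 0x0042BBA0      # paste location used in the write-up (assumed to hold only this block here)


def parse_hex_dump(text: str) -> bytes:
    """Turn a space-separated hex dump into bytes; fused pairs like '2841' are accepted."""
    out = bytearray()
    for tok in text.split():
        if len(tok) % 2:
            raise ValueError(f"odd-length token {tok!r}")
        out += bytes.fromhex(tok)
    return bytes(out)


def span_matches(blob: bytes, first_va: int, next_va: int) -> bool:
    """The copied bytes must cover exactly the address range of the listing."""
    return len(blob) == next_va - first_va


def encode_jmp_rel32(src_va: int, dst_va: int) -> bytes:
    """E9 rel32: the displacement is relative to the end of the 5-byte instruction."""
    rel = dst_va - (src_va + 5)
    return b"\xE9" + struct.pack("<i", rel)


def decode_jmp_rel32(src_va: int, insn: bytes) -> int:
    """Resolve the target of an E9 rel32 located at src_va."""
    if len(insn) != 5 or insn[0] != 0xE9:
        raise ValueError("not a JMP rel32")
    return (src_va + 5 + struct.unpack("<i", insn[1:])[0]) & 0xFFFFFFFF


def build_stub(stolen: bytes, stub_va: int, oep: int) -> bytes:
    """Stolen bytes followed by a JMP to the pseudo-OEP, as they would sit at stub_va."""
    return stolen + encode_jmp_rel32(stub_va + len(stolen), oep)


if __name__ == "__main__":
    stolen = parse_hex_dump(STOLEN_HEX)
    print(len(stolen), span_matches(stolen, FIRST_VA, NEXT_VA))
    # The write-up's own JMP at 0042BEC7 is E9 C5 94 FD FF; it must resolve to 00405391.
    print(hex(decode_jmp_rel32(0x0042BEC7, bytes.fromhex("E9C594FDFF"))))
    stub = build_stub(stolen, STUB_VA, PSEUDO_OEP)
    print(stub[-5:].hex(" ").upper())
```

Checking the byte count against the address span catches a dropped or fused byte in the copied dump before it is pasted, and decoding the existing JMP confirms the rel32 arithmetic against a value the write-up already shows.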

 

 

 

All saved binary data (the listing of the first block again, followed by the bytes of every block):

00427753   51              push ecx
00427754   8F05 89284100   pop dword ptr ds:[0x412889]        ; [889] = ecx
0042775A   60              pushad
0042775B   61              popad
0042775C   51              push ecx
0042775D   8F05 CD294100   pop dword ptr ds:[0x4129CD]        ; [9cd] = ecx
00427763   FF35 CD294100   push dword ptr ds:[0x4129CD]
00427769   8915 E1284100   mov dword ptr ds:[0x4128E1], edx
0042776F   FF35 E1284100   push dword ptr ds:[0x4128E1]
00427775   56              push esi
00427776   BE 11294100     mov esi, vcmfc library 1.00412911
0042777B   8BD6            mov edx, esi
0042777D   5E              pop esi
0042777E   52              push edx
0042777F   59              pop ecx                            ; ecx = edx = 412911
00427780   8F05 3D284100   pop dword ptr ds:[0x41283D]
00427786   8B15 3D284100   mov edx, dword ptr ds:[0x41283D]
0042778C   8929            mov dword ptr ds:[ecx], ebp        ; [412911] = ebp
0042778E   8F05 A12A4100   pop dword ptr ds:[0x412AA1]
00427794   56              push esi
00427795   BE A12A4100     mov esi, vcmfc library 1.00412AA1
0042779A   8B0E            mov ecx, dword ptr ds:[esi]
0042779C   5E              pop esi
0042779D   FF35 11294100   push dword ptr ds:[0x412911]       ; this is the first stolen instruction: push ebp
004277A3   8925 192B4100   mov dword ptr ds:[0x412B19], esp

 

51 8F 05 89 28 41 00 60 61 51 8F 05 CD 29 41 00 FF 35 CD 29 41 00 89 15 E1 28 41 00 FF 35 E1 28
41 00 56 BE 11 29 41 00 8B D6 5E 52 59 8F 05 3D 28 41 00 8B 15 3D 28 41 00 89 29 8F 05 A1 2A 41
00 56 BE A1 2A 41 00 8B 0E 5E FF 35 11 29 41 00 89 25 19 2B 41 00

FF 35 19 2B 41 00 8F 05 C1 29 41 00 56 BE C1 29 41 00 8B 2E 5E 57 BF 9D 29 41 00 89 1F 5F FF 35
9D 29 41 00 89 35 31 28 41 00 FF 35 31 28 41 00 68 FF 5E 89 35 99 2A 41 00 8B 1D 99 2A
41 00 8F 05 0D 2A 41 00 8B 35 0D 2A 41 00 57

89 1C 24 8F 05 29 41 00 8F 05 19 28 41 00 FF 35 19 28 41 00 5B FF 35 05 29 41 00 89 05 D5 2A
41 00 FF 35 D5 2A 41 00 89 3C 24 89 0C 24 C7 04 24 A0 61 40 00 57 8F 05 E1 2A 41 00 FF 35 E1 2A
41 00 89 1C 24 C7 04 24 C0 54 40 00

64 A1 00 00 00 00 89 05 A5 29 41 00 FF 35 A5 29 41 00 89 1C 24 89 0D 85 2A 41 00 FF 35 85 2A 41
00 57 BF 91 29 41 00 8B CF 5F 56 8B F1 8B DE 5E 8B 0C 24 8F 05 B5 2A 41 00 89 03 8B 1C 24 8F 05
ED 28 41 00 FF 35 91 29 41 00

64 89 25 00 00 00 00 83 EC 68 53 8F 05 D5 29 41 00 FF 35 D5 29 41 00 8F 05 99 28 41 00 FF 35 99
28 41 00 57 89 04 24 8F 05 65 29 41 00 FF 35 65 29 41 00 89 34 24 52 8F 05 F1 28 41 00 FF 35 F1
28 41 00 89 3D C9 2A 41 00 FF 35 C9 2A 41 00

56 8F 05 31 2A 41 00 60 61 68 E5 2A 41 00 5F 51 8B CF 8B D1 59 8F 05 B9 28 41 00 8B 3D B9 28 41
00 89 3A 8F 05 D1 28 41 00 53 BB D1 28 41 00 8B 13 5B FF 35 E5 2A 41 00 89 65 E8 33 DB 89 5D FC
89 15 85 29 41 00 FF 35 85 29 41 00 89 34 24 53 89 14 24 50 B8 02 00 00 60

8B D0 58 52 5E 8F 05 01 2A 41 00 8B 15 01 2A 41 00 56 89 14 24 50 B8 25 29 41 00 8B D0 58 89 32
8F 05 AD 29 41 00 8B 15 AD 29 41 00 8B 34 24 8F 05 B9 2A 41 00 FF 35 25 29 41 00 FF 15 98 60 40
00 8F 05 01 29 41 00 50 B8 5D 2A 41 00 89 38 58

FF 35 5D 2A 41 00 51 C7 04 24 01 29 41 00 8F 05 85 28 41 00 8B 3D 85 28 41 00 8B 0F 8B 3C 24 8F
05 61 29 41 00 83 0D B4 F1 40 00 FF 83 0D B8 F1 40 00 FF 15 9C 60 40 00 89 05 C1 28 41 00 FF
35 C1 28 41 00 57 BF 35 28 41 00 8B C7 5F 89 30

8B 04 24 8F 05 41 28 41 00 FF 35 28 28 41 00 50 8F 05 6D 2A 41 00 FF 35 6D 2A 41 00 89 3D 39 28
41 00 FF 35 39 28 41 00 51 B9 7C 71 40 00 8B F9 59 57 58 5F 50 5E 8F 05 2D 2A 41 00 8B 05 2D 2A
41 00 8B 0E 8F 05 11 2B 41 00 FF 35 11 2B 41 00

55 8F 05 25 2B 41 00 60 61 5E 89 08 FF 15 A0 60 40 00 52 8F 05 55 2A 41 00 FF 35 55 2A 41 00 C7
05 29 29 41 00 78 71 40 00 FF 35 29 41 00 8F 05 35 2A 41 00 8B 15 35 2A 41 00 8B 0A 8F 05 C9
28 41 00 50 B8 C9 28 41 00 8B 10 58 89 08 A1 A4 60 40 00

 


How can I know the OEP entry point after I use the unpacking software? (It is shown in the software.)

The general idea for finding the OEP is as follows: check whether the shell is an encryption shell or a compression shell. Compression shells are easier; generally there are no exceptions. After finding the matching popad, you can get to the entry. The ways of transferring to the entry are generally jmp OEP, push OEP / ret, and call OEP. Of course there are other methods, such as je OEP, which usually involve large jumps across sections; the OD disassembly window shows the contents of the same section, so it is fairly easy to tell whether a jump crosses sections.
That's all I know. Sorry, I'm a beginner in computer science.

How can we find the real OEP program entry?? Like a program wrapped in an Armadillo shell, Old Wang: when unpacking, there is always a false OEP.

All of these have to be done by single-stepping. Different shells and different versions have different OEPs; there is no simple solution. Otherwise there would not be different scripts for different versions of the same shell.
