ORiEN packer analysis and unpacking
Author: Fly2015
I have not come across the ORiEN packer before, and I don't know whether it is a compression packer or an encryption packer, so I can only try it out. The program to be unpacked is the target from the 7th cracking and unpacking exercise.
First, identify the packer on the target program. This is a necessary first step in any unpacking job.
Scanning the packed program with DIE (Detect It Easy) shows that the original program was written in Delphi. This information is very helpful for finding the OEP of the original program, since Delphi entry code is easy to recognize.
Next, load the program into OllyDbg (OD) and look at the assembly code at the packed program's entry point.
When unpacking, don't rush straight into the unpacking itself. It is better to look at the program's assembly code first and step through a few instructions with F7/F8; you may well discover something new.
Single-stepping with F8, I find a PUSHAD instruction; one more F8 executes the PUSHAD. Now apply the ESP trick: follow the address held in the ESP register and set a hardware breakpoint (HW Break) on it.
Press F9 to run; the program stops at the hardware breakpoint just set. Look at the EAX register: its value is 0045159C. Disassembling at 0045159C reveals the familiar Delphi entry code, so 0045159C is clearly the OEP VA of the original, packed program. In fact, a few more F7 steps reach address 004A1AF4; follow the JMP there to address 004A1AF1 and you find the real OEP of the original program.
Following the JMP to address 004A1AF1 lands on a jmp eax instruction, where EAX = 0045159C holds the real OEP VA of the packed program.
A single F7 step then arrives at address 0045159C, where the Delphi entry code is found.
OK, the real OEP of the packed program has been found, so the memory dump and IAT repair can now be done. Once the OEP is located, I recommend using LordPE together with ImportREC (or Scylla) for the memory dump and IAT repair rather than the OD OllyDump plug-in, since they are more flexible. First use LordPE to take a full dump of the running program, then enter the real OEP RVA of the program, 0005159C, into ImportREC, let it get the IAT automatically, cut out the invalid function pointers, and fix the dump file, which completes the unpack.
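To show what the last step does under the hood, here is an added example (my own code, not from the original post or from LordPE/ImportREC): it reads ImageBase from a dump's PE header, converts the OEP VA seen in the debugger into an RVA, and writes that RVA into AddressOfEntryPoint, which is the value ImportREC is given above. The header it operates on is a constructed minimal PE32 sample with an assumed image base of 00400000, which is what turns VA 0045159C into the page's RVA 0005159C.

```python
import struct

def _optional_header_offset(data: bytes) -> int:
    """Locate IMAGE_OPTIONAL_HEADER: e_lfanew -> 'PE\\0\\0' -> 20-byte file header."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return e_lfanew + 4 + 20

def read_image_base(data: bytes) -> int:
    """ImageBase sits at +0x1C (4 bytes) for PE32 and at +0x18 (8 bytes) for PE32+."""
    opt = _optional_header_offset(data)
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:
        return struct.unpack_from("<I", data, opt + 0x1C)[0]
    if magic == 0x20B:
        return struct.unpack_from("<Q", data, opt + 0x18)[0]
    raise ValueError(f"unknown optional header magic {magic:#x}")

def read_entry_point(data: bytes) -> int:
    """AddressOfEntryPoint is at +0x10 in both optional header layouts."""
    return struct.unpack_from("<I", data, _optional_header_offset(data) + 0x10)[0]

def oep_va_to_rva(oep_va: int, image_base: int) -> int:
    """RVA = VA - ImageBase; the VA must lie inside the mapped image."""
    if oep_va < image_base:
        raise ValueError("OEP VA lies below the image base")
    return oep_va - image_base

def fix_dump_entry_point(data: bytearray, oep_va: int) -> int:
    """Point the dump's entry at the real OEP (as an RVA) and return that RVA."""
    rva = oep_va_to_rva(oep_va, read_image_base(data))
    struct.pack_into("<I", data, _optional_header_offset(data) + 0x10, rva)
    return rva

def build_sample_pe32(image_base: int, entry_rva: int) -> bytearray:
    """Constructed minimal PE32 header (not a real binary) to exercise the helpers."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header follows immediately
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)  # i386, 1 section
    opt = bytearray(0xE0)                     # sizeof(IMAGE_OPTIONAL_HEADER32)
    struct.pack_into("<H", opt, 0x00, 0x10B)  # PE32 magic
    struct.pack_into("<I", opt, 0x10, entry_rva)  # packer stub entry point
    struct.pack_into("<I", opt, 0x1C, image_base)
    return dos + b"PE\0\0" + file_hdr + opt

if __name__ == "__main__":
    dump = build_sample_pe32(0x00400000, 0x000A1000)  # stub entry in a high section
    print(f"patched OEP RVA = {fix_dump_entry_point(dump, 0x0045159C):#010x}")
```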
Finally, run the unpacked program to verify that the unpacking succeeded.
ORiEN unpacking analysis notes and the unpacked program: http://download.csdn.net/detail/qq1084283172/8898321
Copyright notice: this article is the blogger's original work and may not be reproduced without the blogger's permission.