PEQueKe 0.06 junk-instruction packer: learning notes

Source: Internet
Author: User

This packer looks like a tough one!
It uses a junk-instruction generation engine, and in the end I did not manage to reach the OEP. Below are my learning notes.
Protection techniques I identified: junk instructions and memory-access exceptions; the junk-instruction engine is mature. It also appears that code executed from the stack is terminated by an exception.
The junk instructions are everywhere in practice, so you have to work through them in OD (OllyDbg).
The program starts with a CALL to 004050AA and then computes its own load address:
Code:
004050AA 5D pop ebp ; the CALL pushed the address of the next instruction; pop it into EBP
004050AB 81ED 05000000 sub ebp, 5 ; back to the start of the packer code, so the packer segment can be addressed relative to EBP

Next, the packer loads Kernel32.dll (whose name is stored in the packer segment), obtains the address of VirtualAlloc, and calls VirtualAlloc to allocate a block of the specified size that will receive the decoded packer code.
004050B1 8D75 3D lea esi, dword ptr ss:[ebp+3D] ; "Kernel32.dll"
004050B4 56 push esi ; address of the "Kernel32.dll" string
004050B5 FF55 31 call dword ptr ss:[ebp+31] ; GetModuleHandleA, get the module base address
004050B8 8DB5 81000000 lea esi, dword ptr ss:[ebp+81] ; "VirtualAlloc"
004050BE 56 push esi ; address of the "VirtualAlloc" string
004050BF 50 push eax ; module base address of Kernel32.dll
004050C0 FF55 2D call dword ptr ss:[ebp+2D] ; GetProcAddress, get the function address
004050C3 8985 8E000000 mov dword ptr ss:[ebp+8E], eax ; store the VirtualAlloc function address
004050C9 6A 04 push 4 ; flProtect = PAGE_READWRITE
004050CB 68 00100000 push 1000 ; flAllocationType = MEM_COMMIT
004050D0 68 28900000 push 9028 ; dwSize = 0x9028 bytes
004050D5 6A 00 push 0 ; lpAddress = 0, let the system choose the start address
004050D7 FF95 8E000000 call dword ptr ss:[ebp+8E] ; call VirtualAlloc

After the virtual memory is allocated, the packer code is decrypted and copied into the allocated memory. The junk instructions are generated randomly during this process, and finally a JMP jumps into the allocated memory to execute the code.
004050DD 50 push eax ; virtual memory address
004050DE 8B9D 7D000000 mov ebx, dword ptr ss:[ebp+7D] ; offset of the data to be decoded, 19C
004050E4 03DD add ebx, ebp ; plus the program start address 00405000 gives 0040519C
004050E6 50 push eax ; allocated virtual memory address, parameter 2
004050E7 53 push ebx ; source location, parameter 1
004050E8 E8 04000000 call PECompac.004050F1 ; decode and copy
004050ED 5A pop edx ; restore the virtual memory address (the push eax before the MOV)
004050EE 55 push ebp ; packer code base address
004050EF FFE2 jmp edx ; jump into the virtual memory
After decryption, the code contains many junk instructions. Note the following:
003D0000 EB 01 jmp short 003D0003 ; jump to 3D0003
003D0002 90 nop ; generated junk byte. The original byte here is 0F (decoded as RDTSC, 0F 31). Right-click, open the binary editor, and replace 0x0F with a NOP so the 0x31 opcode of the next instruction is kept.
003D0003 31F0 xor eax, esi ; XOR of the allocated memory size and the address of the "VirtualAlloc" string
003D0005 EB 0C jmp short 003D0013 ; jump to the push ecx below
003D0007 33C8 xor ecx, eax ; ecx XOR eax
003D0009 EB 03 jmp short 003D000E ; jump over the junk byte; I have already replaced the junk opcode 0x0F with NOP
003D000B EB 09 jmp short 003D0016 ; jump to the xor eax, esi below, which is also preceded by a junk byte
003D000D 90 nop ; original bytes: 003D000D 0F 59 74 05 mulps xmm6, dqword ptr ss:[ebp+eax+75]; the opcode 0x0F is changed to 90
003D000E 59 pop ecx ; restore ecx
003D000F 74 05 je short 003D0016 ; jump if ZF = 1
003D0011 ^ 75 F8 jnz short 003D000B ; jump up if ZF = 0
003D0013 51 push ecx
003D0014 ^ EB F1 jmp short 003D0007 ; jump up to xor ecx, eax
003D0016 EB 01 jmp short 003D0019
003D0018 90 nop ; same as above, 0x0F changed to 90
003D0019 31F0 xor eax, esi ; eax XOR esi
003D001B EB 0C jmp short 003D0029 ; jump to the push ecx below
003D001D 33C8 xor ecx, eax ; exclusive or
003D001F EB 03 jmp short 003D0024 ; jump over the junk byte; we change 0x0F to 90
003D0021 EB 09 jmp short 003D002C ; jump to xor esi, esi, which clears esi
003D0023 90 nop
003D0024 59 pop ecx ; restore ecx
003D0025 74 05 je short 003D002C ; jump if ZF = 1
003D0027 ^ 75 F8 jnz short 003D0021 ; if ZF = 0, jump up to the jmp at 003D0021
003D0029 51 push ecx ; save ecx
003D002A ^ EB F1 jmp short 003D001D ; jump up to xor ecx, eax
003D002C 33F6 xor esi, esi ; clear esi
003D002E E8 10000000 call 003D0043

Now a larger batch of junk instructions. Instruction:
003D002C 33F6 xor esi, esi
003D002E E8 10000000 call 003D0043
{
003D0041 C783 64FF3500 0> mov dword ptr ds:[ebx+35FF64], 64000000
003D004B 8925 00000000 mov dword ptr ds:[0], esp
003D0051 AD lods dword ptr ds:[esi]
}
Modified code:
003D0041 90 nop
003D0042 90 nop
003D0043 64:FF35 00000000 push dword ptr fs:[0]
003D004A 64:8925 00000000 mov dword ptr fs:[0], esp
003D0051 AD lods dword ptr ds:[esi]
003D0052 CD 20 int 20 ; anti-tracing code
Instruction:
003D0054 68 9F6F56B6 push B6566F9F
003D0059 50 push eax
003D005A E8 5D000000 call 003D00BC
{
003D00BC 58 pop eax
003D00BD EB FF jmp short 003D00BE
}
After modification:
003D00BC 58 pop eax
003D00BD 90 nop
003D00BE FFF0 push eax
003D00C0 EB FF jmp short 003D00C1
Instruction:
003D00C0 EB FF jmp short 003D00C1
003D00C2 C083 E8FDEBFF 30 rol byte ptr ds:[ebx+FFEBFDE8], 30 ; shift constant out of the 1..31 range
003D00C9 E8 C9000000 call 003D0197 ; affected by the preceding instruction
After modification:
003D00C0 90 nop
003D00C1 FFC0 inc eax
003D00C3 83E8 FD sub eax, -3
003D00C6 EB FF jmp short 003D00C7 ; another junk pair
003D00C8 30E8 xor al, ch
After modification:
003D00C6 90 nop
003D00C7 FF30 push dword ptr ds:[eax]
Code:
003D00C7 FF30 push dword ptr ds:[eax]
003D00C9 E8 C9000000 call 003D0197
{
003D0196 ^ EB 83 jmp short 003D011B ; junk instruction
003D0198 C017 EB rcl byte ptr ds:[edi], 0EB ; shift constant out of the 1..31 range
}
After modification:
003D0196 90 nop
003D0197 83C0 17 add eax, 17
Instruction:
003D019A EB FF jmp short 003D019B ; junk
003D019C ^ 70 ED jo short 003D018B
After modification:
003D019A 90 nop
003D019B FF70 ED push dword ptr ds:[eax-13]
This is a puzzling spot, and it is not right at all:
003D0081 75 09 jnz short 003D008C
003D0083 81F3 EBFF52BA xor ebx, BA52FFEB
003D0089 0100 add dword ptr ds:[eax], eax
003D008B 83EB FC sub ebx, -4
003D008E 4A dec edx
003D008F FF71 0F push dword ptr ds:[ecx+F]
Can any expert explain this?
There is a lot more code like this further on. My experience so far:
When facing a large number of junk instructions, make the modifications in execution order, following the code as it runs. Otherwise, patching each one as soon as you see it will disrupt the code.
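As an added example (not part of the original notes), here is a small scoped patcher for the two short-jmp junk patterns that recur in the listings above: EB 01 followed by a dead byte (003D0000, 003D0016) and EB FF jumping into its own operand (003D00BD, 003D00C0, 003D00C6, 003D019A). The function and constant names are my own, the byte fragments are reconstructed from the listings, and the 003D0081 fragment shows why the sweep must be limited to stretches confirmed by stepping: the immediate of xor ebx, BA52FFEB also contains the bytes EB FF.

```python
NOP = 0x90

def neutralize_short_jmp_junk(code, base=0, start=0, end=None):
    """Patch code[start:end]; return (patched bytearray, log of patches).

    Pattern A  EB 01 XX : jmp short +1 skips XX. XX never executes, but a linear
                          sweep decodes it (0F 31 F0 -> rdtsc, lock ...). Replace
                          XX with NOP; the real instruction at +3 is untouched.
    Pattern B  EB FF    : jmp short -1 lands on its own FF operand, the first byte
                          of the real instruction (FF F0 = push eax). Replace the
                          EB with NOP and keep the FF.
    Neither patch changes an instruction length, so listing addresses stay valid.
    """
    out = bytearray(code)
    end = len(out) if end is None else end
    log = []
    i = start
    while i + 1 < end:
        if out[i] == 0xEB and out[i + 1] == 0x01 and i + 2 < end:
            log.append(f"{base + i + 2:08X}: dead byte {out[i + 2]:02X} -> NOP")
            out[i + 2] = NOP
            i += 3
        elif out[i] == 0xEB and out[i + 1] == 0xFF:
            log.append(f"{base + i:08X}: EB of EB FF -> NOP, FF kept as opcode")
            out[i] = NOP
            i += 1  # resume at the FF: it starts real code
        else:
            i += 1
    return out, log

# Constructed from the listing at 003D0000: jmp +1, junk 0F, xor eax,esi, jmp +0C
JUNK_3D0000 = bytes.fromhex("EB01 0F 31F0 EB0C")
# Constructed from 003D00BC..003D00CD: pop eax, then three EB FF junk pairs
JUNK_3D00BC = bytes.fromhex("58 EBFF FFF0 EBFF FFC0 83E8FD EBFF FF30 E8C9000000")
# Constructed from 003D0081: the immediate of xor ebx,BA52FFEB contains EB FF
XOR_3D0081 = bytes.fromhex("7509 81F3EBFF52BA 0100 83EBFC 4A FF710F")

def demo():
    """Run the patcher over the three fragments; return hex results and a log."""
    a, _ = neutralize_short_jmp_junk(JUNK_3D0000, base=0x3D0000)
    b, _ = neutralize_short_jmp_junk(JUNK_3D00BC, base=0x3D00BC)
    # An unscoped sweep over the 003D0081 fragment is a false positive: it
    # rewrites a byte inside the xor immediate, the kind of damage the notes
    # warn about when every EB FF is patched without following execution.
    c, log = neutralize_short_jmp_junk(XOR_3D0081, base=0x3D0081)
    # Starting the sweep after the xor instruction (offset 8) leaves it intact.
    d, _ = neutralize_short_jmp_junk(XOR_3D0081, base=0x3D0081, start=8)
    return a.hex(), b.hex(), c.hex(), d.hex(), log
```

Bytes that become dead only because an earlier unconditional jump never falls through (the 0F at 003D000D, reached from nowhere) are not covered by these two patterns and still need the manual reasoning shown in the listing.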


BY Deng Tao
