Quick Shell Removal Using OllyDbg

Source: Internet
Author: User

Objective: Unpack NOTEPAD.EXE packed with ASPACK and with UPX
Tools: OllyDbg 1.09 English version, DUMP plug-in, PEditor
System: Win98SE
Keywords: Unpacking (shelling), OllyDbg, OD, DUMP, PUSHAD, POPAD

Prerequisites
Most packers (shells) share a common feature: they execute PUSHAD when the shell is about to start decompressing,
and POPAD when decompression is finished. What do PUSHAD and POPAD do? PUSHAD pushes all the general-purpose
registers onto the stack in a fixed order; POPAD pops them all back, in the reverse order of PUSHAD. To protect
the registers, the shell pushes them all onto the stack before decompression; after decompression it pops them
back from the stack, restoring their original values, and then sets EIP to the OEP (original entry point) of the
original program. Using this feature you can quickly unpack many kinds of software.

ASPACK
Pack NOTEPAD.EXE with ASPACK and load it with OllyDbg (OD). The cursor stops at the shell's entry point:
0040D001> 60 PUSHAD ; shell entry: save the registers before decompression starts
0040D002 E8 03000000 CALL NOTEPAD.0040D00A
......
Ignore the code in between and scroll down looking for the POPAD instruction. It is found at 40D3AF:
......
0040D3AF 61 POPAD ; decompression finished, restore the registers
0040D3B0 75 08 JNZ SHORT NOTEPAD.0040D3BA
0040D3B2 B8 01000000 MOV EAX,1
0040D3B7 C2 0C00 RETN 0C
0040D3BA 68 CC104000 PUSH NOTEPAD.004010CC ; return to the OEP of the original program
0040D3BF C3 RETN
......
Select the line at 40D3AF and press F4 to run to it. At this point the shell has finished decompressing and is
about to return to the original program's entry point. Press F8 to single-step until you reach 4010CC; this is the
OEP of the original program. Use the DUMP plug-in to dump it directly (while dumping, change the entry point to
10CC, that is, 4010CC - 400000 = 10CC, where 400000 is the image base). The dumped file is 77059 bytes. You can use
PEditor to rebuild the PE header. The original uncompressed file is 53248 bytes; the file after unpacking is
60930 bytes.

UPX
Pack NOTEPAD.EXE with UPX and load it with OD. It stops at PUSHAD; use the same method as for ASPACK to search
for the POPAD:
......
0040E9FE 61 POPAD
0040E9FF -E9 C826FFFF JMP NOTEPAD.004010CC
......
The JMP that follows POPAD jumps to the program's OEP. Press F4 to run to 40E9FF, then F8 to single-step once and
arrive at the OEP, and dump. The dumped file is 65536 bytes and runs directly. To make it perfect, use PEditor to
rebuild the PE header. The file after unpacking is 60293 bytes.
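Both sections above end the same way: after POPAD, the shell transfers control to the OEP either with a
JMP rel32 (UPX) or with a PUSH imm32 / RETN pair (ASPACK). The following script is an added example (not part of
the original article) that automates that last step: it scans a byte buffer for POPAD, decodes the transfer
instruction that follows, and derives the OEP and the entry-point RVA to write into the dumped file. The byte
strings are constructed from the two OllyDbg listings above; they are not read from a real packed file.

```python
import struct

IMAGE_BASE = 0x00400000
PUSHAD, POPAD, JMP_REL32, PUSH_IMM32, RETN = 0x60, 0x61, 0xE9, 0x68, 0xC3

# Constructed from the listings above (tail of each shell's unpacking stub).
UPX_TAIL_VA = 0x0040E9FE
UPX_TAIL = bytes.fromhex("61" "E9C826FFFF")           # POPAD ; JMP 004010CC

ASPACK_TAIL_VA = 0x0040D3AF
ASPACK_TAIL = bytes.fromhex(                           # POPAD ; JNZ ; MOV ; RETN 0C
    "61" "7508" "B801000000" "C20C00" "68CC104000" "C3")  # PUSH 004010CC ; RETN


def entry_is_pushad(code):
    """True when the first byte at the shell's entry point is PUSHAD."""
    return len(code) > 0 and code[0] == PUSHAD


def find_oep(code, code_va, max_tail=32):
    """Return (popad_va, oep_va) for the first POPAD that is followed, within
    max_tail bytes, by 'JMP rel32' (UPX style) or 'PUSH imm32 ; RETN' (ASPACK
    style). Plain byte scan: an immediate could also contain these opcodes,
    so confirm the result in the debugger as the article does."""
    for i, b in enumerate(code):
        if b != POPAD:
            continue
        popad_va = code_va + i
        tail = code[i + 1:i + 1 + max_tail]
        for j, op in enumerate(tail):
            insn_va = popad_va + 1 + j
            if op == JMP_REL32 and len(tail) >= j + 5:
                rel = struct.unpack_from("<i", tail, j + 1)[0]
                return popad_va, (insn_va + 5 + rel) & 0xFFFFFFFF
            if op == PUSH_IMM32 and len(tail) >= j + 6 and tail[j + 5] == RETN:
                return popad_va, struct.unpack_from("<I", tail, j + 1)[0]
    return None


def entry_point_rva(oep_va, image_base=IMAGE_BASE):
    """AddressOfEntryPoint to set when dumping: OEP minus image base."""
    return oep_va - image_base


if __name__ == "__main__":
    for name, tail, va in (("UPX", UPX_TAIL, UPX_TAIL_VA),
                           ("ASPACK", ASPACK_TAIL, ASPACK_TAIL_VA)):
        popad_va, oep = find_oep(tail, va)
        print(f"{name}: POPAD at {popad_va:08X}, OEP {oep:08X}, "
              f"entry RVA {entry_point_rva(oep):X}")
```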

Postscript
Using the method described above, many shells can be removed by hand quickly. If you do not have the OD dump
plug-in, you can find it in the download area of the new forum. If you still cannot get it, stop at the OEP and
use PEDump to dump. I haven't written anything for a long time; this article is intended for beginners. After all,
a shell is also just software, and however complicated it is, it can be unpacked. Good luck.
In addition, please keep this article complete when reprinting.
