Removing the UPX 0.89.6-1.02/1.05-1.24 shell using the ESP Law

Source: Internet
Author: User

 
Using the ESP law (also known as the ESP trick) not only makes unpacking compressed shells very simple, it also copes with many encryption shells.
In short, the ESP law relies on the principle of stack balance.
Treat the shell as a subroutine: after it has decompressed or decrypted the original code, it must restore the stack to balance before handing over control.
So when execution reaches the OEP, ESP is the same as it was when the shell first wrote to the stack.
How to use the ESP law: load the packed program, single-step it, and note the value of ESP the first time it changes.
Set a hardware access breakpoint on that stack address and run the program; a typical compressed shell then stops at the instruction that jumps to the OEP.
Worked instance: removing the UPX 0.89.6-1.02/1.05-1.24 shell with the ESP law
1. Load the UPX-packed crackme.exe in OllyDbg.
Address   HEX data   Disassembly   Comment
00457B40  60         PUSHAD        program entry point
Registers (FPU)
EAX 00000000
ECX 0012FFB0
EDX 7C92EB94 ntdll.KiFastSystemCallRet
EBX 7FFDD000
ESP 0012FFC4
EBP 0012FFF0
ESI FFFFFFFF
EDI 7C930738 ntdll.7C930738
EIP 00457B40 Crackme.<ModuleEntryPoint>
C 0  ES 0023 32bit 0(FFFFFFFF)
P 1  CS 001B 32bit 0(FFFFFFFF)
A 0  SS 0023 32bit 0(FFFFFFFF)
Z 1  DS 0023 32bit 0(FFFFFFFF)
S 0  FS 003B 32bit 7FFDF000(FFF)
T 0  GS 0000 NULL
D 0
O 0  LastErr ERROR_SUCCESS (00000000)
EFL 00000246 (NO,NB,E,BE,NS,PE,GE,LE)
ST0 empty -UNORM BCE0 01050104 00000000
ST1 empty 0.0
ST2 empty 0.0
ST3 empty 0.0
ST4 empty 0.0
ST5 empty 0.0
ST6 empty 0.0
ST7 empty 0.0
              3 2 1 0      E S P U O Z D I
FST 0000  Cond 0 0 0 0  Err 0 0 0 0 0 0 0 0 0 (GT)
FCW 027F  Prec NEAR,53  Mask 1 1 1 1 1
2. Press F8 to single-step to the second instruction.
Address   HEX data      Disassembly
00457B41  BE 00B04300   MOV ESI, Crackme.0043B000
The value in ESP has now changed to 0012FFA4 (the exact value may differ on another machine):
EAX 00000000
ECX 0012FFB0
EDX 7C92EB94 ntdll.KiFastSystemCallRet
EBX 7FFDD000
ESP 0012FFA4
EBP 0012FFF0
ESI FFFFFFFF
EDI 7C930738 ntdll.7C930738
EIP 00457B41 Crackme.00457B41
C 0  ES 0023 32bit 0(FFFFFFFF)
P 1  CS 001B 32bit 0(FFFFFFFF)
A 0  SS 0023 32bit 0(FFFFFFFF)
Z 1  DS 0023 32bit 0(FFFFFFFF)
S 0  FS 003B 32bit 7FFDF000(FFF)
T 0  GS 0000 NULL
D 0
O 0  LastErr ERROR_SUCCESS (00000000)
EFL 00000246 (NO,NB,E,BE,NS,PE,GE,LE)
ST0 empty -UNORM BCE0 01050104 00000000
ST1 empty 0.0
ST2 empty 0.0
ST3 empty 0.0
ST4 empty 0.0
ST5 empty 0.0
ST6 empty 0.0
ST7 empty 0.0
              3 2 1 0      E S P U O Z D I
FST 0000  Cond 0 0 0 0  Err 0 0 0 0 0 0 0 0 0 (GT)
FCW 027F  Prec NEAR,53  Mask 1 1 1 1 1
3. Set a hardware access breakpoint on that address with the hr command.
Enter hr 0012FFA4 on the OllyDbg command line
[Enter...]
Then press F9 to run the program.
We stop at 00457C65  E9 D295FAFF  JMP Crackme.0040123C,
which is exactly the JMP that transfers control to the OEP.
Press F8 once to follow the jump to address 0040123C.
4. Right-click in the CPU window and choose "Dump debugged process" (OllyDump).
Normally the start address is 400000 and the file size is detected automatically.
The entry point is also set automatically to offset 123C, the program's OEP,
and the code start RVA and data start are filled in by default as well.
5. Tick "Rebuild Import" so that OllyDump repairs the import table automatically.
Normally select Method1; if the unpacked program does not run properly, try Method2.
Even so, it is best to fix the imports with a dedicated tool such as Import REConstructor.
6. Click the Dump button to write the unpacked file.
Scanning the dumped program with PEiD now reports that it was written in Microsoft Visual Basic 5.0/6.0.
[Finish...]
The effect of the ESP law is obvious here:
mastering it is very useful for manual unpacking.
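The stack-balance principle behind steps 2 and 3, as an added Python model that is not part of the original post: the instruction trace, the abbreviated decompression loop ("skip") and the hardware-breakpoint semantics are constructed and simplified, while the addresses and register values are the ones shown in the walkthrough above. It demonstrates why an access breakpoint on the post-PUSHAD ESP stops exactly at the JMP to OEP, with ESP restored and the stub's register changes undone.

```python
GPRS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]  # PUSHAD push order
OEP = 0x0040123C
# Constructed stub (address -> (mnemonic, operand)) imitating the UPX stub on the page;
# the decompression loop between MOV ESI and POPAD is abbreviated to one "skip".
STUB = {
    0x00457B40: ("pushad", None),
    0x00457B41: ("mov", ("esi", 0x0043B000)),
    0x00457B46: ("skip", 0x00457C64),
    0x00457C64: ("popad", None),
    0x00457C65: ("jmp", OEP),                  # the JMP to OEP that the trick lands on
}

class CPU:
    def __init__(self):
        # GPR values as shown in the OllyDbg register pane at the entry point
        self.regs = dict(zip(GPRS, [0, 0x0012FFB0, 0x7C92EB94, 0x7FFDD000,
                                    0x0012FFC4, 0x0012FFF0, 0xFFFFFFFF, 0x7C930738]))
        self.eip, self.mem = 0x00457B40, {}    # mem: sparse stack, one dword per slot

    def step(self):
        """Execute one instruction; return the set of stack addresses it accessed."""
        mnem, arg = STUB[self.eip]
        touched, esp = set(), self.regs["esp"]
        if mnem == "pushad":                   # saves all eight GPRs, ESP drops by 0x20
            for i, r in enumerate(GPRS):       # the ESP slot receives the pre-PUSHAD value
                self.mem[esp - 4 * (i + 1)] = self.regs[r]
            touched = {esp - 4 * (i + 1) for i in range(8)}
            self.regs["esp"], self.eip = esp - 0x20, self.eip + 1
        elif mnem == "popad":                  # restores them, ESP returns to the old value
            for i, r in enumerate(reversed(GPRS)):
                if r != "esp":                 # POPAD discards the saved ESP slot
                    self.regs[r] = self.mem[esp + 4 * i]
            touched = {esp + 4 * i for i in range(8)}
            self.regs["esp"], self.eip = esp + 0x20, self.eip + 1
        elif mnem == "mov":
            self.regs[arg[0]], self.eip = arg[1], self.eip + 5
        else:                                  # "skip" and "jmp" only transfer control
            self.eip = arg
        return touched

def esp_after_first_change(cpu):  # step 2: single-step until ESP changes
    start = cpu.regs["esp"]
    while cpu.regs["esp"] == start:
        cpu.step()
    return cpu.regs["esp"]

def run_with_hw_access_bp(cpu, bp_addr, limit=100):
    """Step 3: the access breakpoint fires after the accessing instruction retires,
    so EIP already points at the instruction after POPAD, i.e. the JMP to OEP."""
    for _ in range(limit):
        if bp_addr in cpu.step():
            return cpu.eip
    raise RuntimeError("breakpoint never hit")
```

Calling esp_after_first_change on a fresh CPU returns 0012FFA4, and run_with_hw_access_bp with that address returns 00457C65 with ESP back at 0012FFC4 and ESI restored to FFFFFFFF.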
Crack by Cr4ckk3y
