After the program is unpacked, it may not run. This is not necessarily because the wrong entry point was found; the import table usually still has to be rebuilt. You may need to do the following:
1. The general steps for using ImportREC are as follows:
(1) Select a process. You can use the process that OD is debugging, or run the program directly and attach to it.
(2) Manually change the OEP to the OEP found in OD, then click "IAT AutoSearch".
(3) Click "Get Imports" and check the large window for invalid pointers.
(4) If all entries are valid, click "Fix Dump" and select the dumped file in the dialog that opens. The generated file whose name ends in "_" is the repaired file.
(5) If invalid entries exist, click "Show Invalid", right-click the highlighted entries in the large window, and trace them with the appropriate trace level. Level 1 and Level 3 are the ones commonly used. With Level 3 the target program easily crashes. Workarounds: (1) start the program normally and attach to it instead of using the process OD is debugging; (2) hold Shift to trace a few pointers at a time instead of all of them at once.
(6) You can also repair a pointer manually: right-click it and choose "Disassemble/Hex view" to inspect it, work out which module and which API the pointer refers to, then double-click the pointer and select that module and API in the dialog that opens.
Note: some pointers belong to the packer itself and cannot be repaired. Usually you can simply cut them out, but with some packers (pangolin, for example) the program will not run without them.
(7) If the target terminates or another exception occurs while pointers are being fixed, use "Save Tree" to save the work so far; after re-attaching to the process, use "Load Tree" to continue.
(8) LordPE also ships with some plug-ins for tracing and collecting pointers.
(9) Note: sometimes the RVA and Size fields need to be changed. If the program still does not run after the fix, consider this. The symptom is that very few pointers are found, or pointers the program actually uses are missing from the list. In that case, right-click in OD's data window and locate the area holding the program's import pointers: the start of that area is the RVA and its length is the Size. Then click "Get Imports", cut out the invalid pointers, and "Fix Dump".
2. Appended (overlay) data
If the program still does not run after unpacking and import repair, for example with an "invalid data" error message, it may carry appended data after the last section. The solution is:
Open the program in a hex editor such as WinHex and search backwards from the end of the file for the position where the zero padding ends. Everything from there to the end of the file is the appended data, and it has to be appended to the end of the unpacked program as well. Method: select the block, copy it, and paste it at the end of the unpacked file.
A more convenient way to find where the appended data begins is to open the packed program in LordPE's PE editor, click Sections to display the section table, select the last section, and compute the start of the appended data as: start of the appended data = ROffset of the last section + RSize of the last section.
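The same calculation, done from the PE section table instead of by hand in LordPE, as an added example that is not part of the original article. It generalises the "last section" rule to the highest raw end over all sections (so a section table that is not in file order still works) and skips sections that have no file data. The sample image is constructed inline and is not a real binary.

```python
import struct

# IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PtrRelocs, PtrLinenums, NumRelocs, NumLinenums, Characteristics
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")  # 40 bytes


def overlay_offset(data: bytes) -> int:
    """File offset where appended (overlay) data begins.

    Equivalent to ROffset + RSize of the last section in LordPE, but taken as
    the maximum over all sections in case the table is not in file order.
    """
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    size_opt = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    sec_table = e_lfanew + 24 + size_opt  # after PE sig + COFF + optional header
    end = 0
    for i in range(num_sections):
        _name, _vsize, _va, raw_size, raw_ptr, *_rest = SECTION_HDR.unpack_from(
            data, sec_table + i * SECTION_HDR.size)
        if raw_ptr and raw_size:  # .bss-style sections occupy no file space
            end = max(end, raw_ptr + raw_size)
    return end


def overlay(data: bytes) -> bytes:
    """The appended data itself (empty when the file carries none)."""
    return data[overlay_offset(data):]


def build_sample_pe(appended: bytes) -> bytes:
    """Constructed minimal PE32 image: two 0x200-byte sections, then `appended`."""
    e_lfanew, size_opt = 0x40, 0xE0
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, size_opt, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (size_opt - 2)
    secs = (SECTION_HDR.pack(b".text", 0x100, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
            + SECTION_HDR.pack(b".data", 0x100, 0x2000, 0x200, 0x400, 0, 0, 0, 0, 0xC0000040))
    return (dos + coff + opt + secs).ljust(0x600, b"\0") + appended


if __name__ == "__main__":
    sample = build_sample_pe(b"EXTRA-DATA-BLOB")  # constructed overlay
    print(hex(overlay_offset(sample)), overlay(sample))  # 0x600 b'EXTRA-DATA-BLOB'
```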
3. Program self-verification
If the program starts and immediately closes after unpacking, it may have a self-check. A self-check usually compares the file's type, size, creation date, CRC value, and so on. The solution is to open two instances of OD, load the original program in one and the unpacked program in the other, start from the OEP, single-step both, find the jump where they take different paths, and modify it.
To find the difference quickly, set a breakpoint with bp CreateFileA in both OD instances and press Alt+F9 after the break to return to the program's own code. CreateFileA is the API used to open the file for checking, and it may break in several places; check the stack to find the correct location. For example
4. Hidden traps ("dark piles") in the program
If the program still cannot run after unpacking and repair, it may also be because a hidden trap such as INT 13 was planted after the entry point. Load the repaired program (which of course does not run), press F9, and an "inexplicable" exception appears. Why inexplicable? Because all exceptions have been set to be ignored. Replace the trapping instruction with NOP, save the file, open it, and it runs.
The exception dialog box is as follows:
After clicking "OK", the debugger stops at the exception location (preferably, do not click OK; check where OD has stopped instead), as follows:
Right-click this line of code ---- Binary ---- Fill with NOP
Right-click the disassembly ---- Copy to executable ---- All modifications ---- click "Save file" in the window that opens
(I personally think this may also be a form of program self-verification; you can try the self-verification solution above as well.)
5. The program runs, but an error is shown when a button is clicked or some other operation is performed
Exception settings: ignore all exceptions except memory access exceptions.
Load the program --- F9 to run --- trigger the error --- OD stops at the error location --- modify the code and save