Unpacking an unknown packer: IAT repair for beginners

Source: Internet
Author: User

An article for beginners

Kongfoo/2004.2.20-21

Nuke crackme no1

Entry:
00416044>/E9 1C000000 JMP sn1.00416065
00416049 | 0000 add byte ptr ds: [EAX], AL
0041604B | 0000 add byte ptr ds: [EAX], AL
0041604D | 0000 add byte ptr ds: [EAX], AL
0041604F | 001E add byte ptr ds: [ESI], BL
00416051 | 0000 add byte ptr ds: [EAX], AL
00416053 | 0000 add byte ptr ds: [EAX], AL
00416055 | 0000 add byte ptr ds: [EAX], AL
00416057 | 0000 add byte ptr ds: [EAX], AL
00416059 | 0000 add byte ptr ds: [EAX], AL
0041605B | 003E add byte ptr ds: [ESI], BH
0041605D | 0000 add byte ptr ds: [EAX], AL
0041605F | 002E add byte ptr ds: [ESI], CH
00416061 | 0000 add byte ptr ds: [EAX], AL
00416063 | 0000 add byte ptr ds: [EAX], AL
00416065 60 PUSHAD


00413138 8D85 da1_00 LEA EAX, DWORD PTR SS:[EBP+DA]
0041313E C600 EB MOV BYTE PTR DS:[EAX], 0EB
00413141 C640 01 10 MOV BYTE PTR DS:[EAX+1], 10
00413145 FFE2 JMP EDX ; goes to 370000

After tracing for a while I decided to take a shortcut and quit OD (OllyDbg).
Run the program normally and use pmview to find the OEP, then dump the process with LordPE (correct the image size, then dump full).
Next open ImportREC, enter the OEP, click IAT AutoSearch, then Get Imports.
Every result is an invalid pointer, so the repair work begins (one entry as an example):
Click Show Invalid, right-click, Disassemble / HexView; the code is:
003F0020 xor dword ptr [3F003C], 31BA5F95
003F002A push dword ptr [3F003C] // DWORD value: 31845F93
003F0030 xor dword ptr [3F003C], 31BA5F95
003F003A retn
Simple IAT encryption: just XOR the value stored at the address. The dword at 3f003c is 31845f93, and 31845f93 XOR 31ba5f95 = 3e0006.
Attach OD to the process and go to 3e0006 to look:
003E0006 68 922EE577 PUSH kernel32.IsDebuggerPresent
003E000B C3 RETN
That reveals the real API. Go back to ImportREC, double-click the invalid pointer, choose kernel32 as the module, type
IsDebuggerPresent, click OK, and repeat for the other entries.
In this case the program also steals the first few bytes of the API, which is just as simple. Let OD identify it:
003E000C 55 PUSH EBP
003E000D 8BEC MOV EBP, ESP
003E000F 68 9D16E477 PUSH 77E4169D
003E0014 C3 RETN
Three bytes are stolen here (push ebp is 1 byte, mov ebp, esp is 2), so the real entry of the API is 77e4169d-3 = 77e4169a.
Change push 77e4169d to push 77e4169a and VirtualProtect appears.
Now everything that can be repaired this way is repaired. The remaining entries fall into a few different cases:
1)
003E003F 55 PUSH EBP
003E0040 8BEC mov ebp, ESP
003E0042 83EC 10 sub esp, 10
003E0045 60 PUSHAD
003E0046 6A 00 PUSH 0
003E0048 68 53003E00 PUSH 3E0053
003E004D 68 939FE577 PUSH kernel32.GetModuleHandleA
003E0052 C3 RETN
003E0053 61 POPAD
003E0054 53 PUSH EBX
003E0055 57 PUSH EDI
003E0056 68 D67CE577 PUSH 77E57CD6
003E005B C3 RETN
Analysis shows that eight bytes are stolen (push ebp, mov ebp, esp, sub esp, 10, push ebx and push edi: 1+2+3+1+1); the pushad ... popad block in between is interference. Subtract 8 from 77e57cd6:
003E0056 68 CE7CE577 PUSH kernel32.MultiByteToWideChar
2)
003E02B0 FF7424 08 push dword ptr ss: [ESP + 8]
003E02B4 FF7424 08 push dword ptr ss: [ESP + 8]
003E02B8 68 C3023E00 PUSH 3E02C3
003E02BD 68 A88AD177 PUSH USER32.GetDlgItem
003E02C2 C3 RETN
003E02C3 68 3A27D377 PUSH 77D3273A
003E02C8 C3 RETN
This is like 1): subtract 13 (0xD) from 77d3273a (the two push dword ptr [esp+8] are 8 bytes, plus the 5-byte call GetDlgItem that the push/push/retn sequence replaces):
003E02C3 68 2D27D377 PUSH USER32.SetDlgItemTextA
3)
003E02C9 6A 32 PUSH 32
003E02CB FF7424 08 push dword ptr ss: [ESP + 8]
003E02CF 68 DA023E00 PUSH 3E02DA
003E02D4 68 E144D177 PUSH 77D144E1
003E02D9 C3 RETN
003E02DA 68 21B8D177 PUSH 77D1B821
003E02DF C3 RETN
Like 2), 77d1b821-0xb (push 32 is 2 bytes, push dword ptr [esp+8] is 4, plus the 5-byte call that the push/push/retn sequence replaces):
003E02DA 68 16B8D177 PUSH USER32.PostQuitMessage
4)
003E0074 6A 18 PUSH 18
003E0076 68 F81BE477 PUSH 77E41BF8
003E007B 68 86003E00 PUSH 3E0086
003E0080 68 E174E577 PUSH 77E574E1
003E0085 C3 RETN
003E0086 68 8617E477 PUSH 77E41786
003E008B C3 RETN
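The two repair rules used above (XOR the encrypted dword at 3f003c to recover the target, and subtract the stolen bytes from the address pushed by the stub) can be automated. The following is an added example, not code from the original article: a tiny decoder for only the opcodes that appear in these listings, plus an emulator for the XOR thunk at 3F0020 and a resolver for the stolen-bytes stubs at 3E0006, 3E000C, 3E003F, 3E02B0 and 3E02C9. The byte strings are constructed here by assembling the article's listings; the rule that instructions between pushad/popad are junk and that a "push ret_addr / push api / retn" triple stands in for a stolen 5-byte call is my reading of cases 1) to 3), which the stubs below confirm. Case 4) is left out because the article does not give its answer.

```python
# Added example (not from the original article): resolve the two trampoline
# patterns the article repairs by hand.
#   A) XOR-encrypted thunk: xor [X],K / push [X] / xor [X],K / retn  -> mem[X] ^ K
#   B) stolen-bytes stub: replayed API prologue, then "push addr / retn" into the
#      API past the stolen bytes -> real entry = pushed addr - stolen length.
# Byte strings are constructed by assembling the article's listings; the decoder
# only knows the handful of x86-32 opcodes those listings use.
import struct


def _u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0]


def decode(code, base):
    """Return [(address, length, mnemonic, operand)] for the stub bytes."""
    insns, i = [], 0
    one_byte = {0x55: "push ebp", 0x53: "push ebx", 0x57: "push edi",
                0x60: "pushad", 0x61: "popad", 0xC3: "retn"}
    while i < len(code):
        op, addr = code[i], base + i
        if op in one_byte:
            insns.append((addr, 1, one_byte[op], None)); i += 1
        elif op == 0x6A:
            insns.append((addr, 2, "push imm8", code[i + 1])); i += 2
        elif op == 0x68:
            insns.append((addr, 5, "push imm32", _u32(code, i + 1))); i += 5
        elif op == 0x8B and code[i + 1] == 0xEC:
            insns.append((addr, 2, "mov ebp, esp", None)); i += 2
        elif op == 0x83 and code[i + 1] == 0xEC:
            insns.append((addr, 3, "sub esp, imm8", code[i + 2])); i += 3
        elif op == 0xFF and code[i + 1:i + 3] == b"\x74\x24":
            insns.append((addr, 4, "push [esp+imm8]", code[i + 3])); i += 4
        elif op == 0xFF and code[i + 1] == 0x35:
            insns.append((addr, 6, "push [mem32]", _u32(code, i + 2))); i += 6
        elif op == 0x81 and code[i + 1] == 0x35:  # xor dword ptr [mem32], imm32
            insns.append((addr, 10, "xor [mem32], imm32",
                          (_u32(code, i + 2), _u32(code, i + 6)))); i += 10
        else:
            raise ValueError(f"unsupported opcode {op:02x} at {addr:08x}")
    return insns


def resolve_xor_thunk(code, base, mem):
    """Pattern A: emulate xor/push/xor/retn against a small {address: dword} memory."""
    stack = []
    for _addr, _ln, mn, opd in decode(code, base):
        if mn == "xor [mem32], imm32":
            target, key = opd
            mem[target] ^= key
        elif mn == "push [mem32]":
            stack.append(mem[opd])
        elif mn == "retn":
            return stack.pop()        # value the thunk "returns" into = real API
    raise ValueError("thunk has no retn")


def resolve_stolen_stub(code, base):
    """Pattern B: return (real API entry, number of stolen bytes)."""
    insns, stolen, junk, i = decode(code, base), 0, False, 0
    while i < len(insns):
        _addr, ln, mn, opd = insns[i]
        if junk:                                   # inside pushad ... popad
            junk = mn != "popad"; i += 1; continue
        if mn == "pushad":
            junk = True; i += 1; continue
        # "push ret_addr / push api / retn" where ret_addr is the byte after the
        # retn: the stub's replacement for a stolen 5-byte "call api"
        if (mn == "push imm32" and i + 2 < len(insns)
                and insns[i + 1][2] == "push imm32" and insns[i + 2][2] == "retn"
                and opd == insns[i + 2][0] + 1):
            stolen += 5; i += 3; continue
        # final "push target / retn": jump into the API past the stolen bytes
        if mn == "push imm32" and i + 2 == len(insns) and insns[i + 1][2] == "retn":
            return opd - stolen, stolen
        stolen += ln; i += 1
    raise ValueError("stub does not end in push/retn")


# Constructed from the article's listings (byte encodings assembled by hand).
XOR_THUNK = bytes.fromhex("81353C003F00955FBA31" "FF353C003F00" "81353C003F00955FBA31" "C3")
STUB_3E0006 = bytes.fromhex("68922EE577C3")          # push IsDebuggerPresent / retn
STUB_3E000C = bytes.fromhex("558BEC689D16E477C3")    # VirtualProtect, 3 stolen bytes
STUB_3E003F = bytes.fromhex("558BEC83EC10606A006853003E0068939FE577C361535768D67CE577C3")
STUB_3E02B0 = bytes.fromhex("FF742408FF74240868C3023E0068A88AD177C3683A27D377C3")
STUB_3E02C9 = bytes.fromhex("6A32FF74240868DA023E0068E144D177C36821B8D177C3")

if __name__ == "__main__":
    mem = {0x3F003C: 0x31845F93}                     # dword the article reads at 3f003c
    print(f"3F0020 -> {resolve_xor_thunk(XOR_THUNK, 0x3F0020, mem):08X}")
    for base, stub in [(0x3E0006, STUB_3E0006), (0x3E000C, STUB_3E000C),
                       (0x3E003F, STUB_3E003F), (0x3E02B0, STUB_3E02B0),
                       (0x3E02C9, STUB_3E02C9)]:
        entry, stolen = resolve_stolen_stub(stub, base)
        print(f"{base:08X} -> {entry:08X} ({stolen} stolen bytes)")
```

Running it reproduces the article's answers: 3E0006 for the XOR thunk, and 77E4169A, 77E57CCE, 77D3272D and 77D1B816 for the stubs (the 3, 8, 13 and 11 stolen bytes the article subtracts). The resolved addresses still have to be matched against the loaded DLLs' export tables, exactly as the article does by typing the names into ImportREC.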
