Reverse Foundation: Introduction to manual shell removal (1)

Source: Internet
Author: User


This article collects notes and documents from earlier manual unpacking work, in the hope that they help newcomers to reverse engineering and unpacking.

1. Concepts

1.1 Packing

Packing (full name: executable program resource compression) is a common means of protecting files. A packed program still runs directly, but its original code cannot be inspected; the code can only be viewed after the program has been unpacked.

A packer uses special algorithms to compress and encrypt the resources in EXE and DLL files. Like WinZip, the compressed file can run independently: the decompression process is completely hidden and takes place in memory. The packer stub is attached to the original program; after the Windows loader maps the file into memory, the stub executes before the original program and takes control. While executing, it decrypts and restores the original program, and once restoration is complete it returns control to the original program, whose original code then executes. After packing, the original program code usually exists on disk only in encrypted form and is restored only in memory at run time. This effectively prevents unauthorized modification of the program file and also prevents static decompilation.

Packers are generally divided into compression packers and encryption packers. A compression packer focuses on reducing the size of the software; encryption protection is not its focus. There are many kinds of encryption packers, each with a different emphasis: some only protect the program, while others provide additional functions such as a registration mechanism, a usage-count limit or a time limit.

1.2 OEP

OEP (Original Entry Point) is the program's entry point. Packers generally hide the real OEP of the program (or use a fake OEP). To unpack the program, we need to find its real OEP.

Generally, when a packed program is loaded in a dynamic debugging tool such as OllyDbg, it stops in the packer's preprocessing block, that is, before the original code of the program has been extracted or decrypted. Once the program's self-unpacking module has run, execution arrives at the OEP the program had before packing. This is the best moment to dump the program, because its code section has been completely restored; during unpacking, this point can be caught with an int3 breakpoint at the real OEP. Finding the correct OEP of the packed program is therefore the top priority in manual unpacking.

1.3 IAT

IAT (Import Address Table). An imported function is called by the program, but its code is not in the program: it lives in one or more DLLs. When the PE file is loaded into memory, the Windows loader loads those DLLs and links the instructions that call each imported function to the function's actual address (dynamic linking); this requires the import table, and the import address table holds the functions' actual addresses. Most packers rebuild the import address table at run time, so obtaining the correct import address table from the packed program is another key issue in manual unpacking.
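The OEP and IAT concepts above are also what a defender checks first when triaging a suspected packed binary. The following Python script is an added example, not part of the original article: it builds two constructed minimal PE32 headers (test data only, no real code) and parses AddressOfEntryPoint, the section table and the import directory size to flag the traces packing leaves, an entry point outside the first section and a nearly empty import table. The 40-byte import-table threshold and the section names are assumptions made for the demonstration.

```python
import struct

def build_pe(entry_rva, sections, import_size):
    """Constructed minimal PE32 header (test data only, carries no real code).
    sections: list of (name, virtual_address, virtual_size)."""
    dos = b"MZ" + bytes(58) + struct.pack("<I", 64)          # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)                                     # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)               # AddressOfEntryPoint
    struct.pack_into("<I", opt, 92, 16)                      # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 104, 0x3000, import_size)   # import directory (RVA, size)
    hdrs = b"".join(struct.pack("<8sIIIIIIHHI", n.encode(), vs, va, vs, 0, 0, 0, 0, 0, 0x60000020)
                    for n, va, vs in sections)
    return dos + b"PE\0\0" + coff + bytes(opt) + hdrs

def parse_pe(data):
    """Return (entry RVA, import directory size, [(name, va, vsize), ...])."""
    pe_off = struct.unpack_from("<I", data, 60)[0]
    if data[:2] != b"MZ" or data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    opt = pe_off + 24                                        # optional header start
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    imp_size = struct.unpack_from("<I", data, opt + 108)[0]  # data directory 1 = imports
    secs = []
    for i in range(nsec):
        name, vsize, va = struct.unpack_from("<8sII", data, opt + opt_size + 40 * i)
        secs.append((name.rstrip(b"\0").decode(), va, vsize))
    return entry, imp_size, secs

def entry_section(data):
    """Name of the section that contains AddressOfEntryPoint, or None."""
    entry, _, secs = parse_pe(data)
    return next((n for n, va, vs in secs if va <= entry < va + vs), None)

def packing_indicators(data):
    """Triage heuristics: entry point outside the first (code) section, or an import
    table too small to hold more than a loader pair like LoadLibrary/GetProcAddress."""
    _, imp_size, secs = parse_pe(data)
    sec = entry_section(data)
    return {"entry_section": sec, "entry_in_first_section": sec == secs[0][0],
            "import_dir_size": imp_size, "tiny_import_table": imp_size <= 40}

# Constructed samples: a normal layout and a packed-looking one with a stub section.
NORMAL = build_pe(0x1100, [(".text", 0x1000, 0x2000), (".rdata", 0x3000, 0x1000)], 200)
PACKED = build_pe(0x5040, [(".text", 0x1000, 0x2000), (".rdata", 0x3000, 0x1000),
                           (".stub", 0x5000, 0x800)], 40)
```

Both indicators together are a hint to look at the binary in a debugger, not proof of packing; a dump taken at the real OEP will also need its IAT rebuilt, as the section above explains.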

2. Unpacking Methods

2.1 Single-Step Tracing

The single-step tracing method uses OllyDbg's step-over (F8), step-into (F7) and run-to-selection (F4) functions to walk completely through the program's self-unpacking process, running past the loop fragments that restore code while single-stepping elsewhere so that the program does not run past the OEP. In this way, once the software's self-unpacking module has run, one reaches the OEP and can dump the program.

2.2 ESP Law

The ESP law is a powerful tool for unpacking and one of the most frequently used unpacking methods.

The principle of the ESP law lies in making use of the program's stack balance. During self-decryption or self-decompression, many packers first push the current register contents onto the stack, for example with pushad; after decompression, the earlier register values are popped back off the stack, for example with popad. So when the registers are popped, the program code has usually already been restored, and a hardware breakpoint set on that stack address is triggered at this point. From the position where the program then stops, only a few single steps are needed to reach the correct OEP.

2.3 Memory Mirroring Method (two-breakpoint method)

With the memory mirroring method, after loading the packed program one opens its memory map with OllyDbg's ALT+M shortcut and then sets two one-shot memory breakpoints to reach the program's correct OEP.

The principle of the memory mirroring method is this: with one breakpoint on the resource section and one on the code section, the program first accesses the resource section during self-extraction or self-decryption to obtain the resources it needs, and then, after self-unpacking, it accesses the program's code section. At that moment the one-shot memory breakpoint fires and the program stops at the OEP.

2.4 One-Step-to-OEP Method

The so-called one-step-to-OEP method finds, from the characteristics of the packer, an assembly instruction close to the OEP, sets an int3 breakpoint there, and dumps the program when it reaches the OEP. For example, some compression packers have a characteristic instruction sequence or "magic jump" very close to the OEP, so with OllyDbg's search function one can search for the packer's characteristic assembly code and reach the OEP with a single breakpoint.

2.5 Last Exception Method

The last-exception method relies on the fact that the program may trigger many exceptions while self-extracting or self-decrypting. If the location of the last exception can be found, it is likely to be close to the point where self-unpacking completes. Using OllyDbg's exception-counter plug-in, one records the number of exceptions, loads the program again, and lets it stop automatically at the last exception.

2.6 Simulated Tracing Method

The simulated tracing method uses conditional breakpoints in OllyDbg. The SFX segment is effectively the self-extracting stub; when it ends (when EIP moves into the code section), execution is very close to the OEP. However, this tracing method takes a long time.

2.7 "SFX" Method

The "SFX" method uses the OEP search function provided by OllyDbg. One can choose to let OD stop the program directly at the OEP it finds; at that point self-extraction has completed and the program can be dumped directly.

