[Article title] Three memory breakpoints to quickly deal with the tElock 0.96 + ASPack double-layer shell
[Author] weiyi75 [Dfcg]
[Author mailbox] weiyi75@sohu.com
[Author's homepage] Dfcg official base camp
[Tools] PEiD, OllyDbg, LordPE, ImpREC 1.42, Freeres
[Cracking platform] Win2000/XP
[Software name] System Manager V2.71
[Download] http://www.skycn.com/soft/11570.html
[Software overview] System Manager is a powerful operating-system configuration tool whose customisable settings suit beginners and experts alike. Besides settings for the desktop, personalisation, security, network and optimisation, it covers cleaning, maintenance, backup and restoration of the system registry, and cleaning and maintenance of system junk files, software and invalid ActiveX components. Still worried about having to install several settings and maintenance programs at once? System Manager can provide comprehensive services for your Windows 98/2000/ME/XP/2003 system! Its built-in system information detection displays a large amount of information about the operating system and hardware, and it integrates process management and memory defragmentation tools. System Manager currently offers settings for the desktop, start menu, taskbar, input methods, window interface, system information, OEM information, personalised folders, security settings, multiple users, password policies, control panel, security windows, registry backup/restoration, disk hiding, disguised files, hidden special items, auto-run, system startup, file system, storage system, program acceleration, multimedia, network acceleration, IE browser, background services, registry cleanup, disk cleanup, software cleanup, component cleanup and other functions.
Software size: 1852 KB
[Packing method] tElock 0.96 + ASPack
[Unpacking statement] I am just a newbie sharing a little with everyone :)
--------------------------------------------------------------------------------
[Unpacking content]
First check the shell with PEiD: tElock 0.96 -> tE!. Then load the program in OD and press Alt+M to view the memory map; you will find that there is a layer of ASPack inside.
We covered tElock 0.98 in the advanced article. It is troublesome because breakpoints cannot be set carelessly: ordinary INT3 breakpoints and hardware breakpoints are both detected. However, it can still be stopped with memory breakpoints, and tElock 0.96 is weaker than tElock 0.98.
In OD's debugging options, do not ignore invalid instruction exceptions or memory access exceptions.
First let tElock raise its one memory exception and two invalid instruction exceptions, then the program runs.
Reload the program.
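The Alt+M memory-map check above spots the inner ASPack layer by eye. As an added example (not part of the original article or of the unpacking tools it names), the script below does the same triage programmatically: it walks the PE section table, reports each section's entropy and whether it is both writable and executable, and flags sections that look like a packer layer. All function names (`parse_sections`, `triage`, `build_sample_pe`) and the embedded sample image are assumptions of this example; the sample PE is constructed in memory and is not the System Manager binary.

```python
import math
import random
import struct

# Section flag constants from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

ENTROPY_THRESHOLD = 7.0  # bits per byte; compressed/encrypted payloads sit near 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty or constant input)."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> list:
    """Follow MZ -> e_lfanew -> PE -> COFF -> section table; return one dict per section."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (_machine, num_sections, _stamp, _symtab, _nsyms,
     size_of_optional, _chars) = struct.unpack_from("<HHIIIHH", pe, coff)
    table = coff + 20 + size_of_optional          # COFF header is 20 bytes
    sections = []
    for i in range(num_sections):
        off = table + i * 40                      # each section header is 40 bytes
        (name, vsize, va, raw_size, raw_ptr,
         _rel, _lin, _nrel, _nlin, chars) = struct.unpack_from("<8sIIIIIIHHI", pe, off)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": va,
            "virtual_size": vsize,
            "characteristics": chars,
            "raw": pe[raw_ptr:raw_ptr + raw_size],
        })
    return sections


def triage(pe: bytes) -> list:
    """Flag sections that look like a packer layer: writable+executable, or high entropy."""
    report = []
    for s in parse_sections(pe):
        chars = s["characteristics"]
        wx = bool(chars & IMAGE_SCN_MEM_WRITE) and bool(chars & IMAGE_SCN_MEM_EXECUTE)
        ent = shannon_entropy(s["raw"])
        report.append({
            "name": s["name"],
            "entropy": round(ent, 2),
            "write_execute": wx,
            "suspicious": wx or ent >= ENTROPY_THRESHOLD,
        })
    return report


def build_sample_pe(sections) -> bytes:
    """Assemble a minimal, constructed PE32 image (not a real program) for the parser.
    `sections` is a list of (name, raw_bytes, characteristics)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)           # e_lfanew = 64
    opt = struct.pack("<H", 0x10B) + b"\0" * 222                 # PE32 magic + zero padding
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x0102)
    headers_len = len(dos) + 4 + len(coff) + len(opt) + 40 * len(sections)
    table, payload = b"", b""
    raw_ptr, va = headers_len, 0x1000
    for name, data, chars in sections:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data), va,
                             len(data), raw_ptr, 0, 0, 0, 0, chars)
        payload += data
        raw_ptr += len(data)
        va += (len(data) + 0xFFF) & ~0xFFF                     # next 4 KiB-aligned RVA
    return dos + b"PE\0\0" + coff + opt + table + payload


# Constructed sample: a plain code section beside an RWX, high-entropy packer section.
_rng = random.Random(7)
SAMPLE_PE = build_sample_pe([
    (b".text", b"\x90" * 200 + b"\xC3" * 8,
     IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (b".aspack", bytes(_rng.getrandbits(8) for _ in range(4096)),
     IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
])

if __name__ == "__main__":
    for row in triage(SAMPLE_PE):
        print(row)
```

Run it on a real file by replacing `SAMPLE_PE` with `open(path, "rb").read()`; the two signals it uses (a section mapped writable and executable, and raw data near 8 bits of entropy per byte) are exactly what a packer stub that decrypts code in place tends to leave behind, so a clean build of an unpacked program should report no suspicious sections.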
0053CBA2> ^ E9 59E4FFFF JMP NSSetWin.0053B000 ; shell entry point
0053CBA7 0000 add byte ptr ds: [EAX], AL
0053CBA9 0000 add byte ptr ds: [EAX], AL
0053CBAB 0000 add byte ptr ds: [EAX], AL
0053CBAD 00D3 add bl, DL
0053CBAF 2BA3 0FEECB13 sub esp, dword ptr ds: [EBX + 13CBEE0F]
0053CBB5 0000 add byte ptr ds: [EAX], AL
0053CBB7 0000 add byte ptr ds: [EAX], AL
0053CBB9 0000 add byte ptr ds: [EAX], AL
0053CBBB 0000 add byte ptr ds: [EAX], AL
0053CBBD 000E add byte ptr ds: [ESI], CL
0053CBBF CC INT3
....................................................................
Invalid instruction exception; press Shift+F9
0053B6A8 8DC0 lea eax, EAX ; illegal use of register
0053B6AA 74 03 je short NSSetWin.0053B6AF
0053B6AC CD 20 INT 20
0053B6AE 64: 67: 8F06 0000 pop dword ptr fs: [0]
0053B6B4 EB 02 jmp short NSSetWin.0053B6B8
0053B6B6 CD 20 INT 20
0053B6B8 59 POP ECX
0053B6B9 61 POPAD
0053B6BA F5 CMC
0053B6BB 8D7415 00 lea esi, dword ptr ss: [EBP + EDX]
0053B6BF 83C2 22 add edx, 22
0053B6C2 8BFE mov edi, ESI
0053B6C4 B9 80120000 mov ecx, 1280
0053B6C9 2ADB sub bl, BL
0053B6CB ac lods byte ptr ds: [ESI]
0053B6CC 32C3 xor al, BL
0053B6CE FEC0 INC AL
....................................................................
Memory access exception; press Shift+F9
0053BBA6 CD 68 INT 68
0053BBA8 66: 05 7B0C add ax, 0C7B
0053BBAC 66: 48 DEC AX
0053BBAE 74 55 je short NSSetWin.0053BC05
0053BBB0 8D85 450B0000 lea eax, dword ptr ss: [EBP + B45]
0053BBB6 894424 04 mov dword ptr ss: [ESP + 4], EAX
0053BBBA 64: 67: 8926 0000 mov dword ptr fs: [0], ESP
0053BBC0 EB 1F jmp short NSSetWin.0053BBE1
0053BBC2 CD 20 INT 20
0053BBC4 8B6424 08 mov esp, dword ptr ss: [ESP + 8]
0053BBC8 8B6C24 08 mov ebp, dword ptr ss: [ESP + 8]
0053BBCC 8D85 7A0B0000 lea eax, dword ptr ss: [EBP + B7A]
0053BBD2 50 PUSH EAX
0053BBD3 EB 01 jmp short NSSetWin.0053BBD6
0053BBD5 E8 81AD291C CALL 1C7D695B
0053BBDA 0000 add byte ptr ds: [EAX], AL
0053BBDC E7 25 OUT 25, EAX ; I/O command
0053BBDE A9 FEC3EB01 test eax, 1EBC3FE
0053BBE3 EB 33 jmp short NSSetWin.0053BC18
....................................................................
Invalid instruction exception