Several methods of removing upx shells by hand

recently in the study of the shell of the shelling method, some experience, and everyone to share how to hand off UPX shell Our process is Peid check the shell

the shell form is UPX 0.89.6-1.02/1.05-2.90, Markus & Laszlo od loading, prompting for "Compress code to continue analysis", we select No method One: Single Step tracking Method The program stops in the following diagram

F8 one step down, pay attention to the jump

encountered the upward arrow we are in the next line F4 (run to here), note that the red means jump implementation, the Gray Representative is not implemented, our purpose is not to let him achieve, gray we do not have to tube, specific description: 0040e8d6-NOP 0040e8d7-NOP 0040e8d8 8a06 mov al,byte ptr ds:[esi] 0040e8da Inc ESI 0040e8db 8807 mov byte ptr ds:[edi],al 0040E8DD Inc EDI 0040e8de 01DB Add ebx,ebx 0040e8e0 jnz Short Upx.0040e8e9 0040e8e2 8b1e mov ebx,dword ptr ds:[esi] 0040e8e4 83EE FC Sub esi,-0x4 0040e8e7 11DB ADC ebx,ebx 0040e8e9 ^ "ED jb Short Upx.0040e8d8"//here to jump back, jump to 0040e8d8 place
0040e8eb B8 01000000 mov eax,0x1//f4, continue F8
0040e8f0 01DB Add ebx,ebx 0040e8f2 jnz Short UPX.0040E8FB

we ran all the way down and found the following code two upward jumps, the following is the NOP statement, my treatment is under the NOP next line of code F4, because NOP is empty, no data. The same way we continue to F8 one-step operation. of course, there are many similar upward jumps in the program, I do not describe each, when the F8 step to run for a period of time, you may encounter such a situation Highlights:
0040e9f4 f2:ae repne SCAs byte ptr Es:[edi]
0040e9f6. Ebp
0040E9F7 FF96 a4ec0000 call dword ptr DS:[ESI+ECA4]
0040E9FD 09c0 or Eax,eax
0040e9ff JE Short notepad.0040ea08
0040EA01 8903 mov dword ptr ds:[ebx],eax
0040EA03 83c3 Add ebx,4
0040ea06 ^ EB E1 jmp Short notepad.0040e9e9//to jump back
0040EA08 FF96 a8ec0000 call DWORD ptr ds:[esi+eca8]//about this call, different programs are not the same, my run flew, again run when I skipped directly
0040EA0E Popad//Here F4, continue F8
0040ea0f-e9 b826ffff jmp notepad.004010cc//Jump right here to Oep at the time of shelling. We have to pay attention to popad this directive, its presence marks our program may reach Oep

We arrived at the Oep and then shelled with OD's own shelling tool.

method Two: ESP Law manual shelling F8 Single-step operation, found on the right register ESP red, indicating here can be ESP law dd 0012FFA4 Enter, breakpoint-hardware access--word,f9 run, come here directly

0040ea0f-e9 b826ffff jmp notepad.004010cc//Come to this one step to the Oep

The shelling step is the same as above method Three: Memory Mirroring method Alt+m Open Memory
Find. Rsrc,f2 down, F9 run
alt+m Open memory find upx0,f2 down, F9 run

Appears as shown in the following figure

explain:

0040EA01 8903 mov dword ptr ds:[ebx],eax//Come here, F8 continue 0040ea03 83c3 Add ebx,4 0040ea06 ^ EB E1 jmp Short Notepad.0040e9e9 0040ea08 FF96 a8ec0000 call dword ptr ds:[esi+eca8] 0040ea0e Popad//About to arrive Oep
0040ea0f-e9 b826ffff jmp notepad.004010cc

One last approach: seconds to Oep method Direct ctrl+f, input Popad

0040ea0e popad//f2 down, F9 Run, F2 cancel breakpoint, single step F8
0040ea0f-e9 b826ffff jmp notepad.004010cc

step down, and finally arrive at the Oep Finally, a special reminder, we found that jmp is a big jump, we have to pay attention to the big jump

probably not only these several methods, commonly used shelling method total about 7 kinds of, just for UPX shell at present these several best use, welcome everybody to discuss