Shell brute-force single-step analysis (5) cracking tutorial

Source: Internet
Author: User

[Cracked by] layper
[Author's mailbox] layper2002@yahoo.com.cn
[Author's homepage] www.sy135.com
[Tools] PEiD, OD (OllyDbg)
[Cracking platform] Win9x/NT/2000/XP
[Software name] Single-step analysis of the shell: shell chaos (5)
[Statement] I am a newbie. These are a few occasional experiences of mine, and I'd like to share them with you :)
--------------------------------------------------------------------------------
[Cracking content]

After writing this article, I felt that I had learned a lot in the process of analyzing this shell (even though I made many mistakes). I had long wanted to analyze a shell step by step, but I had never been able to make up my mind, and who would have thought that I would end up realizing the idea in a light-hearted article like this one. Haha, that's great. In fact, abroad one of the subjects crackers often study is reverse engineering: using cracking tools to reverse a program back toward its source code. This is a good way for us to learn programming and the low-level workings of the system, but unfortunately it seems very rare in China to see articles on it. Although this single-step analysis method is not reverse engineering proper, after the analysis so far I have really felt the benefits of reverse engineering, and I sincerely hope it will flourish here.

Let's continue analyzing our ASProtect 1.2x-1.3x shell. After the code in the previous part, we return here:
00fe1000 90 nop ; presumably here for system compatibility
00fe1001 60 pushad ; save all general-purpose registers
00fe1002 E8 40060000 call 00fe1647 ; step into the call
00fe1007 EB 44 jmp short 00fe104d

00fe1647 8b2c24 mov EBP, dword ptr ss: [ESP] ; EBP = [ESP] = SS:[0012ff68] = 00fe1007, the return address pushed by the call
00fe164a 81ed 4b294400 sub EBP, 44294b ; EBP = 00fe1007 - 44294b = 00b9e6bc, the relocation delta used by every [EBP + xxx] reference below
00fe1650 C3 retn ; return

00fe1007 EB 44 jmp short 00fe104d ; back here; jump

00fe104d BB 44294400 mov EBX, 442944 ; EBX = 442944
00fe1052 03dd add EBX, EBP ; EBX = 00fe1007 - 44294b + 442944 = 00fe1000; the immediate looks like 442944, but EBX really ends up at 00fe1000, the stub's actual load address
00fe1054 2b9d 71294400 sub EBX, dword ptr ss: [EBP + 442971] ; EBX = 00fa0000
00fe105a 83bd d8304400 00 cmp dword ptr ss: [EBP + 4430d8], 0 ; SS:[00fe1794] = 00000000 (a flag; it is set below at 00fe10b0)
00fe1061 899d 2f2e4400 mov dword ptr ss: [EBP + 442e2f], EBX ; SS:[00fe14eb] = EBX = 00fa0000
00fe1067 0f85 3e050000 jnz 00fe15ab ; not taken, since the flag is 0
00fe106d 8d85 e0304400 lea EAX, dword ptr ss: [EBP + 4430e0] ; EAX = 010f179c, address of the string "kernel32.dll"
00fe1073 50 push EAX ; module name
00fe1074 ff95 ec314400 call dword ptr ss: [EBP + 4431ec] ; SS:[010f18a8] = 7c80b529 (kernel32.GetModuleHandleA): returns the module handle of kernel32.dll
00fe107a 8985 dc304400 mov dword ptr ss: [EBP + 4430dc], EAX ; SS:[010f1798] = EAX = 78c00000
00fe1080 8bf8 mov EDI, EAX ; EDI = EAX = 78c00000
00fe1082 8d9d ed304400 lea EBX, dword ptr ss: [EBP + 4430ed] ; EBX = 010f17a9, address of the string "VirtualAlloc"
00fe1088 53 push EBX ; export name
00fe1089 50 push EAX ; kernel32 handle
00fe108a ff95 e8314400 call dword ptr ss: [EBP + 4431e8] ; resolves the named export (presumably GetProcAddress, judging from the arguments; the author does not say)
00fe1090 8985 79294400 mov dword ptr ss: [EBP + 442979], EAX ; save the address of VirtualAlloc
00fe1096 8d9d fa304400 lea EBX, dword ptr ss: [EBP + 4430fa] ; address of a second API name (the string is not shown here)
00fe109c 53 push EBX ; export name
00fe109d 57 push EDI ; kernel32 handle
00fe109e ff95 e8314400 call dword ptr ss: [EBP + 4431e8] ; resolve it the same way
00fe10a4 8985 7d294400 mov dword ptr ss: [EBP + 44297d], EAX ; save the second API address
00fe10aa 8b85 2f2e4400 mov EAX, dword ptr ss: [EBP + 442e2f] ; EAX = 00fa0000, stored at 00fe1061
00fe10b0 8985 d8304400 mov dword ptr ss: [EBP + 4430d8], EAX ; set the flag tested at 00fe105a, so this setup runs only once
00fe10b6 6a 04 push 4 ; flProtect = PAGE_READWRITE
00fe10b8 68 00100000 push 1000 ; flAllocationType = MEM_COMMIT
00fe10bd 68 46050000 push 546 ; dwSize = 546
00fe10c2 6a 00 push 0 ; lpAddress = NULL
00fe10c4 ff95 79294400 call dword ptr ss: [EBP + 442979] ; VirtualAlloc(NULL, 546, MEM_COMMIT, PAGE_READWRITE)
00fe10ca 8985 75294400 mov dword ptr ss: [EBP + 442975], EAX ; save the new buffer's address
00fe10d0 8d9d 452a4400 lea EBX, dword ptr ss: [EBP + 442a45] ; EBX = 00fe1101, the bytes right after this block
00fe10d6 50 push EAX ; buffer
00fe10d7 53 push EBX ; 00fe1101
00fe10d8 E8 74050000 call 00fe1651 ; presumably fills the buffer from 00fe1101; a byte count comes back in EAX and is used as the rep count below
00fe10dd 8bc8 mov ECX, EAX ; ECX = count for rep movs
00fe10df 8dbd 452a4400 lea EDI, dword ptr ss: [EBP + 442a45] ; EDI = 00fe1101 (destination)
00fe10e5 8bb5 75294400 mov ESI, dword ptr ss: [EBP + 442975] ; ESI = the buffer (source)
00fe10eb F3:A4 rep movs byte ptr es: [EDI], byte ptr ds: [ESI] ; copy ECX bytes from the buffer back over 00fe1101
00fe10ed 8b85 75294400 mov EAX, dword ptr ss: [EBP + 442975] ; EAX = buffer
00fe10f3 68 00800000 push 8000 ; dwFreeType = MEM_RELEASE
00fe10f8 6a 00 push 0 ; dwSize = 0
00fe10fa 50 push EAX ; lpAddress = buffer
00fe10fb ff95 7d294400 call dword ptr ss: [EBP + 44297d] ; the second API; by its arguments presumably VirtualFree(buffer, 0, MEM_RELEASE)
00fe1101 8d0e lea ECX, dword ptr ds: [ESI] ; 00fe1101 = EBP + 442a45 is exactly where the rep movs above writes, so OD is showing these bytes before they are overwritten; the lines below are not the code that will actually run here
00fe1103 8551 2C test dword ptr ds: [ECX + 2C], EDX
00fe1106 44 inc ESP
00fe1107 07 pop es
00fe1108 50 push EAX
00fe1109 C3 retn
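The delta-offset arithmetic from the listing above, as an added example that is not part of the original article: it recomputes EBP from the call/mov ebp,[esp]/sub sequence and maps the ss:[EBP + xxx] operands to runtime addresses, so the author's annotations (00fe1794, 00fe14eb, EBX = 00fe1000, and the rep movs destination 00fe1101) can be checked. All constants are taken from the listing; the excerpt embedded in the script is copied from this page.

```python
import re

# Constants taken from the listing above (ASProtect stub at 00fe1000)
RET_ADDR = 0x00FE1007   # pushed by "call 00fe1647", read back by "mov ebp, [esp]"
DELTA_SUB = 0x0044294B  # "sub ebp, 44294b"
LINK_BASE = 0x00442944  # "mov ebx, 442944": where the stub expected 00fe1000 to be
MASK32 = 0xFFFFFFFF

def delta_ebp(ret_addr, sub_imm):
    """Emulate 'mov ebp,[esp]; sub ebp,imm': EBP becomes the relocation delta."""
    return (ret_addr - sub_imm) & MASK32

def relocate(ebp, disp):
    """Runtime address of an 'ss:[EBP + disp]' operand."""
    return (ebp + disp) & MASK32

def ebx_after_add(ebp):
    """Emulate 'mov ebx, 442944; add ebx, ebp': the stub's real load address."""
    return (LINK_BASE + ebp) & MASK32

# Excerpt of the author's listing (copied from this page, comments dropped)
LISTING = """
00fe105a 83bd d8304400 00 cmp dword ptr ss: [EBP + 4430d8], 0
00fe1061 899d 2f2e4400 mov dword ptr ss: [EBP + 442e2f], EBX
00fe1074 ff95 ec314400 call dword ptr ss: [EBP + 4431ec]
00fe1082 8d9d ed304400 lea EBX, dword ptr ss: [EBP + 4430ed]
00fe10df 8dbd 452a4400 lea EDI, dword ptr ss: [EBP + 442a45]
"""
OPERAND = re.compile(r"\[EBP \+ ([0-9a-f]+)\]", re.IGNORECASE)

def annotate(listing, ebp):
    """Return {displacement: runtime address} for every EBP-relative operand."""
    found = {}
    for line in listing.strip().splitlines():
        m = OPERAND.search(line)
        if m:
            disp = int(m.group(1), 16)
            found[disp] = relocate(ebp, disp)
    return found

if __name__ == "__main__":
    ebp = delta_ebp(RET_ADDR, DELTA_SUB)
    print(f"EBP = {ebp:08x}")                           # 00b9e6bc
    print(f"EBX after add = {ebx_after_add(ebp):08x}")  # 00fe1000
    for disp, addr in sorted(annotate(LISTING, ebp).items()):
        print(f"[EBP + {disp:06x}] -> {addr:08x}")
```

Where the author's comments show 010fxxxx rather than 00fexxxx (for example 010f179c for EBP + 4430e0), this arithmetic gives 00fe179c; those values most likely come from a separate debugging session in which the stub was loaded at a different base.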

 

--------------------------------------------------------------------------------
[Copyright notice] This article is purely a technical exchange. repost the article to indicate the author and keep it complete. Thank you!
