Unpacking study 2: Unpacking ASPack 2.12


Skyjacker
http://blog.csdn.net/skyjacker
Email: hemiaoyu <at> gmail.com
QQ: 67705517
2007-2-10

1. Packing

Write a simple form program yourself, then pack it with ASPack 2.12 to produce nullformaspack.exe.

Original file versus packed file:
Original file size: 379 KB (388,096 bytes)
Original file size on disk: 384 KB (393,216 bytes)
Packed file size: 157 KB (161,280 bytes)
Packed file size on disk: 160 KB (163,840 bytes)
ASPack 2.12 compression ratio: the packed file is about 41% of the original (161,280 / 388,096)

2. Unpacking

PEiD identifies the packer: ASPack 2.12 -> Alexey Solodovnikov
Load the program in OllyDbg; it stops at the packer's entry point:

00465001 >  60               pushad
00465002    E8 03000000      call 0046500A         ; step into with F7
00465007 -  E9 EB045D45      jmp 45A354F7          ; bogus: OllyDbg decodes the decoy byte E9 at 00465007 as a jmp rel32
0046500C    55               push ebp
0046500D    C3               retn
0046500E    E8 01000000      call 00465014
00465013    EB 5D            jmp short 00465072    ; bogus as well: the EB at 00465013 is never executed
00465015    BB EDFFFFFF      mov ebx, -13

Inside call 0046500A:
0046500A    5D               pop ebp               ; EBP := 00465007, the return address (nullform.00465007)
0046500B    45               inc ebp               ; EBP := 00465008
0046500C    55               push ebp              ; push 00465008: the return address is now one byte further on, so the decoy E9 at 00465007 is skipped
0046500D    C3               retn

Stack at this point:
0012FFA0   00465007   RETURN to nullform.00465007 from nullform.0046500A
0012FFA4   7C930738   ntdll.7C930738
0012FFA8   FFFFFFFF
0012FFAC   0012FFF0

After the retn:
EIP = 00465008

00465008   /EB 04            jmp short 0046500E    ; the real instruction: the return address was incremented by one, so execution resumes at the EB byte and OllyDbg now decodes from here
0046500A   |5D               pop ebp               ; the routine reached from call 0046500A: a "stealth" way for the stub to learn its own address :)
0046500B   |45               inc ebp
0046500C   |55               push ebp
0046500D   |C3               retn
0046500E   \E8 01000000      call 00465014         ; step into with F7. The same trick in one byte: the call target is the return address plus one, so the EB at 00465013 is skipped
00465013    EB 5D            jmp short 00465072
00465015    BB EDFFFFFF      mov ebx, -13
0046501A    03DD             add ebx, ebp
0046501C    81EB 00500600    sub ebx, 65000
00465022    83BD 22040000 00 cmp dword ptr [ebp+422], 0

Inside call 00465014:
00465014    5D               pop ebp               ; EBP := 00465013 (the return address); the stack top is now 7C930738
00465015    BB EDFFFFFF      mov ebx, -13          ; EBX was 7FFDE000, now EBX := FFFFFFED
0046501A    03DD             add ebx, ebp          ; EBX := FFFFFFED + 00465013 = 00465000
0046501C    81EB 00500600    sub ebx, 65000        ; EBX := 00400000, the image base (where the "MZP" header lives)
00465022    83BD 22040000 00 cmp dword ptr [ebp+422], 0
00465029    899D 22040000    mov dword ptr [ebp+422], ebx   ; store the image base in the stub's data area
0046502F    0F85 65030000    jnz 0046539A          ; long jump: click the line at 0046539A and press F4 (run to selection)
00465035    8D85 2E040000    lea eax, dword ptr [ebp+42E]
0046503B    50               push eax
0046503C    FF95 4D0F0000    call dword ptr [ebp+F4D]

Stack on entry to 00465014:
0012FFA0   00465013   RETURN to nullform.00465013 from nullform.00465014
0012FFA4   7C930738   ntdll.7C930738
0012FFA8   FFFFFFFF
0012FFAC   0012FFF0
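To make the trick concrete, here is an added Python example (my code, not from the original post and not part of ASPack). It decodes the stub bytes transcribed from the listings above twice: once as a linear sweep, the way a disassembler first presents them, and once by following the real control flow through the call / pop / inc / push / retn sequence with a small stack model. The stub bytes are constructed from this page's listing; the starting EBX value 7FFDE000 is the one quoted above and nothing depends on it; the decoder deliberately handles only the opcodes this stub uses.

```python
"""Two views of the ASPack 2.12 entry stub: what a linear disassembly shows and
what actually executes through the call / pop / inc / push / retn trick."""
import struct

STUB_BASE = 0x00465001
# Constructed from the OllyDbg listings on this page.
STUB = bytes.fromhex(
    "60"             # 00465001 pushad
    "E803000000"     # 00465002 call 0046500A
    "E9"             # 00465007 decoy: E9 is the jmp rel32 opcode, never executed
    "EB04"           # 00465008 jmp short 0046500E (hidden behind the decoy byte)
    "5D"             # 0046500A pop ebp
    "45"             # 0046500B inc ebp
    "55"             # 0046500C push ebp
    "C3"             # 0046500D retn
    "E801000000"     # 0046500E call 00465014
    "EB"             # 00465013 decoy: EB is the jmp short opcode, never executed
    "5D"             # 00465014 pop ebp
    "BBEDFFFFFF"     # 00465015 mov ebx, -13
    "03DD"           # 0046501A add ebx, ebp
    "81EB00500600"   # 0046501C sub ebx, 65000
)


def decode(buf, base, addr):
    """Decode one instruction at virtual address addr -> (mnemonic, operand, length).
    Only the opcodes used by this stub are handled; anything else becomes 'db'."""
    off = addr - base
    op = buf[off]
    if op == 0x60:
        return ("pushad", None, 1)
    if op in (0xE8, 0xE9):
        rel = struct.unpack_from("<i", buf, off + 1)[0]
        return ("call" if op == 0xE8 else "jmp", (addr + 5 + rel) & 0xFFFFFFFF, 5)
    if op == 0xEB:
        rel = struct.unpack_from("<b", buf, off + 1)[0]
        return ("jmp short", (addr + 2 + rel) & 0xFFFFFFFF, 2)
    simple = {0x5D: "pop ebp", 0x45: "inc ebp", 0x55: "push ebp", 0xC3: "retn"}
    if op in simple:
        return (simple[op], None, 1)
    if op == 0xBB:
        return ("mov ebx,", struct.unpack_from("<I", buf, off + 1)[0], 5)
    if op == 0x03 and off + 1 < len(buf) and buf[off + 1] == 0xDD:   # modrm DD: add ebx, ebp
        return ("add ebx, ebp", None, 2)
    if op == 0x81 and off + 1 < len(buf) and buf[off + 1] == 0xEB:   # modrm EB: sub ebx, imm32
        return ("sub ebx,", struct.unpack_from("<I", buf, off + 2)[0], 6)
    return ("db", op, 1)


def fmt(ins):
    mnem, arg, _ = ins
    return mnem if arg is None else f"{mnem} {arg:X}"


def linear_sweep(buf, base):
    """What a disassembler shows when it decodes straight through the bytes."""
    out, addr, end = [], base, base + len(buf)
    while addr < end:
        ins = decode(buf, base, addr)
        out.append((addr, fmt(ins)))
        addr += ins[2]
    return out


def emulate(buf, base, ebx=0x7FFDE000, limit=100):
    """Follow the real control flow with a small stack model.
    Returns the executed (addr, text) trace and the final EBP and EBX."""
    eip, end, stack, ebp, trace = base, base + len(buf), [], 0, []
    while base <= eip < end and len(trace) < limit:
        mnem, arg, length = decode(buf, base, eip)
        trace.append((eip, fmt((mnem, arg, length))))
        nxt = eip + length
        if mnem == "pushad":
            stack.extend([0] * 8)          # the saved register values do not matter here
        elif mnem == "call":
            stack.append(nxt)
            nxt = arg
        elif mnem in ("jmp", "jmp short"):
            nxt = arg
        elif mnem == "pop ebp":
            ebp = stack.pop()
        elif mnem == "inc ebp":
            ebp = (ebp + 1) & 0xFFFFFFFF   # return address + 1: the decoy byte gets skipped
        elif mnem == "push ebp":
            stack.append(ebp)
        elif mnem == "retn":
            nxt = stack.pop()
        elif mnem == "mov ebx,":
            ebx = arg
        elif mnem == "add ebx, ebp":
            ebx = (ebx + ebp) & 0xFFFFFFFF
        elif mnem == "sub ebx,":
            ebx = (ebx - arg) & 0xFFFFFFFF
        eip = nxt
    return trace, ebp, ebx


def decoys(buf, base):
    """Addresses the sweep shows as instructions but flow never executes,
    and addresses flow executes that the sweep never shows."""
    sweep = {a for a, _ in linear_sweep(buf, base)}
    flow = {a for a, _ in emulate(buf, base)[0]}
    return sorted(sweep - flow), sorted(flow - sweep)


if __name__ == "__main__":
    for a, t in linear_sweep(STUB, STUB_BASE):
        print(f"sweep {a:08X}  {t}")
    trace, ebp, ebx = emulate(STUB, STUB_BASE)
    for a, t in trace:
        print(f"flow  {a:08X}  {t}")
    print(f"EBP={ebp:08X} EBX={ebx:08X} decoys/hidden={decoys(STUB, STUB_BASE)}")
```

The sweep reproduces OllyDbg's first listing exactly (jmp 45A354F7 at 00465007, jmp short 00465072 at 00465013), while the flow trace executes 00465008 and 00465014, which never appear in the sweep, and ends with EBP = 00465013 and EBX = 00400000, matching the values worked out above.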

jnz 0046539A: a long jump. Click the line at 0046539A and press F4 to run until it is reached.
0046539A    B8 84320500      mov eax, 53284        ; immediate: the RVA of the OEP
0046539F    50               push eax
004653A0    0385 22040000    add eax, dword ptr [ebp+422]   ; add the image base: EAX := 00453284 (nullform.00453284)
004653A6    59               pop ecx
004653A7    0BC9             or ecx, ecx
004653A9    8985 A8030000    mov dword ptr [ebp+3A8], eax   ; self-modifying code: the OEP is written into the instruction stream
                                                           ; destination: 00465013 + 3A8 = 004653BB, the immediate of the push below
004653AF    61               popad
004653B0    75 08            jnz short 004653BA
004653B2    B8 01000000      mov eax, 1
004653B7    C2 0C00          retn 0C
004653BA    68 00000000      push 0                ; this immediate is what gets patched
004653BF    C3               retn

Registers at 0046539A:
EAX 00000000
ECX 7C939AEB ntdll.7C939AEB
EDX 00400000 ASCII "MZP"
EBX 00000000
ESP 0012FFA4
EBP 00465013 nullform.00465013
ESI 004570F0 nullform.004570F0
EDI 004576EC nullform.004576EC
EIP 0046539A nullform.0046539A
C 0  ES 0023 32bit 0(FFFFFFFF)
P 1  CS 001B 32bit 0(FFFFFFFF)
A 0  SS 0023 32bit 0(FFFFFFFF)
Z 1  DS 0023 32bit 0(FFFFFFFF)
S 0  FS 003B 32bit 7FFDF000(FFF)
T 0  GS 0000 NULL
D 0
O 0  LastErr ERROR_NO_IMPERSONATION_TOKEN (0000051D)

Stack:
0012FFA4   7C930738   ntdll.7C930738
0012FFA8   FFFFFFFF
0012FFAC   0012FFF0
0012FFB0   0012FFC4

After mov dword ptr [ebp+3A8], eax has executed, the instructions below it read:
004653A9    8985 A8030000    mov dword ptr [ebp+3A8], eax
004653AF    61               popad
004653B0    75 08            jnz short 004653BA
004653B2    B8 01000000      mov eax, 1
004653B7    C2 0C00          retn 0C
004653BA    68 84324500      push 00453284         ; OEP
004653BF    C3               retn

Step with F8 through the push and the retn; the retn lands on the OEP. Dump here, done!
OllyDbg has not analysed this region yet, so it shows raw bytes:
00453284    55    db 55   ; CHAR 'U'
00453285    8B    db 8B
00453286    EC    db EC
00453287    83    db 83
00453288    C4    db C4
00453289    F0    db F0
0045328A    B8    db B8
0045328B    14    db 14
0045328C    31    db 31   ; CHAR '1'
0045328D    45    db 45   ; CHAR 'E'
0045328E    00    db 00
0045328F    E8    db E8
00453290    80    db 80
00453291    33    db 33   ; CHAR '3'
00453292    FB    db FB
00453293    FF    db FF
00453294    A1    db A1
00453295    20    db 20   ; CHAR ' '
00453296    4F    db 4F   ; CHAR 'O'
00453297    45    db 45   ; CHAR 'E'

These bytes decode to push ebp / mov ebp, esp / add esp, -10 / mov eax, 00453114 / call 00406614 / mov eax, dword ptr [00454F20], the usual entry prologue of a Delphi program (the "MZP" signature seen at the image base is the Borland linker's), so the OEP is genuine and the dump can be taken here.
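As an added example (my code, not the author's and not part of ASPack), the Python below reproduces on a copy of the stub tail what the packer does at 0046539A: it finds the OEP RVA in the mov eax / push eax / add eax, [ebp+422] sequence, performs the mov dword ptr [ebp+3A8], eax store and reads the patched push immediate back. It then runs the two sanity checks worth doing before dumping: that the bytes at the OEP begin with a push ebp / mov ebp, esp prologue, and that the first call from there lands inside the image below the packer stub. The stub bytes, the OEP bytes, the image base 00400000, EBP = 00465013 and the stub start 00465001 are all taken from this page; the "first E8 byte" scan is a heuristic that suffices for this prologue, not a disassembler.

```python
"""Recover the OEP the way the ASPack tail does, then sanity-check it."""
import re
import struct

IMAGE_BASE = 0x00400000   # what the stub stored at [ebp+422]; EDX pointed at its "MZP" header
EBP        = 0x00465013   # stub base register, as left by the pop ebp at 00465014
STUB_START = 0x00465001   # packer entry point; the original code lives below it
TAIL_BASE  = 0x0046539A

# End of the unpacking stub before it patches itself (constructed from the listing above).
TAIL = bytearray.fromhex(
    "B884320500"      # 0046539A mov eax, 53284            ; OEP RVA
    "50"              # 0046539F push eax
    "038522040000"    # 004653A0 add eax, [ebp+422]        ; + image base
    "59"              # 004653A6 pop ecx
    "0BC9"            # 004653A7 or ecx, ecx
    "8985A8030000"    # 004653A9 mov [ebp+3A8], eax        ; patches the push below
    "61"              # 004653AF popad
    "7508"            # 004653B0 jnz short 004653BA
    "B801000000"      # 004653B2 mov eax, 1
    "C20C00"          # 004653B7 retn 0C
    "6800000000"      # 004653BA push 0                    ; immediate gets overwritten
    "C3"              # 004653BF retn
)
# First 20 bytes at the OEP, constructed from the db listing above.
OEP_BYTES = bytes.fromhex("558BEC83C4F0B814314500E88033FBFFA1204F45")

# mov eax, imm32 / push eax / add eax, dword ptr [ebp+422]
OEP_SEQ = re.compile(rb"\xB8(.{4})\x50\x03\x85\x22\x04\x00\x00", re.DOTALL)


def find_oep_rva(code):
    """The imm32 of the mov eax that feeds add eax, [ebp+422] is the OEP RVA."""
    m = OEP_SEQ.search(code)
    if m is None:
        raise ValueError("OEP computation sequence not found")
    return struct.unpack("<I", m.group(1))[0]


def apply_self_patch(code, code_base, ebp, value):
    """Perform `mov dword ptr [ebp+3A8], eax` on our copy of the stub and return
    the patched address. Refuses unless the byte before the destination is 68
    (push imm32), which is exactly what the stub relies on."""
    dest = ebp + 0x3A8
    off = dest - code_base
    if not (1 <= off <= len(code) - 4) or code[off - 1] != 0x68:
        raise ValueError(f"no push imm32 immediate at {dest:08X}")
    struct.pack_into("<I", code, off, value)
    return dest


def push_imm_at(code, code_base, addr):
    off = addr - code_base
    if code[off] != 0x68:
        raise ValueError(f"no push imm32 at {addr:08X}")
    return struct.unpack_from("<I", code, off + 1)[0]


def recover_oep(tail, tail_base, ebp, image_base):
    """Compute the OEP, patch it into the push, read it back: what the stub does."""
    code = bytearray(tail)
    oep = image_base + find_oep_rva(code)
    patched = apply_self_patch(code, tail_base, ebp, oep)
    return push_imm_at(code, tail_base, patched - 1)


def first_call_target(oep, code):
    """Target of the first E8 (call rel32) in the OEP bytes, or None.
    Heuristic: takes the first E8 byte, which is fine for this prologue."""
    i = code.find(b"\xE8")
    if i < 0 or i + 5 > len(code):
        return None
    rel = struct.unpack_from("<i", code, i + 1)[0]
    return (oep + i + 5 + rel) & 0xFFFFFFFF


def check_oep_bytes(oep, code, image_base, stub_start):
    """Before dumping: push ebp / mov ebp, esp prologue, and the first call
    goes somewhere inside the image below the packer stub."""
    if code[:3] != b"\x55\x8B\xEC":
        return False
    target = first_call_target(oep, code)
    return target is not None and image_base <= target < stub_start


if __name__ == "__main__":
    oep = recover_oep(TAIL, TAIL_BASE, EBP, IMAGE_BASE)
    print(f"OEP = {oep:08X}, first call -> {first_call_target(oep, OEP_BYTES):08X}, "
          f"plausible = {check_oep_bytes(oep, OEP_BYTES, IMAGE_BASE, STUB_START)}")
```

The patch refusing to write anywhere but over a push imm32 immediate is the check a practitioner wants: if ASPack's data layout had changed (a different offset at [ebp+3A8]), the script fails loudly instead of producing a wrong OEP.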

 
