Unpacking methods and techniques for common packers

Source: Internet
Author: User

From: http://www.bllll.com/thread-43439-1-1.html


This article is a summary of the unpacking notes I kept in my notebook while learning to unpack by hand. It covers the unpacking methods for a number of packers and, most importantly, records for each packer which method is the quickest and least laborious. Since these are notes, the order may be messy; moving them word by word from the notebook to the computer was no small effort.

First, let me explain a few terms, so that friends who are new to unpacking do not have to spend their time on Baidu and Google looking them up.

Common unpacking knowledge:
1. pushad (push all registers) marks the entry point of the packed program, i.e. the start of the packer stub.
2. popad (pop all registers) marks the exit point of the stub and pairs with pushad. Finding it usually means the OEP is nearby.
3. OEP: the original entry point of the program. When a program is packed, the OEP is hidden (or a fake OEP is used);
as soon as we find the real OEP, we can dump the program.

Several unpacking methods:
Method 1: single-step tracing
Method 2: the ESP trick
Method 3: the memory image (memory breakpoint) method
Method 4: the exit-point (popad) method
Method 5: the last-exception method
Method 6: the lazy method (SFX auto-trace)

The concrete steps for each of these methods are given at the very end of the article; check there if you want the details. It saves time.
==================================================

Part 2: points to note

When unpacking with the ESP trick, if there is a key hint (such as pushw or pushad), take the ESP value on the line right after the hint.

The lazy method works on compression packers; it does nothing against encryption packers.

When setting up the lazy method, note the following (the simple setup steps are detailed at the end of the article):

1. First, ignore all exceptions. // Ignoring all exceptions is required.
2. Settings: "Debugging options" → "SFX" → "Trace real entry bytewise (very slow)".
3. Load the program. // When the loaded program stops, the address at which it stopped is the address to dump the unpacked file from.

HR command: "HR" sets a hardware breakpoint on access to the given address. When unpacking with the ESP trick, this is what most people use.

==================================================

Part 3: the body of the notes, the backbone of this article!

Section 1: unpacking ezip 1.0 by hand

Because this packer modifies the PE header, a dump made with OD will not run even after it is fixed. The simplest approach is therefore to dump with LordPE. Steps:

First, run the target program normally (not in OD; double-click it as usual) → select the target's process in the LordPE process list → right-click and choose "dump full". Finally, repair the imports with ImportREC.

Section 2: unpacking wwpack by hand

This packer behaves like ezip 1.0 above: a dump made with OD and repaired with ImportREC still will not run. Therefore LordPE should be used for the dump.

Steps: select the target's process in the LordPE process list → right-click and choose "dump full". Then repair with ImportREC. It still fails to run!

The key is the "Rebuild PE" repair function provided by LordPE: rebuild the PE header, and the program runs after the rebuild!

Section 3: a shortcut for unpacking UPX

Use the "key hint" we have already mentioned.

Specific operation: after loading the program in OD, press Ctrl+F and enter popad; click "OK" to locate the instruction. Press F2 (breakpoint), then F9 (run). After it stops, press F2 to remove the breakpoint, then single-step with F8!

Section 4: unpacking aspck

The ESP trick is relatively quick for this packer. After loading the program, you can take the ESP value at the second line (a call). // For most programs, the second line of the stub is a call.

In OD's command line (bottom-left corner), enter hr followed by the ESP address (for example HR 0012ffa4) and press F9 to run. Then delete the breakpoint under "Hardware breakpoints" in OD's "Debug" menu. This is very important! Finally, single-step with F8!

Section 5: using the memory image method to unpack FSG 1.33 and pcshrink

1. Ignore all exceptions.
2. Alt+M to open the memory map and find the first ".rsrc".
3. F2 (breakpoint) and F9 (run).
4. Alt+M to open the memory map again and find the "code" section.
5. F2 (breakpoint), then Shift+F9 [this must be remembered: run with Shift+F9 here].
6. Press F8, then F4.

Section 6: the simplest way to unpack jdpack and pepack 1.0

The memory image method is recommended.

I found the ESP trick to be about as fast as single-step tracing here, so I do not recommend it for jdpack. For pepack 1.0, on the other hand, the ESP trick is the quickest way to unpack.

Section 7: simple methods for unpacking pediminisher, dxpack 0.86, 32lite 0.03a and petite 2.2 by hand

For pediminisher and dxpack 0.86, the ESP trick described earlier unpacks both completely. Command: [hr <esp address>].

If you use the ESP trick on 32lite 0.03a, you must repair the result with ImportREC. For example, enter 10d50 in the input box for 001_d50.

When unpacking petite 2.2 with the ESP trick, we recommend taking the ESP value at the line right after pushad.

Section 8: unpacking exestealth 2.72

By this point we may be hooked on the ESP trick. Let me remind you that exestealth 2.72 is easiest to unpack with the "lazy method" mentioned at the beginning. For the specific steps, refer to Part 2 of this article.

Section 9: unpacking nspack (Beidou) 1.3 by hand

1. ESP trick, command: hr <esp address> [the program will not run normally after the dump].
2. Repair with ImportREC; after the repair the program runs normally.

Section 10: an alternative trick for unpacking ASPack 2.12r

Ctrl+S and search for: retn 0C [there is a space between retn and 0C]. Find it and look at the lines below it:

retn 0C
push 0 // below retn 0C
retn // press F2 (breakpoint) on this line, then F9 (run)

After it stops, press F8 (single step) and then F7 (step into). Hard to follow? Never mind; I could not follow it either, so I prepared the detailed steps below (this is an excerpt from one program):

After the program breaks, you will be here:

0046b3b8 C2 0C00 retn 0C // start pressing F8 (single step)
0046b3b9 68 64584500 push registra.00455864 // 00455864 here is the OEP
0046b3c0 C3 retn // F7 (step into) lands at the OEP

Note: this packer cannot be unpacked directly with the ESP trick.
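The ImportREC step in Section 7 and the OEP found in the ASPack walkthrough above both hinge on the same PE arithmetic: the debugger shows virtual addresses, while ImportREC wants the OEP as an RVA, and a packed file has its header entry point in the stub section rather than in the original code section. The following is an added Python example, not code from the original notes or from any of the tools they name: it parses a minimal PE32 header, converts a VA to the RVA ImportREC expects, and flags an entry point that lies outside the first code section. The PE layout and the ".stub" section name are constructed for the example.

```python
import struct
CODE_FLAGS = 0x20 | 0x20000000   # IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE
SEC_FMT = "<8sIIIIIIHHI"         # IMAGE_SECTION_HEADER, 40 bytes

def build_pe(image_base, entry_rva, sections):
    """Assemble a minimal PE32 header (constructed test data, not a real binary)."""
    dos = bytearray(b"MZ" + bytes(62))                     # 64-byte DOS header
    struct.pack_into("<I", dos, 0x3C, 64)                  # e_lfanew -> NT headers
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)                                   # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                  # Magic
    struct.pack_into("<I", opt, 16, entry_rva)             # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, image_base)            # ImageBase
    table = b"".join(struct.pack(SEC_FMT, n.encode(), vs, va, 0, 0, 0, 0, 0, 0, ch)
                     for n, va, vs, ch in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table

def parse_pe(data):
    """Return (ImageBase, AddressOfEntryPoint, [(name, va, vsize, flags), ...])."""
    nt = struct.unpack_from("<I", data, 0x3C)[0]
    if data[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, opt_size = (struct.unpack_from("<H", data, nt + o)[0] for o in (6, 20))
    opt = nt + 24
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    secs = []
    for i in range(nsec):
        name, vs, va, *_, ch = struct.unpack_from(SEC_FMT, data, opt + opt_size + 40 * i)
        secs.append((name.rstrip(b"\0").decode(), va, vs, ch))
    return image_base, entry_rva, secs

def section_of(secs, rva):
    # Name of the section whose virtual range contains rva, or None.
    return next((n for n, va, vs, _ in secs if va <= rva < va + vs), None)

def oep_for_importrec(image_base, oep_va):
    """ImportREC takes the OEP as an RVA: the VA seen in the debugger minus ImageBase."""
    return oep_va - image_base

def packer_stub_suspected(data):
    """True when the header entry point lies outside the first code section, the
    layout every method above works past: execution starts in the stub, not at the OEP."""
    _, entry_rva, secs = parse_pe(data)
    first_code = next((n for n, _, _, ch in secs if ch & CODE_FLAGS), None)
    return section_of(secs, entry_rva) != first_code

# Constructed layout echoing the ASPack walkthrough: stub at VA 0046B3B8, OEP at VA 00455864 (".stub" is made up).
PACKED = build_pe(0x400000, 0x6B3B8, [(".text", 0x1000, 0x60000, 0x60000020),
                                      (".rsrc", 0x61000, 0x8000, 0x40000040),
                                      (".stub", 0x69000, 0x3000, 0xE0000060)])
```

With the constructed image, oep_for_importrec(0x400000, 0x455864) yields 0x55864, which falls in .text, while the header entry point falls in .stub and is flagged.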

==================================================

Detailed procedures for the methods

Method 1: single-step tracing
1. Load the program in OD; do not let it analyze the code!
2. Single-step with F8, following the jumps downward.
3. When the program jumps back upward (loops included), press F4 on the next instruction below (or right-click the instruction and choose Breakpoint → Run to selection).
4. A grey line means the jump is not taken; ignore it. A red line means the jump is taken!
5. If there is a call right after loading, step into it with F7; this gets to the program's OEP quickly.
6. While tracing, if executing a call would run the program, step into it with F7.
7. There is usually a big jump, such as JMP xxxxxx or JE xxxxxx, or a retn that lands at the OEP.

Let's check whether it runs. The program here is a Microsoft Visual Basic 5.0/6.0 program.

Next, let's look at the second method.
 

Method 2: the ESP trick (ESP is shown in OD's register pane; we only need to set a hardware access breakpoint on the address it holds from the command line, and we arrive at the program's OEP)
1. Press F8 once after loading in OD, and watch the ESP register in the register pane at the top-right of OD.
2. In the command line: dd 0012ffa4 (0012ffa4 being the current ESP value), then press Enter!
3. In the dump window, select that address and set a hardware access breakpoint (word).
4. Press F9 to run; the program stops right at the big jump. Press F8 to reach the program's OEP and dump it.
 
It runs, which shows that the unpacking succeeded. The third method follows.

Method 3: the memory image method
1: Open the program in OD!
2: Click "Options" → "Debugging options" → "Exceptions", tick all the ignore boxes, then press Ctrl+F2 to reload the program.
3: Press Alt+M to open the memory map and find the first .rsrc; press F2 on it to set a breakpoint, then Shift+F9 to run to the breakpoint. Then press Alt+M again, find the code section above .rsrc, press F2 on it to set a breakpoint, then Shift+F9, and you arrive directly

at the program's OEP. Dump.

I don't know why my machine does not arrive at the OEP directly; it may be a system problem. I had to set the breakpoint several times here.

It runs as well. See the next method.

Method 4: the exit-point (popad) method
Reach the OEP in one step (experience accumulated by our predecessors)
1. Right at the start press Ctrl+F and enter popad (this only applies to a few packers, ASPack among them), then press F2 and F9 to run there.
2. Walk to the big jump, press F8, and the program is unpacked.

Run it. See the next method.

Method 5: the last-exception method (I cannot demonstrate this method on my PC, probably because of a system problem, but you can find the OEP by following the steps below)
1: Open the program in OD.
2: Click "Options" → "Debugging options" → "Exceptions", untick all the boxes, then press Ctrl+F2 to reload the program.
3: Press Shift+F9 repeatedly until the program runs, and write down how many presses it took from the start until the program ran.
4: Press Ctrl+F2 to reload the program and press Shift+F9 (that count minus one) times.
5: In the lower-right corner of OD you can see the SE handler. Press Ctrl+G and go to the address shown next to the SE handler!
6: Press F2 to set a breakpoint, then Shift+F9 to run to it!
7: Remove the breakpoint and step down slowly with F8.
8: Reach the program's OEP and dump.

The last method

Method 6: the lazy method (this method is slow, so I will not demonstrate it here; you can follow the steps below to find the OEP)
1. Load the program in OD.
2. Click "Options" → "Debugging options" → "SFX".
3. Select "Trace real entry bytewise (very slow)".
4. Reload the program.
5. OD starts tracing the entry point automatically.
6. It lands directly at the OEP; dump (applies to a few packers).

==================================================
