This note was organized from the early ximo basic unpacking video tutorial. The tools used in this note:
http://download.csdn.net/detail/obuyiseng/9466056
Introduction: the FSG shell is a compression shell. Nine unpacking methods are used here.
Tools: ExeinfoPE or PEiD, OD (OllyDbg), LordPE, ImportREConstructor
File to unpack: 05.pecompact2.x shell.rar
1. Single-step method: while single-stepping, we find two calls that make the program run away ("fly"). At those places we have to step into the call instead of over it, and then keep stepping below it.
At the first call that runs away, do not step over it; step into it.
At the second call that runs away, do not step over it; step into it.
Keep single-stepping and you reach the OEP.
2. ESP law: single-step to this point, follow ESP in the data (dump) window, set the breakpoint there, then single-step trace; refer to the previous note for the details.
3. BP VirtualFree method: first set the breakpoint with bp VirtualFree.
Then Shift+F9 to run, then press F2 to remove the breakpoint.
Then Alt+F9 to execute until user code.
Ctrl+F and search for push 8000 (the signature).
Set a breakpoint on it with F2, Shift+F9 to run to it, then remove the breakpoint.
Then single-step and you will reach the OEP.
4. Likewise, first set the bp VirtualFree breakpoint.
Then press Shift+F9 twice.
Then remove the breakpoint, and Alt+F9 to execute until user code.
Then single-step and you will reach the OEP.
5. 1. After loading the program, you will see that the first line, at address 0040a86d, is: 0040a86d > B8 74de4500 mov eax,qqspirit.0045de74
2. Set a breakpoint at that address: bp 0045de74
3. Then Shift+F9 to run, and remove the breakpoint.
4. Set a breakpoint on the line after RETN, then Shift+F9 to run, and remove the breakpoint:
0045de74 B8 F9CB45F0 mov eax,F045CBF9
0045de79 8D88 9E120010 lea ecx,dword ptr ds:[eax+1000129E]
0045de7f 8941 01 mov dword ptr ds:[ecx+1],eax
0045de82 8B5424 04 mov edx,dword ptr ss:[esp+4]
0045de86 8B52 0C mov edx,dword ptr ds:[edx+C]
0045de89 C602 E9 mov byte ptr ds:[edx],0E9
0045de8c 83C2 05 add edx,5
0045de8f 2BCA sub ecx,edx
0045de91 894A FC mov dword ptr ds:[edx-4],ecx
0045de94 33C0 xor eax,eax
0045de96 C3 retn
0045de97 B8 78563412 mov eax,12345678 ; set the breakpoint here
5. Then single-step and you will reach the OEP.
6. 1. Set the bp VirtualAlloc breakpoint, then Shift+F9 to run, and remove the breakpoint.
2. Alt+F9 to execute until user code, scroll down and you will see a jmp; run to it.
3. Then single-step.
7. Last-exception method. 1. Options -> Debugging options -> Exceptions: uncheck all exceptions.
2. Then reload the program.
3. Press Shift+F9; we find that the second Shift+F9 makes the program run. (This is why it is called the last-exception method: we use the last exception. If pressing Shift+F9 M times lets the program run, then after reloading the program we only need to press Shift+F9 M-1 times.)
4. Because it runs on the second press, we press Shift+F9 once, then find the SE handler in the stack window.
5. Then we go to 0045de74 and set a breakpoint on the line after RETN (the same listing as in method 5).
6. Shift+F9 to run to this location, remove the breakpoint, then single-step.
Note:
If the last-exception method cannot be used to remove this strong shell (a single Shift+F9 makes the program run directly), the fix is as follows:
in the OD plugin StrongOD -> Options, uncheck the Skip Some Exceptions option, restart OD and try again.
When you are done, restore the exception settings and the Skip Some Exceptions option.
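As an added example that is not part of the original note, here is a Python model of what the handler at 0045de74 (used in methods 5 and 7) does, with 32-bit wraparound: it shows that ecx resolves to 0045de97, the line after RETN, and that the handler rewrites the faulting instruction into a jmp to that line, which is why a breakpoint there is hit. The fault address 0040A900 is a constructed sample value, and reading [esp+4] as the EXCEPTION_RECORD pointer (ExceptionAddress at offset 0C) is an assumption from the standard SEH handler convention.

```python
import struct

MASK32 = 0xFFFFFFFF

# Constants taken from the handler listing at 0045de74 in the note.
HANDLER_EAX = 0xF045CBF9      # mov eax,F045CBF9
HANDLER_DISP = 0x1000129E     # lea ecx,[eax+1000129E]
LINE_AFTER_RETN = 0x0045DE97  # "mov eax,12345678", where the note sets the breakpoint


def handler_target():
    """ecx = eax + disp with 32-bit wraparound, exactly as the lea computes it."""
    return (HANDLER_EAX + HANDLER_DISP) & MASK32


def emulate_handler(code, exception_address):
    """Replay the handler's memory writes on `code`, a dict {address: byte}.
    exception_address stands for [[esp+4]+0C] (assumed EXCEPTION_RECORD.ExceptionAddress).
    Returns the address the CPU resumes at (eax=0 means continue execution there)."""
    ecx = handler_target()
    # mov [ecx+1],eax : overwrite the imm32 of "mov eax,12345678" at 0045de97
    for i, b in enumerate(struct.pack("<I", HANDLER_EAX)):
        code[ecx + 1 + i] = b
    edx = exception_address
    code[edx] = 0xE9                  # mov byte [edx],E9  (jmp rel32 opcode)
    edx = (edx + 5) & MASK32          # add edx,5
    rel = (ecx - edx) & MASK32        # sub ecx,edx  -> rel32 relative to end of jmp
    for i, b in enumerate(struct.pack("<I", rel)):
        code[edx - 4 + i] = b         # mov [edx-4],ecx
    return exception_address          # xor eax,eax ; retn


def jmp_destination(code, at):
    """Decode the E9 rel32 jump at `at` and return its absolute target."""
    if code.get(at) != 0xE9:
        raise ValueError("no jmp rel32 at %08X" % at)
    rel = struct.unpack("<I", bytes(code[at + 1 + i] for i in range(4)))[0]
    return (at + 5 + rel) & MASK32


def patched_imm32(code):
    """The immediate now stored in the mov eax at 0045de97."""
    return struct.unpack("<I", bytes(code[LINE_AFTER_RETN + 1 + i] for i in range(4)))[0]


if __name__ == "__main__":
    code = {}
    FAULT = 0x0040A900  # constructed sample: the address of the deliberate fault
    resume = emulate_handler(code, FAULT)
    print("handler target : %08X" % handler_target())
    print("resume at %08X -> jmp to %08X" % (resume, jmp_destination(code, resume)))
    print("mov eax imm32  : %08X" % patched_imm32(code))
```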
8. Two-pass memory breakpoint method. 1. In the memory window, locate the first .rsrc section, set a breakpoint on it with F2, and run.
2. Locate it again in the memory window and set the breakpoint again.
3. Then single-step; when you encounter RETN, set a breakpoint on the line after the RETN, then single-step.
9. GetVersion method.
1. Because the program is written in C++, you can set a breakpoint at GetVersion.
2. Set a breakpoint on the RETN and run.
3. Then remove the breakpoint, single-step once, scroll up and you will see the OEP.
Simple unpacking tutorial notes (7): manually removing the PECompact 2.x shell