Summary of manual Mole Box Shell removal, molebox shell practice

Summary of manual Mole Box Shell removal, molebox shell practice

Author: Fly2015

This program is a shell program that I love to crack the shell practice 8th. The shell of this program is the MoleBox V2.6.5 shell. These are advertisements and can be ignored directly. The previous manual Mole Box V2.6.5 shell removal blog has provided a stupid shell removal method. When fixing the IAT table of the shell removal program, the solution is to manually record the system API address and then manually restore the encrypted system API. The following describes how to fix IAT tables in a slightly better way.

 

Review the previous steps of finding the original OEP of the shelling program.

The ESP law is used to shell the shell program. After the hardware write breakpoint is broken, the F7 address is 0046997B3 in one step, it is found that the eax in the Call EAX command is saved as the VA address 0045159C of the real OEP of the shelling program.

The real OEP of the shelling program is found, but the OD plug-in OllyDump, Load PE + ImportREC, or Scylla_x86 is used to shell the program, and then run the program. The program running after shelling is found to have an error.

Then find out the reason. It turns out that some function API addresses are encrypted, and the specific function is encrypted. Obviously, the function address of the system API stored at address 00455170 is the first encrypted processing (for details about how to find the IAT table, refer to the previous blog ).

Ctrl + F2 debug the analysis program dynamically again. To find out how the function in the IAT table is encrypted, you need to write the Dword-type hardware breakpoint at address 00455170, after F9 for four times, the address 00455170 is displayed as the address of the function of the encrypted system API ,. The address of the system API function obtained by calling the GetProcAddress function is saved to ds: [ECX]. It is worth noting that.

The F8 single-step debugging program takes several steps and finds that function 00471620 called at address 00470F42 is used to encrypt the system API in the IAT table.

Follow up function 00471620 in one step and find that the function address at ds: [ECX] has been modified by means of replacement.

OK. When the program calls functions in the encrypted IAT table, the final function calls the system API, that is, it only adds the called proxy function to the system API. In this case, the code for modifying the system API function in the IAT table is sent to path, that is, NOP.

Change mov dword ptr ds: [ecx], the assembly code for modifying the function call address in the IAT table, eax to two nop commands, and then F8 to run the program in one step. No problem.

F9 runs the program. Because the hardware writing breakpoint is still in accordance with the ESP Law, the program will be disconnected from the set hardware writing breakpoint. F8 can find the program's real OEP in a few steps ,.

Obviously, the VA address of the real OEP of the shelling program is 0045159C, And F7 follows up with the OEP. Tool, use Load PE combined with ImportREC or Scylla_x86 (cut out invalid function pointers) to perfectly shell the shelling program.

Run the program after shelling to verify that shelling is successful.

Manual Mole Box Shell removal summary document and shelling procedures: http://download.csdn.net/detail/qq1084283172/8908073

Copyright Disclaimer: This article is an original article by the blogger and cannot be reproduced without the permission of the blogger.