[Article Title]: Safengine Shielden 2.00 full-protection unpacking summary (delphi_cm)
[Author]: justhxy
[Author mailbox]: justhxy@126.com
[Author Home Page]: http://hi.baidu.com/justhxy
[Author's QQ number]: 798489503
[Software name]: delphi crackme
[]: search for and download it yourself
[Protection method]: shielden 2.00
[Programming language]: delphi
[Tools]: od + sod + loadpe + impr (OllyDbg, StrongOD, LordPE, ImportREC)
[Operating platform]: Win Xp
[Author's statement]: I do this purely out of interest and for no other purpose. If there are errors, please point them out!
--------------------------------------------------------------------------------
[Detailed process]
1. A newbie just learning; nothing more is meant by this.
2. In SE's official terms, this is the "entry-level" encryption.
3. The same method works for version 2.03, but some of it is better worked out and summarized by yourself.
4. nooby is very capable and hard-working; every update raises the difficulty. Thanks to him for making the best shell (ps: I hate people who are both better than me and work harder than me, 5555).
Main content: bypassing the debugger detection + IAT repair + anti-anti-dump
Anyone who has debugged Shielden or SE knows that the current version has a feature called "dynamic self-verification" (a runtime integrity check). It directly causes any patch to the protected program not to take effect.
So there are only three ways to crack a program protected by Shielden: kill the checking thread, change the check value, or unpack it. I did not test the first two; they would be very troublesome, and who knows how many hidden traps are waiting for us (how could anything of nooby's be that simple). Unpacking is different: once the shell is off you can do whatever you want ~~
First, let's look at the options I selected (every protection-related option was enabled):
[Screenshots 1.jpg, 2.jpg, 3.jpg: the selected Shielden protection options (forum attachments)]
Anti-debugging part:
Not much to say here: OD + StrongOD (sod) handles Shielden's anti-debugging. If your OD still gets detected, check the following:
1. The OD interface (the window title and class strings a shell can look for)
2. Ctrl+F2 (restarting the process under the debugger)
3. NtSetInformationThread (the ThreadHideFromDebugger trick)
4. The password and "hide process" options in StrongOD's configuration
Shielden 2.00 mainly relies on sexx.tmp, so as long as you get past that file, the rest can basically be ignored. (I originally planned to dump this file out and read its code, but the code was so disgusting that I gave up, alas.)
If you cannot get past the debugger detection, stop here; nothing below will work.
1. Getting near the OEP quickly:
Why near the OEP rather than at the OEP itself? First, by the time execution is near the OEP the shell's initialization is complete, and all the dump needs is that this initialized state is not changed afterwards. Second, the first byte at the OEP is stolen, so you cannot stop exactly at the OEP anyway; stopping a little before or after it causes no problem. Why make it harder on yourself?
Don't try to break on GetModuleHandleA near the OEP; it will not break. After reading this article and thinking it through, you will understand why.
With OD + StrongOD and nothing else done, hardware breakpoints and memory breakpoints will not work, but an ordinary (INT3) breakpoint is not detected as long as you pick the right moment, so ordinary breakpoints are all we need.
Picking that moment, however, is manual work. The experts have their own good methods for it; I have always used the F7 (single-step) method. Here is the signature I use (complexity 254):
8A 02 88 01 41 42    (mov al,[edx] / mov [ecx],al / inc ecx / inc edx: a byte-copy loop)
The specific steps are as follows:
Set a breakpoint on VirtualProtect and count how many times it breaks, n, before the error (the detection) pops up; then on the next run stop at the (n-1)th hit.
(This step may be unnecessary. I think it is probably possible to get near the OEP without being detected; you can try it yourself. I ran the script again and analyzed it; the code is really annoying.)
Find the address of the signature and set an F2 (INT3) breakpoint on it.
F9.
The next steps split into two cases. First case: you already know where the OEP is. Break directly on the second instruction after the OEP and F9 will take you there smoothly. If you do not know the OEP, do the following.
After the break, press Alt+M to open the memory window and search all of memory for
8BFF558BEC837D080074 ?? FF7508E8 ???????? 85C074 ?? FF7004E8 ???????? 5dc2040064a118001168b40308b4008eb
(This is the body of kernel32!GetModuleHandleA on XP: mov edi,edi / push ebp / mov ebp,esp / cmp [ebp+8],0 / jz / push [ebp+8] / call / test eax,eax / jz / push [eax+4] / call / pop ebp / ret 4, followed by the hModule==NULL path mov eax,fs:[18h] / mov eax,[eax+30h] / mov eax,[eax+8] / jmp. The tail as printed here has an odd number of hex digits, so check it against your own kernel32 before searching. Searching the whole address space finds every copy of this code, not only the one inside kernel32.)
Set breakpoints on every address found, then F9.
Single-step a few times. When you return to the code section, if you know the OEP characteristics of the various compilers you will recognize that you are near the OEP (if not, F9 and repeat a few more times).
At the OEP: set the new EIP there (OD's "New origin here") and dump.
On to stage two: repairing the IAT.
Repairing the IAT:
I think the IAT encryption is the highlight of this shell; it is very well done. I followed it step by step for a long time, with a lot of pain, 5555555555.
First find the calls that invoke the APIs; the immediate targets of these calls lie in the shell's section.
Then find the real API.
Use this pattern (complexity 254):
97 8B 55 0C    (xchg eax,edi / mov edx,[ebp+0Ch])
Once the address is found, set an F2 breakpoint on it and F9; when the program breaks you will see the real API function, and the rest needs no explanation.
After the repair, run UIF (Universal Import Fixer) over the import table, then dump and fix the imports with ImportREC. At this point the shell is off; what remains is the anti-dump.
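The three signatures above (the byte-copy loop near the OEP, the GetModuleHandleA body with `??` wildcards, and the IAT stub) are all found the same way: a wildcard byte search over memory. The following is an added example of that search, my own code rather than the author's or Safengine's; the "memory" it scans is a constructed 4 KiB region, the base address 0x00400000 is arbitrary, and the odd-length tail of the GetModuleHandleA pattern has been replaced with the standard bytes of `mov eax,fs:[18h] / mov eax,[eax+30h] / mov eax,[eax+8] / jmp`, which is my reading of it and an assumption. The sample region holds the GetModuleHandleA body twice, so the scan returns two addresses, which is why the steps above say to break on every hit rather than only on kernel32's copy.

```python
"""Wildcard byte-signature search over a memory dump (added example, not the post's tool)."""
import re

# The three signatures the post uses. The GetModuleHandleA one is printed in the post
# with an odd-length tail; here the tail is the XP bytes for mov eax,fs:[18h] /
# mov eax,[eax+30h] / mov eax,[eax+8] / jmp (my reading of it, an assumption).
SIGNATURES = {
    "copy loop": "8A 02 88 01 41 42",      # mov al,[edx]; mov [ecx],al; inc ecx; inc edx
    "IAT stub":  "97 8B 55 0C",            # xchg eax,edi; mov edx,[ebp+0Ch]
    "GetModuleHandleA body":
        "8BFF558BEC837D080074 ?? FF7508E8 ???????? 85C074 ?? FF7004E8 ???????? "
        "5DC20400 64A118000000 8B4030 8B4008 EB",
}


def parse_signature(sig):
    """Turn "8BFF ?? 55" (spaces optional) into (pattern, mask); mask 0xFF = fixed byte."""
    tokens = re.findall(r"\?\?|[0-9A-Fa-f]{2}", sig)
    if "".join(tokens) != re.sub(r"\s+", "", sig):
        raise ValueError("malformed signature (odd digit count or stray characters): %r" % sig)
    pattern = bytes(0 if t == "??" else int(t, 16) for t in tokens)
    mask = bytes(0 if t == "??" else 0xFF for t in tokens)
    return pattern, mask


def scan(buf, sig, base=0):
    """Return every address (base + offset) in buf where sig matches, wildcards ignored."""
    pattern, mask = parse_signature(sig)
    n = len(pattern)
    hits = []
    for off in range(len(buf) - n + 1):
        if all(m == 0 or buf[off + j] == p for j, (p, m) in enumerate(zip(pattern, mask))):
            hits.append(base + off)
    return hits


def locate_signatures(mem, base=0x00400000):
    """Scan one region for all three signatures at once."""
    return {name: scan(mem, sig, base) for name, sig in SIGNATURES.items()}


def constructed_memory():
    """Fake 4 KiB region (constructed, not dumped from a process): the GetModuleHandleA
    body twice (the kernel32 copy and a copy the shell keeps elsewhere, with different
    call displacements), a byte-copy loop and an IAT stub. Filler is INT3 (0xCC)."""
    mem = bytearray(b"\xCC" * 0x1000)
    gmh = ("8BFF558BEC837D080074 0A FF7508E8 {} 85C074 05 FF7004E8 {} "
           "5DC20400 64A118000000 8B4030 8B4008 EB 10")
    mem[0x100:0x100 + 49] = bytes.fromhex(gmh.format("11223344", "55667788"))
    mem[0x900:0x900 + 49] = bytes.fromhex(gmh.format("AABBCCDD", "EEFF0011"))
    mem[0x500:0x500 + 9] = bytes.fromhex("8A0288014142 4F 75F8")   # ...; dec edi; jnz loop
    mem[0x700:0x700 + 4] = bytes.fromhex("978B550C")
    return bytes(mem)


if __name__ == "__main__":
    for name, hits in locate_signatures(constructed_memory()).items():
        print("%-22s %s" % (name, ", ".join("%08X" % a for a in hits) or "(none)"))
```

Feed `scan()` a region read from the debugger (or a raw dump) with its real base address and the addresses it returns are the ones to put F2 breakpoints on; a malformed signature such as the odd-length tail is rejected up front instead of silently matching the wrong bytes.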
Anti-dump:
The mighty nooby's anti-dump tampers with the image header (the image size). Alas, we newbies suffer ~~
Shielden's anti-dump touches four header fields: PointerToSymbolTable and NumberOfSymbols in the COFF file header, and the resource table address and size (the IMAGE_DIRECTORY_ENTRY_RESOURCE entry in the optional header's data directory). Clear the first two and set the last two back to their correct values.
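As an added example of that last step (my own code, not the author's or Safengine's), the script below locates the four fields in a PE header, zeroes the two symbol-table fields and rewrites the resource directory entry. It assumes the correct resource table address and size are the VirtualAddress and VirtualSize of the section named `.rsrc`; the post does not say where the correct values come from, so verify them against the original binary or a resource viewer. The header it operates on is a constructed PE32 header with bogus values in all four fields, not a real dump.

```python
"""Undo the PE-header tampering this post attributes to Shielden's anti-dump
(added example, not the post's or Safengine's code)."""
import struct

SECTION_HEADER_FMT = "<8sIIIIIIHHI"                 # IMAGE_SECTION_HEADER, 40 bytes
SECTION_HEADER_SIZE = struct.calcsize(SECTION_HEADER_FMT)
RESOURCE_DIR_INDEX = 2                               # IMAGE_DIRECTORY_ENTRY_RESOURCE


def _locate(data):
    """Return (pe_off, nsections, datadir_off, nrva_and_sizes, section_table_off)."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    pe = struct.unpack_from("<I", data, 0x3C)[0]                   # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsections = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24                                                   # optional header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                                              # PE32
        nrva, datadir = struct.unpack_from("<I", data, opt + 92)[0], opt + 96
    elif magic == 0x20B:                                            # PE32+
        nrva, datadir = struct.unpack_from("<I", data, opt + 108)[0], opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%X" % magic)
    return pe, nsections, datadir, nrva, opt + opt_size


def sections(data):
    """Yield (name, VirtualSize, VirtualAddress) for each section header."""
    _, nsections, _, _, table = _locate(data)
    for i in range(nsections):
        name, vsize, va = struct.unpack_from("<8sII", data, table + i * SECTION_HEADER_SIZE)
        yield name.rstrip(b"\0").decode("ascii", "replace"), vsize, va


def header_fields(data):
    """The four fields the post names, as currently stored in the header."""
    pe, _, datadir, _, _ = _locate(data)
    sym_ptr, sym_num = struct.unpack_from("<II", data, pe + 12)      # COFF file header
    rsrc_va, rsrc_size = struct.unpack_from("<II", data, datadir + 8 * RESOURCE_DIR_INDEX)
    return {"PointerToSymbolTable": sym_ptr, "NumberOfSymbols": sym_num,
            "ResourceTableAddress": rsrc_va, "ResourceTableSize": rsrc_size}


def fix_antidump(data, rsrc_section=".rsrc"):
    """Zero the symbol-table fields and point the resource directory at the .rsrc section."""
    buf = bytearray(data)
    pe, _, datadir, nrva, _ = _locate(buf)
    if nrva <= RESOURCE_DIR_INDEX:
        raise ValueError("optional header carries no resource directory entry")
    struct.pack_into("<II", buf, pe + 12, 0, 0)                     # clear the first two
    for name, vsize, va in sections(buf):
        if name == rsrc_section:   # assumption: resource dir == whole .rsrc section
            struct.pack_into("<II", buf, datadir + 8 * RESOURCE_DIR_INDEX, va, vsize)
            break
    else:
        raise ValueError("no %s section to recover the resource table from" % rsrc_section)
    return bytes(buf)


def build_tampered_sample():
    """Constructed PE32 header (no code, no resources) with bogus values in all four fields."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))                     # e_lfanew = 0x40
    opt_size = 224                                                   # PE32, 16 data directories
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0xDEAD0000, 0x1234, opt_size, 0x010F)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 92, 16)                             # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * RESOURCE_DIR_INDEX, 0x7FFF0000, 0x7FFFFFFF)
    text = struct.pack(SECTION_HEADER_FMT, b".text", 0x1000, 0x1000, 0x1000, 0x400, 0, 0, 0, 0, 0x60000020)
    rsrc = struct.pack(SECTION_HEADER_FMT, b".rsrc", 0x0800, 0x3000, 0x0800, 0x1400, 0, 0, 0, 0, 0x40000040)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + text + rsrc


if __name__ == "__main__":
    sample = build_tampered_sample()
    print("before:", header_fields(sample))
    print("after: ", header_fields(fix_antidump(sample)))
```

Run `fix_antidump()` over the dumped file after ImportREC has written it; it only edits the four fields the post names and leaves SizeOfImage and everything else alone, so any other header damage still has to be handled by hand in LordPE.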
So far, shelling is complete.
Note:
1. Most Delphi programs can still be handled with exactly these steps.
2. Programs compiled in other languages cannot be handled by applying this directly; understand the principle first, then adapt it slightly.
3. If every step was done correctly, check the IAT calls.
4. In some places I did not write out the concrete operations, but I think they are basics. If you do not know how to do them, I suggest strengthening your fundamentals first; otherwise you will not get the shell off. This is really for your own good, so don't scold me.
5. If you have never written an article or contributed anything to the forum, please ignore me; I did not force you to read this.
6. Actually I would really like to write a tool that detects the specific protection options used by Safengine. I don't know whether I will have the time; the hard part is working out the distinguishing features, which is a headache....
Comments and corrections are welcome; feel free to contact me. QQ: 798489503 Email: justhxy@126.com Thank you.