Basic methods of unpacking with OllyDbg (OD)

Source: Internet
Author: User

I. INTRODUCTION

Program authors apply packers ("shells") to compress a program and its resources or to protect a registration scheme. Packers fall into two kinds, compression packers and encryption packers:
Compression packers: UPX, ASPack, tElock, PElite, NsPack ...
Encryption packers: Armadillo, ASProtect, ACProtect, EPE, SVKP ...
As the names imply, a compression packer only compresses code and resources to reduce the program's size, while an encryption packer additionally encrypts the import table and other structures to protect the program. The protection offered by an encryption packer is of course much stronger.

II. Common unpacking methods
Prerequisites

1. PUSHAD (push all general registers) normally marks the start of the packer's stub.
2. POPAD (pop all general registers) marks the end of the stub and pairs with the PUSHAD; the OEP is generally found close to it.
3. OEP: the original entry point of the program. The packer hides the OEP (or presents a fake one, FOEP). Once we find the real OEP we can dump the program at once.

Method One: single-step tracing
1. Load the program in OD; when asked whether to analyse, choose "Don't analyse code!".
2. Step over with F8. Only downward jumps (towards higher addresses) are allowed to execute; upward jumps must not be taken (skip them with F4).
3. When the program jumps back (including loops), place the cursor on the instruction just after the backward jump and press F4 (or right-click the code and choose Breakpoint > Run to selection).
4. A green jump arrow means the jump is not taken; a red arrow means it is taken.
5. If there is a CALL right after loading, step into it with F7, otherwise the program may run away (F8 would execute the whole call). After that you usually reach the OEP quickly.
6. While tracing, if stepping over a CALL with F8 makes the program run, reload and step into that CALL with F7.
7. There is generally a jump with a large span, such as JMP XXXXXXXX or JE XXXXXXXX, or a RETN, which quickly leads to the program's OEP.

BTW: Sometimes the trace cannot continue downwards. Then find a nearby large jump that is not taken, right-click it > Follow, press F2 at the target to set a breakpoint, press Shift+F9 to run to that "Follow" position, remove the breakpoint and continue stepping with F8. This usually reaches the OEP easily.

Method Two: the ESP trick
The ESP trick: right after the stub's PUSHAD we set a hardware access breakpoint on the stack address held in ESP (it can be done from OD's command line). When the stub executes the matching POPAD that address is read again, the breakpoint fires, and we are right next to the OEP.
1. Press F8 once at the entry and watch the register pane in OD's upper right: ESP turns red (changed). (This is the common case; more precisely, the ESP value we want is the first ESP value after the key PUSHAD.)
2. On the command line enter DD XXXXXXXX (the ESP value at the current instruction), or HR XXXXXXXX, and press Enter.
3. In the dump window select the dword at that address > Breakpoint > Hardware, on access > Word. (HR already sets such a breakpoint, so this step is only needed after DD.)
4. Press F9 to run; the program breaks right at the big jump; press F8 to arrive at the OEP.

Method Three: the memory map method
1. Load the program in OD.
2. Options > Debugging options > Exceptions: tick "Ignore all". Ctrl+F2 to reload the program.
3. Press Alt+M to open the memory map and find the program's first .rsrc section. Press F2 to set a memory breakpoint on it, then Shift+F9 to run to the breakpoint (the stub is now unpacking the resources). Press Alt+M again, locate the program's first code section (the one at the top, normally 00401000), press F2 to set a breakpoint on it, then Shift+F9 (or F9 if there is no exception). When the stub jumps into the code section you land directly on the OEP.

Method Four: one step to the OEP
1. At the entry press Ctrl+F and search for POPAD (works only with a few packers, including UPX and ASPack); press F2 on it and F9 to run there.
2. Step to the big jump that follows, press F8 and arrive at the OEP.

Method Five: the last exception method
1. Load the program in OD.
2. Options > Debugging options > Exceptions: untick everything. Ctrl+F2 to reload the program.
3. The program starts with a jump. Press Shift+F9 repeatedly until the program runs, and count how many presses it took from the start: M.
4. Ctrl+F2 to reload, then press Shift+F9 M-1 times (one fewer than before, so we stop at the last exception).
5. In OD's lower right (stack) pane we see an "SE handler" entry; press Ctrl+G and enter the address shown for that SE handler.
6. Press F2 to set a breakpoint there, then Shift+F9 to reach it.
7. Remove the breakpoint and step slowly down with F8.
8. Arrive at the program's OEP.

Method Six: simulated tracing (TC)
1. First run the program normally and follow it to check whether there are SEH tricks or hidden anti-debug traps.
2. Press Alt+M to open the memory map and find the packer section (its Contains column lists SFX, imports, relocations):

Memory map, item 30
Address        = 0054B000
Size           = 00002000 (8192.)
Owner          = check 00400000
Section        = .aspack
Contains       = SFX, imports, relocations
Type           = Imag 01001002
Access         = R
Initial access = RWE

3. The section starts at 0054B000, so on the command line we enter tc eip<0054b000 and press Enter. OD then traces until EIP leaves the packer section and lands in the program's own code below it, which is the OEP.

BTW: Before using this method you need to understand why it works: the original code lies at lower addresses than the packer section, so the trace condition only becomes true when the stub jumps to the OEP.
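The memory-map reasoning behind Methods Three and Six can also be checked statically, before the file is ever loaded in OD. The following Python script is an added example, not part of the original tutorial: it parses a PE32 section table with nothing but struct, reports which section holds the entry point and where the first executable section starts (the address Method Three breakpoints, 00401000 for the usual image base), and flags the packed-file tells visible in the memory-map listing above (entry point outside the first code section; code sections left writable, i.e. RWE). The headers it builds are constructed for the example, loosely modelled on the .aspack entry, and are not a real binary.

```python
import struct

# Section characteristic flags from the PE specification (winnt.h).
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

SECTION_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def build_pe32(image_base, entry_rva, sections):
    """Emit only the headers of a PE32 file (constructed test input, no real code).

    sections: list of (name, rva, virtual_size, characteristics)."""
    e_lfanew = 0x40
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 0xE0  # PE32 optional header including the 16 data directories
    coff = struct.pack("<HHIIIHH", 0x014C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)        # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)   # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, image_base)  # ImageBase
    struct.pack_into("<I", opt, 32, 0x1000)      # SectionAlignment
    struct.pack_into("<I", opt, 36, 0x200)       # FileAlignment
    out = dos + b"PE\0\0" + coff + bytes(opt)
    for name, rva, vsize, chars in sections:
        out += struct.pack(SECTION_HDR, name.encode().ljust(8, b"\0"),
                           vsize, rva, vsize, 0, 0, 0, 0, 0, chars)
    return out


def parse_pe32(data):
    """Return (image_base, entry_rva, [section dicts]) from a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (nsec,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("not PE32 (ImageBase sits elsewhere in PE32+)")
    (entry_rva,) = struct.unpack_from("<I", data, opt + 16)
    (image_base,) = struct.unpack_from("<I", data, opt + 28)
    secs = []
    for i in range(nsec):
        f = struct.unpack_from(SECTION_HDR, data, opt + opt_size + 40 * i)
        secs.append({"name": f[0].rstrip(b"\0").decode(), "vsize": f[1],
                     "rva": f[2], "chars": f[9]})
    return image_base, entry_rva, secs


def locate_stub_and_code(data):
    """The memory-map reasoning: which section holds the EP, where does the first code section start?"""
    base, ep, secs = parse_pe32(data)
    ep_sec = next((s for s in secs if s["rva"] <= ep < s["rva"] + s["vsize"]), None)
    code = next((s for s in secs if s["chars"] & IMAGE_SCN_MEM_EXECUTE), None)
    rwe = [s["name"] for s in secs
           if (s["chars"] & IMAGE_SCN_MEM_EXECUTE) and (s["chars"] & IMAGE_SCN_MEM_WRITE)]
    return {
        "entry_va": base + ep,
        "entry_section": ep_sec["name"] if ep_sec else None,
        "first_code_section": code["name"] if code else None,
        "first_code_va": base + code["rva"] if code else None,  # Method Three's breakpoint
        "writable_code": rwe,                                   # Initial access = RWE tells
        "likely_packed": ep_sec is not None and code is not None and ep_sec is not code,
    }


def sample_aspack_layout():
    """Constructed headers loosely modelled on the .aspack memory-map entry (not a real file)."""
    R, W, X = IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_EXECUTE
    C, D = IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA
    return build_pe32(0x00400000, 0x0014B001, [
        (".text",   0x00001000, 0x00100000, C | R | X | W),  # stub must write the decompressed code here
        (".rdata",  0x00101000, 0x00010000, D | R),
        (".data",   0x00111000, 0x00030000, D | R | W),
        (".rsrc",   0x00141000, 0x0000A000, D | R),
        (".aspack", 0x0014B000, 0x00002000, C | R | X | W),  # packer section, entry point lives here
    ])


if __name__ == "__main__":
    for key, val in locate_stub_and_code(sample_aspack_layout()).items():
        print("%-20s %s" % (key, hex(val) if isinstance(val, int) and not isinstance(val, bool) else val))
```

On this layout the script reports the entry at 0054B001 inside .aspack and the first code section at 00401000, which is exactly the pair of addresses Method Three and Method Six work with: break on the code section (or trace until EIP drops below the packer section) and the stub's final jump into it is the OEP. An unpacked build whose entry point lies in .text comes out as not packed.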

Method Seven: the "SFX" method
1. Set OD to ignore all exceptions (tick everything in the Exceptions tab).
2. Switch to the SFX tab, select "Trace real entry bytewise (very slow)", OK.
3. Reload the program. If it asks "Compressed code?" choose "No"; OD then runs straight to the OEP.

How to tell an encryption packer from a compression packer: the general sign is that when OD loads the program it warns about the entry point or asks whether the code is compressed. An ordinary compression packer raises no exceptions while being debugged in OD, whereas encryption packers all contain anti-tracing code and set many SEH traps that raise exceptions during debugging.
The general approach to finding the OEP is as follows:
First decide whether it is an encryption packer or a compression packer. Compression packers are relatively easy and generally raise no exceptions.
If the unpacking stub starts with

PUSHFD
PUSHAD

then while tracing you will find the matching

POPAD
POPFD

Some packers have only

PUSHAD

matched by

POPAD

Close by there are instructions such as

RETN
JMP

and a jump that crosses from the stub's section into another section generally lands at the OEP.
There are other forms too, such as JE OEP; in any case it is usually a large jump between sections. OD's disassembly window shows the contents of one section at a time, so a cross-section jump is easy to recognise.

Pay attention to two points when looking for the OEP:
1. Only move forward, never go back.
2. Observe. Watch for PUSHAD, PUSHFD, POPAD, POPFD and where they pair up in the stub code, and notice when the address changes a lot. When single-stepping, when should you use F8, F7 or F4?

Here I am talking about the general use of F8 (step over) and F7 (step into). For coarse tracing F8 is generally used, but some CALLs are disguised JMPs, and those need F7. A simple way to tell them apart is to compare the CALL's target address with the current address: if the two are close it is usually a disguised JMP, so use F7. A CALL whose target is far away can safely be stepped over with F8; stepping into it with F7 only wastes time. Compression packers are mostly traced with F8; encryption packers need a lot of F7. If F8 accidentally lets the program run away, the trace has failed.

Finding the OEP under an encryption packer
For protectors my usual method is: load the program in OD, untick all exceptions (ignore none, except that "Ignore memory access violations in KERNEL32" stays ticked; when there are far too many exceptions some can be ignored as appropriate), run, and count how many Shift+F9 presses it takes until the program runs. Clearly, after the last exception the program jumps from the stub to the OEP and starts executing; this is the key to finding the OEP. If Shift+F9 makes the program exit immediately, the packer has detected the debugger; the simplest countermeasure is an OD plugin that hides OD.
Single-step exceptions are there to defeat step-by-step tracing (F8, F7, F4 and so on). INT3 is used to detect a debugger and is only effective on Win9x; on 2000/XP it shows up as a breakpoint exception. The other exceptions mainly serve to disturb debugging. Although this series of exceptions interferes with our debugging, it also shows us a path: Shift+F9 past all the exceptions, find the last one, set a breakpoint where execution resumes after it (its handler), and trace from there to the unpacked entry point.
Be sure to get past all of the SEH exceptions; there are often many loops before the OEP, decompressing each section in turn.
****************************************************************************************
Everyone should first carefully digest the "theory" above. If you have understood it, you can be pleased.

****************************************************************************************

OK, let's get to the point...

Load the program in OD. Because I do not ignore all exceptions, OD warns about an exception as soon as it loads; press Shift+F9, answer "No", and we stop at the entry point. (Make sure your OD is not set to ignore all exceptions.)

00401000 pencryp>  FC             CLD                               // stop here
00401001           FC             CLD
00401002           FC             CLD
00401003                          NOP
00401004           E9 BDBA0000    JMP pencrypt.0040CAC6
00401009           E3 D5          JECXZ SHORT pencrypt.00400FE0

From here on we use the last exception method...

Press Shift+F9 again and again, counting in your head how many times it takes until the program runs :)
I pressed it 3 times.

OK, now reload the program. After stopping at the entry, press Shift+F9 again, this time 2 times (3-1=2):

0040CCD2   4B             DEC EBX                           // we stop here
0040CCD3   6F             OUTS DX,DWORD PTR ES:[EDI]
0040CCD4   6368 69        ARPL WORD PTR DS:[EAX+69],BP
0040CCD7   8B4424 04      MOV EAX,DWORD PTR SS:[ESP+4]

All right, we stop here first.

Look at the stack window:
0012FFBC   0012FFE0   Pointer to next SEH record
0012FFC0   0040CCD7   SE handler                        // Ctrl+G, go to 0040CCD7
0012FFC4   77E614C7   RETURN to kernel32.77E614C7
0012FFC8   00000000
0012FFCC   00000000
0012FFD0   7FFDF000

Note that the handler address 0040CCD7 lies only a few bytes after the spot where we stopped. Press F2 there, Shift+F9 to run; we stop at 0040CCD7. Remove the breakpoint and single-step with F8:

0040CCD7   8B4424 04      MOV EAX,DWORD PTR SS:[ESP+4]       // stop here: first handler argument, the EXCEPTION_RECORD
0040CCDB   8B00           MOV EAX,DWORD PTR DS:[EAX]         // its first dword is the ExceptionCode
0040CCDD   3D 04000080    CMP EAX,80000004                   // 80000004 = EXCEPTION_SINGLE_STEP
0040CCE2   74 06          JE SHORT pencrypt.0040CCEA         // jump taken

0040CCEA   EB 02          JMP SHORT pencrypt.0040CCEE        // land here and jump again
0040CCEC   49             DEC ECX

0040CCEE   60             PUSHAD                             // land here, key hint, continue with F8
0040CCEF   9C             PUSHFD                             // key hint
0040CCF0   BE 00104000    MOV ESI,pencrypt.<ModuleEntryPoint>
0040CCF5   8BFE           MOV EDI,ESI
0040CCF7   B9 00100000    MOV ECX,1000
0040CCFC   BB 2B11D2BB    MOV EBX,BBD2112B
0040CD01   AD             LODS DWORD PTR DS:[ESI]
0040CD02   33C3           XOR EAX,EBX
0040CD04   AB             STOS DWORD PTR ES:[EDI]
0040CD05  ^E2 FA          LOOPD SHORT pencrypt.0040CD01      // jumps back: 1000 dwords from 00401000 XORed in place
0040CD07   9D             POPFD                              // F4 here, continue with F8
0040CD08   61             POPAD
0040CD09   EB 02          JMP SHORT pencrypt.0040CD0D        // jump away

0040CD0D   60             PUSHAD                             // land here, key hint, continue with F8
0040CD0E   9C             PUSHFD                             // key hint
0040CD0F   BE 00504000    MOV ESI,pencrypt.00405000
0040CD14   8BFE           MOV EDI,ESI
0040CD16   B9 00040000    MOV ECX,400
0040CD1B   BB 2B11D2BB    MOV EBX,BBD2112B
0040CD20   AD             LODS DWORD PTR DS:[ESI]
0040CD21   33C3           XOR EAX,EBX
0040CD23   AB             STOS DWORD PTR ES:[EDI]
0040CD24  ^E2 FA          LOOPD SHORT pencrypt.0040CD20      // jumps back: 400 dwords from 00405000 XORed in place
0040CD26   9D             POPFD                              // F4 here, continue with F8, key hint
0040CD27   61             POPAD                              // key hint
0040CD28   BD CC104000    MOV EBP,pencrypt.004010CC          // see it? 004010CC
0040CD2D   FFE5           JMP EBP                            // jump to the OEP

...

004010CC   55             PUSH EBP                           // OEP, dump here
004010CD   8BEC           MOV EBP,ESP
004010CF   83EC 44        SUB ESP,44

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
After dumping, the program would not run. Repair the import table with ImpREC: enter 10CC as the OEP (the RVA, i.e. 004010CC minus the image base 00400000), click IAT AutoSearch, then Get Imports; all entries show as valid. Click Fix Dump and choose the dumped file. It still did not run, so we finally rebuild the PE with LordPE.
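The two loops in the trace are simple enough to reproduce outside the debugger. The following Python script is an added example, not the tutorial's or the packer's code: it applies the same XOR (key BBD2112B, 1000h dwords from 00401000 and 400h dwords from 00405000) to a raw image buffer, converts the OEP 004010CC to the RVA 10CC that ImpREC asks for, and checks for the PUSH EBP / MOV EBP,ESP prologue seen at the OEP. The packed image it works on is constructed inside the script (a NOP-filled buffer carrying that prologue, encrypted with the same XOR); it is not the pencrypt sample from the text.

```python
import struct

IMAGE_BASE = 0x00400000
XOR_KEY = 0xBBD2112B                 # MOV EBX,BBD2112B in both loops of the trace
OEP_VA = 0x004010CC                  # MOV EBP,004010CC ; JMP EBP
# (start VA, dword count) of the two LODS / XOR EAX,EBX / STOS / LOOPD loops
REGIONS = ((0x00401000, 0x1000), (0x00405000, 0x400))
# PUSH EBP / MOV EBP,ESP / SUB ESP,44: the prologue the trace shows at the OEP
OEP_PROLOGUE = bytes.fromhex("558BEC83EC44")


def xor_dwords(image, va, count, key, base=IMAGE_BASE):
    """Reproduce one stub loop: XOR `count` little-endian dwords at `va` in place.

    Refuses regions that fall outside the buffer instead of silently truncating."""
    off = va - base
    end = off + 4 * count
    if off < 0 or end > len(image):
        raise ValueError("region %#x..%#x lies outside the image" % (va, va + 4 * count))
    for i in range(off, end, 4):
        (d,) = struct.unpack_from("<I", image, i)
        struct.pack_into("<I", image, i, d ^ key)


def unpack_image(packed, base=IMAGE_BASE):
    """Run both decryption loops, i.e. what the stub does between the first PUSHAD and JMP EBP."""
    image = bytearray(packed)
    for va, count in REGIONS:
        xor_dwords(image, va, count, XOR_KEY, base)
    return bytes(image)


def oep_rva(oep_va=OEP_VA, base=IMAGE_BASE):
    """VA -> RVA, the value ImpREC and LordPE want (10CC here)."""
    return oep_va - base


def looks_like_oep(image, va, base=IMAGE_BASE):
    """Cheap sanity check: does `va` hold the PUSH EBP / MOV EBP,ESP prologue?"""
    off = va - base
    return image[off:off + len(OEP_PROLOGUE)] == OEP_PROLOGUE


def make_packed_sample():
    """Constructed packed image (not the real pencrypt binary): a 0x6000-byte buffer covering
    00400000..00406000, NOP-filled, with the prologue at 004010CC and a marker at 00405000,
    then encrypted with the same XOR the stub undoes (XOR is its own inverse)."""
    plain = bytearray(b"\x90" * 0x6000)
    plain[oep_rva():oep_rva() + len(OEP_PROLOGUE)] = OEP_PROLOGUE
    plain[0x5000:0x5008] = b"\xDE\xAD\xBE\xEF" * 2
    return unpack_image(bytes(plain))


if __name__ == "__main__":
    packed = make_packed_sample()
    clear = unpack_image(packed)
    print("packed   @004010CC:", packed[oep_rva():oep_rva() + 6].hex())
    print("unpacked @004010CC:", clear[oep_rva():oep_rva() + 6].hex(),
          "OEP RVA %#x" % oep_rva(),
          "prologue ok" if looks_like_oep(clear, OEP_VA) else "prologue missing")
```

On a real dump taken before the stub runs, the same two calls turn the encrypted code bytes into the plaintext the debugger shows after the second POPAD. The stub saves and restores flags and registers around each loop (PUSHFD/PUSHAD ... POPFD/POPAD), which is also why the ESP trick of Method Two fires on the matching POPAD: the stack slot written by PUSHAD is read back there.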

