Thinstall 2.517 Unpackme unpacking notes

Source: Internet
Author: User

[Author] simonzh2000

[Tools] Ollydbg1.10, LordPE

[Cracking platform] Win2000 Pro SP4 English

[Software name] Mole.exe, packed with Thinstall 2.517

[Author's statement] These notes are for study and exchange only. I am just a beginner interested in the technique and have no other purpose. If anything here is inappropriate, I hope the author understands.

I learned this unpacking method from DardBull, and used some spare time to add a little to it.

Load Mole.exe in OD, use the IsDebug V1.4 plug-in to hide the OD debugger flag, and set OD to ignore all exceptions.

F9 to run: no exception occurs at all. That is a little different from the usual packer.

Look in TaskMgr: there are two processes. This looks like a self-debugging packer, which is easy to deal with. The scheme works like this:

1. The parent process calls CreateProcess to create a child process, with the creation flag (DEBUG_PROCESS) that marks the child as being debugged by the parent.
2. The child process starts running under the parent's debugging. Because it detects that it is the child, it takes a different code path from the parent.
3. The parent process calls WaitForDebugEvent to receive the debug events the child generates and handles each one.
4. After handling an event, the parent calls ContinueDebugEvent to let the child run on. Steps 3 and 4 repeat until the child process exits.


Restart, set BP CreateProcessA, F9; it breaks here:

7FF760FA   FF15 7470F87F     CALL DWORD PTR DS:[7FF87074]       ; KERNEL32.CreateProcessA


Look above and below this call, at the start of the function it lives in:


7FF7600A   55                PUSH EBP
7FF7600B   8BEC              MOV EBP,ESP
7FF7600D   81EC E0000000     SUB ESP,0E0
7FF76013   833D E86FF97F 0>  CMP DWORD PTR DS:[7FF96FE8],0      // IsDebuggerPresent address already resolved?
7FF7601A   75 1C             JNZ SHORT 7FF76038                 // yes, skip the lookup

7FF7601C   68 F87BF87F       PUSH 7FF87BF8                      ; ASCII "IsDebuggerPresent"
7FF76021   68 EC7BF87F       PUSH 7FF87BEC                      ; ASCII "kernel32"
7FF76026   FF15 D872F87F     CALL DWORD PTR DS:[7FF872D8]       ; KERNEL32.GetModuleHandleA
7FF7602C   50                PUSH EAX
7FF7602D   FF15 C872F87F     CALL DWORD PTR DS:[7FF872C8]       ; KERNEL32.GetProcAddress
7FF76033   A3 E86FF97F       MOV DWORD PTR DS:[7FF96FE8],EAX    // cache the resolved address

7FF76038   C705 F06FF97F 9>  MOV DWORD PTR DS:[7FF96FF0],94     // dwOSVersionInfoSize = sizeof(OSVERSIONINFOA)
7FF76042   68 F06FF97F       PUSH 7FF96FF0                      // LPOSVERSIONINFO
7FF76047   FF15 9C70F87F     CALL DWORD PTR DS:[7FF8709C]       ; KERNEL32.GetVersionExA
7FF7604D   A1 AC69F97F       MOV EAX,DWORD PTR DS:[7FF969AC]    // packer option flags
7FF76052   25 00000002       AND EAX,2000000
7FF76057   85C0              TEST EAX,EAX
7FF76059   0F84 B3010000     JE 7FF76212                        // option bit clear: skip the parent/child logic entirely

7FF7605F   FF15 9870F87F     CALL DWORD PTR DS:[7FF87098]       ; KERNEL32.GetCurrentProcessId
7FF76065   50                PUSH EAX
7FF76066   68 FCCEF87F       PUSH 7FF8CEFC                      ; ASCII "%d.df"
7FF7606B   8D85 38FFFFFF     LEA EAX,DWORD PTR SS:[EBP-C8]
7FF76071   50                PUSH EAX
7FF76072   E8 5A0B0000       CALL 7FF76BD1                      // sprintf(buffer, "%d.df", pid): mapping name built from our own PID
7FF76077   83C4 0C           ADD ESP,0C
7FF7607A   8985 30FFFFFF     MOV DWORD PTR SS:[EBP-D0],EAX
7FF76080   8B85 30FFFFFF     MOV EAX,DWORD PTR SS:[EBP-D0]
7FF76086   8B00              MOV EAX,DWORD PTR DS:[EAX]         // buffer1 (pointer to the name string)
7FF76088   8985 2CFFFFFF     MOV DWORD PTR SS:[EBP-D4],EAX
7FF7608E   FFB5 2CFFFFFF     PUSH DWORD PTR SS:[EBP-D4]         // lpName = "<pid>.df"
7FF76094   6A 00             PUSH 0                             // bInheritHandle = FALSE
7FF76096   6A 04             PUSH 4                             // dwDesiredAccess = FILE_MAP_READ
7FF76098   FF15 9470F87F     CALL DWORD PTR DS:[7FF87094]       ; KERNEL32.OpenFileMappingA
7FF7609E   8945 FC           MOV DWORD PTR SS:[EBP-4],EAX       ; hFileMap
7FF760A1   8D8D 38FFFFFF     LEA ECX,DWORD PTR SS:[EBP-C8]
7FF760A7   E8 690E0000       CALL 7FF76F15                      // RtlFreeHeap(buffer1)
7FF760AC   837D FC 00        CMP DWORD PTR SS:[EBP-4],0         // did OpenFileMapping succeed?
7FF760B0   0F85 5C010000     JNZ 7FF76212                       // success: we are the child process, skip

7FF760B6   C785 58FFFFFF 4>  MOV DWORD PTR SS:[EBP-A8],44       // failed: we are the parent; STARTUPINFO.cb = 0x44
7FF760C0   8D85 58FFFFFF     LEA EAX,DWORD PTR SS:[EBP-A8]      // LPSTARTUPINFO
7FF760C6   50                PUSH EAX
7FF760C7   FF15 7870F87F     CALL DWORD PTR DS:[7FF87078]       ; KERNEL32.GetStartupInfoA
7FF760CD   E8 0017FFFF       CALL 7FF677D2                      // the final CALL
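The four-step scheme listed earlier and the parent-or-child test in the listing above, as an added example (my own code, not the Thinstall stub's and not from the original note). It is a generic Win32 debug loop: spawn a target with DEBUG_PROCESS, pump WaitForDebugEvent/ContinueDebugEvent until the debuggee exits, and reproduce the stub's own "is there a `<pid>.df` file mapping?" role check. Only the pure helpers (mapping name, continue status) run on any platform; spawning and the role check need Windows. The caveat worth remembering while unpacking: Windows allows one debugger per process, so the child cannot simply be attached to while the stub parent is already debugging it. Structure layouts and the `on_event` callback are my assumptions for the example.

```python
"""Generic Win32 self-debugging protocol, as an illustration (added example).

Constants and struct layouts are the documented Win32 ones; only the pure
helpers are exercised off-Windows.
"""
import ctypes
import sys

DEBUG_PROCESS = 0x00000001          # CreateProcess flag: child starts as our debuggee
INFINITE = 0xFFFFFFFF
FILE_MAP_READ = 0x0004              # the PUSH 4 before OpenFileMappingA in the listing

EXCEPTION_DEBUG_EVENT = 1
CREATE_PROCESS_DEBUG_EVENT = 3
EXIT_PROCESS_DEBUG_EVENT = 5
EXCEPTION_BREAKPOINT = 0x80000003
DBG_CONTINUE = 0x00010002
DBG_EXCEPTION_NOT_HANDLED = 0x80010001


def mapping_name(pid: int) -> str:
    """The name the stub builds with sprintf("%d.df", GetCurrentProcessId())."""
    return "%d.df" % pid


def continue_status(event_code: int, exception_code: int = 0) -> int:
    """What ContinueDebugEvent gets. The initial int3 and all non-exception
    events are simply continued; any other exception is handed back to the
    debuggee's own SEH chain, otherwise its handlers never run."""
    if event_code == EXCEPTION_DEBUG_EVENT and exception_code != EXCEPTION_BREAKPOINT:
        return DBG_EXCEPTION_NOT_HANDLED
    return DBG_CONTINUE


class EXCEPTION_RECORD(ctypes.Structure):
    _fields_ = [("ExceptionCode", ctypes.c_uint32), ("ExceptionFlags", ctypes.c_uint32),
                ("ExceptionRecord", ctypes.c_void_p), ("ExceptionAddress", ctypes.c_void_p),
                ("NumberParameters", ctypes.c_uint32),
                ("ExceptionInformation", ctypes.c_void_p * 15)]


class EXCEPTION_DEBUG_INFO(ctypes.Structure):
    _fields_ = [("ExceptionRecord", EXCEPTION_RECORD), ("dwFirstChance", ctypes.c_uint32)]


class _EVENT_UNION(ctypes.Union):
    # Exception member is the largest; raw pads for the other event kinds.
    _fields_ = [("Exception", EXCEPTION_DEBUG_INFO), ("raw", ctypes.c_byte * 160)]


class DEBUG_EVENT(ctypes.Structure):
    _fields_ = [("dwDebugEventCode", ctypes.c_uint32), ("dwProcessId", ctypes.c_uint32),
                ("dwThreadId", ctypes.c_uint32), ("u", _EVENT_UNION)]


class PROCESS_INFORMATION(ctypes.Structure):
    _fields_ = [("hProcess", ctypes.c_void_p), ("hThread", ctypes.c_void_p),
                ("dwProcessId", ctypes.c_uint32), ("dwThreadId", ctypes.c_uint32)]


def process_role(pid=None) -> str:
    """The stub's own test: OpenFileMappingA("<pid>.df") succeeding means a parent
    prepared the mapping, so we are the child. Windows only."""
    k32 = ctypes.windll.kernel32
    if pid is None:
        pid = k32.GetCurrentProcessId()
    h = k32.OpenFileMappingA(FILE_MAP_READ, 0, mapping_name(pid).encode())
    if h:
        k32.CloseHandle(h)
        return "child"
    return "parent"


def debug_target(cmdline: str, on_event=None) -> int:
    """Steps 1 to 4: spawn cmdline as our debuggee and pump its debug events
    until it exits. Returns the number of events handled. Windows only."""
    k32 = ctypes.windll.kernel32
    k32.CreateProcessA.argtypes = [ctypes.c_void_p] * 10
    k32.WaitForDebugEvent.argtypes = [ctypes.c_void_p, ctypes.c_uint32]
    k32.ContinueDebugEvent.argtypes = [ctypes.c_uint32] * 3

    si_size = 68 if ctypes.sizeof(ctypes.c_void_p) == 4 else 104   # sizeof(STARTUPINFOA)
    si = ctypes.create_string_buffer(si_size)
    ctypes.c_uint32.from_buffer(si).value = si_size                # STARTUPINFO.cb
    pi = PROCESS_INFORMATION()
    cmd = ctypes.create_string_buffer(cmdline.encode())            # must be writable
    if not k32.CreateProcessA(None, ctypes.addressof(cmd), None, None, 0, DEBUG_PROCESS,
                              None, None, ctypes.addressof(si), ctypes.addressof(pi)):
        raise ctypes.WinError()

    ev = DEBUG_EVENT()
    handled = 0
    while k32.WaitForDebugEvent(ctypes.addressof(ev), INFINITE):   # step 3
        handled += 1
        code = ev.dwDebugEventCode
        exc = ev.u.Exception.ExceptionRecord.ExceptionCode if code == EXCEPTION_DEBUG_EVENT else 0
        if on_event:
            on_event(code, exc)
        k32.ContinueDebugEvent(ev.dwProcessId, ev.dwThreadId, continue_status(code, exc))  # step 4
        if code == EXIT_PROCESS_DEBUG_EVENT and ev.dwProcessId == pi.dwProcessId:
            break
    k32.CloseHandle(pi.hThread)
    k32.CloseHandle(pi.hProcess)
    return handled


if __name__ == "__main__" and sys.platform == "win32":
    print("this process is the", process_role())
    n = debug_target(sys.argv[1] if len(sys.argv) > 1 else "notepad.exe",
                     on_event=lambda c, e: print("event", c, "exception", hex(e)))
    print("handled", n, "debug events")
```

With OD it is the same loop that matters: whichever process you hold under the debugger, every event the other side expects must still be answered, or the protocol stalls.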
