Teach you step-by-step encryption and decryption technology-compression and shelling (3) (1)

Source: Internet
Author: User
Keywords: decryption, cracking.
Section 4: Manual unpacking

1. Basic knowledge

Manual unpacking means removing a shell without an automatic unpacking tool, using a dynamic debugger such as SoftICE or TRW2000 instead. This lesson covers introductory knowledge only; for deeper unpacking material, see the "Shell advanced" lesson.

Tools
* Debuggers: SoftICE, TRW2000
* Memory dumping tools: ProcDump, etc.
* Hex editing tools: Hiew, UltraEdit, Hex Workshop, etc.
* PE editing tools: ProcDump, PEditor, etc.

Terms and concepts
★ PE file: Microsoft designed a new file format, the Portable Executable (PE) format, which applies to all Win32-based systems: Windows NT, Windows 2000, Win32s and Windows 95/98.
★ Base address (ImageBase): the address at which an EXE or DLL is loaded into memory; it is an important concept in Win32. In Windows NT the default value is 10000h; for DLLs the default is 400000h. In Windows 95, 10000h cannot be used to load 32-bit executables because that address lies in a linear address region shared by all processes, so Microsoft changed the default base address of Win32 executables to 400000h.
★ RVA: the relative virtual address is the offset of an item relative to the start of the file image. For example, if the loader loads a PE file into the virtual address space starting at 10000h, and a table in the PE has a starting address of 10464h in the image, the RVA of the table is 464h. Virtual address = offset (RVA) + base address (ImageBase).
★ Entry point: when the shell has finished restoring the original program and jumps into the newly restored code, the address it jumps to is the entry point.

Steps
★ Determine the type of shell. Once you have the software, use file-type detection tools such as FileInfo, GTW or TYP32 to see which shell it uses, then take the appropriate measures.
★ Find the entry point. Locating the entry point once the shell has finished its work is hard for beginners but becomes convenient with practice. Most PE packers add one or more sections to the program they encrypt, so a cross-section JMP is usually visible: UPX uses one cross-section JMP, ASPack uses two. Judging this normally means tracing the program and finding the entry point; with TRW2000 you can also try the command pnewsec, which makes TRW2000 break at the entry point. pnewsec: generates a breakpoint when execution enters a new section of the PE program in memory. (If this is unclear now, it will become clear in the advanced shell lesson.) D.boy's Shock Wave 2000 can also be used; it easily finds the entry point of any encryption shell.
★ Dump the restored file from memory. Once the entry point is found, ProcDump's Full Dump function can grab the whole file from memory. With TRW2000 you can also use these commands:
  makepe: rebuilds a PE-format EXE file with the given name from the memory image; the current EIP becomes the new program entry point, and the import table of the produced file is regenerated. The generated PE file runs on any platform and computer.
  pedump: writes the memory image of the PE file directly to the specified file. The generated file runs only on the local computer, not on other system platforms or machines.
★ Amend the dumped file. For a file dumped with ProcDump's Full Dump function, use a PE editing tool such as ProcDump or PEditor to amend the entry point.
2. UPX V1.01 shell

Target program: Notepad.exe compressed with UPX V1.01.

Method one: unpack with TRW2000
★ Tools used: TRW2000, FileInfo
★ Determine the type of shell. Once you have the software, use file-type detection tools such as FileInfo, GTW or TYP32 to see what it is compressed with. Here we take FileInfo as the example: copy the target file into the FileInfo directory, double-click FileInfo in Explorer, then press Enter. A report appears telling you this is software compressed with UPX 1.01.
★ Find the entry point by trace analysis. Most PE packers add one or more sections to the encrypted program, so a cross-section JMP is usually visible; UPX uses one. As you step through, you will see the code jump, usually accompanied by a change of the section name shown in the status area, and from that you can determine the entry point. Run TRW2000 and load the target program; it breaks at the main program entry. From here step with F10, F7 and F12 as appropriate and watch the section shown: notupx!UPX1+2xxx. Code like the following appears as you trace:

  xxx:xxxxxxxx              PUSHAD                 ; push all registers
  xxx:xxxxxxxx BE2EFD4200   MOV ESI, xxxxxxxx      ; set up for the decompression instructions that follow
  xxx:xxxxxxxx 8DBED21FFDFF LEA EDI, [ESI+xxxxxxxx]
  ...                                              <-- press F10 to step over
  xxx:xxxxxxxx FF96A8C90400 CALL [ESI+xxxxxxxx]
  xxx:xxxxxxxx              POPAD                  ; pop all registers
  xxx:xxxxxxxx E9A44AFBFF   JMP 00401000           ; jump to the program's real entry point (OEP); the file is fully decompressed

  0137:40DDBE               POPAD
  0137:40DDF                JMP 00401000           <-- decompression is complete here; this jumps to the Notepad entry point (note the big jump)
  ........................
  0137:401000               PUSH EBP               <-- the first line of the Notepad program after full decompression

So the entry point found is 401000.

◇ Using the TRW2000-specific command PNEWSEC. TRW2000 is also a good unpacking tool; it has many unique commands that help a great deal with unpacking, and the PNEWSEC command makes finding the entry point easy. Run TRW2000 and load the target program; it breaks at the main program entry. Enter the command pnewsec, wait a moment, and the program breaks at the entry point.
◇ Shock Wave 2000. Shock Wave 2000 is a tool developed by D.boy specifically for finding the entry point of shelled software. First run Shock Wave 2000 and click the Track button to start tracking, then run the program to be tracked; when the entry point is found it is displayed in the Enter field. With this Notepad program, however, it does not work.
★ Dump the unpacked file from memory. Whichever method you used to find the entry point, first step to the entry-point line:

  0137:401000 PUSH EBP

Then execute the command makepe path/filename or pedump path/filename, and the unpacking is done. Note: a PE file rebuilt by TRW2000's makepe runs across platforms; a file grabbed with pedump does not.

Method two: unpack with SoftICE
★ Tools used: TRW2000, FileInfo, ProcDump
★ Determine the entry point
◇ Use trace analysis to determine the entry point, with the same method as for TRW2000.
★ Dump the file from memory. At the line

  0137:40DDF JMP 00401000

type the following commands:

  A EIP      (then press Enter)
  JMP EIP    (then press Enter)

and press F5. This changes the code at line 0137:40DDF: after you type "JMP EIP" and press Enter, the instruction at 40DDF is a jump to itself, which effectively makes the program "pause" (somewhat like TRW2000's suspend command). Press F5 to return to Windows. Run ProcDump, right-click in the first task list, and select Refresh list.
Find Notepad.exe in the task list and right-click it, then select Dump (full) and save the unpacked program under a name. Right-click Notepad.exe again and select Kill Task. Note: files grabbed with this method cannot run across platforms.
★ Amend the entry point of the newly dumped file. The Notepad.exe program entry is 00401000. Use ProcDump's PE Editor function to open the dumped Notepad.exe. In Header Infos you will see that the program entry point (the Entry value) is 0000DC70, which is of course wrong: if you run the unpacked Notepad.exe without changing the Entry value, the program will not run. In ProcDump you can see ImageBase = 00400000, and the entry address we traced above is 00401000. Since virtual address = offset (RVA) + base address (ImageBase), the entry point = 00401000 - 00400000 = 1000. Change the Entry value to 1000 and click OK. Now run the unpacked Notepad.exe; it should run normally.
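As an added example that is not part of the original tutorial, the entry-point correction above expressed in code: a minimal PE32 header parser that reads ImageBase and AddressOfEntryPoint, reports which section the entry falls in (a UPX stub entry sits in UPX1, the real OEP in UPX0), and rewrites the entry to OEP VA - ImageBase, the same arithmetic done by hand in the PE editor. The sample header is constructed here to mimic the layout described; the section sizes are assumptions.

```python
import struct

E_LFANEW, OPT_ENTRY, OPT_IMAGEBASE = 0x3C, 16, 28  # e_lfanew; AddressOfEntryPoint, ImageBase in IMAGE_OPTIONAL_HEADER32

def build_sample_pe(image_base, entry_rva, sections):
    """Constructed minimal PE32 header (headers only, not runnable): DOS stub, "PE\\0\\0", COFF, optional header, sections."""
    dos = bytearray(b"MZ" + b"\0" * 62)
    struct.pack_into("<I", dos, E_LFANEW, len(dos))       # NT headers directly follow the DOS header
    opt = bytearray(224)                                  # PE32 optional header size
    struct.pack_into("<H", opt, 0, 0x10B)                 # Magic = PE32
    struct.pack_into("<I", opt, OPT_ENTRY, entry_rva)
    struct.pack_into("<I", opt, OPT_IMAGEBASE, image_base)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
    hdrs = b"".join(struct.pack("<8sIIIIIIHHI", n.encode().ljust(8, b"\0"), vs, va, 0, 0, 0, 0, 0, 0, 0)
                    for n, va, vs in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs

def parse_pe(data):
    """Return (ImageBase, entry-point RVA, [(name, VirtualAddress, VirtualSize), ...])."""
    pe = struct.unpack_from("<I", data, E_LFANEW)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsect = struct.unpack_from("<H", data, pe + 6)[0]        # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]    # COFF SizeOfOptionalHeader
    opt = pe + 24                                            # optional header follows the 20-byte COFF header
    entry_rva = struct.unpack_from("<I", data, opt + OPT_ENTRY)[0]
    image_base = struct.unpack_from("<I", data, opt + OPT_IMAGEBASE)[0]
    sections = []
    for i in range(nsect):
        name, vsize, va = struct.unpack_from("<8sII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), va, vsize))
    return image_base, entry_rva, sections

def section_of(rva, sections):
    """Name of the section containing rva, or None if it falls outside every section."""
    for name, va, vsize in sections:
        if va <= rva < va + vsize:
            return name
    return None

def fix_entry_point(data, oep_va):
    """Rewrite AddressOfEntryPoint to the traced OEP: RVA = VA - ImageBase (the PE-editor step above)."""
    image_base, _, _ = parse_pe(data)
    pe = struct.unpack_from("<I", data, E_LFANEW)[0]
    patched = bytearray(data)
    struct.pack_into("<I", patched, pe + 24 + OPT_ENTRY, oep_va - image_base)
    return bytes(patched)

# Constructed layout mimicking the UPX-packed Notepad (section sizes assumed): dumped entry 0xDC70 in UPX1, OEP in UPX0.
SAMPLE = build_sample_pe(0x400000, 0xDC70, [("UPX0", 0x1000, 0xC000), ("UPX1", 0xD000, 0x2000), (".rsrc", 0xF000, 0x1000)])
```

parse_pe(SAMPLE) reports the entry RVA 0xDC70 inside UPX1, the stub section; after fix_entry_point(SAMPLE, 0x401000) the entry is 0x1000 inside UPX0, the section holding the restored program.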