Author: LenusFROM: poptown.gamewan.com/bbsE-MAIL:meila2003@163.com
1. Foreword See many friends in the forum, don't know what ESP law, what is the application of ESP, what is the principle of ESP? How to use ESP law? I saw me.
http://poptown.gamewan.com/dispbbs.asp?boardid=5&id=54&page=1
The survey found that everyone is very interested in the law of ESP, of course, because it is really easy to use, now I will tell everyone what is ESP law, what is the principle! !
BTW: After reading the manual shelling, it will be more helpful to you later.
Download in the address:
http://soft.winzhenng.com/softview/softview_23125.htm
2. Prepare knowledge
Before we start discussing the law of ESP, I will explain some simple assembly knowledge. 1.Call This command is a compilation basic directive for the access subroutine. Maybe you said, this I have long known! Don't worry, please continue to finish. What is the true meaning of CALL? We can understand this: 1. Press the address of the next line of the program to the stack; 2. JMP to the subroutine address of the Call. E.g:
00401029. E8 DA240A00 CALL 004A35080040102E. 5A POP EDX After executing 00401029, the program will press the 0040102e into the stack, then the JMP to 004A3508 address! 2. Ret and Call correspond to RET. For RET we can understand: 1. Add the address pointed to by the current ESP out of the stack; 2.JMP to this address. This completes the process of calling a subroutine. Where is the key place here: If we want to return to the parent program, when we perform the stack operation in the stack, be sure to ensure that the ESP points to the address we press in the stack before the RET of the stack. This is also the famous "stack balance" principle!
3. The principle of the narrow ESP law ESP law is the principle of "stack balance". Let's take a look at the entrance to the program! 1. This is the value of each register when adding the entrance of the UPX shell! EAX 00000000ECX 0012FFB0EDX 7FFE0304EBX 7FFDF000ESP 0012FFC4EBP 0012FFF0ESI 77F51778 ntdll.77F51778EDI 77F517E6 ntdll.77F517E6EIP 0040EC90 note-upx.
2. This is the value of the registers after the UPX shell JMP to OEP! EAX 00000000ECX 0012FFB0EDX 7FFE0304EBX 7FFDF000ESP 0012FFC4EBP 0012FFF0ESI 77F51778 ntdll.77F51778EDI 77F517E6 ntdll.77F517E6EIP 004010CC note-upx.004010CCC 0 ES 0023 32bit 0 (FFFFFFFF) P 1 CS 001B 32bit 0 (FFFFFFFF) A 0 SS 0023 32bit 0 (FFFFFFFF) Z 1 DS 0023 32bit 0 (fffffff) S 0 fs 0038 32bit 7ffde000 (FFF) T 0 GS 0000 NULLD 0O 0 lasterr error_mod_not_found (0000007E) Ha ha ~ Is it exactly the same outside of the EIP!
Why is this so? Let's take a look at the first line of the UPX shell:
0040EC90 N> 60 pushad // **** Note He 15B04000 MOV ESI, Note-UpX.0040B015 Pushad is to put all register stacks! We are in the last look at the shell:
0040ee0f 61 popad // **** Note Here ***** 0040EE10 - E9 B722FFFF JMP Note-Upx.004010cc // JMP to OEP
POP is to put all registers out!
And when we pushhad, ESP pressed the register into the stack of 0012ffc0---0012ffa4! as follows:
0012FFA4 77F517E6 returns to ntdll.77F517E6 from ntdll.77F78C4E // EDI 0012FFA8 77F51778 returns to ntdll.77F51778 from ntdll.77F517B5 // ESI0012FFAC 0012FFF0 // EBP0012FFB0 0012FFC4 // ESP0012FFB4 7FFDF000 // EBX0012FFB8 7FFE0304 // EDX0012FFBC 0012FFB0 // ECX0012FFC0 00000000 / / EAX
So this time, tell us the hardware access breakpoint for ESP's 0012FFA4 on the tutorial. That is to say, when the program is to access these stacks, the value of the original register is restored, and when you are going to jump to the OEP, OD helps us to interrupt.
So we stop at 0040EE10! Summary: We can assume the shell as a subroutine. When the case decompresses the code and decompressed, he must do the principle of the stack balance, so that the ESP = 0012FFC4 is made when the ESP is executed.
4. Generalized ESP Law
Many people will ask: ESP law is 0012FFA4, and the application range of ESP law can only be a compression shell! My answer is: NO! After reading it, you will know if you use 0012ffa8, the ESP law is not only used for compressed shells. He can also be used for encryption shells! ! !
First, tell you an experience is also the fact --- When the PE file starts, it is the first line of code that enters the shell. The value of the register is always the value above, don't believe you try it yourself! And when arriving at OEP, the most programs are all stacks! (In addition to the program written by BC, BC is typically stack in the following sentences)
Now, according to the above ESP principle, we know that most shells are eSP = 0012FFC4 when running to OEP. This is the first sentence of the program is to write the 0012FFC0! Finally, we have got a generalized ESP law, and we can stop in the second sentence of OEP as long as the hardware is written in 0012ffc0! !
Let's take an example below, take the first article! After loading OD, come here:
0040D042 N> B8 00D04000 mov eax, Notepad.0040D000 // stop here 0040D047 68 4C584000 push Notepad.0040584C0040D04C 64: FF35 00000000 push dword ptr fs: [0] // first hardware interrupt, F90040D053 64: 8925 00000000 mov dword PTR fs: [0], ESP0040D05A 66: 9C Pushfw0040d05c 60 pushad0040d05d 50 push eax
Directly write the hardware write breakpoint, F9 running directly to 0012FFC0. (Pay attention to hardware interruption)
The first hardware interruption at 0040D04C, F9 continues!
0040d135 A4 MOVS BYTE PTR ES: [EDI], BYTE PTR DS: [ESI] // Access exception, no matter where he Shift F9 continues 0040d136 33c9 xor ECX, ECX0040D138 83FB 00 CMP EBX, 00040D13B ^ 7e A4 Jle Short Notepad.0040D0E1
Second hardware interrupt.
004058B5 64 DB 64 // broken here 004058B6 89 DB 89004058B7 1D DB 1D004058B8 00 dB 00004058B9 00 dB 00
Not here, F9 continues!
004010cc /. 55 push eBP004010CD |. 8bec Mov EBP, ESP // Break here, haha, arrived! (If there is a flower directive, you can display it with Ctrl A.) 004010CF |. 83ec 44 SUB ESP, 44004010D2 |. 56 Push ESI Quick! Not addiction, in one example.
Shelling advancement second article
If you can't discover the above method, the program is running directly! Nothing, we are using another way! Loaded, stop here, hide OD with plugins!
0040dbd6 n> ^ / E9 25E4FFFF jmp note_tel.0040c000 // stop here 0040dbdb 0000 add byte PTR DS: [EAX], Al0040dbdd 0038 Add byte Ptr DS: [EAX], BH0040DBDF A4 MOVS BYTE PTR ES: [EDI], byte PTR DS: [ESI] 0040DBE0 54 PUSH ESP
F9 is running, then skip with Shift F9 is here:
0040d817 ^ / 73 DC JNB Short Note_tel.0040d7f5 // Here 0040D819 CD20 64678F06 VXDCALL 68F67640040D81F 0000 Add byte PTR DS: [EAX], Al0040D821 58 POP EAX
Here is the hardware write breakpoint to 0012FFC0! (Type HW 12FFC0 in the command line) SHIFT F9 jumps to the second row of OEP: (analyze Ctrl A)
.. 004010CC / 55 push ebp004010CD | 8BEC mov ebp, esp // off here 004010CF | 83EC 44 sub esp, 44004010D2 | 56 push esi004010D3 | FF15 E4634000 call dword ptr ds:... [4063E4] 004010D9 | 8BF0 mov esi. , EAX004010DB |. 8A00 MOV Al, Byte Ptr DS: [EAX] 004010DD |. 3C 22 CMP AL, 22
In this way, we easily get two encrypted slices of the OEP problem!
5. Summary
Now we can answer some questions easily. What is the principle of 1.esp?
Stack balance principle. What is the scope of application of 2.ESP?
Almost all compression shells are partially added. As long as it is in JMP to OEP, the shell of ESP = 0012FFC4, theoretically we can use it. But when the break is broken, when the check is broken, it will break OD to disconnect, which requires a lot of summary and more accumulation. Welcome to share your experience and us.
3. Is it only possible to break the access breakpoint of 12ffa4?
Of course, that is just an embodiment of the law of ESP. We use the principle of ESP law, and should not be his specific value. You can't say 12FFA4, or 12FFC0 is ESP law, they are just an application of ESP law! 4. What should we do with Stolen Code?
Haha, this is exactly the best way to find Stolen Code! When we are broken, it is just broken in the place where the shell is handled Stolen Code, and I will go to OEP in F8!
6. The principles of the method of the later words are all my own experience, if there is anything wrong, there is no explanation. Also please Han! But if I feel very powerful, it is big, because the law of ESP is also taught me, not my first comment! I am just a rookie that is flying earlier. ^ - ^
I watched the above words hopes to help you when I look for OEP, but don't forget a word: the rookie thinks that OEP is very difficult, master thinks that repair is the hard! Ok, the next article should write IAT's repair principle! Let us work together! Finally, if you reprint the author and keep your article is complete, thank you for reading
