[Author statement]: Just interested, there is no other purpose. Please advan to teach the heroes! [Debug Environment]: WinXP, Ollydbg1.10c, WinHex, PeiD, Lordpe, Peditor, ImportRec ------------------------------------------------------------------------------------------------------------------ --- [Shelling process]: Many brothers don't like to take off the DLL shell, I am also like this. The DLL is more than an exe, and it needs to be repaired. However, you can't give up all because of trouble, such as many other things in life ... I haven't written something for a few days, and I am busy and there is no mood. Seeing the jar with ollydbg off the DLL shell, I wrote this simple thing. In fact, there is a lot of discussion on the shelling of DLL in the second edition of Encryption and Decryption. Ftgg.dll is a bit special. If the DLL is not relocated directly with the ollydbg1.10c, the DLL_Loader.exe is loaded with DLL_LOADER.EXE. So this time we use the ollydbg1.10c to load this DLL, and DUMP will then process the relocation table. --------------------------------- First, DUMP
Code:
10037000 EB 06 JMP Short FTGG.10037008 // After entering OD, stop
10037002 68 90960000 Push 9690 // OEP RVA
10037007 C3 RETN
10037008 9C Pushfd
10037009 60 Pushad
1003700A E8 02000000 Call FTGG.10037011
Because this stuff is a version of the shell before Pecompact 2.0, the OEP is very good to find, the 2nd instruction of the case in the mouth is the RVA address of the OEP. OEP = 10000000 9690 = 10009690 Directly at 10009690 The hardware execution breakpoint, or the in-memory breakpoint, the F9 is interrupted in OEP.
Code:
10009690 55 Push EBP
10009691 8bec MOV EBP, ESP
10009693 53 PUSH EBX
10009694 8B5D 08 MOV EBX, DWORD PTR SS: [EBP 8]
10009697 56 Push ESI
10009698 8B75 0C MOV ESI, DWORD PTR SS: [EBP C]
1000969B 57 Push EDI
1000969C 8B7D 10 MOV EDI, DWORD PTR SS: [EBP 10]
1000969F 85F6 Test ESI, ESI
100096A1 75 09 JNZ Short FTGG.100096AC
Use the Lordpe to select the process of ollydbg's loaddll.exe, select ftgg.dll in the list below, then completely remove the housing to get dumped.dll. After DUMP, do not turn off the OLLYDBG, but also prepare for the following processing relocation table. -------------------------------- Second, the input table is still borrowed by IMPORTREC. Just find an API call from the program, such as: 100095C4 FF15 60B10110 Call DWORD PTR DS: [1001B160]; Kernel32.getVersion follows 1001b160 in the transition, seeing many function addresses up and down, obviously find IAT start and ending addresses : Code:
1001AFF0 00 00 00 00 00 00 00 00 00 00 00 ..............
1001B000 9A 18 DA 77 EA 22 Da 77 0B 59 Da 77 F0 59 Da 77 ... w. ". W.y.w.y.w
1001B010 00 00 00 00 19 52 31 77 00 00 00 B0 1B C4 77 ..... R1W ....... w
1001B390 00 00 00 00 DF 71 F7 72 26 16 F7 72 6C 71 F7 72 ..... q.r & .. rlq.r
1001B3A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Start address = 1001b000 End Address = 1001B3A0 Run ImportRec, select OllydBG's LoadDll.exe process, then click "Select DLL", select ftgg.dll, fill in RVA = 0001B000, size = 3A0, OEP = 00009690, point "get import ". Correct Dumpfixer and correct blocks with PEDITOR DUMPFIXER and correct blocks. Fixdump! --------------------------------- Third, the relocation table fix is only the case is still the shell or not, There is a relocation table needs to be processed. When we stay at 10009690 OEP, although ftgg.dll did not be relocated when using ollydbg1.10c loading, its relocation code has been unspeakable, so we will find this code now to determine heavy RVA and size of the positioning table. Provide a simple way to find this processing code: Ctrl g: 10037000, that is, the entry point to the shell. Then Ctrl S searches the command sequence throughout the block:
Code:
Add ESI, EBX
XOR EAX, EAX
Find the following code:
Code:
10038652 8B9D E6904000 MOV EBX, DWORD PTR SS: [EBP 4090E6] / / [EBP 4090E6] = 10000000
10038658 3B9D 5F974000 CMP EBX, DWORD PTR SS: [EBP 40975F] // [EBP 40975F] = 10000000
1003865E 75 01 JNZ Short FTGG.10038661 / / Retained positioning if it does not match the image base address! / / Can be changed to z = 0, so that you jump here
10038660 C3 RETN
10038661 8BB5 63974000 MOV ESI, DWORD PTR SS: [EBP 409763] = 00032000 RVA of the table
10038667 03F3 Add ESI, EBX // ESI = 00032000 10000000 = 10032000
10038669 33c0 xor eax, eax // found here
1003866B 66: 8B43 3C MOV AX, WORD PTR DS: [EBX 3C]
1003866F 03C3 Add Eax, EBX
10038671 8B80 C0000000 MOV EAX, DWORD PTR DS: [EAX C0]
10038677 85c0 Test Eax, EAX
10038679 75 08 jnz short ftgg.10038683
1003867B 2B9D 5F974000 SUB EBX, DWORD PTR SS: [EBP 40975F]
10038681 EB 0F JMP Short FTGG.10038692
Now we have a breakpoint in its RETN's 10038652, then Ctrl F2 reloads this DLL, F9 runs, and interrupts at 10038652. Analysis is seen. Because there is no relocation here, we can change the flag bit z = 0 in order to find the address and size of the relocation table, so that the 1003865E is jumped, you can see [EBP 409763] = 00032000 at 10038661, this is heavy RVA of the positioning table!
Code:
10038683 03C3 Add Eax, EBX
10038685 2B9D 5F974000 SUB EBX, DWORD PTR SS: [EBP 40975F]
1003868B 0118 Add DWORD PTR DS: [EAX], EBX
1003868D 83C0 04 Add Eax, 4
10038690 0118 Add DWORD PTR DS: [EAX], EBX
10038692 Ad Lods DWORD PTR DS: [ESI] // [ESI] = [10033C34] = 00000000
10038693 0BC0 or EAX, EAX
10038695 74 6F JE SHORT FTGG.10038706 // End, jump
10038697 8BD0 MOV EDX, EAX
10038699 0395 E6904000 Add Edx, DWORD PTR SS: [EBP 4090E6]
1003869f Ad Lods DWORD PTR DS: [ESI] 100386A0 8BC8 MOV ECX, EAX
100386A2 83E9 08 SUB ECX, 8
100386A5 D1E9 SHR ECX, 1
100386A7 66: C785 55974000 00> MOV Word PTR SS: [EBP 409755], 0
100386B0 33C0 XOR EAX, EAX
100386B2 66: Ad Lods Word PTR DS: [ESI]
100386B4 0BC0 or EAX, EAX
100386B6 74 49 Je Short fTGG.10038701
100386B8 66: 0385 55974000 Add Ax, Word PTR SS: [EBP 409755]
100386BF 66: 8985 55974000 MOV Word PTR SS: [EBP 409755], AX
100386C6 50 Push EAX
100386C7 C1E8 0C SHR EAX, 0C
100386CA 83F8 01 CMP EAX, 1
100386CD 75 0e Jnz Short FTGG.100386DD
100386CF 58 POP EAX
100386D0 25 FF0F0000 and Eax, 0FFF
100386D5 03C2 Add Eax, EDX
100386D7 66: 0158 02 Add Word PTR DS: [EAX 2], BX
100386DB EB 24 JMP short fTGG.10038701
100386DD 83F8 02 CMP EAX, 2
100386E0 75 0D JNZ Short ftgg.100386ef
100386E2 58 POP EAX
100386e3 25 ff0f0000 and Eax, 0FFF
100386E8 03C2 Add Eax, EDX
100386EA 66: 0118 Add Word PTR DS: [EAX], BX
100386ed EB 12 JMP short fTGG.10038701
100386EF 83F8 03 CMP EAX, 3
100386F2 75 0C jnz short fTGG.10038700
100386F4 58 POP EAX
100386F5 25 FF0F0000 and Eax, 0FFF
100386FA 03C2 Add Eax, EDX
100386FC 0118 Add DWORD PTR DS: [EAX], EBX
100386fe EB 01 JMP short fTGG.1003870110038700 58 POP EAX
10038701 49 DEC ECX
10038702 75 AC jnz short ftgg.100386b0
10038704 EB 8C JMP short ftgg.10038692
10038706 C3 RETN // ESI = 10033C38
The above is the processing of the program to the relocation table, we can go off at the RETN of 10038706, F9 run, and then get the size of the relocation table. ESI = 10033c38, relocation table end address = 10033c38-4 = 10033C34 Relocking table size = 10033C34- Start address 10032000 = 1C34 Open DUMPED_.DLL with WinHex, copy the 16 credit value between 32000-33c34, and save it to 1. BIN is running to see the tools written by the snow to repair the tool PECOMANGELA.EXE for the PECOMPACT plus the shell DLL redistribution table, open the 1.bin, quickly prompt the Pediy.bin file to create success! Use WinHex to copy all 16 credits in Pediy.bin, write to 32000 of Dumped_.dll, replace the original relocation data. Fix the relocation table RVA = 00032000, size = 00001C34, saved. If you want to simply optimize the back-behind file, you can use FileScan. OK, the shell after the shell can be loaded normally, because there is no previously called the main program, it can only be done this step. If there is a check of DLL in the main program, it is only solved from the main program.
