[Target]: Legend plug-in 1.07
[Tools]: OllyDbg 1.1 (DIY version), LordPE, ImportREC 1.6f
[Protection]: Armadillo 3.6 or below, CopyMem II standard case
[Platform]: WinXP SP2
[Author]: Loveboom [DFCG] [FCG] [US]
[Related links]: ......
[Brief description]: This is an Armadillo 3.6-or-below CopyMem II shell; its code is not scrambled and there is no extra shell code to deal with, so it is relatively easy.
[Detailed procedure]:
OllyDbg settings: ignore all exceptions; use a patched OD (the OutputDebugStringA vulnerability must be patched); hide OD; add C000001E (invalid LOCK sequence) to the custom ignored exceptions.
The unpacking process has four parts: find the OEP, dump the program, repair the IAT, and fix/optimize the main program.
Part 1: Find the OEP
Load the target program in OD:
0056E379 >/$ 55 PUSH EBP ; shell entry point
0056E37A |. 8BEC MOV EBP,ESP
......
Armadillo below 3.7 does not check for CC (INT3) breakpoints on API entry points, so you can set BP breakpoints directly. First set BP WaitForDebugEvent, then F9 to run; it stops here:
7C85A268 > 8BFF MOV EDI,EDI ; first stop; after stopping, pay attention to the stack
7C85A26A 55 PUSH EBP
7C85A26B 8BEC MOV EBP,ESP
......
After it stops, remove the CC breakpoint and look at the stack:
Note the address at ESP+4 and show that address in the dump window:
Now set BP WriteProcessMemory and run. After it breaks, you can find the program's OEP in the dump window.
The OEP is at offset 1C; for this program it is 4014AC. Write it down. That finishes the first part.
Part 2: Dump the program
Knowing the OEP, if you simply Follow 4014AC you get nothing. Look instead at the stack at the break we just hit; it has what we need:
First compute where the real code is. The method: OEP minus the address at ESP+8 (401000) plus the buffer at ESP+0C (003C64B8) (see the related articles for why). So the OEP code of this program is at 4014AC - 401000 + 003C64B8 = 003C6964.
003C6964 /EB 10 JMP SHORT 003C6976 ; here is the program's original OEP code
003C6966 |66:623A BOUND DI,DWORD PTR DS:[EDX]
003C6969 |43 INC EBX
003C696A |2B2B SUB EBP,DWORD PTR DS:[EBX]
003C696C |48 DEC EAX
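The address calculation above (OEP minus the write's destination, plus the parent's buffer) is one instance of a general mapping: every WriteProcessMemory call the parent makes tells you which child address range is being written and where the parent keeps those bytes. The following Python is added here as an illustration and is not part of the original tutorial. It parses OllyDbg-style annotated stack lines (the sample lines are constructed from the values shown on this page) and looks up the parent-side address for any child address, returning None when no recorded write covers it, which is the case when the OEP falls in a later 1000h chunk.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class WpmCall:
    """Arguments of one WriteProcessMemory call as OllyDbg labels them on the
    stack at the breakpoint: ESP+8 = Address (in the child), ESP+0C = Buffer
    (in the parent), ESP+10 = BytesToWrite."""
    address: int   # destination in the child (debuggee) process
    buffer: int    # source bytes in the parent (unpacker) process
    size: int      # number of bytes written


# Matches lines such as "0012D994 00401000 |Address = 401000": the second hex
# word is the stack value, the word after '|' is OllyDbg's argument label.
_STACK_LINE = re.compile(
    r"^\s*[0-9A-Fa-f]{8}\s+([0-9A-Fa-f]{8})\s*\|\s*([A-Za-z]+)\s*=")


def parse_wpm_calls(lines: List[str]) -> List[WpmCall]:
    """Collect (Address, Buffer, BytesToWrite) triples from annotated stack
    lines. A new call starts at each 'Address' label; a call is emitted once
    its Buffer and BytesToWrite have both been seen."""
    calls: List[WpmCall] = []
    cur: Dict[str, int] = {}
    for line in lines:
        m = _STACK_LINE.match(line)
        if not m:
            continue
        value, label = int(m.group(1), 16), m.group(2).lower()
        if label == "address":
            cur = {"address": value}
        elif label in ("buffer", "bytestowrite") and "address" in cur:
            cur[label] = value
        if all(k in cur for k in ("address", "buffer", "bytestowrite")):
            calls.append(WpmCall(cur["address"], cur["buffer"], cur["bytestowrite"]))
            cur = {}
    return calls


def locate_in_parent(calls: List[WpmCall], child_va: int) -> Optional[int]:
    """Parent-process address of the bytes destined for child_va, or None if
    no recorded write covers that address."""
    for c in calls:
        if c.address <= child_va < c.address + c.size:
            return child_va - c.address + c.buffer
    return None


# Constructed sample: the stack lines this page shows at the first
# WriteProcessMemory break, with the hex values copied as they appear there.
SAMPLE_STACK = """
0012D98C 0056C421 /CALL to WriteProcessMemory from mlex.0056C41B
0012D990 0000004C |hProcess = 0000004C (window)
0012D994 00401000 |Address = 401000
0012D998 003C64B8 |Buffer = 003C64B8
0012D99C 00001000 |BytesToWrite = 1000 (4096.)
0012D9A0 0012DAA8 \\pBytesWritten = 0012DAA8
""".strip().splitlines()


if __name__ == "__main__":
    calls = parse_wpm_calls(SAMPLE_STACK)
    where = locate_in_parent(calls, 0x4014AC)
    print("OEP bytes live in the parent at", hex(where) if where else "no covering write")
```

With the page's values the lookup yields 003C6964, matching the hand calculation; a child address outside the 1000h-byte write (for example 402000) yields None, which is the signal to wait for a later WriteProcessMemory break instead of trusting the formula blindly.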
Earlier articles handled this part after the dump; this program does not need it, but the handling is shown here for completeness. You can also skip this step and go straight to NEXT1.
Here is how it goes. First look at the stack:
0012D98C 0056C421 /CALL to WriteProcessMemory from mlex.0056C41B
0012D990 0000004C |hProcess = 0000004C (window)
0012D994 00401000 | Address = 401000
0012d998 003c64b8 | buffer = 003c64b8
0012D99C 00001000 | Bytestowrite = 1000 (4096.)
0012D9A0 0012DAA8 / PBYTESWRITTEN = 0012DAA8
0012D9A4 00000002
0012D9A8 00000002
0012D9AC 0012F5A4
0012d9b0 00000000
0012D9B4 00000000
0012D9B8 00000000
0012D9BC 00000000
0012D9C0 00000000
0012D9C4 00000000
0012D9C8 00000000
0012d9cc 00000000
0012D9D0 00000000
0012D9D4 00000000
0012D9D8 00000000
0012D9DC 00000000
0012d9E0 00000000
0012d9E4 00000000
0012d9E8 00000000
0012d9EC 00000000
0012D9F0 00000000
0012D9F4 00000000
0012D9F8 00000000
0012D9FC 00000000
0012Da00 00000000
0012DA04 0012BDA4
0012DA08 00000000
0012DA0C 7C9305C8 RETURN TO NTDLL.7C9305C8 from NTDLL.7C922F2F
0012DA10 005EC790 mlex.005ec790
0012DA14 0012BE70
0012DA18 7C930551 RETURN TO NTDLL.7C930551 from NTDLL.7C9305A2
0012DA1C 00561378 MLEX.00561378
0012DA20 7C93056D Return to NTDLL.7C93056D from NTDLL.7C92EE02
0012DA24 0012BEC4
0012DA28 00000000
0012DA2C 00000000
0012DA30 00000000
0012DA34 00000000
0012DA38 00000020
0012DA3C 0012C368
0012DA40 0012BDEC
0012DA44 004A6C1C MLEX.004A6C1C
0012DA48 0012C7FC
0012DA4C 0012BE20
0012DA50 00000039
0012DA54 004C1AB5 MLEX.004C1AB5
0012DA58 0012BE20
0012DA5C 0012BE08
0012DA60 004A6E3B MLEX.004A6E3B
0012DA64 0012BE20
0012DA68 00000039
0012DA6C 0012C368
0012DA70 00000001
0012DA74 00000000
0012DA78 0012C340
0012DA7C 004A77D8 MLEX.004A77D8
0012DA80 0012BE20
0012DA84 828BF055
0012DA88 003C74B8
0012DA8C 003C74B8
0012DA90 5C3A4431
0012DA94 75636F44
0012DA98 00000020
0012DA9C 00401000 mlex.00401000
0012DAA0 00000020
0012DAA4 003C74B8
0012DAA8 00001000
0012DAAC 003c74b8
0012DAB0 / 0012DAE4
0012DAB4 | 0056B12E RETURN TO MLEX.0056B12E from Mlex.0056B475
0012DAB8 | 00000000
Right-click 0012DAB4 and follow it in the disassembler. In the code window:
0056B129 . E8 47030000 CALL 0056B475 ; this CALL does the decoding
0056B12E > 83C4 0C ADD ESP,0C ; land here
......
A Ctrl+F search for the command CALL 0056B475 finds two places (with Armadillo 3.7 or above there are several); the second is:
0056B3E4 . E8 8C000000 CALL 0056B475 ; second place
0056B3E9 . 83C4 0C ADD ESP,0C
0056B3EC . 9C PUSHFD
0056B3ED . 60 PUSHAD
......
NOP out the second one:
0056B3E4 90 NOP ; second place
0056B3E5 90 NOP
0056B3E6 90 NOP
0056B3E7 90 NOP
0056B3E8 90 NOP
0056B3E9 . 83C4 0C ADD ESP,0C
That completes the handling.
NEXT1:
Now patch the code so the program can be dumped: make it "hang" by turning the first instruction of the OEP code into JMP EIP (the same trick used under SoftICE).
Modify 003C6964:
003C6964 /EB 10 JMP SHORT 003C6976
003C6966 |66:623A BOUND DI,DWORD PTR DS:[EDX]
003C6969 |43 INC EBX
003C696A |2B2B SUB EBP,DWORD PTR DS:[EBX]
into:
003C6964 -EB FE JMP SHORT 003C6964
003C6966 66:623A BOUND DI,DWORD PTR DS:[EDX]
003C6969 43 INC EBX
003C696A 2B2B SUB EBP,DWORD PTR DS:[EBX]
003C696C 48 DEC EAX
Then let the program run so it "hangs" in that loop. Open LordPE, select the second process, choose the ArmDump plugin and Dump Full. That completes the second part.
Part 3: Repair the IAT
The code is dumped; now we have to fix the IAT. Close the OD opened earlier, load the program just dumped and find the IAT start near the OEP. A fairly easy address to find is 533000 (the start address need not be exact). Write it down, then load the target again in OD and set BP DebugActiveProcess. After running, you can see the process ID. Open a second OD and attach to that process. Attaching breaks in system code; press F9 to run, then F12 to pause. The process is in an infinite loop :-)
0056E379 > -EB FE JMP SHORT 0056E379
0056E37B EC IN AL,DX ; I/O command
After pausing, restore the EP code: change EB FE back to 55 8B (PUSH EBP / MOV EBP,ESP). From here on the shell behaves like a standard double-process case, and the standard double-process method recovers the IAT. Specifically:
After restoring the code, set BP OpenMutexA directly and press F9. When it breaks, clear the breakpoint and note the contents at ESP+C (the mutex name).
Write the following code in a blank area:
00401000 60 PUSHAD
00401001 9C PUSHFD
00401002 68 F0FB1200 PUSH 12FBF0 ; ASCII "168::DAC4C6C5E3"
00401007 33C0 XOR EAX,EAX
00401009 50 PUSH EAX
0040100A 50 PUSH EAX
0040100B E8 2FDB407C CALL kernel32.CreateMutexA
00401010 9D POPFD
00401011 61 POPAD
00401012 -E9 04DC407C JMP kernel32.OpenMutexA
Set EIP to this code (Ctrl+*), then change OD's exception settings:
Enable stopping on memory access violations. F9 to run; after the memory access exception, set ignore all exceptions again, set BP GetModuleHandleA+5, and Shift+F9 to pass the exception and continue. When the API breakpoint hits, remove it and Alt+F9 to return to user code:
00CA532B FF15 A450CC00 CALL DWORD PTR DS:[CC50A4] ; kernel32.GetModuleHandleA
00CA5331 8B0D 60D8CC00 MOV ECX,DWORD PTR DS:[CCD860] ; return here
00CA5337 89040E MOV DWORD PTR DS:[ESI+ECX],EAX
00CA533A A1 60D8CC00 MOV EAX,DWORD PTR DS:[CCD860]
00CA533F 393C06 CMP DWORD PTR DS:[ESI+EAX],EDI
00CA5342 75 16 JNZ SHORT 00CA535A
00CA5344 8D85 B4FEFFFF LEA EAX,DWORD PTR SS:[EBP-14C]
00CA534A 50 PUSH EAX
00CA534B FF15 B850CC00 CALL DWORD PTR DS:[CC50B8] ; kernel32.LoadLibraryA
00CA5351 8B0D 60D8CC00 MOV ECX,DWORD PTR DS:[CCD860]
00CA5357 89040E MOV DWORD PTR DS:[ESI+ECX],EAX
00CA535A A1 60D8CC00 MOV EAX,DWORD PTR DS:[CCD860]
00CA535F 393C06 CMP DWORD PTR DS:[ESI+EAX],EDI
00CA5362 0F84 AD000000 JE 00CA5415 ; the magic jump, change it to JMP
Change it to JMP 00CA5415
00CA5368 33C9 XOR ECX,ECX
00CA536A 8B03 MOV EAX,DWORD PTR DS:[EBX]
After the change, Alt+M opens the memory map; set a breakpoint on the .text section:
After it breaks, F9 once more lands at the OEP:
004014AC 6D INS DWORD PTR ES:[EDI],DX ; break here; the code here is not restored, but the IAT is now correct
004014AD 66:16 PUSH SS
......
After the break, use ImportREC to fix the IAT. The start RVA is our address from above minus the image base, 533000 - 400000 = 133000; the size can be set larger than needed (you can also compute it exactly). Cut the invalid pointers, then fix the dump.
IAT repair is complete. (Note: with version 3.7x or above there are more steps at this point.)
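ImportREC's inputs above are an RVA (the IAT's VA minus the image base) and a size, and its "cut invalid pointers" step drops thunks that point outside every loaded module. The Python below is added as an illustration and is not part of the original tutorial or of ImportREC. It runs the same checks over a constructed IAT region: the module base addresses, sizes and thunk values are made up for the example (the kernel32 and user32 ranges are placeholders, and one thunk deliberately points into the unpacker's own memory). It reports which thunk RVAs would be cut and how many bytes the IAT region spans.

```python
import struct
from typing import Dict, List, Tuple

# Module table as an analyst would copy it from the debugger's module list:
# name -> (base address, size). These values are constructed for the example.
SAMPLE_MODULES: Dict[str, Tuple[int, int]] = {
    "kernel32.dll": (0x7C800000, 0xF6000),   # placeholder base/size
    "user32.dll": (0x77D40000, 0x90000),     # placeholder base/size
}
SAMPLE_IMAGE_BASE = 0x400000
SAMPLE_IAT_VA = 0x533000                      # the address found on this page

# Constructed little-endian dump of eight IAT thunks: two kernel32 pointers,
# a terminator, one user32 pointer, one stale pointer into unpacker memory,
# then terminators/padding.
SAMPLE_IAT = struct.pack("<8I",
                         0x7C80B741, 0x7C801D7B, 0,
                         0x77D5A9B8, 0x00CA5331, 0, 0, 0)


def va_to_rva(va: int, image_base: int) -> int:
    """ImportREC takes RVAs: RVA = VA - ImageBase (533000 - 400000 = 133000 here)."""
    if va < image_base:
        raise ValueError("VA %#x is below image base %#x" % (va, image_base))
    return va - image_base


def read_iat(raw: bytes) -> List[int]:
    """Split a raw dump of the IAT region into 32-bit thunk values."""
    if len(raw) % 4:
        raise ValueError("IAT region must be a whole number of DWORDs")
    return list(struct.unpack("<%dI" % (len(raw) // 4), raw))


def classify_thunks(thunks: List[int],
                    modules: Dict[str, Tuple[int, int]]) -> List[Tuple[int, str]]:
    """Label each thunk with its owning module, 'terminator' for 0, or
    'invalid' when it falls outside every module (the entries ImportREC cuts)."""
    labelled = []
    for value in thunks:
        if value == 0:
            labelled.append((value, "terminator"))
            continue
        owner = next((name for name, (base, size) in modules.items()
                      if base <= value < base + size), "invalid")
        labelled.append((value, owner))
    return labelled


def invalid_thunk_rvas(iat_va: int, image_base: int, thunks: List[int],
                       modules: Dict[str, Tuple[int, int]]) -> List[int]:
    """RVAs of the thunks that cannot be resolved to any module, in IAT order."""
    return [va_to_rva(iat_va + 4 * i, image_base)
            for i, (_, label) in enumerate(classify_thunks(thunks, modules))
            if label == "invalid"]


def iat_size_bytes(thunks: List[int]) -> int:
    """Bytes from the IAT start through the terminator after the last non-zero
    thunk; 0 for an all-zero region. Trailing padding is not counted."""
    last = max((i for i, v in enumerate(thunks) if v), default=-1)
    if last < 0:
        return 0
    return min(4 * (last + 2), 4 * len(thunks))


if __name__ == "__main__":
    thunks = read_iat(SAMPLE_IAT)
    for i, (value, label) in enumerate(classify_thunks(thunks, SAMPLE_MODULES)):
        print("RVA %06X  %08X  %s" % (va_to_rva(SAMPLE_IAT_VA + 4 * i, SAMPLE_IMAGE_BASE), value, label))
    print("cut:", [hex(r) for r in invalid_thunk_rvas(SAMPLE_IAT_VA, SAMPLE_IMAGE_BASE, thunks, SAMPLE_MODULES)])
    print("size:", hex(iat_size_bytes(thunks)))
```

On the sample data the stale pointer at RVA 133010 is the only entry flagged for cutting, and the region size comes out as 18h bytes; in practice you would feed the real module list from the debugger and the real IAT bytes from the dump, and a thunk labelled invalid that sits between valid ones is the sign of an import the shell has not restored rather than mere padding.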
Part 4: Fix / optimize
The program is basically done; now the finishing work. Close both ODs, set the entry point to the OEP with LordPE, clear the unused sections and then run LordPE's FixDump:
Finished!
Greetz:
Fly, jingulong, Yock, TDASM, David, hexer, Hmimys, Ahao, ufo (brother), aran (sister), all of my friends and you!
By LoveBoom [DFCG] [FCG] [US]
Email: loveboom # 163.com
Date: 2006-3-27 16:57