A plus external housing
[Observation]: Hero throne V0.001.014
[Tu]: Olydbg1.1 (DIY Version), Lordpe, ImportRec1.6F
[Renuction]: Delax
[Operation Platform]: Windows XP SP2
[Author]: loveboom [dfcg] [fcg] [US]
[Brief Description]: This is a strange shell, which can not see any explanation about this shell outside, and the shell is decompressed by a DLL, and the original procedure is performed. It is a relatively new intensive mode.
[Detailed Procedure]:
OD has no special settings, open all exception items.
Let's take a look at this shell directly with Lordpe:
More interesting, the program only uses a DLL to extract and run the program.
Because the shell is decompressed by the DLL, then run again, we can't let the OD stop in the OEP, because OD is generally broken at the program's OEP, so it will interrupt at the program entrance. Change the setting of the OD:
Let the OD interrupt in the system DLL.
This allows you to load the program because the shell will change the IAT to the shell, so let's first add a segment in the program. My approach is to use the WinHex new key to 35KB (this definition due to IAT size), then load the program file with the Lordpe and add a segment, select from the disk load.
The lowermost paragraph is my new.
Now use OD to load the target program again, now interrupt in the system:
7C921231 C3 RETN; Interrupt in System DLL
7c921232 8BFF MOV EDI, EDI
After disconnecting the F2 breakpoint below the program's CODE:
Then press the F9 to run the program, after running, the program is interrupted in the shelldll.dll, that is, the DLL decoder file:
100025A2 8BCE MOV ECX, ESI; if you don't decompress it, continue
100025A4 6A 01 PUSH 1
100025A6 8B11 MOV EDX, DWORD PTR DS: [ECX]; Interrupt here
100025A8 895424 18 MOV DWORD PTR SS: [ESP 18], EDX; the code here decodes the original program.
100025AC 8B41 04 MOV EAX, DWORD PTR DS: [ECX 4]
100025AF 894424 1C MOV DWORD PTR SS: [ESP 1C], EAX
100025B3 8B51 08 MOV EDX, DWORD PTR DS: [ECX 8]
100025B6 895424 20 MOV DWORD PTR SS: [ESP 20], EDX
100025BA 8D5424 18 Lea EDX, DWORD PTR SS: [ESP 18]
100025BE 8B41 0C MOV EAX, DWORD PTR DS: [ECX C]
100025C1 8D4C24 28 LEA ECX, DWORD PTR SS: [ESP 28]
100025C5 51 PUSH ECX
100025C6 55 Push EBP
100025C7 52 PUSH EDX100025C8 8D4C24 20 LEA ECX, DWORD PTR SS: [ESP 20]
100025CC 894424 30 MOV DWORD PTR SS: [ESP 30], EAX
100025D0 E8 5Bebffff Call 10001130
100025D5 8B4C24 24 MOV ECX, DWORD PTR SS: [ESP 24]
100025D9 8B5424 28 MOV EDX, DWORD PTR SS: [ESP 28]
100025DD 8BC6 MOV EAX, ESI
100025DF 83C6 10 Add ESI, 10
100025E2 4B DEC EBX
100025E3 8908 MOV DWORD PTR DS: [EAX], ECX
100025E5 8B4C24 2C MOV ECX, DWORD PTR SS: [ESP 2C]
100025E9 8950 04 MOV DWORD PTR DS: [EAX 4], EDX
100025EC 8B5424 30 MOV EDX, DWORD PTR SS: [ESP 30]
100025F0 8948 08 MOV DWORD PTR DS: [EAX 8], ECX
100025F3 8950 0C MOV DWORD PTR DS: [EAX C], EDX
100025f6 ^ 75 aa jnz short 100025a2; did not decompress it
100025F8 5D POP EBP
100025F9 5B POP EBX
100025FA 8D4C24 08 Lea ECX, DWORD PTR SS: [ESP 8]
100025fe C74424 34 FFFFF> MOV DWORD PTR SS: [ESP 34], - 1
10002606 C1E7 04 SHL EDI, 4
10002609 E8 22EAFFFF CALL 10001030
1000260E 8B4C24 2C MOV ECX, DWORD PTR SS: [ESP 2C]
10002612 8BC7 MOV EAX, EDI
10002614 5F POP EDI
10002615 5E POP ESI
10002616 64: 890D 0000000> MOV DWORD PTR FS: [0], ECX
1000261D 83C4 30 Add ESP, 30
10002620 C2 1000 RETN 10; We can directly press F4 here, do it here
After disconnect, Direct F4 is executed to 10002620, pay attention to because OD is at the CC at the program OEP, where the decoded OEP part code is incorrect, so we have to change an OEP code, and then change it back. After the operation is completed, the Code paragraph breakpoint, so that I have to analyze the processing of IAT:
1000236B 8B4424 0C MOV EAX, DWORD PTR SS: [ESP C] 1000236F C606 E9 MOV BYTE PTR DS: [ESI], 0E9; once again, it is interrupted here, here is filled in remote jump, let IAT partially remove
10002372 2BC6 SUB EAX, ESI; calculate the distance of the jump
10002374 83C0 FB Add Eax, -5
10002377 8946 01 MOV DWORD PTR DS: [ESI 1], EAX; fill in the remote address
1000237A 8B5424 14 MOV EDX, DWORD PTR SS: [ESP 14]; Take the address of the input table
1000237E 8B4424 20 MOV EAX, DWORD PTR SS: [ESP 20]; Remove the code that jumps to IAT, and then compares, jump to the API is usually FF25, FF15, etc.
10002382 3D 2D8B0000 CMP EAX, 8B2D; Comparison is the style of MOV EBP, DS: [xxxxxxxx]
10002387 893A MOV DWORD PTR DS: [EDX], EDI; fill IAT in the case
10002389 0F8F 9C000000 JG 1000242B; if it is greater than 8B2D
1000238F 0F84 86000000 JE 1000241B; if equals the processing of 8B2D
10002395 3D 158B0000 CMP EAX, 8B15; the style is not MOV EDX, DS: [xxxxxxxx]
1000239A 7F 68 JG Short 10002404; If it is greater than jumping
1000239C 74 38 JE SHORT 100023D6; Isometrically jumping to process 8b15
1000239E 3D A1000000 CMP EAX, 0A1; Comparison is the case of MOV Eax, DS: [xxxxxxxx]
100023A3 74 1B JE SHORT 100023C0; if it is, jump
100023A5 3D 0D8B0000 CMP EAX, 8B0D; Judgment is MOV ECX, DS: [xxxxxxxx]
100023AA 0F85 D9000000 JNZ 10002489; if not jumping
100023B0 8B4C24 10 MOV ECX, DWORD PTR SS: [ESP 10]; Handling MOV ECX, DS: [xxxxxxxx]
100023B4 8D46 06 LEA EAX, DWORD PTR DS: [ESI 6]
100023B7 C601 8B MOV BYTE PTR DS: [ECX], 8B100023BA C641 01 0D MOV BYTE PTR DS: [ECX 1], 0D
100023BE EB 24 JMP Short 100023E4
100023C0 8B4C24 10 MOV ECX, DWORD PTR SS: [ESP 10]; Handling MOV EAX, DS: [xxxxxxxx]
100023C4 8D46 05 LEA EAX, DWORD PTR DS: [ESI 5]
100023C7 C601 A1 MOV BYTE PTR DS: [ECX], 0A1
100023CA 8B5424 14 MOV EDX, DWORD PTR SS: [ESP 14]
100023CE 8951 01 MOV DWORD PTR DS: [ECX 1], EDX
100023D1 83C1 05 Add ECX, 5; because of MOV Eax, DS: [xxxxxxx] machine code is only five, so there is a point different
100023D4 EB 18 JMP Short 100023EE
100023D6 8B4C24 10 MOV ECX, DWORD PTR SS: [ESP 10]; Handling MOV EDX, DS: [xxxxxxxx]
100023DA 8D46 06 LEA EAX, DWORD PTR DS: [ESI 6]
100023DD C601 8B MOV BYTE PTR DS: [ECX], 8B
100023E0 C641 01 15 MOV BYTE PTR DS: [ECX 1], 15
100023E4 8B5424 14 MOV EDX, DWORD PTR SS: [ESP 14]; Processing the jump, write the address in DS: [xxxxxxxx], the address is the address of the previous sentence of EIP
100023E8 8951 02 MOV DWORD PTR DS: [ECX 2], EDX
100023EB 83C1 06 Add ECX, 6
100023EE 2BC1 SUB EAX, ECX; Calculation Distance
100023F0 C601 E9 MOV BYTE PTR DS: [ECX], 0E9; After the code is added to the API, fill in the code you want JMP returns the program.
100023F3 83E8 05 SUB EAX, 5
100023F6 5F POP EDI
100023F7 8941 01 MOV DWORD PTR DS: [ECX 1], EAX; Fill in the address
100023FA 5E POP ESI
100023fb 33c0 xor EAX, EAX
100023FD 5B POP EBX
100023FE 83C4 10 Add ESP, 10
10002401 C2 0C00 RETN 0C
10002404 3D 1D8B0000 CMP EAX, 8B1D; Judgment is MOV EBX, DS: [xxxxxxxx] 10002409 75 7e Jnz Short 10002489; If not jump
1000240B 8B4C24 10 MOV ECX, DWORD PTR SS: [ESP 10]; Handling MOV EBX, DS: [XXXXXXXX]
1000240F 8D46 06 Lea Eax, DWORD PTR DS: [ESI 6]
10002412 C601 8B MOV BYTE PTR DS: [ECX], 8B
10002415 C641 01 1D MOV BYTE PTR DS: [ECX 1], 1D
10002419 ^ EB C9 JMP SHORT 100023E4
1000241B 8B4C24 10 MOV ECX, DWORD PTR SS: [ESP 10]; Handling MOV EBP, DS: [XXXXXXXX]
1000241F 8D46 06 LEA EAX, DWORD PTR DS: [ESI 6]
10002422 C601 8B MOV BYTE PTR DS: [ECX], 8B
10002425 C641 01 2D MOV BYTE PTR DS: [ECX 1], 2D
10002429 ^ EB B9 JMP Short 100023E4
1000242B 3D 15FF0000 CMP EAX, 0FF15; Judgment is Call DS: [xxxxxxxx]
10002430 7F 3D JG SHORT 1000246F; If it is greater than it is jumped
10002432 74 2C JE SHORT 10002460; Is to jump to handle Call DS: [xxxxxxxx]
10002434 2D 358B0000 SUB EAX, 8B35; Whether to handle whether MOV ESI, DS: [xxxxxxxx]
10002439 74 15 JE SHORT 10002450; Equal
1000243B 83E8 08 SUB EAX, 8; Use another way to determine if it is MOV EDI, DS: [xxxxxxxx]
1000243E 75 49 JNZ Short 10002489; If you don't jump
10002440 8B4C24 10 MOV ECX, DWORD PTR SS: [ESP 10]; Handling MOV EDI, DS: [XXXXXXXX]
10002444 8D46 06 LEA EAX, DWORD PTR DS: [ESI 6]
10002447 C601 8B MOV BYTE PTR DS: [ECX], 8B
1000244A C641 01 3D MOV BYTE PTR DS: [ECX 1], 3D
1000244E ^ EB 94 JMP Short 100023E4
10002450 8B4C24 10 MOV ECX, DWORD PTR SS: [ESP 10]; Handling MOV ESI, DS: [xxxxxxxx]
10002454 8D46 06 LEA EAX, DWORD PTR DS: [ESI 6]
10002457 C601 8B MOV BYTE PTR DS: [ECX], 8B
1000245A C641 01 35 MOV BYTE PTR DS: [ECX 1], 35
1000245E ^ EB 84 JMP Short 100023E4
10002460 8B4C24 10 MOV ECX, DWORD PTR SS: [ESP 10]; Handling Call DS: [xxxxxxxx]
10002464 8D46 06 LEA EAX, DWORD PTR DS: [ESI 6]
10002467 C601 FF MOV BYTE PTR DS: [ECX], 0FF
1000246A ^ E9 71FFFFFF JMP 100023E0
1000246F 3D 25FF0000 CMP EAX, 0FF25; Judgment is JMP DS: [xxxxxxxx]
10002474 75 13 JNZ Short 10002489; If you don't jump
10002476 8B4C24 10 MOV ECX, DWORD PTR SS: [ESP 10]; Handling JMP DS: [XXXXXXXX]
1000247A 8D46 06 LEA EAX, DWORD PTR DS: [ESI 6]
1000247D C601 FF MOV BYTE PTR DS: [ECX], 0FF
10002480 C641 01 25 MOV BYTE PTR DS: [ECX 1], 25
10002484 ^ E9 5BFFFFF JMP 100023E4
10002489 5F POP EDI
1000248A C743 04 1527000> MOV DWORD PTR DS: [EBX 4], 2715
10002491 5E POP ESI
10002492 83C8 ff or eax, fffffff
10002495 5B POP EBX
10002496 83C4 10 Add ESP, 10
10002499 C2 0C00 RETN 0C
After reading, summarize the JMP API's code to the shell, IAT's processing In addition to MOV EAX, DS: [xxxxxxx] is a bit different, the other is fill in the value of EAX (JMP MOV) EBP and the like, then write the address to be jumped, the address is the address of the previous sentence of EIP is EIP-4, and the address to return will be filled in the address.
After analysis, we write your own code;
1000237A / E9 025E0000 JMP 10008181
1000237F | 90 NOP
10002380 | 90 NOP
10002381 | 90 NOP10002382 | 3D 2D8B0000 CMP EAX, 8B2D
10002387 | 893A MOV DWORD PTR DS: [EDX], EDI
10002389 | 0F8F 9C000000 JG 1000242B
1000238F | 0F84 86000000 JE 1000241B
10002395 | 3D 158B0000 CMP EAX, 8B15
1000239A | 7F 68 JG SHORT 10002404
1000239C | 74 38 Je Short 100023D6
1000239E | 3D A1000000 CMP EAX, 0A1
100023A3 | 74 1B JE SHORT 100023C0
100023A5 | 3D 0D8B0000 CMP EAX, 8B0D
100023AA | 0F85 D9000000 JNZ 10002489
100023B0 | E9 5C5D0000 JMP 10008111
100023B5 | 90 NOP
100023B6 | 90 NOP
100023B7 | C601 8B MOV BYTE PTR DS: [ECX], 8B
100023BA | C641 01 0D MOV BYTE PTR DS: [ECX 1], 0D
100023BE | EB 24 JMP SHORT 100023E4
100023C0 | E9 4C5D0000 JMP 10008111
100023C5 | 90 NOP
100023C6 | 90 NOP
100023C7 | C601 A1 MOV BYTE PTR DS: [ECX], 0A1
100023CA | 8B5424 14 MOV EDX, DWORD PTR SS: [ESP 14]
100023CE | 8951 01 MOV DWORD PTR DS: [ECX 1], EDX
100023D1 | 83C1 05 Add ECX, 5
100023D4 | EB 18 JMP SHORT 100023EE
100023D6 | E9 365D0000 JMP 10008111
100023DB | 90 NOP
100023DC | 90 NOP
100023DD | C601 8B MOV BYTE PTR DS: [ECX], 8B
100023E0 | C641 01 15 MOV BYTE PTR DS: [ECX 1], 15
100023E4 | 8B5424 14 MOV EDX, DWORD PTR SS: [ESP 14]
100023E8 | 8951 02 MOV DWORD PTR DS: [ECX 2], EDX
100023EB | 83C1 06 Add ECX, 6
100023EE | 2BC1 SUB EAX, ECX
100023F0 | C601 00 MOV BYTE PTR DS: [ECX], 0
100023F3 | 33C0 XOR EAX, EAX
100023F5 | 90 NOP
100023F6 | 5F POP EDI100023F7 | 8941 01 MOV DWORD PTR DS: [ECX 1], EAX
100023FA | 5E POP ESI
100023FB | 33C0 XOR EAX, EAX
100023FD | 5B POP EBX
100023FE | 83C4 10 Add ESP, 10
10002401 | C2 0C00 RETN 0C
10002404 | 3D 1D8B0000 CMP EAX, 8B1D
10002409 | 75 7e Jnz Short 10002489
1000240B | E9 015D0000 JMP 10008111
10002410 | 90 NOP
10002411 | 90 NOP
10002412 | 90 NOP
10002413 | 90 NOP
10002414 | 90 NOP
10002415 | 90 NOP
10002416 | 90 NOP
10002417 | 90 NOP
10002418 | 90 NOP
10002419 | 90 NOP
1000241A | 90 NOP
1000241B | E9 F15C0000 JMP 10008111
10002420 | 90 NOP
10002421 | 90 NOP
10002422 | 90 NOP
10002423 | 90 NOP
10002424 | 90 NOP
10002425 | 90 NOP
10002426 | 90 NOP
10002427 | 90 NOP
10002428 | 90 NOP
10002429 | 90 NOP
1000242A | 90 NOP
1000242B | 3D 15FF0000 CMP EAX, 0FF15
10002430 | 7F 3D JG SHORT 1000246F
10002432 | 74 2C Je Short 10002460
10002434 | 2D 358B0000 SUB EAX, 8B35
10002439 | 74 15 Je Short 10002450
1000243B | 83e8 08 SUB EAX, 8
1000243E | 75 49 Jnz Short 10002489
10002440 | B8 3D8B0000 MOV EAX, 8B3D
10002445 | E9 C75C0000 JMP 10008111
1000244A | 90 NOP
1000244B | 90 NOP
1000244C | 90 NOP
1000244D | 90 NOP
1000244E | 90 NOP
1000244F | 90 NOP
10002450 | B8 358B0000 MOV EAX, 8B35
10002455 | E9 B75C0000 JMP 10008111
1000245A | 90 NOP
1000245B | 90 NOP
1000245C | 90 NOP
1000245D | 90 NOP
1000245E | 90 NOP
1000245F | 90 NOP
10002460 | E9 AC5C0000 JMP 10008111
10002465 | 90 NOP
10002466 | 90 NOP
10002467 | 90 NOP
10002468 | 90 NOP
10002469 | 90 NOP
1000246A | 90 NOP
1000246B | 90 NOP
1000246C | 90 NOP
1000246D | 90 NOP
1000246E | 90 NOP
1000246F | 3D 25FF0000 CMP EAX, 0FF25
10002474 | 75 13 JNZ Short 10002489
10002476 | E9 965C0000 JMP 10008111
1000247B | 90 NOP
1000247C | 90 NOP
1000247D | 90 NOP
1000247E | 90 NOP
1000247F | 90 NOP
10002480 | 90 NOP
10002481 | 90 NOP
10002482 | 90 NOP
10002483 | 90 NOP
10002484 | 90 NOP
10002485 | 90 NOP
10002486 | 90 NOP
10002487 | 90 NOP
10002488 | 90 NOP
10002489 | 5F POP EDI
1000248A | C743 04 1527000> MOV DWORD PTR DS: [EBX 4], 2715
10002491 | 5E POP ESI
10002492 | 83C8 ff or eax, fffffffff
10002495 | 5B POP EBX
10002496 | 83C4 10 Add ESP, 10
10002499 | C2 0C00 RETN 0C
Then write a paragraph on the air:
10008111 8B4C24 10 MOV ECX, DWORD PTR SS: [ESP 10]
10008115 51 PUSH ECX
10008116 8BCE MOV ECX, ESI; Fill in code to programs 10008118 3C A1 CMP Al, 0A1
1000811A 74 34 JE SHORT 10008150; Processing EAX = A1
1000811C 90 NOP
1000811D 9C Pushfd
1000811E 66: 8BD0 MOV DX, AX
10008121 66: C1E0 08 SHL AX, 8
10008125 8ac6 MOV Al, DH
10008127 9D POPFD
10008128 66: 8901 MOV WORD PTR DS: [ECX], AX; Write Eax's value
1000812B 8D46 06 LEA EAX, DWORD PTR DS: [ESI 6]
1000812E 8B5424 18 MOV EDX, DWORD PTR SS: [ESP 18]; because the previous ECX is in the stack, so this is ESP 18
10008132 90 NOP
10008133 90 NOP
10008134 90 NOP
10008135 90 NOP
10008136 90 NOP
10008137 90 NOP
10008138 8951 02 MOV DWORD PTR DS: [ECX 2], EDX; Fill in DS: [xxxxxxxx]
1000813B 59 POP ECX
1000813C 66: C701 0000 MOV WORD PTR DS: [ECX], 0; fill in the code to the code
10008141 C741 02 0000000> MOV DWORD PTR DS: [ECX 2], 0
10008148 ^ E9 9EA2FFFF JMP 100023EB; Treatment over
1000814D 90 NOP
1000814E 90 NOP
1000814F 90 NOP
10008150 8801 MOV BYTE PTR DS: [ECX], Al; Processing 0A1
10008152 8D46 05 LEA EAX, DWORD PTR DS: [ESI 5]
10008155 8B5424 18 MOV EDX, DWORD PTR SS: [ESP 18]
10008159 8951 01 MOV DWORD PTR DS: [ECX 1], EDX
1000815C 59 POP ECX
1000815D C601 00 MOV BYTE PTR DS: [ECX], 0
10008160 90 NOP
10008161 90 NOP10008162 C741 01 0000000> MOV DWORD PTR DS: [ECX 1], 0
10008169 83E9 01 SUB ECX, 1
1000816C ^ E9 7AA2FFFF JMP 100023EB; Hand Jump
10008171 90 NOP
10008172 90 NOP
10008173 90 NOP
10008174 90 NOP
10008175 90 NOP
10008176 90 NOP
10008177 90 NOP
10008178 90 NOP
10008179 90 NOP
1000817A 90 NOP
1000817B 90 NOP
1000817C 90 NOP
1000817D 90 NOP
1000817E 90 NOP
1000817F 90 NOP
10008180 90 NOP
10008181 8B5424 14 MOV EDX, DWORD PTR SS: [ESP 14]; put the IAT part in the program
10008185 81EA 40435F00 SUB EDX, 5F4340; Here is to put the IAT address of the shell to the new segment in front of us, pay attention, the value here may be different after each load
1000818B 90 NOP; Second We want to handle it, what is 5C4010 every second time, we changed to 5C4004, and disconnected here
1000818C 90 NOP; after I use the script
1000818D 90 NOP
1000818E 895424 14 MOV DWORD PTR SS: [ESP 14], EDX
10008192 90 NOP
10008193 90 NOP
10008194 90 NOP
10008195 90 NOP
10008196 90 NOP
10008197 8B4424 20 MOV EAX, DWORD PTR SS: [ESP 20]
1000819B ^ E9 E2A1FFFF JMP 10002382
100081A0 90 NOP
You can find a hop's jump for IAT:
On top of the next break, then write the script:
Var value
Var Edivalue
Var Sedi
Mov value, C
Mov Edivalue, EDI
And eDiValue, FF000000
Mov Sedi, Edivalue
Run
LBL1:
Eoe LBL2
CMP EIP, 100021E7 // Judgment is processed in IATJE LBL2
Mov Edivalue, EDI / / Rough Division
And eDiValue, FF000000
CMP Edivalue, SEDI
JNE lbl3 // If the first two digits of the address are considered to be different
Add Value, C
LBLSUB:
Sub Edx, Value
CMP EDX, 5C479C / / Here, the part of the above roughly left is finished
Je lbl4
CMP EDX, 5C4B0C // Found Address 8
Je lbl4
CMP EDX, 5C4C40 // Found Address 8
Je lbl4
LBLSUB1:
Run
JMP LBL1
LBL2:
RET
LBL3:
Mov sedi, edivalue // found that different lines are set
Add Value, 8
JMP LBLSUB
LBL4:
Add EDX, 4 // This is also used to set the boundary line
Sub Value, 4
JMP LBLSUB1
After running the script, you can get a very complete program, then Dump and Fixdump can run.
Ok, take it back!
Note: The program is best not to fall off in XP, because,,,,,,,,,,,,,,,,,,
Second, this shell handle IAT is not very good, so don't any tips in IAT failure, this should be paid attention to.
Grab the successful IAT to see:
Greetz:
Fly.jingulong, Yock, Tdasm.david.ahao.ufo (brother) .alan (Sister) .all of my friends and you!
By LoveBoom [DFCG] [FCG]
Email: bmd2chen@tom.com
