EncryptPE 2003.5.18
Main program unpacking
[Target]: EncryptPE 2003.5.18 main program
[Tools]: OllyDbg 1.1 (DIY version), LordPE, ImportREC 1.6F
[Renuction]: Delax
[Operating platform]: Windows XP SP1
[Author]: loveboom [DFCG] [FCG] [US]
[Brief description]: Not planning to release it; it is just for my own use.
[Detailed procedure]:
Settings:
Ignore all exceptions, and additionally add the two exception addresses 0EEDFADE and C0000008 (invalid handle) to the ignore list; hide the debugger.
Step 1: Finding the program's OEP
Once the settings are in place, let's find the OEP.
004B7000 > 60 PUSHAD ; entry point of the shell
004B7001 9C PUSHFD
Once loaded and configured, press F9 to run; it takes a long time. After the INT3 you again have to wait a long while, so you can do something else in the meantime. It breaks on the INT3 exception here:
7119CF58 90 NOP ; first break here
7119CF59 64:8F05 0000000> POP DWORD PTR FS:[0]
Press Shift+F9 to pass it and break on the second INT3 exception:
7119CF58 90 NOP ; the second time it also breaks here
7119CF59 64:8F05 0000000> POP DWORD PTR FS:[0]
7119CF60 C3 RETN
Now open the Memory map and set an F2 breakpoint on the section where the program's code is located:
Then run again and it breaks at the program's OEP:
Now find the location of the import thunks; any one of them will do:
00406AA0 90 NOP ; I looked here
00406AA1 - E9 7EB3AB00 JMP 00ec1e24
The first step is done. Note down the OEP, 499780, and the program address 00406AA0. We now know that the shell has altered the code so that the IAT jumps into the shell, and the wait is long each time. Repair it directly by hand? Of course not; instead we patch the shell's own fix-up code.
Step 2: Patching the code
Load the program again and, once it is loaded, set a memory-access breakpoint at 00406AA0. It breaks here:
711A451A 8B07 MOV EAX, DWORD PTR DS:[EDI] ; first break
711A451C 8B55 F0 MOV EDX, DWORD PTR SS: [EBP-10]
711A451F 83F2 FF XOR EDX, Fffffffff
......
711A4569 66: 8B03 MOV AX, Word PTR DS: [EBX]
Second break.
OK, now note down the address 711A4569 and start over. We want a hardware execution breakpoint at 711A4569, but that address is not mapped when the program starts, so run for a while first, then set it and continue.
711A456C 66: 3D FF25 CMP AX, 25FF
711A4570 74 0B JE SHORT 711A457D
711A4572 66: 3D FF15 CMP AX, 15FF
711A4576 74 05 JE SHORT 711A457D
711A4578 E8 EF7BF8FF CALL 7112C16C
711A457D 8B7D FC MOV EDI, DWORD PTR SS: [EBP-4]; Encryptp.0049D250
711A4580 8B37 MOV ESI, DWORD PTR DS: [EDI]
This is where it changes our thunks, so change this to MOV ESI, EDI.
711A4582 81FE 00000080 CMP ESI, 80000000
711A4588 72 05 JB SHORT 711A458F
711A458A E8 DD7BF8FF CALL 7112C16C
711A458F 66: 813B FF25 CMP Word PTR DS: [EBX], 25FF
Here it checks whether the thunk is the JMP form of the API call; if it is not, it jumps.
711A4594 75 07 JNZ SHORT 711A459D
So we change this to JMP 711A459D.
711A4596 66: C703 90E9 MOV Word PTR DS: [EBX], 0E990
This is where the normal thunk is overwritten with JMP XXXX / NOP.
711A459B EB 05 JMP SHORT 711A45A2
711A459D 66: C703 90E8 MOV Word PTR DS: [EBX], 0E890
This also has to be changed, otherwise the thunk becomes CALL XXXX / NOP; that is why everything must land here.
711A45A2 8B5D E8 MOV EBX, DWORD PTR SS: [EBP-18]
711A45A5 83C3 06 ADD EBX, 6
711A45A8 8B45 E0 MOV EAX, DWORD PTR SS: [EBP-20]
711A45AB 03C0 ADD EAX, EAX
711A45AD 03D8 ADD EBX, EAX
711A45AF 8B45 E8 MOV EAX, DWORD PTR SS: [EBP-18]
711A45B2 8B38 MOV EDI, DWORD PTR DS: [EAX]
711A45B4 0FB703 MOVZX EAX, Word PTR DS: [EBX]
711A45B7 2D 00300000 SUB EAX, 3000
711A45BC 03F8 ADD EDI, EAX
711A45BE 037D DC ADD EDI, DWORD PTR SS:[EBP-24]
711A45C1 2BF7 SUB ESI, EDI ; ********
711A45C3 83EE 04 SUB ESI, 4 ; ********
These two lines do the damage; NOP them out.
711A45C6 8937 MOV DWORD PTR DS: [EDI], ESI
711A45C8 33C0 XOR EAX, EAX
After the changes it looks like this:
Once the modifications are done, cancel the hardware breakpoint set earlier and run to the OEP. Now let's see what has changed:
00406AA0 - FF25 50D24900 JMP DWORD PTR DS:[49D250] ; see, the code has changed
00406AA6 8BC0 MOV EAX, EAX
00406AA8 - FF25 4CD24900 JMP DWORD PTR DS:[49D24C]
Now dump the program and go to step 3.
Step 3: Repairing the import table
The damaged import table has not been dealt with yet. Load the program again, set a memory-access breakpoint on the OEP address noted earlier, and it breaks here:
71122943 F3: A5 REP MOVS DWORD PTR ES: [EDI], DWORD PTR DS>
71122945 89C1 MOV ECX, EAX
After it breaks, cancel the memory-access breakpoint, set a memory-access breakpoint on GetProcAddress (MR GetProcAddress), and run again. It breaks:
After it breaks at 7119D30C, press Ctrl+B and search for the byte sequence 334DFC89088955F8; you land here:
711A3385 334D FC XOR ECX, DWORD PTR SS: [EBP-4]
Change this to MOV ECX, DWORD PTR SS:[EBP-4].
711A3388 8908 MOV DWORD PTR DS: [EAX], ECX
711A338A 8955 F8 MOV DWORD PTR SS: [EBP-8], EDX
This line does the damage; NOP it out.
711A338D 85FF TEST EDI, EDI
After the change:
After the changes, remove all the memory breakpoints, set HE 711A4569, and run; after it breaks we can get a complete import table. Now look at the location and size of the IAT. The size does not need to be exact; an approximate value that covers the whole IAT is fine.
I was lazy: I chose an IAT start address of 9D160 (RVA) and a size of 1000, then cut the invalid entries.
That is it; now fill in the OEP and Fix Dump.
The program now runs normally.
Nothing more to write after this.
A refinement of my unpacking method: break directly in the EPE0 section, then after it breaks set MR GetProcAddress; when it breaks somewhere other than the GetProcAddress entry, search for:
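As an added illustration (not part of the original tutorial), the Python below models the two facts that steps 2 and 3 turn on: an intact thunk is JMP/CALL DWORD PTR [slot] (the 25FF/15FF the shell tests for at 711A456C), a redirected one is NOP; JMP rel32 into the shell's memory, and the IAT range ImportREC needs is simply the span of the slots that intact thunks reference. The image base, the thunk bytes and the slot values are constructed from the listings above, not read from a real dump.

```python
import struct

IMAGE_BASE = 0x400000   # assumed image base of the packed program
THUNK_VA = 0x406AA0     # VA of the first byte of the constructed buffer

# Constructed sample of import thunks modelled on the listing at 00406AA0.
# An intact thunk is JMP DWORD PTR [slot] (FF 25 slot32) or CALL DWORD PTR
# [slot] (FF 15 slot32), padded with MOV EAX,EAX (8B C0). The first thunk is
# shown as the shell leaves it: NOP; JMP rel32 into the shell's memory.
def _jmp(slot):  return b"\xFF\x25" + struct.pack("<I", slot)
def _call(slot): return b"\xFF\x15" + struct.pack("<I", slot)

SAMPLE = (
    b"\x90\xE9\x7E\xB3\xAB\x00" + b"\x8B\xC0"   # 00406AA0 redirected thunk
    + _jmp(0x49D24C) + b"\x8B\xC0"              # 00406AA8
    + _call(0x49D160) + b"\x8B\xC0"             # 00406AB0
    + _jmp(0x49D254)                            # 00406AB8
)

def scan_thunks(code, code_va):
    """Byte-pattern scan (not a disassembler) of a thunk region.

    Returns (slots, redirected): sorted IAT slot VAs used by intact FF25/FF15
    thunks, and (thunk_va, target_va) for thunks rewritten to NOP; JMP rel32,
    which an import rebuilder flags as invalid until they are repaired."""
    slots, redirected = set(), []
    i = 0
    while i + 6 <= len(code):
        op = code[i:i + 2]
        if op in (b"\xFF\x25", b"\xFF\x15"):
            slots.add(struct.unpack_from("<I", code, i + 2)[0])
            i += 6
        elif op == b"\x90\xE9":
            # rel32 is relative to the end of the 5-byte JMP, i.e. offset i+6
            rel = struct.unpack_from("<i", code, i + 2)[0]
            redirected.append((code_va + i, code_va + i + 6 + rel))
            i += 6
        else:
            i += 1
    return sorted(slots), redirected

def iat_bounds(slots, image_base):
    """(start RVA, size in bytes) covering every referenced IAT slot."""
    if not slots:
        return None
    start, end = min(slots), max(slots) + 4
    return start - image_base, end - start

if __name__ == "__main__":
    slots, redirected = scan_thunks(SAMPLE, THUNK_VA)
    print("IAT RVA %X size %X" % iat_bounds(slots, IMAGE_BASE))  # 9D160 / F8
    print(["%08X -> %08X" % r for r in redirected])  # 00406AA0 -> 00EC1E24
```

The computed start RVA 9D160 matches the value chosen above; the tutorial's size of 1000 is simply a rounded-up cover of the F8 bytes the sample spans.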
711A3385 334D FC XOR ECX, DWORD PTR SS: [EBP-4]
Change this to MOV ECX, DWORD PTR SS:[EBP-4].
711A3388 8908 MOV DWORD PTR DS: [EAX], ECX
711A338A 8955 F8 MOV DWORD PTR SS: [EBP-8], EDX
Greetz:
Fly.jingulong, Yock, Tdasm.david.ahao.ufo (brother) .alan (Sister) .all of my friends and you!
By LoveBoom [DFCG] [FCG]
Email: bmd2chen@tom.com