An example of unpacking a plug-in

xiaoxiao 2021-03-05

Simple unpacking of an old Hying shell

[Target]: Paradise XXXX (it is a plug-in, so the full name is not written)
[Tools]: OllyDbg 1.1 (DIY version), LordPE, ImportREC 1.6f
[Task]: simply unpack the target
[Platform]: WinXP SP2
[Author]: loveboom [DFCG] [FCG] [US]
[Related links]: search the Internet
[Brief description]: This is an old Hying shell, and it is very simple now, but friends who have seen the new version know it has a lot of BT tricks; still, it is not that mysterious :-). There is relatively little information about this shell, and fly, the boss, said he wanted a rough look at it (he has no time to look at the Hying shell himself), so I have thickened my skin and written a rough walkthrough.
[Detailed process]: PEiD directly reports yC's shell, but I had already met a few Hying shells before, so with the extended-scan method it shows as Pelock -> HYING *, and it is good to know which shell it is. I have traced a new version of this shell under the guidance of big brother HEXER, so this old version is very simple. Let's get to the topic.

Settings: ignore all exceptions and hide the debugger flag. Load, and we are at the EP:

005D4DA8 > 60 PUSHAD ; the EP, what follows is a fake yoda's crypt
005D4DA9 E8 00000000 CALL 005D4DAE
005D4DAE 5D POP EBP

Right after loading, set a breakpoint on the code section: in the Memory map window, item 14, press F2:

Address=00401000 Size=001AC000 (1753088.) Owner=L2Walker 00400000 Section= Contains=code Type=Imag 01001002 Access=R Initial access=RWE

With the breakpoint set, press F9 to run.

We break here:

00373670 AC LODS BYTE PTR DS:[ESI] ; breaks here
00373671 D2C8 ROR AL,CL
00373673 32C1 XOR AL,CL
00373675 04 66 ADD AL,66
00373677 02C5 ADD AL,CH
00373679 02C6 ADD AL,DH
0037367B 2AC2 SUB AL,DL
0037367D 02C1 ADD AL,CL
0037367F 2AC5 SUB AL,CH
00373681 32C2 XOR AL,DL
00373683 04 23 ADD AL,23
00373685 32C6 XOR AL,DH
00373687 F6D0 NOT AL
00373689 D2C8 ROR AL,CL
0037368B D3CA ROR EDX,CL
0037368D AA STOS BYTE PTR ES:[EDI]
0037368E 49 DEC ECX
0037368F 0BC9 OR ECX,ECX
00373691 ^75 DD JNZ SHORT 00373670
00373693 53 PUSH EBX
00373694 6A 04 PUSH 4
00373696 68 00100000 PUSH 1000
0037369B FF342B PUSH DWORD PTR DS:[EBX+EBP]
0037369E 6A 00 PUSH 0
003736A0 8D85 001D4000 LEA EAX,DWORD PTR SS:[EBP+401D00]
003736A6 50 PUSH EAX
003736A7 8B85 33374000 MOV EAX,DWORD PTR SS:[EBP+403733]
003736AD E9 010E0000 JMP 003744B3
003736B2 -E9 897C24EC JMP EC5BB340
003736B7 897424 E8 MOV DWORD PTR SS:[ESP-18],ESI
003736BB FF85 47374000 INC DWORD PTR SS:[EBP+403747]
003736C1 8B9D 6B374000 MOV EBX,DWORD PTR SS:[EBP+40376B]
003736C7 83FB 01 CMP EBX,1
003736CA 75 0E JNZ SHORT 003736DA
003736CC 61 POPAD
003736CD 8B4424 CC MOV EAX,DWORD PTR SS:[ESP-34]
003736D1 8D78 02 LEA EDI,DWORD PTR DS:[EAX+2]
003736D4 55 PUSH EBP
003736D5 8BEC MOV EBP,ESP
003736D7 50 PUSH EAX
003736D8 EB 20 JMP SHORT 003736FA
003736DA 83FB 02 CMP EBX,2
003736DD 75 15 JNZ SHORT 003736F4
003736DF 61 POPAD
003736E0 8B4424 C8 MOV EAX,DWORD PTR SS:[ESP-38]
003736E4 FFB0 6F374000 PUSH DWORD PTR DS:[EAX+40376F]
003736EA 8B4424 D0 MOV EAX,DWORD PTR SS:[ESP-30]
003736EE 50 PUSH EAX
003736EF 8D78 02 LEA EDI,DWORD PTR DS:[EAX+2]
003736F2 EB 06 JMP SHORT 003736FA
003736F4 61 POPAD
003736F5 8B4424 CC MOV EAX,DWORD PTR SS:[ESP-34]
003736F9 50 PUSH EAX ; jumps to the OEP
003736FA C3 RETN

After tracing a few times it turns out that 003736F9 is the PUSH OEP. Keep tracing and we find this:

003737D3 87E6 XCHG ESI,ESP
003737D5 B9 7F0B0000 MOV ECX,0B7F
003737DA 58 POP EAX ; loops here to decrypt the code that follows
003737DB F6D0 NOT AL
003737DD 50 PUSH EAX
003737DE 44 INC ESP
003737DF ^E2 F9 LOOPD SHORT 003737DA
003737E1 87E6 XCHG ESI,ESP ; we go straight here with F4
003737E3 6A 04 PUSH 4
003737E5 68 00100000 PUSH 1000
003737EA 68 00200000 PUSH 2000
003737EF 6A 00 PUSH 0
003737F1 FF95 33374000 CALL DWORD PTR SS:[EBP+403733] ; VirtualAlloc
003737F7 8985 3C3D4000 MOV DWORD PTR SS:[EBP+403D3C],EAX
003737FD C785 403D4000 0> MOV DWORD PTR SS:[EBP+403D40],0
00373807 74 7A JE SHORT 00373883
00373809 9C PUSHFD
0037380A C8 BFFFF4 ENTER 0FFBF,0F4
0037380E 3F AAS
0037380F F0:7A 42 LOCK JPE SHORT 00373854 ; LOCK prefix is not allowed
00373812 FFFF ??? ; Unknown command

The code from 00373807 on is obviously still encrypted. F4 to 003737E1 and it has been decrypted; now look at it again. Friends who have traced the Hying shell know the part that follows: when the shell fetches an API function it first judges whether the API's code should be stolen. If so, it moves some of the API's code into the memory the shell allocated and reaches the API with a push API / ret after the stolen instructions; if not, it simply emits push API / ret.
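The decryption loop at 00373670 listed above can be re-implemented outside the debugger. The following Python is an added example, not code from this write-up: it mirrors the instruction sequence byte for byte so a dumped buffer can be decrypted statically. The initial ECX (byte count) and EDX (rotating key) at loop entry are not recorded above, so the values passed to hying_decrypt are assumptions the caller must read from the debugger; the sample call uses constructed values.

```python
# Re-implementation of the Hying decrypt loop at 00373670 (LODSB ... STOSB).
# ECX is the byte counter (CL/CH feed the arithmetic), EDX is a key that is
# rotated by CL after every byte. Both start values come from the debugger.

def ror8(v, n):
    """ROR r8,CL: x86 masks the count to 5 bits; rotating by 8 is a no-op."""
    n = (n & 0x1F) % 8
    v &= 0xFF
    return ((v >> n) | (v << (8 - n))) & 0xFF

def ror32(v, n):
    """ROR r32,CL with the same 5-bit count mask."""
    n &= 0x1F
    v &= 0xFFFFFFFF
    return ((v >> n) | (v << (32 - n))) & 0xFFFFFFFF

def hying_decrypt(data, ecx, edx):
    """Decrypt `data` exactly as the loop does: ECX bytes, EDX as the key."""
    ecx &= 0xFFFFFFFF
    edx &= 0xFFFFFFFF
    if not 0 < ecx <= len(data):
        raise ValueError("ECX must be the byte count, 1..len(data)")
    out = bytearray()
    for b in data[:ecx]:              # LODS BYTE PTR DS:[ESI]
        cl, ch = ecx & 0xFF, (ecx >> 8) & 0xFF
        dl, dh = edx & 0xFF, (edx >> 8) & 0xFF
        al = ror8(b, cl)              # ROR AL,CL
        al ^= cl                      # XOR AL,CL
        al = (al + 0x66) & 0xFF       # ADD AL,66
        al = (al + ch) & 0xFF         # ADD AL,CH
        al = (al + dh) & 0xFF         # ADD AL,DH
        al = (al - dl) & 0xFF         # SUB AL,DL
        al = (al + cl) & 0xFF         # ADD AL,CL
        al = (al - ch) & 0xFF         # SUB AL,CH
        al ^= dl                      # XOR AL,DL
        al = (al + 0x23) & 0xFF       # ADD AL,23
        al ^= dh                      # XOR AL,DH
        al = (~al) & 0xFF             # NOT AL
        al = ror8(al, cl)             # ROR AL,CL
        edx = ror32(edx, cl)          # ROR EDX,CL: the key changes every byte
        out.append(al)                # STOS BYTE PTR ES:[EDI]
        ecx -= 1                      # DEC ECX / OR ECX,ECX / JNZ 00373670
    return bytes(out)

# Constructed sample: register values are made up, not taken from the target.
SAMPLE = hying_decrypt(b"\xff\x00", ecx=2, edx=0x0102)   # -> b"\xdd\x3a"
```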

So now I have to find the code that jumps to the API. This is easy; you see a lot of this in the code:

0037383B 8B85 2B374000 MOV EAX,DWORD PTR SS:[EBP+40372B]
00373841 E9 6D0C0000 JMP 003744B3 ; here is one
00373846 81340B C0751E56 XOR DWORD PTR DS:[EBX+ECX],561E75C0
0037384D 8D85 661E4000 LEA EAX,DWORD PTR SS:[EBP+401E66]
00373853 50 PUSH EAX
00373854 8B85 2F374000 MOV EAX,DWORD PTR SS:[EBP+40372F]
0037385A E9 540C0000 JMP 003744B3 ; and here again

So it can be judged that 003744B3 is the procedure that calls an API. Look inside:

003744B3 50 PUSH EAX
003744B4 8B85 383D4000 MOV EAX,DWORD PTR SS:[EBP+403D38]
003744BA 50 PUSH EAX
003744BB E8 08000000 CALL 003744C8
003744C0 8B85 383D4000 MOV EAX,DWORD PTR SS:[EBP+403D38]
003744C6 FFE0 JMP EAX ; jumps to the address of the PUSH API / RET
003744C8 60 PUSHAD ; API processing starts here
003744C9 8B7C24 24 MOV EDI,DWORD PTR SS:[ESP+24]
003744CD 8B7424 28 MOV ESI,DWORD PTR SS:[ESP+28]
003744D1 66:8B06 MOV AX,WORD PTR DS:[ESI]
003744D4 3C 50 CMP AL,50
003744D6 72 0A JB SHORT 003744E2 ; *****
003744D8 3C 57 CMP AL,57 ; starts judging whether the API needs "care"
003744DA 77 06 JA SHORT 003744E2
003744DC 8807 MOV BYTE PTR DS:[EDI],AL
003744DE 46 INC ESI
003744DF 47 INC EDI
......
003745F2 /E9 AD120000 JMP 003758A4
003745F7 |66:3D CD03 CMP AX,3CD
003745FB |75 05 JNZ SHORT 00374602
003745FD |E9 A2120000 JMP 003758A4
00374602 |C607 68 MOV BYTE PTR DS:[EDI],68 ; here it becomes PUSH API / RET
00374605 |8977 01 MOV DWORD PTR DS:[EDI+1],ESI
00374608 |C647 05 C3 MOV BYTE PTR DS:[EDI+5],0C3
0037460C |83C7 06 ADD EDI,6
0037460F |897C24 FC MOV DWORD PTR SS:[ESP-4],EDI
00374613 |61 POPAD
00374614 |8B4424 DC MOV EAX,DWORD PTR SS:[ESP-24]
00374618 |C2 0800 RETN 8

After analysing this code we have to perform "surgery" and change 003744D6:

003744D6 /E9 27010000 JMP 00374602 ; jump from here straight into the PUSH API / RETN path, so the shell cannot steal code

F4 to 003737E1, then a few F8 bring us to the IAT handling:

003738D8 0395 7F374000 ADD EDX,DWORD PTR SS:[EBP+40377F]
003738DE 8B3A MOV EDI,DWORD PTR DS:[EDX]
003738E0 0BFF OR EDI,EDI ; judges whether the IAT has been fully processed
003738E2 75 05 JNZ SHORT 003738E9
003738E4 E9 53050000 JMP 00373E3C ; IAT finished, jump away
003738E9 03BD 37374000 ADD EDI,DWORD PTR SS:[EBP+403737]
003738EF 83C2 05 ADD EDX,5
003738F2 8BF2 MOV ESI,EDX
003738F4 56 PUSH ESI
003738F5 8D85 0E1F4000 LEA EAX,DWORD PTR SS:[EBP+401F0E]
003738FB 50 PUSH EAX
003738FC 8B85 2B374000 MOV EAX,DWORD PTR SS:[EBP+40372B] ; GetModuleHandleA
00373902 E9 AC0B0000 JMP 003744B3
00373907 90 NOP
00373908 90 NOP
00373909 0BC0 OR EAX,EAX
0037390B 75 1E JNZ SHORT 0037392B ; judges whether the DLL is loaded; if not, LoadLibrary it first
0037390D 56 PUSH ESI
0037390E 8D85 271F4000 LEA EAX,DWORD PTR SS:[EBP+401F27]
00373914 50 PUSH EAX
00373915 8B85 2F374000 MOV EAX,DWORD PTR SS:[EBP+40372F]
0037391B E9 930B0000 JMP 003744B3 ; LoadLibraryA
00373920 FF15 0BC07505 CALL DWORD PTR DS:[575C00B]
00373926 E9 9D0D0000 JMP 003746C8
0037392B 0FB64E FF MOVZX ECX,BYTE PTR DS:[ESI-1]
0037392F 03F1 ADD ESI,ECX
00373931 8BD6 MOV EDX,ESI
00373933 8BF0 MOV ESI,EAX
00373935 42 INC EDX
00373936 8B0A MOV ECX,DWORD PTR DS:[EDX]
00373938 81E1 00000080 AND ECX,80000000
0037393E 0BC9 OR ECX,ECX
00373940 0F85 87000000 JNZ 003739CD
00373946 8B0A MOV ECX,DWORD PTR DS:[EDX]
......
003739CD 8B0A MOV ECX,DWORD PTR DS:[EDX]
003739CF 81E1 FFFFFF7F AND ECX,7FFFFFFF
003739D5 51 PUSH ECX
003739D6 52 PUSH EDX
003739D7 C1E1 05 SHL ECX,5
003739DA 6A 04 PUSH 4
003739DC 68 00100000 PUSH 1000
003739E1 51 PUSH ECX
003739E2 6A 00 PUSH 0
003739E4 8D85 FC1F4000 LEA EAX,DWORD PTR SS:[EBP+401FFC]
003739EA 50 PUSH EAX
003739EB 8B85 33374000 MOV EAX,DWORD PTR SS:[EBP+403733] ; VirtualAlloc
003739F1 E9 BD0A0000 JMP 003744B3
......
00373A0A /74 15 JE SHORT 00373A21
00373A0C |03BD 37374000 ADD EDI,DWORD PTR SS:[EBP+403737]
00373A12 |EB 09 JMP SHORT 00373A1D
00373A14 |8907 MOV DWORD PTR DS:[EDI],EAX ; fills the original IAT slot with the first-layer encrypted address
00373A16 |83C0 20 ADD EAX,20
00373A19 |83C7 04 ADD EDI,4
00373A1C |49 DEC ECX
00373A1D |0BC9 OR ECX,ECX
00373A1F ^|75 F3 JNZ SHORT 00373A14
00373A21 \59 POP ECX
00373A22 58 POP EAX
00373A23 8BF8 MOV EDI,EAX
00373A25 57 PUSH EDI
00373A26 51 PUSH ECX
00373A27 EB 2D JMP SHORT 00373A56
00373A29 8D47 1C LEA EAX,DWORD PTR DS:[EDI+1C] ; from here it builds "push [addr] / xor [esp],XorKey / ret"; the RET here returns to the real address
00373A2C 66:C707 FF35 MOV WORD PTR DS:[EDI],35FF
00373A31 C747 06 8134240> MOV DWORD PTR DS:[EDI+6],243481
00373A38 8947 02 MOV DWORD PTR DS:[EDI+2],EAX
00373A3B C647 0D C3 MOV BYTE PTR DS:[EDI+D],0C3
00373A3F 52 PUSH EDX
00373A40 0F31 RDTSC
00373A42 32E0 XOR AH,AL
00373A44 C1C8 08 ROR EAX,8
00373A47 02E0 ADD AH,AL
00373A49 C1C8 08 ROR EAX,8
00373A4C 32E0 XOR AH,AL
00373A4E 8947 09 MOV DWORD PTR DS:[EDI+9],EAX
00373A51 5A POP EDX
00373A52 83C7 20 ADD EDI,20
00373A55 49 DEC ECX
00373A56 0BC9 OR ECX,ECX
00373A58 ^75 CF JNZ SHORT 00373A29 ; jump back and continue
00373A5A 59 POP ECX

To make our tracing easier, I change "push [addr] / xor [esp],XorKey / ret" into "push [addr] / xor [esp],XorKey / add esp,4 / ret", which the later repair relies on. The specific code is:

00373A38 8947 02 MOV DWORD PTR DS:[EDI+2],EAX
00373A3B C647 0D C3 MOV BYTE PTR DS:[EDI+D],0C3 ; this is where the ADD ESP,4 form is produced instead:

00373A38 -E9 03C60000 JMP 00380040
00373A3D 90 NOP
00373A3E 90 NOP

and write at 00380040:

00380040 8947 02 MOV DWORD PTR DS:[EDI+2],EAX
00380043 C747 0D 83C404C> MOV DWORD PTR DS:[EDI+D],C304C483 ; produces ADD ESP,4 / RET
0038004A -E9 F039FFFF JMP 00373A3F
0038004F 90 NOP

Continue tracing to here:

00373ABB 8D95 C73B4000 LEA EDX,DWORD PTR SS:[EBP+403BC7] ; takes the correct function name here
00373AC1 52 PUSH EDX
00373AC2 52 PUSH EDX
00373AC3 8D85 283A4000 LEA EAX,DWORD PTR SS:[EBP+403A28] ; takes the name of a special API, to decide whether it needs special "care"
00373AC9 50 PUSH EAX
00373ACA 8D85 E2204000 LEA EAX,DWORD PTR SS:[EBP+4020E2]
00373AD0 50 PUSH EAX
00373AD1 8B85 60384000 MOV EAX,DWORD PTR SS:[EBP+403860] ; lstrcmpiA, compares whether it is a special function
00373AD7 E9 D7090000 JMP 003744B3
00373ADC 90 NOP
00373ADD 5A POP EDX
00373ADE 85C0 TEST EAX,EAX
00373AE0 75 0B JNZ SHORT 00373AED ; if it is not a special function; there are many more such comparisons below, so we change this
00373AE2 8D85 E72F4000 LEA EAX,DWORD PTR SS:[EBP+402FE7]
00373AE8 E9 31030000 JMP 00373E1E
......
00373D9F 52 PUSH EDX ; when there is no special function, we finally come here
00373DA0 56 PUSH ESI
00373DA1 8D85 B9234000 LEA EAX,DWORD PTR SS:[EBP+4023B9]
00373DA7 50 PUSH EAX
00373DA8 8B85 27374000 MOV EAX,DWORD PTR SS:[EBP+403727] ; GetProcAddress, fetches the API
00373DAE E9 00070000 JMP 003744B3
00373DB3 ^75 8B JNZ SHORT 00373D40
00373DB5 9D POPFD
00373DB6 3C 3D CMP AL,3D
00373DB8 40 INC EAX
00373DB9 0003 ADD BYTE PTR DS:[EBX],AL
00373DBB 9D POPFD
00373DBC 40 INC EAX
00373DBD 3D 40005350 CMP EAX,50530040
00373DC2 53 PUSH EBX
00373DC3 E8 00070000 CALL 003744C8 ; this is the shell's API-processing code, traced before, so no need to follow it again; now change it so the shell "treats every API the same":

00373AE0 /E9 BA020000 JMP 00373D9F ; skip the special-function encryption
00373AE5 |90 NOP
......
00373DC8 2B85 3C3D4000 SUB EAX,DWORD PTR SS:[EBP+403D3C]
00373DCE 8985 403D4000 MOV DWORD PTR SS:[EBP+403D40],EAX
00373DD4 60 PUSHAD
00373DD5 3D C01F0000 CMP EAX,1FC0
00373DDA 76 3E JBE SHORT 00373E1A ; judges whether there is enough space left to put the IAT
00373DDC 6A 04 PUSH 4
00373DDE 68 00100000 PUSH 1000
00373DE3 68 00200000 PUSH 2000
00373DE8 6A 00 PUSH 0
00373DEA 8D85 0F244000 LEA EAX,DWORD PTR SS:[EBP+40240F]
00373DF0 50 PUSH EAX
00373DF1 8B85 33374000 MOV EAX,DWORD PTR SS:[EBP+403733] ; VirtualAlloc
00373DF7 E9 B7060000 JMP 003744B3
00373DFC EB 64 JMP SHORT 00373E62
00373DFE 8F05 00000000 POP DWORD PTR DS:[0]
00373E04 58 POP EAX
00373E05 ^E9 8BFEFFFF JMP 00373C95
00373E0A 8985 3C3D4000 MOV DWORD PTR SS:[EBP+403D3C],EAX
00373E10 C785 403D4000 0> MOV DWORD PTR SS:[EBP+403D40],0
00373E1A 61 POPAD
00373E1B 5B POP EBX
00373E1C 8BC3 MOV EAX,EBX
00373E1E 3347 09 XOR EAX,DWORD PTR DS:[EDI+9]
00373E21 8947 1C MOV DWORD PTR DS:[EDI+1C],EAX
00373E24 5A POP EDX
00373E25 0FB642 FF MOVZX EAX,BYTE PTR DS:[EDX-1]
00373E29 03D0 ADD EDX,EAX
00373E2B 42 INC EDX
00373E2C 83C7 20 ADD EDI,20
00373E2F 59 POP ECX
00373E30 49 DEC ECX
00373E31 ^0F85 28FCFFFF JNZ 00373A5F ; the current DLL is not finished, go back and continue
00373E37 ^E9 A2FAFFFF JMP 003738DE ; this DLL is done, point at the next one

Here we do not need to trace anything further.

Directly at 003736F9:

003736F9 50 PUSH EAX ; jumps to the OEP here
003736FA C3 RETN

and run. First exception:

00373F0E ^\EB FA JMP SHORT 00373F0A ; first exception
00373F10 8985 43374000 MOV DWORD PTR SS:[EBP+403743],EAX
......
00373E94 6285 443D4000 BOUND EAX,QWORD PTR SS:[EBP+403D44] ; second exception
00373E9A ^EB F8 JMP SHORT 00373E94

After the second exception it breaks. Now write a routine to repair the IAT:

003736FA 60 PUSHAD ; save the registers
003736FB 9C PUSHFD
003736FC BE 28814D00 MOV ESI,4D8128 ; take the original IAT address
00373701 81FE F4824D00 CMP ESI,4D82F4 ; judge whether the end has been reached
00373707 73 1F JNB SHORT 00373728
00373709 8B1E MOV EBX,DWORD PTR DS:[ESI] ; take out the first-layer encrypted address
0037370B 83FB 00 CMP EBX,0 ; judge whether it is 0
0037370E 74 13 JE SHORT 00373723
00373710 81FB 0000C000 CMP EBX,0C00000 ; judge whether it is an encrypted address
00373716 73 0B JNB SHORT 00373723
00373718 FFD3 CALL EBX ; call the first-layer content
0037371A 8B5C24 F8 MOV EBX,DWORD PTR SS:[ESP-8] ; the first layer (at 3F0000) returns the second-layer address here
0037371E 8B5B 01 MOV EBX,DWORD PTR DS:[EBX+1] ; because we patched the code earlier, [EBX+1] is directly the correct IAT address
00373721 891E MOV DWORD PTR DS:[ESI],EBX ; write the API to the correct position
00373723 83C6 04 ADD ESI,4
00373726 ^EB D9 JMP SHORT 00373701
00373728 9D POPFD
00373729 61 POPAD
0037372A C3 RETN

After this treatment, looking with ImportREC, two places are still not repaired; they are simple, just change a few words in the code above. The specifics are very simple, I won't say much. Finally there was one invalid function, which I dealt with directly.

Greetz: fly, jingulong, yock, tdasm, david, ahao, ufo (brother), ause (sister), all of my friends and you!
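The repair routine injected at 003736FA above resolves each IAT slot by calling the first-layer stub inside the debugged process. The following Python, added here and not part of the original post, does the same resolution statically from a memory dump: it decodes the stub layout the builder at 00373A29 produces (FF 35 <p> / 81 34 24 <key> / ret, with the encrypted dword at stub+1C written by the XOR at 00373E1E) and the second-layer PUSH api / RET from 00374602. The addresses, key and API values inside sample_memory() are constructed for the example, not taken from the target.

```python
import struct

ENCRYPTED_LIMIT = 0x00C00000   # same bound as CMP EBX,0C00000 in the repair loop

def read(mem, addr, n):
    """Fetch n bytes from a {base: bytes} memory dump; raise if unmapped."""
    for base, blob in mem.items():
        if base <= addr and addr + n <= base + len(blob):
            return blob[addr - base:addr - base + n]
    raise KeyError("unmapped address %#x" % addr)

def resolve_stub(mem, stub):
    """Follow one first-layer stub to the real API address without running it."""
    head = read(mem, stub, 0xE)
    if head[:2] != b"\xff\x35" or head[6:9] != b"\x81\x34\x24":
        raise ValueError("no push [addr] / xor [esp],key stub at %#x" % stub)
    ptr = struct.unpack_from("<I", head, 2)[0]     # operand of PUSH DWORD PTR [p]
    key = struct.unpack_from("<I", head, 9)[0]     # XorKey the shell took from RDTSC
    target = struct.unpack_from("<I", read(mem, ptr, 4))[0] ^ key
    if target >= ENCRYPTED_LIMIT:                  # already the API itself
        return target
    second = read(mem, target, 6)                  # second layer: 68 <api> C3
    if second[0] == 0x68 and second[5] == 0xC3:
        return struct.unpack_from("<I", second, 1)[0]
    raise ValueError("unexpected second layer at %#x" % target)

def repair_iat(mem, iat_start, iat_end):
    """Mirror of the injected loop: empty and real entries stay, stubs resolve."""
    fixed = []
    for addr in range(iat_start, iat_end, 4):
        entry = struct.unpack_from("<I", read(mem, addr, 4))[0]
        if entry == 0 or entry >= ENCRYPTED_LIMIT:
            fixed.append(entry)
        else:
            fixed.append(resolve_stub(mem, entry))
    return fixed

def sample_memory():
    """Constructed dump: four IAT slots at 0x4D8128, two of them stubs."""
    key, api_a, api_b = 0x1234ABCD, 0x7C80B741, 0x7C801D7B   # made-up values
    stub_a, stub_b, second = 0x3F0000, 0x3F0020, 0x3F1000
    def stub(base, enc):   # FF35 <base+1C> 813424 <key> 83C404 C3, pad, enc
        s = b"\xff\x35" + struct.pack("<I", base + 0x1C) + b"\x81\x34\x24"
        s += struct.pack("<I", key) + b"\x83\xc4\x04\xc3"
        return s.ljust(0x1C, b"\x90") + struct.pack("<I", enc)
    return {
        stub_a: stub(stub_a, second ^ key) + stub(stub_b, api_b ^ key),
        second: b"\x68" + struct.pack("<I", api_a) + b"\xc3",
        0x4D8128: struct.pack("<IIII", stub_a, 0x7C809B8E, 0, stub_b),
    }
```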

By LoveBoom [DFCG] [FCG] [US] Email: bmd2chen # Tom.com

Please cite the original address when reposting: https://www.9cbs.com/read-36257.html
