PESpin 0.7 unpacking analysis

xiaoxiao2021-03-05  28

[Target]: A small program I wrote casually (packed with PESpin v0.7)

[Tools]: OllyDbg 1.1

[Protection]: mainly the Stolen Code of this shell

[Platform]: WinXP Pro SP1

[Author]: loveboom[dfcg][fcg]

[Related Links]: See the DFCG post; I accidentally attached two pictures there, and there is no room for such big ones here.

[Brief Description]: I have been idle for so long while the other brothers have written so much that I felt embarrassed, so I wrote one too.

[Detailed Procedure]:

I wanted to write a complete tutorial, but I didn't expect my own level to be so poor, so I only got this half-finished piece. The Stolen Code of this shell is actually quite good; the new version is much better than the old one, and the IAT handling has improved a lot. The IAT is similar to ASProtect's, and some IAT entries are redirected into the shell. Limited by my level, I don't know how to fix those, so please, experts, give me some pointers, thank you!

Let's get ready first. I use Flyfancy's junk-code removal plugin; if you use the plugin written by HOT the format may need changing, but it should be no problem.

Add the following to the script configuration file. Add PESPIN to JunkType, like this:

JunkType = Common, Telock, Ultraprotect, Custom, PESPIN

and add this :)

PATLIST_PESPIN = _pes1, _jmp01, _call0111, _pespin1, _pespin_jne01, _pespin_jmp01

I changed the original jmp01 to this:

[Code_jmp01]
S = EB01??
R = EB0190

And added these:

[Code_pes1]
; JMP Label1
S = EB04 ?? EB04 ?? EBFB ??
R = 909090909090909090

[Code_call0111]
; CALL Label1
; DB _JUNKCODE
S = E801000000 ??
R = E80100000090

[Code_pespin1]
S = E803000000EB04 ?? EBFB ??
R = E803000000909090909090

[Code_pespin_jne01]
S = 7501 ??
R = 909090

[Code_pespin_jmp01]
S = EB04 ?? EB04 ?? EBFB ??
R = 909090909090909090

You should all understand the above; it may be a bit messy, but I'm too lazy to tidy it up :D
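As an added illustration (my own code, not Flyfancy's plugin or the author's), here is a small Python cleaner that applies the S/R wildcard patterns above to a constructed byte string and checks that a pes1 jump chain really falls through to the byte after it, which is why nine NOPs are a safe substitute; the sample bytes are constructed to resemble the listing below, not taken from the target.

```python
import re

# Pattern table transcribed from the [Code_*] sections above (Flyfancy style):
# S = bytes to search for, "??" matching any single byte; R = same-length replacement.
PATTERNS = [
    ("pes1",         "EB04 ?? EB04 ?? EBFB ??", "90 90 90 90 90 90 90 90 90"),
    ("jmp01",        "EB01 ??",                 "EB01 90"),
    ("call0111",     "E801000000 ??",           "E801000000 90"),
    ("pespin_jne01", "7501 ??",                 "90 90 90"),
]

def parse_pattern(spec):
    """'EB04 ?? EBFB' -> [0xEB, 0x04, None, 0xEB, 0xFB]; None is a wildcard."""
    toks = re.findall(r"\?\?|[0-9A-Fa-f]{2}", spec)
    return [None if t == "??" else int(t, 16) for t in toks]

def clean(code):
    """Apply every pattern in order; return (cleaned bytes, hits per pattern).
    Caveat: this is a byte-level search, so an immediate that happens to contain
    EB 01 or 75 01 would be rewritten too; always check the listing afterwards."""
    buf, hits = bytearray(code), {}
    for name, s, r in PATTERNS:
        search, repl = parse_pattern(s), parse_pattern(r)
        assert len(search) == len(repl), name       # in-place replace only
        i = 0
        while i <= len(buf) - len(search):
            if all(p is None or p == buf[i + k] for k, p in enumerate(search)):
                for k, p in enumerate(repl):
                    if p is not None:
                        buf[i + k] = p
                hits[name] = hits.get(name, 0) + 1
                i += len(search)                    # do not re-match inside a hit
            else:
                i += 1
    return bytes(buf), hits

def follow_short_jumps(block, start=0):
    """Walk a chain of 'EB rel8' jumps and return the offset where control
    leaves the block; a pure junk block must exit at len(block)."""
    off, seen = start, set()
    while 0 <= off < len(block) - 1 and block[off] == 0xEB and off not in seen:
        seen.add(off)
        rel = block[off + 1]
        off = off + 2 + (rel - 256 if rel > 127 else rel)
    return off

# Constructed sample modelled on the listing at 005F6887: PUSHAD, a pes1 junk
# chain, OR EDI,EDI, a real JNZ +16 (must survive), jmp01 junk, call junk, RETN.
SAMPLE = bytes.fromhex("60 EB04C3 EB04C3 EBFBC3 0BFF 7516 EB01C3 E801000000C3 C3")
```

Calling `follow_short_jumps(SAMPLE[1:10])` returns 9, the length of the chain, and `clean(SAMPLE)` reports one hit each for pes1, jmp01 and call0111 while leaving the real JNZ untouched.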

After writing these, start OD and set it up: Alt+O, in the Exceptions tab tick everything except 'Invalid or Privileged Instruction'.

After loading, hide OD, otherwise you will find your OD is gone; try it yourself and see.

There is an exception right after loading; before seeing any code, press Shift+F9 once to reach the entry point:

005F6087 > EB 01 JMP SHORT Project1.005F608A ; entry point
005F6089 68 60E80000 PUSH 0E860

Press F9 once and it raises an exception:

005F7E9C FB STI ; after pressing F9 once, the exception is here
005F7E9D FFF ??? ; unknown command
......

After the exception, press Shift+F9 and you see a lot of ???:

00400201 FFFF ??? ; unknown command
00400203 FFFF ??? ; unknown command
00400205 FFFF ??? ; unknown command
00400207 FFFF ??? ; unknown command

After seeing this, set BP LoadLibraryA, then press Shift+F9 to break in the system DLL:

77E5D961 > 837C24 04 00 CMP DWORD PTR SS:[ESP+4],0 ; after it breaks here, remove the breakpoint
77E5D966 53 PUSH EBX

Remove this breakpoint, then Alt+F9 to execute till user code and return into the program:

005F6E0E 85C0 TEST EAX,EAX ; kernel32.77E40000
005F6E10 0F84 2F070000 JE Project1.005F7545

Back in the program, press Ctrl+F and search for the command 'OR [EDX],0'. It is very close, you will see it right away.

005F6E89 830A 00 OR DWORD PTR DS:[EDX],0 ; this is what we are looking for
005F6E8C 0F84 EF000000 JE Project1.005F6F81
005F6E92 8B02 MOV EAX,DWORD PTR DS:[EDX]

Once found, press F4 to run straight to 5F6E89. If it is a VB or Delphi file, EDX is generally the start of the IAT. Then Ctrl+F9 to execute till RET:

005F6EB1 012C24 ADD DWORD PTR SS:[ESP],EBP
005F6EB4 810424 B4466F06 ADD DWORD PTR SS:[ESP],66F46B4
005F6EBB 68 286F630F PUSH 0F636F28
005F6EC0 812C24 9643230F SUB DWORD PTR SS:[ESP],0F234396
005F6EC7 012C24 ADD DWORD PTR SS:[ESP],EBP
005F6ECA C3 RETN ; execute to here

After arriving here, press F8 to step into; here is what we want:

005F6887 60 PUSHAD
005F6888 EB 04 JMP SHORT Project1.005F688E

OK, now I use my junk-instruction script to clean it up: Alt+Shift+S, choose PESPIN, set the range to 01FFF, and look how much clearer it gets; here it cleared 114 places.

After cleaning:

005F6887 60 PUSHAD
005F6888 90 NOP
005F6889 90 NOP
005F688A 90 NOP
005F688B 90 NOP
005F688C 90 NOP
005F688D 90 NOP
005F688E 90 NOP
005F688F 90 NOP
005F6890 90 NOP
005F6891 0BFF OR EDI,EDI
005F6893 75 16 JNZ SHORT Project1.005F68AB
005F6895 8B9D 8D2B4000 MOV EBX,DWORD PTR SS:[EBP+402B8D]
005F689B 2D 01000000 SUB EAX,1
......
005F68CC 90 NOP
005F68CD 90 NOP
005F68CE 90 NOP
005F68CF 8B3B MOV EDI,DWORD PTR DS:[EBX]
005F68D1 03BD 852B4000 ADD EDI,DWORD PTR SS:[EBP+402B85]
005F68D7 803F 4C CMP BYTE PTR DS:[EDI],4C
005F68DA 75 2C JNZ SHORT Project1.005F6908
005F68DC E8 260F0000 CALL Project1.005F7807 ; press F4 directly to here
005F68E1 3D 531EF917 CMP EAX,17F91E53
005F68E6 75 20 JNZ SHORT Project1.005F6908
005F68E8 8B85 812B4000 MOV EAX,DWORD PTR SS:[EBP+402B81]
005F68EE D1E1 SHL ECX,1

Press F4 straight to 005F68DC, then keep looking down:

005F6918 8BBD 792B4000 MOV EDI,DWORD PTR SS:[EBP+402B79]
005F691E 3BC7 CMP EAX,EDI
005F6920 76 35 JBE SHORT Project1.005F6957

Change this to JMP 005F6957

005F6922 03BD 7D2B4000 ADD EDI,DWORD PTR SS:[EBP+402B7D]

When changing the above, note: if it is a VB program, do not change this jump, or the program is over the moment it jumps.

After that, look here:

005F6951 FF95 C4394000 CALL DWORD PTR SS:[EBP+4039C4]
005F6957 EB 01 JMP SHORT Project1.005F695A
005F6959 90 NOP
005F695A 894424 1C MOV DWORD PTR SS:[ESP+1C],EAX

Change this to MOV SS:[EDX],EAX

005F695E 61 POPAD
005F695F FF0424 INC DWORD PTR SS:[ESP]
005F6962 0BC0 OR EAX,EAX
005F6964 C3 RETN
005F6965 EB 01 JMP SHORT Project1.005F6968
005F6967 90 NOP

Is it finished here? No, there is still this:

005F6968 57 PUSH EDI
005F6969 51 PUSH ECX
005F696A 90 NOP
005F696B 90 NOP
005F696C 90 NOP
005F696D 90 NOP
005F696E 90 NOP
005F696F 90 NOP
005F6970 90 NOP
005F6971 90 NOP
005F6972 90 NOP
005F6973 BF 4F825F00 MOV EDI,Project1.005F824F
005F6978 EB 01 JMP SHORT Project1.005F697B
005F697A 90 NOP
005F697B B9 65060000 MOV ECX,665
005F6980 EB 01 JMP SHORT Project1.005F6983
005F6982 90 NOP
005F6983 3917 CMP DWORD PTR DS:[EDI],EDX
005F6985 74 0A JE SHORT Project1.005F6991
005F6987 47 INC EDI
005F6988 E2 F9 LOOPD SHORT Project1.005F6983
005F698A EB 01 JMP SHORT Project1.005F698D
005F698C 90 NOP
005F698D 8902 MOV DWORD PTR DS:[EDX],EAX

NOP this out.

005F698F EB 25 JMP SHORT Project1.005F69B6

After changing these places (this gets all the API functions, except that one function is still not right, more on that later), press F4 to run to 005F6964:

005F6962 0BC0 OR EAX,EAX
005F6964 C3 RETN ; press F4 here

Now look at the value of ESP, 0012FFA0, the same as in the previous version. Set a hardware breakpoint on ESP+4, i.e. HR 12FFA4, run, and you land directly in the Stolen Code. Below is what you see after my junk-instruction script has cleaned it up a lot. In this version all the CALLs in the Stolen Code are transformed, but it is too simple, not perverse at all.

005F7088 55 PUSH EBP ; *****
005F7089 EB 01 JMP SHORT Project1.005F708C
005F708B 90 NOP
005F708C 8BEC MOV EBP,ESP ; *****
005F708E EB 01 JMP SHORT Project1.005F7091
005F7090 90 NOP
005F7091 83C4 F0 ADD ESP,-10 ; *****
005F7094 EB 01 JMP SHORT Project1.005F7097
005F7096 90 NOP
005F7097 B8 983A4600 MOV EAX,Project1.00463A98 ; *****
005F709C EB 01 JMP SHORT Project1.005F709F
005F709E 90 NOP
005F709F 68 A9705F00 PUSH Project1.005F70A9
005F70A4 E9 8BEBE0FF JMP Project1.00405C34 ; *****
005F70A9 A1 F8584600 MOV EAX,DWORD PTR DS:[4658F8] ; *****
005F70AE EB 01 JMP SHORT Project1.005F70B1
005F70B0 90 NOP
005F70B1 8B00 MOV EAX,DWORD PTR DS:[EAX] ; *****
005F70B3 EB 01 JMP SHORT Project1.005F70B6
005F70B5 90 NOP
005F70B6 68 C0705F00 PUSH Project1.005F70C0
005F70BB E9 F07DE5FF JMP Project1.0044EEB0 ; *****
005F70C0 8B0D DC594600 MOV ECX,DWORD PTR DS:[4659DC] ; ***** ; Project1.00466BD8
005F70C6 EB 01 JMP SHORT Project1.005F70C9
005F70C8 90 NOP
005F70C9 A1 F8584600 MOV EAX,DWORD PTR DS:[4658F8] ; *****
005F70CE EB 01 JMP SHORT Project1.005F70D1
005F70D0 90 NOP
005F70D1 8B00 MOV EAX,DWORD PTR DS:[EAX] ; *****
005F70D3 EB 01 JMP SHORT Project1.005F70D6
005F70D5 90 NOP
005F70D6 8B15 8C384600 MOV EDX,DWORD PTR DS:[46388C] ; ***** ; Project1.004638D8
005F70DC EB 01 JMP SHORT Project1.005F70DF
005F70DE 90 NOP
005F70DF 68 E9705F00 PUSH Project1.005F70E9
005F70E4 E9 DF7DE5FF JMP Project1.0044EEC8 ; *****
005F70E9 A1 F8584600 MOV EAX,DWORD PTR DS:[4658F8] ; *****
005F70EE EB 01 JMP SHORT Project1.005F70F1
005F70F0 90 NOP
005F70F1 8B00 MOV EAX,DWORD PTR DS:[EAX] ; *****
005F70F3 EB 01 JMP SHORT Project1.005F70F6
005F70F5 90 NOP
005F70F6 68 00715F00 PUSH Project1.005F7100
005F70FB E9 487EE5FF JMP Project1.0044EF48 ; *****
005F7100 68 0A715F00 PUSH Project1.005F710A
005F7105 E9 52CCE0FF JMP Project1.00403D5C ; *****
005F710A 8D40 00 LEA EAX,DWORD PTR DS:[EAX] ; *****
005F710D EB 01 JMP SHORT Project1.005F7110
005F710F 90 NOP
005F7110 E9 BBCBE6FF JMP Project1.00463CD0 ; *****

Still good, it is not that hard; tidied up it becomes:

PUSH EBP
MOV EBP,ESP
ADD ESP,-10
MOV EAX,463A98
CALL 405C34
MOV EAX,DWORD PTR DS:[4658F8]
MOV EAX,DWORD PTR DS:[EAX]
CALL 0044EEB0
MOV ECX,DWORD PTR DS:[4659DC]
MOV EAX,DWORD PTR DS:[4658F8]
MOV EAX,DWORD PTR DS:[EAX]
MOV EDX,DWORD PTR DS:[46388C]
CALL 0044EEC8
MOV EAX,DWORD PTR DS:[4658F8]
MOV EAX,DWORD PTR DS:[EAX]
CALL 0044EF48
CALL 00403D5C
LEA EAX,DWORD PTR DS:[EAX]

Hey, the following section was eaten by PESpin, how evil!

I wanted to find the code to restore it, but I'm dizzy; let's look at the perverse part instead:

004011FC FF25 F0825F00 JMP DWORD PTR DS:[5F82F0]
00401202 8BC0 MOV EAX,EAX
00401204 FF25 EB825F00 JMP DWORD PTR DS:[5F82EB]
0040120A 8BC0 MOV EAX,EAX
0040120C FF25 E6825F00 JMP DWORD PTR DS:[5F82E6]
00401212 8BC0 MOV EAX,EAX
00401214 FF25 E1825F00 JMP DWORD PTR DS:[5F82E1]
0040121A 8BC0 MOV EAX,EAX
0040121C FF25 0A835F00 JMP DWORD PTR DS:[5F830A]
00401228 8BC0 MOV EAX,EAX
00401224 FF25 DC825F00 JMP DWORD PTR DS:[5F82DC]
0040122A 8BC0 MOV EAX,EAX
0040122C FF25 05835F00 JMP DWORD PTR DS:[5F8305]
00401232 8BC0 MOV EAX,EAX
00401234 FF25 D7825F00 JMP DWORD PTR DS:[5F82D7]

How to fix this I have no way yet :( Please give me some pointers, thank you!

The article stops here; it is past 2 a.m., I'll write no more. I'll see tomorrow whether there is a way to fix it.

Attached is an automatic script for VB targets:

/*
//
PESPIN 0.3x - 0.4x -> Cyberbob Unpack Script V0.1 (Only for VB)
Author: loveboom
Email: bmd2chen@tom.com
OS: WinXP SP1, OllyDbg 1.1, OllyScript v0.85
Date: 02:06 2004-07-05
Config: Ignore other exceptions except 'Invalid or Privileged Instruction'
Note: if you have one or more questions, email me please, thank you!
//
*/

CODE:
msgyn "Setting: ignore other exceptions except 'Invalid or Privileged Instruction', continue?"
cmp $RESULT, 0
je lblret
var addr
var espval   // ESP value
var iatstart // IAT start address
var cbase
var csize
gmi eip, CODEBASE
mov cbase, $RESULT
gmi eip, CODESIZE
mov csize, $RESULT

start:
dbh
run
esto
esto

lbl1:
gpa "LoadLibraryA", "kernel32.dll"
bp $RESULT
esto

lbl2:
bc $RESULT
rtu
cmp eip, 70000000
jb lbl3
sto
rtu

lbl3:
findop eip, #830A00#
cmp $RESULT, 0
je lblabort
go $RESULT
mov iatstart, edx
rtr
sto

lbl4:
mov espval, esp   // ESP value
add espval, 4     // ESP+4
bphws espval, "r"
run

lbl5:
bphwc espval
bprm cbase, csize
run

lbl6:
bpmc

lblfixoep:
mov addr, eip
add addr, 6
log "OEP is:"
log addr
mov [addr], 68
add addr, 1
mov espval, esp
add espval, 4
mov [addr], [espval]
add addr, 4
mov [addr], #E8F0FFFFFF#
add addr, 5
log "IAT start address is:"
log iatstart
cmt addr, "Please open the log window, you will see it."

lblend:
msg "Script by loveboom[dfcg][fcg], thank you for using my script!"

lblret:
ret

lblabort:
msg "Error, script aborted! Maybe the target is not protected by PESpin 0.3x - 0.4x -> Cyberbob"
ret

Greetz:

Fly, Jingulong, Yock, TDASM, David, AHAO, VCASM, UFO (Brother), ALAN (Sister), All of my friends and you!

By LoveBoom [DFCG] [FCG]

Email: bmd2chen@tom.com

Please credit the original URL when reposting: https://www.9cbs.com/read-36263.html
