Armadillo (ARM) single-process unpacking: FTPRush v1.0
[Target]: FTPRush v1.0
[Tools]: OllyDbg 1.1 (DIY version), LordPE, ImportREC 1.6F
[Shell type]: Armadillo standard (single-process) shell
[Platform]: Windows XP SP1
[Author]: loveboom [DFCG] [FCG] [US]
[Brief description]: This program differs a little from other Armadillo targets: part of the program's own code runs inside the shell. So I am writing it up.
[Detailed procedure]:
Settings: ignore all exceptions and hide OD. Load the target; we stop at the shell's entry point:
007E4DE0 > $ 55              PUSH EBP                         ; standard C entry point
007E4DE1 |. 8BEC MOV EBP, ESP
007E4DE3 |. 6A FF PUSH -1
After breaking at the shell's EP, set a hardware breakpoint on GetModuleHandleA (HE GetModuleHandleA) and run. The breakpoint will of course be hit many times along the way, so watch the stack window. When the following appears, we are close to what we are looking for:
00127A48 01049B22 /CALL to GetModuleHandleA from 01049B1C
00127A4C 00127B84 \pModule = "MSVBVM60.DLL"
Once you see this, carefully press F9 a few more times until you arrive here:
00127A48 01049B22 /CALL to GetModuleHandleA from 01049B1C
00127A4C 00127B84 \pModule = "advapi32.dll"
Press F9 once more.
When you see the above, remove the hardware breakpoint (HD GetModuleHandleA) and return to the program code:
01065EC0   FF15 CCF00601     CALL DWORD PTR DS:[106F0CC]          ; kernel32.GetModuleHandleA
01065EC6   3985 9CC4FFFF     CMP DWORD PTR SS:[EBP-3B64],EAX      ; return here
01065ECC   75 0F             JNZ SHORT 01065EDD
01065ECE   C785 98C4FFFF 5>  MOV DWORD PTR SS:[EBP-3B68],1073B58
01065ED8   E9 C4000000       JMP 01065FA1
01065EDD   83A5 74C2FFFF 0>  AND DWORD PTR SS:[EBP-3D8C],0
01065EE4   C785 70C2FFFF 9>  MOV DWORD PTR SS:[EBP-3D90],1074198
01065EEE   EB 1C             JMP SHORT 01065F0C
01065EF0   8B85 70C2FFFF     MOV EAX,DWORD PTR SS:[EBP-3D90]
01065EF6   83C0 0C           ADD EAX,0C
01065EF9   8985 70C2FFFF     MOV DWORD PTR SS:[EBP-3D90],EAX
01065EFF   8B85 74C2FFFF     MOV EAX,DWORD PTR SS:[EBP-3D8C]
01065F05   40                INC EAX
01065F06   8985 74C2FFFF     MOV DWORD PTR SS:[EBP-3D8C],EAX
01065F0C   8B85 70C2FFFF     MOV EAX,DWORD PTR SS:[EBP-3D90]
01065F12   8338 00           CMP DWORD PTR DS:[EAX],0             ; run directly to here with F4, then set [EAX] to 0
01065F15   0F84 86000000     JE 01065FA1
See the figure below for the details:
After this change, the whole IAT is obtained intact.
Once the modification is done, set an F2 breakpoint on the CODE section:
Run, and we soon land on the program's OEP:
0076C0AC   55                PUSH EBP                             ; OEP
0076C0AD   8BEC              MOV EBP,ESP
0076C0AF   83C4 F0           ADD ESP,-10
0076C0B2   B8 A4B77600       MOV EAX,0076B7A4
Don't rush to dump yet; look at the code first:
0040525A - E9 5FC73303       JMP 037419BE                         ; look at this: the code jumps into the shell
0040525F   0FC8              BSWAP EAX
00405261   76 00             JBE SHORT 00405263
00405263   0FC8              BSWAP EAX
00405265   C740 04 B851400>  MOV DWORD PTR DS:[EAX+4],004051B8
0040526C   8968 08           MOV DWORD PTR DS:[EAX+8],EBP
0040526F   A3 40467700       MOV DWORD PTR DS:[774640],EAX
00405274   C3                RETN
00405275   8D40 00           LEA EAX,DWORD PTR DS:[EAX]
00405278   31D2              XOR EDX,EDX
0040527A   A1 40467700       MOV EAX,DWORD PTR DS:[774640]
0040527F   85C0              TEST EAX,EAX
00405281   74 1C             JE SHORT 0040529F
00405283   64:8B0A           MOV ECX,DWORD PTR FS:[EDX]
00405286   39C8              CMP EAX,ECX
00405288   75 08             JNZ SHORT 00405292
0040528A - E9 55C73303       JMP 037419E4                         ; here too
0040528F   C3                RETN
Now for the surgery: dump the whole process with LordPE, then open the memory window in OD, find the section we want to dump, double-click it and save the data to a file:
After saving, compute 03740000 - 00400000 (ImageBase) = 03340000, and write this value down.
Use LordPE to load the section we just saved into the dump, and change its VA to the value we recorded:
After changing it, rebuild the file; the rebuild options are:
Once the rebuild is finished, fix the dump with ImportREC (fixdump) and we are done. The program now also shows that I am already registered :)
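The two address calculations that matter in this writeup, recognising that the JMPs at 0040525A and 0040528A land outside the module image (in the shell's own memory), and deriving the VA 03340000 that LordPE needs for the saved region, are worked through below in Python. This is an added example, not part of loveboom's tutorial: the image base and addresses come from the listing above, but the section layout (a CODE and a DATA section with the sizes shown) and the PE header it builds are constructed here purely so the parser has realistic input.

```python
import struct

# Addresses taken from the writeup.
IMAGE_BASE = 0x00400000        # ImageBase of the target
DUMPED_REGION_VA = 0x03740000  # start of the shell's region that was dumped separately
SHELL_JUMP_TARGETS = [0x037419BE, 0x037419E4]   # JMPs at 0040525A / 0040528A

# Constructed section layout (an assumption, not read from the real binary):
# CODE covers 0040525A and the OEP 0076C0AC, DATA covers the global at 00774640.
SAMPLE_SECTIONS = [("CODE", 0x1000, 0x36F000), ("DATA", 0x370000, 0x10000)]
SAMPLE_SIZE_OF_IMAGE = 0x380000


def build_sample_pe(image_base, size_of_image, sections):
    """Build a minimal PE32 header (constructed sample, no code) carrying the
    given section table, so the parser below has something realistic to read."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # COFF header: i386, section count, SizeOfOptionalHeader = 0xE0
    coff = struct.pack("<HHIIIHH", 0x014C, len(sections), 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)            # Magic: PE32
    struct.pack_into("<I", opt, 28, image_base)      # ImageBase
    struct.pack_into("<I", opt, 32, 0x1000)          # SectionAlignment
    struct.pack_into("<I", opt, 36, 0x200)           # FileAlignment
    struct.pack_into("<I", opt, 56, size_of_image)   # SizeOfImage
    table = b""
    for name, rva, vsize in sections:
        # IMAGE_SECTION_HEADER: name, VirtualSize, VirtualAddress, SizeOfRawData,
        # PointerToRawData, relocs, linenumbers, counts, Characteristics (code|r|x)
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\x00"),
                             vsize, rva, vsize, 0, 0, 0, 0, 0, 0x60000020)
    return dos + b"PE\x00\x00" + coff + bytes(opt) + table


def parse_pe(pe):
    """Return (image_base, size_of_image, [(name, rva, virtual_size), ...])."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]       # NumberOfSections
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]  # SizeOfOptionalHeader
    opt = e_lfanew + 24
    image_base = struct.unpack_from("<I", pe, opt + 28)[0]
    size_of_image = struct.unpack_from("<I", pe, opt + 56)[0]
    sections, off = [], opt + opt_size
    for _ in range(nsec):
        name, vsize, rva = struct.unpack_from("<8sII", pe, off)
        sections.append((name.rstrip(b"\x00").decode(), rva, vsize))
        off += 40
    return image_base, size_of_image, sections


def locate_va(va, image_base, size_of_image, sections):
    """Name of the section containing va, "headers" when inside the image but
    before any section, or None when va is outside the module image entirely
    (for example in a region the protector allocated at run time)."""
    if not image_base <= va < image_base + size_of_image:
        return None
    rva = va - image_base
    for name, s_rva, vsize in sections:
        if s_rva <= rva < s_rva + vsize:
            return name
    return "headers"


def external_branch_targets(targets, pe):
    """Branch targets that leave the module image: the sign that a protector
    still services part of the program's code from its own memory."""
    image_base, size_of_image, sections = parse_pe(pe)
    return [t for t in targets
            if locate_va(t, image_base, size_of_image, sections) is None]


def dumped_region_rva(region_va, image_base, section_alignment=0x1000):
    """RVA (the VA field to enter in LordPE) under which a region dumped from
    region_va must be added to the rebuilt file so it maps back to the same
    address when the image loads at image_base."""
    if region_va < image_base:
        raise ValueError("region lies below the image base")
    rva = region_va - image_base
    if rva % section_alignment:
        raise ValueError("region start is not section-aligned")
    return rva


if __name__ == "__main__":
    pe = build_sample_pe(IMAGE_BASE, SAMPLE_SIZE_OF_IMAGE, SAMPLE_SECTIONS)
    outside = external_branch_targets(SHELL_JUMP_TARGETS, pe)
    print("JMP targets outside the image:", [hex(t) for t in outside])
    print("OEP 0076C0AC lies in section:", locate_va(0x0076C0AC, *parse_pe(pe)))
    print("VA to enter in LordPE: %08X" % dumped_region_rva(DUMPED_REGION_VA, IMAGE_BASE))
```

The same check generalises beyond this target: feeding any list of branch targets seen in OD into `external_branch_targets` against the dump's real section table tells you whether the dumped image is self-contained or still depends on memory the shell set up, which is exactly why the region at 03740000 had to be saved and appended here.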
Greetz:
Fly, jingulong, Yock, Tdasm, david, ahao, ufo (brother), aran (sister), all of my friends and you! By loveboom [DFCG] [FCG]
Email: bmd2chen@tom.com